Friday, November 30, 2012

Snort 2.9.3.0 will be EOL on December 30th.


In accordance with our EOL policy:

Please see it here:
http://www.snort.org/vrt/rules/eol_policy

Snort version 2.9.3.0's ruleset from the VRT will be EOL'ed as of December 30th. Technically it should already be EOL, but since 2.9.3.0 were released so close together, we're going to keep it around until December 30th.

That being said, Snort 2.9.4.0's release is imminent, so we encourage you to upgrade!

Please be sure and upgrade to the latest version of Snort available here: http://www.snort.org/snort-downloads

Barnyard2 - v2-1.11 released


It appears that an early tag of 2-1.11 crept in a week or so ago before all the patches we wanted to merge were submitted. Nevertheless, we've now caught up with our queue and are formally tagging 2-1.11.

This is primarly a bug fix and usability improvement release. The salient points are as follows:

  * spo_database. Keep-alive (via ping) for postgresql databases.

  * Updated RPM spec file to support alternative pcap libraries and cleaned some existing cruft. Thanks to Brent Woodruff.

  * spo_alert_unixsock. Supports synchronisation, multiple connections and improved error reporting. Thanks to Martijn van Oosterhaut.

  * Many other general bug fixes and clean ups. Thanks to Jason Ish, Thorsten Fischer, Brad Voth and Bill Parker.

You can download the source in a number of ways:
  - https://github.com/firnsy/barnyard2/tags (as a zip/tarball)
  - git://github.com/firnsy/barnyard2.git (via a git clone)

- firnsy

Tuesday, November 27, 2012

Sourcefire VRT Certified Snort Rules Update for 11/27/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/27/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 98 new rules and made modifications to 138 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on rule: 24798

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-other, browser-plugins, deleted, dos, exploit-kit, file-flash, file-identify, file-multimedia, file-other, malware-cnc, malware-other, netbios, os-windows, scada, server-mysql, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, November 26, 2012

Autosnort updates and expanded OS support

Hello snort users,

It has been some amount of time since my initial announcement for autosnort. I've been (somewhat?) hard at work since then, improving the initial script, and also creating additional scripts for supporting other operating systems. In case you weren't around for the first announcement a few months ago, autosnort is a shell script that will take a supported operating system from base install and give you a fully updated, fully functional snort installation with minimal effort.

So without further adieu, here are the announcements:

1. Improved automation - the script no longer downloads a static version of snort, but is able to poll snort.org for the latest stable version of snort and daq libraries and automatically download them (special thanks to Dogbert2 in the snort IRC for the idea on how to do this)
2. Expanded OS support - there are now autosnort builds for CentOS 32 and 64 bit as well as Backtrack 5 r3 -- Gnome and KDE -- 32 and 64 bit.
3. Improved documentation - in the general README as well as OS-specific readmes that detail what exactly the script does to your system -- in addition to the code comments to explain EXACTLY what is going on, if you want to try your hand and modifying the script to suit your specific needs.

In the works:
1. A build for Debian 32 and 64-bit
2. A build for pentoo linux 
3. A choice of web front ends
4. Barebones install option (e.g. snort, daqlibs and output to syslog for SIEM integration)

Give it a try, let me know what you think. Contributions of code (or, well, anything, I suppose) will not be turned away. 

Autosnort now has its own blog so I don't have to hijack Joel's/snort's/Sourcefire's blog for announcements. (psst: Thanks!). If you run into any problems or have any questions, my contact information is available in the script readme, but for good measure:

blog: http://autosnort.blogspot.com/
github: https://github.com/da667/Autosnort
e-mail: deusexmachina667@gmail.com
twitter: @da_667

Thanks for your time, and happy snorting!

From Tony Robinson

Wednesday, November 21, 2012

Sourcefire VRT Certified Snort Rules Update for 11/20/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/20/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 50 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-plugins, exploit, file-multimedia, file-office, file-other, file-pdf, malware-cnc, protocol-voip, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, November 16, 2012

Sourcefire VRT Certified Snort Rules Update for 11/15/2012, Adobe 0day

Just released: Sourcefire VRT Certified Snort Rules Update for 11/15/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 53 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-plugins, file-flash, file-identify, file-image, file-multimedia, file-other, file-pdf, malware-other, policy-other, protocol-voip, rpc, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 14, 2012

Sourcefire VRT Certified Snort Rules Update for 11/13/2012, MSTUES

Just released: Sourcefire VRT Certified Snort Rules Update for 11/13/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 47 new rules and made modifications to 380 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Bulletin MS12-071: Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24653, 24654, 24660, 24661, 24662 and 24663. 
Microsoft Security Bulletin MS12-072: Microsoft Briefcase contains programming errors that may allow a remote attacker to execute code on an affected system. A rule to detect attacks targeting these vulnerabilities is included in this release and is identified with GID 3, SID 24671. 
Microsoft Security Bulletin MS12-074: The Microsoft .NET framework contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24652, 24655, 24656, 24664 and 24665. 
Microsoft Security Bulletin MS12-075: Some Microsoft kernel mode drivers contain programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24649 and 24650. 
Microsoft Security Bulletin MS12-076: Microsoft Excel contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24657, 24658, 24659, 24673, 24674, and GID 3, SID 24666. 
Additionally, a previously released rule will also detect attacks targeting these vulnerabilities and is identified with GID 1, SID 16654.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 8, 2012

Sourcefire VRT Certified Snort Rules Update for 11/08/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/08/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 1 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
Details: The Sourcefire VRT has added and modified multiple rules in the dos, file-identify, file-pdf and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 6, 2012

Sourcefire VRT Certified Snort Rules Update for 11/06/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/06/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 19 new rules and made modifications to 344 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories.
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, exploit, exploit-kit, file-flash, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-linux, os-windows, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, November 2, 2012

Sourcefire VRT Certified Snort Rules Update for 11/02/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/02/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 81 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, file-flash, file-identify, file-image, file-multimedia, malware-cnc, malware-other, policy-social, pua-adware and server-mail rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 1, 2012

Sourcefire VRT Certified Snort Rules Update for 11/01/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/01/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 54 new rules and made modifications to 605 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contribution on SID:24598

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-other, browser-plugins, exploit, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, os-windows, policy-spam, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!