Tuesday, January 29, 2013

Sourcefire VRT Certified Snort Rules Update for 01/29/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/29/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 108 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-webkit, dos, exploit, exploit-kit, file-flash, file-identify, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows, policy-multimedia, policy-other, policy-social, protocol-services, protocol-voip, rpc, scan, server-apache, server-iis, server-oracle, server-other and specific-threats rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, January 24, 2013

Sourcefire VRT Certified Snort Rules Update for 01/24/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/24/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 15 new rules and made modifications to 33 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Randy Miller for his contributions on SIDs 25518, 25519, 25520, 25521, 25522, 25523, 25524 and 25525.

If you are interested in submitting rules to the VRT, please feel free to email me at joel@sourcefire.com for more details.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the exploit-kit, file-executable, file-identify, malware-cnc, os-other and pua-adware rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 22, 2013

Sourcefire VRT Certified Snort Rules Update for 01/22/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/22/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 7 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on SID 25511.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the exploit-kit and netbios rule sets to provide coverage for emerging threats from these technologies.
The Sourcefire VRT has also fixed an integer overflow vulnerability in GID 3, SID 20275. This was reported by Fermin J. Serna and Tavis Ormandy.



Friday, January 18, 2013

Sourcefire VRT Certified Snort Rules Update for 01/17/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/17/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 91 new rules and made modifications to 38 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on the following SIDs:
25503
25504
25471

The VRT would also like to thank Tavis Ormandy for his work in finding a potential security issue with rule 3:20275.

From our assessment, the potential impact looks like a DoS; however, we've been unable to cause this in our testing. We've rolled the subscriber sets to registered so everyone can download the updates. Additionally, the rule is not enabled in default policies, so the exposure is limited.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, dns, dos, exploit-kit, file-flash, file-identify, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, misc, netbios, os-windows, policy-social and web-client rule sets to provide coverage for emerging threats from these technologies. 


Tuesday, January 15, 2013

Sourcefire VRT Certified Snort Rules Update for 01/15/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/15/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 59 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-ie, browser-plugins, deleted, dns, dos, exploit-kit, file-executable, file-identify, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-cnc, os-windows, policy-other, server-other and sql rule sets to provide coverage for emerging threats from these technologies.



Monday, January 14, 2013

Sourcefire VRT Certified Snort Rules Update for 01/14/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/14/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 30 new rules and made modifications to 16 additional rules.

There were changes made to the snort.conf in this release.
Port 8085 was added to HTTP_PORTS, http_inspect, and stream5. Please make sure you are using the most updated snort.conf by downloading it here: http://www.snort.org/vrt/snort-conf-configurations/

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, dos, exploit-kit, file-identify, file-multimedia, file-office, file-other, os-windows, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Thursday, January 10, 2013

Sourcefire VRT Certified Snort Rules Update for 01/10/2013, Ruby, Java 0day

Just released: Sourcefire VRT Certified Snort Rules Update for 01/10/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 12 additional rules.

This update contains rules that detect the newest public exploits for the Ruby on Rails XML/YAML vulnerability as well as the new Oracle Java 1.7 0day circulated this morning.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his contributions in the following rules:
25277
The VRT would also like to thank Christopher Granger for his contribution of rule 25279 and for information that led to the generation of the rest of the Htran rules.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-plugins, exploit-kit, file-flash, file-identify, file-multimedia, file-office, file-other, malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Tuesday, January 8, 2013

Sourcefire VRT Certified Snort Rules Update for 01/08/2013, MSTUES

Just released: Sourcefire VRT Certified Snort Rules Update for 01/08/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 20 new rules and made modifications to 4 additional rules.

There was one change made to the snort.conf in this release. Port 7000 was added to http_inspect, stream5, and the HTTP_PORTS variable for reassembly.
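An added example (not part of the VRT release or the shipped snort.conf): a Python check that a port appears in all three places this change touches, the HTTP_PORTS variable, http_inspect and stream5, covering port 7000 from this release and port 8085 from the 01/14/2013 release. The configuration fragment is constructed with shortened port lists, and the function names are hypothetical.

```python
import re

# Constructed snort.conf fragment (not the shipped file); port lists shortened.
# stream5 deliberately lacks 8085 to show a partially applied update.
SAMPLE_CONF = r"""
portvar HTTP_PORTS [80,81,311,7000,8080,8085]
preprocessor stream5_tcp: policy windows, detect_anomalies, \
    ports client 21 22 23 25, \
    ports both 80 81 311 7000 8080
preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT } \
    ports { 80 81 311 7000 8080 8085 } \
    server_flow_depth 0
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    joined = re.sub(r"\\\s*\n", " ", text)
    lines = (l.strip() for l in joined.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def http_port_sets(conf_text):
    """Collect the ports configured in each of the three locations."""
    sets = {"HTTP_PORTS": set(), "http_inspect": set(), "stream5": set()}
    for line in logical_lines(conf_text):
        m = re.match(r"(?:portvar|var)\s+HTTP_PORTS\s+\[?([\d,\s]+)\]?", line)
        if m:
            sets["HTTP_PORTS"] |= {int(p) for p in re.findall(r"\d+", m.group(1))}
        elif line.startswith("preprocessor http_inspect_server"):
            for body in re.findall(r"\bports\s*\{([^}]*)\}", line):
                sets["http_inspect"] |= {int(p) for p in body.split()}
        elif line.startswith("preprocessor stream5_tcp"):
            pattern = r"\bports\s+(?:client|server|both)\s+([\d\s]+)"
            for body in re.findall(pattern, line):
                sets["stream5"] |= {int(p) for p in body.split()}
    return sets

def missing_ports(conf_text, required=(7000, 8085)):
    """Return {location: [ports absent there]} for locations missing any port."""
    result = {}
    for name, ports in http_port_sets(conf_text).items():
        absent = sorted(set(required) - ports)
        if absent:
            result[name] = absent
    return result

if __name__ == "__main__":
    print(missing_ports(SAMPLE_CONF))
```

A port present in HTTP_PORTS but absent from stream5 or http_inspect means rules that reference the variable will be evaluated on that port without the reassembly or HTTP normalization they expect.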

The VRT would like to thank Avery Tarasov for his contributions in the following rules:
25257
25258
25259
25269
25271

and James Lay for his contributions in the following rules:
25260
25261
25262

In VRT's rule release:
Microsoft Security Bulletin MS13-002: 
Microsoft XML Core Services (MSXML) contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 25270 and 25275. 
Microsoft Security Bulletin MS13-003: 
Microsoft System Center contains programming errors that may allow a remote attacker to inject code into web pages or execute attacker-controlled JavaScript in a victim web browser via a cross-site scripting attack. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 25272 and 25273. 
Additionally, the Sourcefire VRT has added and modified multiple rules in the blacklist, file-other, indicator-compromise, malware-cnc, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Saturday, January 5, 2013

Snort 2.9.3.0 is now EOL

Snort 2.9.3.0 is now EOL for rule support.

As I let you all know back in late November, here in this blog post, Snort 2.9.3.0 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine. Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.4.0.

The next version to go EOL is Snort 2.9.2.3, whose EOL date is set for the 28th of February.

Time to upgrade!  Thanks all!

Thursday, January 3, 2013

Sourcefire VRT Certified Snort Rules Update for 01/03/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 01/03/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 122 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on the following SIDs:
25256
25224

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-chrome, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-identify, file-multimedia, file-other, indicator-obfuscation, malware-cnc, policy-other, server-iis, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

