Tuesday, April 30, 2013

Sourcefire VRT Certified Snort Rules Update for 04/30/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 04/30/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 84 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-identify, file-other, file-pdf, malware-cnc and tftp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, April 29, 2013

Sourcefire VRT Certified Snort Rules Update for 04/25/2013

Sourcefire VRT Certified Snort Rules Update for 04/25/2013


We welcome the introduction of the newest rule release from the VRT. In this release we introduced 26 new rules and made modifications to 12 additional rules.

There were changes made to the snort.conf in this release.

The following ports were added to the HTTP_PORTS, stream5 "both" attribute, and http_inspect's "ports" attribute line:

82
83
84
85
86
87
88
89
3057
6080

The lines now look like this (for easy copy and paste):

HTTP_PORTS:
portvar HTTP_PORTS [80,81,82,83,84,85,86,87,88,89,311,383,591,593,631,901,1220,1414,1741,1830,2301,2381,2809,3037,3057,3128,3702,4343,4848,5250,6080,6988,7000,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8085,8088,8090,8118,8123,8180,8181,8222,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555] 

Stream5:
ports both 80 81 82 83 84 85 86 87 88 89 110 311 383 443 465 563 591 593 631 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7907 7000 7001 7144 7145 7510 7802 7777 7779 \ 7801 7900 7901 7902 7903 7904 7905 7906 7908 7909 7910 7911 7912 7913 7914 7915 7916 \ 7917 7918 7919 7920 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 

http_inspect:
ports { 80 81 82 83 84 85 86 87 88 89 311 383 591 593 631 901 1220 1414 1741 1830 2301 2381 2809 3037 3057 3128 3702 4343 4848 5250 6080 6988 7000 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8085 8088 8090 8118 8123 8180 8181 8222 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 }

And as indicated here: http://blog.snort.org/2013/04/master-snortconf-configurations-have.html, the snort.conf configurations that we distribute have been updated.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-other, browser-plugins, exploit-kit, file-flash, file-identify, file-multimedia, file-other, file-pdf, malware-cnc, scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 24, 2013

Master Snort.conf configurations have been updated!

I've went ahead and updated our master snort.conf examples from the VRT on the Snort.conf configuration page:

http://www.snort.org/vrt/snort-conf-configurations/

By the way -- In case you want to find that page in the future, just remember to Google "Snort.conf configurations"  It's the first result.

VRT End-of-Life dates have been updated

As always when a new version of Snort comes out, I update the EOL date versions found here:

http://www.snort.org/vrt/rules/eol_policy

So, take a look there and see if you are affected, and if so, be sure and stay current and update Snort!  http://www.snort.org/snort-downloads

Snort 2.9.4.6 has been released!

Snort 2.9.4.6 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

Snort 2.9.4.6 includes changes for the following:

[*] Improvements

* Improved support for DAQ verdicts of whitelist and blacklist for 6in4 and 4in6 encapsulated traffic (similar to Teredo & GTP). See the Snort manual for configuration details.

* Avoid changing the length of IP options in frag3 when receiving duplicate 0-offset fragments that have IP options.

See the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

Tuesday, April 23, 2013

Sourcefire VRT Certified Snort Rules Update for 04/23/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 04/23/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 21 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank rmkml for their contribution in the development of rule(s):
26468
26469

The VRT would like to thank Avery Tarasov for their contribution in the development of rule(s):
26470
26480
26481
26482

The VRT would like to thank James Lay for their contribution in the development of rule(s):
26467
26483

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-plugins, dns, file-executable, file-multimedia, file-other, indicator-compromise, malware-cnc, malware-other, os-other, protocol-ftp, pua-p2p, server-oracle, server-other and telnet rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, April 18, 2013

Sourcefire VRT Certified Snort Rules Update for 04/18/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 04/18/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 36 new rules and made modifications to 237 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, dns, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, indicator-obfuscation, malware-cnc, os-linux, os-other, os-windows, protocol-voip, pua-other, server-mail, server-mssql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort Startup Scripts for various OSes have been updated!

Many thanks to one of our very dedicated Snort Community members, William Parker.  In his guides (also posted on the documentation page of Snort.org) he has embedded some Snort Startup scripts.

Because some people are having problems with copy and pasting out of the PDF documentation, so Mr. Parker put these startup scripts in their own files and sent them to me.  I created a special section on Snort.org/docs just for startup scripts, and they are all there!

Many thanks to Mr. Parker for updating his scripts based on user feedback, and the new ones are now up.

Tuesday, April 16, 2013

Sourcefire VRT Certified Snort Rules Update for 04/16/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 04/16/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 37 new rules and made modifications to 315 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for their contribution in the development of rule(s):
26398

The VRT would like to thank Yaser Mansour for their contribution in the development of rule(s):
26395
26396
26399
26400
26401
26402
26403
26404
26405
26406
26407
26408
26409
26411
26412
26413


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-other, browser-plugins, dos, exploit, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other, netbios, nntp, os-windows, policy-other, policy-social, protocol-ftp, protocol-imap, protocol-voip, scada, server-iis, server-other and web-misc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, April 15, 2013

Integrating Snort and AlienVault OSSIM

Just added to the Docs section on Snort.org, another wonderful document by William Parker, a document that will help you integrate Snort-2.9.4.x and AlienVault's OSSIM tool.

I've listed it under the "Snort Deployment Guides" section on http://www.snort.org/docs.

Thanks William!

Thursday, April 11, 2013

Sourcefire VRT Certified Snort Rules Update for 04/11/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 04/11/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 820 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contributions in the creation of the following rules:
26380
26381
26382


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, dns, dos, exploit-kit, file-executable, file-identify, file-multimedia, file-office, file-other, file-pdf, malware-backdoor, malware-cnc, malware-other, netbios, os-windows, policy-other, protocol-ftp, protocol-pop, protocol-voip, rpc, scada, server-apache, server-iis, server-mssql, server-mysql, server-other, server-webapp and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 10, 2013

Sourcefire VRT Certified Snort Rules Update for 04/09/2013, MSTUES

Sourcefire VRT Certified Snort Rules Update for 04/09/2013

(Sorry for the late post, this was released yesterday!

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 26 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his contribution of rules:
26335
26370
26371

In VRT's rule release:
Details: Microsoft Security Bulletin MS13-029: 
Microsoft Remote Desktop Client contains programming errors that may allow a remote attacker to execute code on a vulnerable system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 26355 through 26365. 
Microsoft Security Bulletin MS13-032: A vulnerability in Microsoft Active Directory could lead to a denial of service. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SID 26354. 
Additionally, the Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-ie, browser-plugins, dos, exploit-kit, file-other, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, netbios, os-windows, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Barnyard2 2-1.13-BETA is now available!

We are happy to announce the Availability of Barnyard2 2-1.13-BETA which can be downloaded from HERE: https://github.com/firnsy/barnyard2.git

This release is a bug fix release that also introduce a few new features and enhancements


=====================
UPGRADING REQUIREMENT
=====================
----------------------
If you are upgrading to barnyard2 2-1.13 Build 325 or above from a previous version  that is not 2-1.13 and using the output database.

***** We highly recommend ******
To delete every row in your sig_reference table. (DELETE FROM sig_reference;) The table will be re-populated at  process startup, and has no impact on historical data.
----------------------
=====================
UPGRADING REQUIREMENT
=====================





Feature request:
----------------
Phil Daws:        Add interface and hostname field to spo_alert_csv if specified.

Jorge Pinto:      spo_syslog_full support for ASCII,BASE64 payload

Jason Brvenik:  variables .....(a long time ago, sorry :P)

Martin Olsson:  Remove some useless verbosity unless ./configure --enable-debug is specified and proper flag are used (spo_database and sid-msg.mapv2)

*And all other barnyard2 users who help and contribute.

Bug report:
-----------
Martin Olsson:              - bug in sig_reference generation and good discussions.

John Eure and others   - autogen.sh could cause some issue on some system so [autoreconf -fv --install] is not set to autoreconf -fvi

John Naggets               - spo_database: could stop barnyard2 from processing new event if some packets with ip option where processed and option_len  was null.

Fäbu Hufi                     - spo_syslog_full: in complete mode was printing wrong ip version information and ip header length.

*And all other barnyard2 users who help and contribute.


New feature:
------------


Support for sid-msg.map Version 2 format.
-------
A new sig-msg.map format can be generated by pulledpok (upcoming release, already in svn). Detection of sid-msg.map version is done by a simple header in the  file that shouldn't be altered if you want it to be processed correctly.

sig-msg.map version 2 format extend the information already present in the sid-msg.map file created from rules.

This new format version allow signature  pre-population if users are using output database method with  barnyard2 2-1.13 and above.
______________________
sid-msg.map v1 format:
______________________
SID || MSG || REF 1 || REF N
sid := integer
msg := string
ref := string
______________________
sid-msg.map v2 format:
______________________
GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N
gid := integer
sid := integer
rev := integer
classification := string (if NULL set to NOCLASS)
priority := integer (if prio == 0, classification priority is used)
msg := string
ref := string
=====================
generator (GID, gen-msg.map) are defaulted to the following value if their information is not overruled in sid-msg.map v2 file via processing of preprocessor.rules:
revision 1
classification 0
priority 3
If generator message is present in the sid-msg.map v2 file, and gen-msg.map message are longer (more comprehensive by string length), gen-msg.map messages are used instead of sid-msg.map v2 file generator messages.
=====================
 -------


Signature/event logging suppression at spooler level
-------
Read doc/README.sig_suppression
configuration file Variables:
-------

Barnyard2 configuration Variables
 -------
You can now use [var VARNAME value] in the barnyard2 configuration file and every instance of $VARNAME will get replaced by value.
Note that variable declaration order is important only you include a variable in a variable.
EX (is VALID):
 var INTERFACE ethX
 var PATH /var/log/IDS
 var LOG $PATH/$INTERFACE/log
 var ARCHIVE $PATH/$INTERFACE/archive
 EX (is INVALID):
 var LOG $PATH/$INTERFACE/log
 var ARCHIVE $PATH/$INTERFACE/archive
 var INTERFACE ethX
 var PATH /var/log/IDS
 -------

new output database configuration keyword
-------

Keywords connection_limit and reconnect_sleep_time where added in 2-1.10 but where "undocumented" and shouldn't be modified unless you encounter connectivity issue.

connection_limit <integer>: default 10  - The maximum number of time that barnyard2 will
tolerate a transaction failure and or database connection failure.

reconnect_sleep_time <integer> : default 5 - The number of seconds to sleep between connection retry.

disable_signature_reference_table - Tell the output plugin not to synchronize the sig_reference table in the schema. This option will speedup the process, especially if you use sid-msg.mapv2 file or  have a lot of signature already in databases. (Make sure that you
do not need that information before enabling this)
 -------


Enjoy and do not hesitate to send feedback/suggestion/feature request.

The barnyard2 team.

Monday, April 8, 2013

2013 Snort Scholarship is now open!

Annually, Sourcefire provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes.

To be eligible, you must meet the legal criteria found here on our website, sign up for the scholarship here, and following that, on or about May 17, 2013, two winners will be selected.

For further information, please see the links above, also found linked here.

Friday, April 5, 2013

Snort 2.9.4.5 install docs have been updated!

Thanks to William Parker, again, working tirelessly until his documentation is updated, I just posted all the 2.9.4.5 install docs that he makes, now available at the only official Snort Documentation site.

There are docs for the following Operating Systems:


  • CentOs 6.x
  • NetBSD 6.0
  • NetBSD 5.1.x
  • Fedora 17
  • Fedora 18
  • OpenSuSE 14
  • OpenSuSe 12
  • FreeBSD 8.2
  • FreeBSD 9.0
  • OpenBSD 5.1

Did you know there was a Snort IRC channel?

Ran into someone today online that was not aware that Snort had an IRC channel.

So, for those of you that use IRC and would like to participate with us, #snort on irc.freenode.net is where we can be found!


Wednesday, April 3, 2013

Sourcefire VRT Certified Snort Rules Update for 04/03/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 04/03/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 14 new rules and made modifications to 37 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his contributions for the following rules:
26319
26325
26327


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, dns, dos, exploit-kit, file-image, file-office, imap, malware-backdoor, malware-cnc, multimedia, netbios, server-mysql, server-webapp, smtp and web-misc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort EOL for VRT Subscriber rules have been updated


A chart for the End-of-life for Snort rule versions is posted on our EOL Policy page:  http://www.snort.org/vrt/rules/eol_policy.  As always, it has been updated to include our latest release numbers.  Please note that 2.9.4.0 is now slated for EOL on June 2nd, 2013.

Please note that "TBD" in the chart stands for "To Be Determined".

Snort 2.9.4.5 is now available

Snort 2.9.4.5 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

******
Please Note:
We understand that there may be some confusion by moving from 2.9.4.1
to 2.9.4.5, and we apologize for that. We are aligning our internal
build numbers with our open source build versions to make versioning
and distribution easier on the backend. This will help us in ensuring
that the correct versions of rules are available for the supported
versions of Snort.
******

Snort 2.9.4.5 includes changes for the following:

[*] Improvements

* Removed proxy information from HTTP URI searching so that the URI
matches are just on the actual URI so that offsets work as expected.

Thanks to L0rd Ch0de1m0rt for reporting the issue.


* Addressed an issue when logging of packet data via unified2 when
alerting on a packet with multiple HTTP PDUs.

* Continue to search for patterns within the HTTP URI until the end of
the URI.

See the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

Tuesday, April 2, 2013

Sourcefire VRT Certified Snort Rules Update for 04/02/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 04/02/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 0 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has modified multiple shared object rules in the imap, multimedia, netbios, smtp, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!