Thursday, May 30, 2013

Sourcefire VRT Certified Snort Rules Update for 05/30/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/30/2013


The VRT has released today's rule update. This release modifies 16 rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has modified multiple rules in the browser-webkit, file-identify, file-pdf, indicator-compromise, malware-cnc and protocol-ftp rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rules as they are released, subscribe at http://www.snort.org/store: personal subscriptions start at $29 US a year, and business pricing is listed there as well. Staying up to date is the best way to catch emerging threats.

Tuesday, May 28, 2013

Sourcefire VRT Certified Snort Rules Update for 05/28/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/28/2013


The VRT has released today's rule update. This release adds 51 new rules and modifies 31 existing rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions:

Avery Tarasov
26722
26723
26752
26762


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, dos, file-executable, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Thursday, May 23, 2013

Sourcefire VRT Certified Snort Rules Update for 05/23/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/23/2013


The VRT has released today's rule update. This release adds 12 new rules and modifies 19 existing rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions:

Avery Tarasov
26718
26722
26723

James Lay
26719
26720


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, exploit-kit, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Tuesday, May 21, 2013

Sourcefire VRT Certified Snort Rules Update for 05/21/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/21/2013

The VRT has released today's rule update. This release adds 57 new rules and modifies 68 existing rules.

Port 10000 was added to the snort.conf for http_inspect, stream5, and HTTP_PORTS. The example VRT snort.conf files have been updated: http://www.snort.org/vrt/snort-conf-configurations. If you maintain your own snort.conf, add the port in all three places; rules on $HTTP_PORTS only work as intended when stream5 and http_inspect are configured for the same port.

The VRT would like to thank the following individuals for their contributions:

Avery Tarasov
26654
26657
26660
26696
26697

James Lay
26655
26656
26658
26659
26698

Paul Bottomley
26695


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-pdf, malware-backdoor, malware-cnc, malware-other, os-windows, protocol-ftp, pua-adware and web-client rule sets to provide coverage for emerging threats from these technologies.


Thursday, May 16, 2013

Sourcefire VRT Certified Snort Rules Update for 05/16/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/16/2013


The VRT has released today's rule update. This release adds 11 new rules and modifies 24 existing rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, malware-other, os-windows, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Tuesday, May 14, 2013

Sourcefire VRT Certified Snort Rules Update for 05/14/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/14/2013

The VRT has released today's rule update. This release adds 25 new rules and modifies 24 existing rules.

Port 8500 was added to the snort.conf for http_inspect, stream5, and HTTP_PORTS. The example VRT snort.conf files have been updated: http://www.snort.org/vrt/snort-conf-configurations/. If you maintain your own snort.conf, add the port in all three places; rules on $HTTP_PORTS only work as intended when stream5 and http_inspect are configured for the same port.
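The 05/14 and 05/21 updates each add a port (8500, 10000) to HTTP_PORTS, stream5 and http_inspect at the same time. The following added example (not VRT or Snort code) is a small Python check for a locally maintained snort.conf that reports any HTTP_PORTS entry missing from the stream5_tcp ports lists or from the http_inspect_server ports block. The snort.conf fragment is constructed and abridged; 8500 is deliberately left out of stream5_tcp so the check has something to find.

```python
"""Check that every port in HTTP_PORTS is also listed for stream5_tcp and
http_inspect_server.  Added example; not VRT or Snort code."""
import re

# Constructed, abridged snort.conf fragment: 8500 was added to HTTP_PORTS and
# http_inspect but forgotten in stream5_tcp (the mistake this check catches).
SNORT_CONF = r"""
portvar HTTP_PORTS [80,81,311,591,593,901,1220,8000,8008,8080,8180,8181,8500]
portvar SHELLCODE_PORTS !80

preprocessor stream5_global: track_tcp yes, track_udp yes
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, timeout 180, \
    ports client 21 22 23 25 42 53 110 111 135 139 143 445 1433 1521, \
    ports both 80 81 311 443 465 563 591 593 636 901 993 995 1220 \
        8000 8008 8080 8180 8181

preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK } \
    chunk_length 500000 \
    server_flow_depth 0 \
    client_flow_depth 0 \
    ports { 80 81 311 591 593 901 1220 8000 8008 8080 8180 8181 8500 } \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 }
"""


def _logical_lines(text):
    """Join snort.conf backslash continuations into single logical lines."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            joined.append(buf.strip())
        buf = ""
    if buf.strip():
        joined.append(buf.strip())
    return joined


def _ports_from_tokens(tokens):
    """Turn tokens like '80' or '8000:8010' into a set of ints; skip non-ports."""
    ports = set()
    for tok in tokens:
        if re.fullmatch(r"\d+", tok):
            ports.add(int(tok))
        elif re.fullmatch(r"\d+:\d+", tok):
            lo, hi = map(int, tok.split(":"))
            ports.update(range(lo, hi + 1))
    return ports


def parse_http_ports(conf):
    """Ports in the HTTP_PORTS portvar: comma-separated inside [ ]."""
    for line in _logical_lines(conf):
        m = re.match(r"portvar\s+HTTP_PORTS\s+\[?([^\]]*)\]?$", line)
        if m:
            return _ports_from_tokens(t.strip() for t in m.group(1).split(","))
    return set()


def parse_stream5_ports(conf):
    """Ports stream5_tcp reassembles: every 'ports client|server|both ...' list."""
    ports = set()
    for line in _logical_lines(conf):
        if line.startswith("preprocessor stream5_tcp:"):
            for m in re.finditer(r"\bports\s+(client|server|both)\s+([\d\s:]+)", line):
                ports |= _ports_from_tokens(m.group(2).split())
    return ports


def parse_http_inspect_ports(conf):
    """Ports in http_inspect_server ... ports { 80 81 ... }."""
    ports = set()
    for line in _logical_lines(conf):
        if line.startswith("preprocessor http_inspect_server:"):
            for m in re.finditer(r"\bports\s*\{([^}]*)\}", line):
                ports |= _ports_from_tokens(m.group(1).split())
    return ports


def find_inconsistencies(conf):
    """HTTP_PORTS entries that stream5_tcp or http_inspect_server do not list."""
    http = parse_http_ports(conf)
    return {
        "missing_from_stream5": sorted(http - parse_stream5_ports(conf)),
        "missing_from_http_inspect": sorted(http - parse_http_inspect_ports(conf)),
    }


if __name__ == "__main__":
    for key, ports in find_inconsistencies(SNORT_CONF).items():
        print(f"{key}: {ports or 'none'}")
```

A port present in only one or two of the three places fails silently rather than with an error: http_inspect only normalizes traffic on ports it is configured for, rules written against the http_* buffers only match on normalized traffic, and http_inspect only sees a complete request if stream5 reassembles that port. Running this check after editing snort.conf turns that silent miss into a visible report.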

The VRT would like to thank the following contributors for their addition(s):

Nathan Fowler
26618

In VRT's rule release:
Microsoft Security Bulletin MS13-037:
Internet Explorer suffers from programming errors that may lead to information disclosure or remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 26624, 26625, 26629 through 26631, 26633 through 26638, 26641, and 26642.

Microsoft Security Bulletin MS13-038:
Internet Explorer suffers from a programming error that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 26569, 26570, 26571, and 26572.

Microsoft Security Bulletin MS13-039:
A programming error exists in the Windows Server 2012 HTTP subsystem that may allow a remote attacker to cause a permanent denial of service (DoS) against an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 26632.

Microsoft Security Bulletin MS13-040:
The .NET Framework suffers from a programming error that may allow an attacker to bypass XML authentication.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 26639 and 26640.

Microsoft Security Bulletin MS13-044:
Microsoft Visio suffers from a programming error that may expose affected systems to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 26626 through 26628.

Microsoft Security Bulletin MS13-045:
Microsoft Windows Live Essentials contains programming errors that may expose affected systems to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 26622 and 26623.

Additionally, the Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, exploit-kit, file-office, file-other, indicator-obfuscation, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Barnyard2 v2-1.13 has been released!

We are happy to announce the latest STABLE release, v2-1.13, which was tagged a few hours ago (https://github.com/firnsy/barnyard2/tags).

This is a bug-fix release that also introduces a few new features and enhancements.


UPGRADE REQUIREMENTS

If you are upgrading to barnyard2 2-1.13 (build 327) or above from a previous version and are using the database output plugin, you will need to delete every row in your sig_reference table (DELETE FROM sig_reference;).

The table will be re-populated at startup; this has no impact on historical data.


FEATURE REQUESTS
Phil Daws - add interface and hostname fields to spo_alert_csv if specified.
Jorge Pinto - spo_syslog_full support for ASCII and BASE64 payload.
Jason Brvenik - variables ... (a long time ago, sorry :P)
Martin Olsson - remove some useless verbosity unless ./configure --enable-debug is specified and the proper flags are used (spo_database and sid-msg.map v2).
All other barnyard2 users who help and contribute.

BUG REPORTS
Martin Olsson - bug in sig_reference generation and good discussions. Rewrote the code et al.
John Eure and others - autogen.sh could cause issues on some systems, so [autoreconf -fv --install] is not set to autoreconf -fvi.
John Naggets - spo_database: could stop barnyard2 from processing new events if packets with IP options were processed and option_len was null.
Fäbu Hufi - spo_syslog_full: in complete mode was printing the wrong IP version information and IP header length.
Jeremy Hoel - identified an issue with suppression ranges in 2-1.13-BETA (fixed in release).
Bill Green - identified an issue with signature insertion, mainly for preprocessors, in 2-1.13-BETA (fixed in release).
All other barnyard2 users who help and contribute.

NEW FEATURES
1. Support for the sid-msg.map version 2 format.

A new sid-msg.map format can be generated by pulledpork (upcoming release, already in svn).

Detection of the sid-msg.map version is done by a simple header in the file that shouldn't be altered if you want it to be processed correctly.

The sid-msg.map version 2 format extends the information already present in the sid-msg.map file created from rules.

This new format version allows signature pre-population if users are using the database output method with barnyard2 2-1.13 and above.


sid-msg.map v1 format:

SID || MSG || REF 1 || REF N

sid := integer
msg := string
ref := string

sid-msg.map v2 format:

GID || SID || REV || CLASSIFICATION || PRIORITY || MSG || REF 1 || REF N

gid := integer
sid := integer
rev := integer
classification := string (if NULL set to NOCLASS)
priority := integer (if prio == 0, classification priority is used)
msg := string
ref := string

=====================
Generators (GID, gen-msg.map) are defaulted to the following values
if their information is not overruled in the sid-msg.map v2 file via processing of preprocessor.rules:

revision 1
classification 0
priority 3

If a generator message is present in the sid-msg.map v2 file and the gen-msg.map message is longer
(more comprehensive by string length),
the gen-msg.map message is used instead of the sid-msg.map v2 file generator message.
=====================


2. Signature/event logging suppression at spooler level.

Read doc/README.sig_suppression


3. Configuration file variables.

You can now use [var VARNAME value] in the barnyard2 configuration file, and every instance of $VARNAME will be replaced by value.

Note that variable declaration order matters only if you use a variable within another variable.

EX (is VALID):
var INTERFACE ethX
var PATH /var/log/IDS
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive

EX (is INVALID):
var LOG $PATH/$INTERFACE/log
var ARCHIVE $PATH/$INTERFACE/archive
var INTERFACE ethX
var PATH /var/log/IDS


4. New output database configuration keywords.

Keywords connection_limit and reconnect_sleep_time were added in 2-1.10 but were "undocumented"; they shouldn't be modified unless you encounter an issue.

connection_limit : default 10
The maximum number of times that barnyard2 will tolerate a transaction failure and/or database connection failure.

reconnect_sleep_time : default 5
The number of seconds to sleep between connection retries.

disable_signature_reference_table
Tells the output plugin not to synchronize the sig_reference table in the schema.

Note: This option will speed up the process, especially if you use a sid-msg.map v2 file or already have a lot of signatures in the database. (Make sure that you do not need that information before enabling this.)


So we hope you enjoy the new release. As a side note, the RELEASE.NOTES file has not been updated and will be removed in the next version. It's honestly the most laborious part of release time ;)

Regards,

The barnyard2 team.
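The two sid-msg.map layouts and the gen-msg.map precedence rule in the release notes above, as an added example in Python that is not barnyard2's or pulledpork's code. It assumes a "#v2" first line is the version header (the notes only say "a simple header"; pulledpork writes this marker), treats v1 rows as GID 1 with revision 1, represents "classification 0" as the string NOCLASS, and uses a constructed classification table and constructed map entries in the local SID range so they match no real rule.

```python
"""Parse a barnyard2 sid-msg.map in either layout and merge gen-msg.map entries
the way the 2-1.13 release notes describe.  Added example, not barnyard2 code."""
from dataclasses import dataclass, field

# Assumption: a v2 file starts with a "#v2" line (the "simple header" the
# notes refer to; pulledpork writes this marker).  Anything else is v1.
V2_HEADER = "#v2"

# Constructed classification.config subset: name -> (description, priority).
CLASSIFICATIONS = {
    "attempted-admin": ("Attempted Administrator Privilege Gain", 1),
    "misc-activity": ("Misc activity", 3),
}

# Constructed map files.  SIDs are in the local range so they match no real rule.
SID_MSG_V1 = """\
1000001 || LOCAL constructed rule one || cve,2013-0001 || url,example.org/one
1000002 || LOCAL constructed rule two
"""

SID_MSG_V2 = """\
#v2
1 || 1000001 || 3 || attempted-admin || 0 || LOCAL constructed rule one || cve,2013-0001 || url,example.org/one
1 || 1000002 || 1 ||  || 2 || LOCAL constructed rule two
119 || 4 || 1 ||  || 0 || (http_inspect) short
"""

GEN_MSG_MAP = """\
119 || 4 || (http_inspect) constructed longer generator message
119 || 5 || (http_inspect) constructed message only in gen-msg.map
"""


@dataclass
class Signature:
    gid: int
    sid: int
    rev: int
    classification: str
    priority: int
    msg: str
    refs: list = field(default_factory=list)


def _fields(line):
    return [f.strip() for f in line.split("||")]


def parse_sid_msg_map(text):
    """Return {(gid, sid): Signature}; detects v1 vs v2 from the header line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    is_v2 = bool(lines) and lines[0].strip() == V2_HEADER
    sigs = {}
    for line in lines:
        if line.startswith("#"):
            continue
        f = _fields(line)
        if is_v2:
            gid, sid, rev = int(f[0]), int(f[1]), int(f[2])
            cls = f[3] or "NOCLASS"          # NULL classification -> NOCLASS
            prio = int(f[4])
            msg, refs = f[5], f[6:]
        else:
            # v1 has no gid/rev/class/priority; text rules are GID 1 (assumption).
            gid, sid, rev = 1, int(f[0]), 1
            cls, prio = "NOCLASS", 0
            msg, refs = f[1], f[2:]
        if prio == 0 and cls in CLASSIFICATIONS:  # prio 0 -> classification priority
            prio = CLASSIFICATIONS[cls][1]
        sigs[(gid, sid)] = Signature(gid, sid, rev, cls, prio, msg, refs)
    return sigs


def merge_gen_msg_map(sigs, gen_text):
    """Generators absent from the v2 file get rev 1 / NOCLASS / priority 3;
    when both files carry a message, gen-msg.map replaces it only if longer."""
    for line in gen_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        gid, sid, msg = _fields(line)[:3]
        key = (int(gid), int(sid))
        if key in sigs:
            if len(msg) > len(sigs[key].msg):
                sigs[key].msg = msg
        else:
            sigs[key] = Signature(key[0], key[1], 1, "NOCLASS", 3, msg)
    return sigs


if __name__ == "__main__":
    table = merge_gen_msg_map(parse_sid_msg_map(SID_MSG_V2), GEN_MSG_MAP)
    for key in sorted(table):
        s = table[key]
        print(f"{s.gid}:{s.sid}:{s.rev} prio={s.priority} {s.classification} {s.msg}")
```

The v1 rows carry no classification or priority at all, which is exactly why the v2 format exists: with v2, the database output plugin can populate the signature table before the first event arrives instead of learning classifications from unified2 records as they are seen.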

Thursday, May 9, 2013

Sourcefire VRT Certified Snort Rules Update for 05/09/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/09/2013


The VRT has released today's rule update. This release adds 34 new rules and modifies 61 existing rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following people for their listed rule(s):

Avery Tarasov
26589
26612
26613
26614

James Lay
26585


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, browser-webkit, dos, exploit-kit, file-executable, file-office, file-other, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, os-windows, protocol-ftp, protocol-services, protocol-voip, server-mail, server-oracle, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


Tuesday, May 7, 2013

Reminder: Google Reader is ending its life on July 1, here's an alternative

As many of you may know, Google is EOLing Google Reader effective July 1.

Since several thousand of you are subscribed to this blog via Google Reader, I thought I'd let you know about another option that we offer, which many of you already take advantage of: subscribing via email.

If you go to http://blog.snort.org and look at the sidebar on the right, you'll see "Subscribe to the Snort.org blog via email". This lets you keep getting updates from the Snort.org blog, but instead of having to go to a third program to read the feed, each post is delivered directly to your inbox shortly after I click "Publish".

Hundreds of people already do this for the Snort blog, so it seems to work quite well. Give it a shot!

Google Reader's EOL announcement: http://googlereader.blogspot.com/2013/03/powering-down-google-reader.html

Sourcefire VRT Certified Snort Rules Update for 05/07/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/07/2013


The VRT has released today's rule update. This release adds 11 new rules and modifies 5 existing rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following people for their listed rule(s):

Avery Tarasov:
26580
26581
26582
26583

Eddie Mitchell:
26578
26579

Nathan Fowler:
26576
26577


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-plugins, dos, indicator-compromise and netbios rule sets to provide coverage for emerging threats from these technologies.


Saturday, May 4, 2013

Sourcefire VRT Certified Snort Rules Update for 05/04/2013, IE 0day

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/04/2013, including coverage for the new IE 0day

The VRT has released today's rule update. This release adds 11 new rules and modifies 46 existing rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following people for their listed rule(s):

Avery Tarasov
26562
26563

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-multimedia, file-pdf, indicator-obfuscation and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Thursday, May 2, 2013

Sourcefire VRT Certified Snort Rules Update for 05/02/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 05/02/2013

The VRT has released today's rule update. This release adds 36 new rules and modifies 41 existing rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions to the listed rules:

Avery Tarasov:
26533
26560
26561

James Lay:
26522

Yaser Mansour:
26553
26554
26555
26556

Eddie Mitchell:
26526

Dell SecureWorks:
26558

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-identify, file-other, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, os-other, policy-other, protocol-ftp, pua-adware, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

