Tuesday, July 30, 2013

Sourcefire VRT Certified Snort Rules Update for 07/30/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/30/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 246 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-image, file-office, malware-cnc, os-windows and sql rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Snort 2.9.5.3 is now available!

Snort 2.9.5.3 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.

2013-07-30 - Snort 2.9.5.3

[*] Improvements

* Performance improvements to eliminate some unnecessary work, reduction
  of sizes of data structures, and cleanup of processing for HTTP
  normalized buffers.

* Cap the number of expected connections (eg FTP data channel) to
  prevent memory growth

* Address issue with reloading reputation lookup tables when more
  addresses are added.

* Address issue with potential hang during shutdown of control socket
  config reload processing thread.

See the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

Friday, July 26, 2013

Martin Roesch on Snort’s history and the Sourcefire Acquisition

Dennis Fisher talks with Martin Roesch, the author of the Snort IDS and founder of Sourcefire, about the evolution of Snort from a side project to an open-source security powerhouse to the technological basis for a hugely successful company.

http://threatpost.com/martin-roesch-on-snorts-history-and-the-sourcefire-acquisition/101510

A great podcast with some history and where we are headed.

Thursday, July 25, 2013

Sourcefire VRT Certified Snort Rules Update for 07/25/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/25/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 27 new rules and made modifications to 503 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-chrome, browser-firefox, browser-other, browser-plugins, exploit-kit, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, indicator-obfuscation, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, netbios, os-solaris, protocol-ftp, protocol-imap, protocol-pop, protocol-rpc, protocol-scada, protocol-tftp, protocol-voip, pua-other, server-apache, server-iis, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Wednesday, July 24, 2013

Snort 2.9.4.5 is now EOL for rule support, and news about 2.9.3.1

Snort 2.9.4.5 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine.  Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.5.0.

Also, as a heads up for those of you on 2.9.3.1, it will EOL on September 30th.


Thanks all!

Sourcefire VRT Certified Snort Rules Update for 07/24/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/24/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 48 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Paul Bottomley: 27246

Avery Tarasov: 27247, 27248, 27252, 27253, 27254, 27255, 27256, 27257


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, dos, exploit-kit, file-flash, file-image, file-java, file-multimedia, file-office, file-other, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, netbios, server-apache and web-client rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Tuesday, July 23, 2013

Why are rules on/off by default?

One of the questions we receive a lot here at Snort Headquarters within the Vulnerability Research Team (VRT) is "Why are rules on/off by default?"

I've already explained what the criteria are for the three policies (Connectivity, Balanced, and Security) in previous blog posts here, but we thought we'd expand on that subject a bit and add it to the Snort FAQ.


So here you go:

https://github.com/vrtadmin/snort-faq/blob/master/Rules/Why-are-rules-commented-out.md

A Continued Commitment to Open Source

Earlier today Cisco announced a definitive agreement to acquire Sourcefire. Marty Roesch has detailed the announcement on our corporate blog, but we want to make sure that you, our friends and community, are especially assured of Cisco’s commitment to maintaining our innovation and support of our open source projects. As Marty writes:

“I created Snort in 1998 to provide value-added security solutions for open source and address big problems that no one else could solve. We later expanded that open source commitment to ClamAV… The best news in all of this, especially for our partners, customers and open source users, is that Cisco is committed to accelerate the realization of our vision into the market. We’ll be able to more quickly innovate, develop and provide products and technologies that continue to solve your biggest security challenges. And not just for commercial and government solutions – they are committed to continued innovation and support of our open source projects, too.”

Please visit the corporate blog for more details and feel free to reach out to me with any questions that you might have. We look forward to continuing to innovate together.

Additional Information and Where to Find It

In connection with the proposed acquisition by Cisco Systems, Inc. (“Cisco”) of Sourcefire, Inc. (“Sourcefire”) pursuant to the terms of an Agreement and Plan of Merger by and among Sourcefire, Cisco, and a wholly-owned subsidiary of Cisco, Sourcefire will file a proxy statement with the Securities and Exchange Commission (the “SEC”). Investors are urged to read the proxy statement (including all amendments and supplements) because it will contain important information. Investors may obtain free copies of the proxy statement when it becomes available, as well as other filings containing information about Sourcefire, without charge, at the SEC’s Internet site (http://www.sec.gov). These documents may also be obtained for free from Sourcefire’s Investor Relations web site (http://investor.sourcefire.com/) or by directing a request to Sourcefire at: Sourcefire, Inc., 9770 Patuxent Woods Drive, Columbia, MD 21046.
Sourcefire and its officers and directors and other members of management and employees may be deemed to be participants in the solicitation of proxies from Sourcefire’s stockholders with respect to the acquisition. Information about Sourcefire’s executive officers and directors is set forth in the proxy statement for the Sourcefire 2013 Annual Meeting of Stockholders, which was filed with the SEC on April 24, 2013. Investors may obtain more detailed information regarding the direct and indirect interests of Sourcefire and its respective executive officers and directors in the acquisition by reading the preliminary and definitive proxy statements regarding the transaction, which will be filed with the SEC.

Forward-Looking Statements

This written communication contains forward-looking statements that involve risks and uncertainties concerning Cisco’s proposed acquisition of Sourcefire, Sourcefire’s expected financial performance, as well as Sourcefire’s strategic and operational plans. Actual events or results may differ materially from those described in this written communication due to a number of risks and uncertainties. The potential risks and uncertainties include, among others, the possibility that the transaction will not close or that the closing may be delayed; the reaction of our customers to the transaction; general economic conditions; the possibility that Sourcefire may be unable to obtain stockholder approval as required for the transaction or that the other conditions to the closing of the transaction may not be satisfied; the transaction may involve unexpected costs, liabilities or delays; the outcome of any legal proceedings related to the transaction; the occurrence of any event, change or other circumstances that could give rise to the termination of the transaction agreement. In addition, please refer to the documents that Cisco and Sourcefire file with the SEC on Forms 10-K, 10-Q and 8-K. The filings by Sourcefire identify and address other important factors that could cause its financial and operational results to differ materially from those contained in the forward-looking statements set forth in this written communication. Sourcefire is under no duty to update any of the forward-looking statements after the date of this written communication to conform to actual results.

Thursday, July 18, 2013

Sourcefire VRT Certified Snort Rules Update for 07/18/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/18/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 17 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-office, file-pdf, malware-other, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Tuesday, July 16, 2013

Sourcefire VRT Certified Snort Rules Update for 07/16/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/16/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 40 new rules and made modifications to 166 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov: 27180, 27181, 27199, 27200, 27201, 27202, 27204

James Lay: 27203


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-java, file-office, file-other, indicator-compromise, malware-cnc, malware-other, os-linux, os-windows, policy-social, protocol-imap, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Monday, July 15, 2013

OpenBSD 5.2 and 5.3 now supported through Shared Object rules

Good news for those of you running OpenBSD 5.2 or 5.3 with Snort.  The Vulnerability Research Team will now support, build, and ship pre-compiled Shared Object rules for those platforms.

The updated builds will ship in tomorrow's rule release.  OpenBSD 4.8 will continue to be supported for the next couple of weeks before removal.

Thursday, July 11, 2013

Sourcefire VRT Certified Snort Rules Update for 07/11/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/11/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 22 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, deleted, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Tuesday, July 9, 2013

Sourcefire VRT Certified Snort Rules Update for 07/09/2013, MSTuesday, 2.9.5.0 Support

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/09/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 73 new rules and made modifications to 220 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Nathan Fowler: 27085, 27086, 27087, 27088

James Lay: 27144, 27145

Avery Tarasov: 27146, 27155


In VRT's rule release:
Details:
Microsoft Security Advisory MS13-052:
Programming errors in the .NET Framework and Silverlight may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27136 and 27139.

Microsoft Security Advisory MS13-055:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27126 through 27135,
27137 through 27138, 27147 through 27154, and 27156 through 27157.

The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-ie, browser-plugins, deleted, dos, exploit-kit,
file-multimedia, file-office, file-other, file-pdf, malware-backdoor,
malware-cnc, malware-other, os-mobile, os-windows, protocol-ftp,
protocol-tftp and server-webapp rule sets to provide coverage for
emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Monday, July 8, 2013

Snort 2.9.4.1 is now EOL for rule support.

Snort 2.9.4.1 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine.  Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.5.0. Snort 2.9.5.0's rules will be released tomorrow.

Time to upgrade!  Thanks all!

Tuesday, July 2, 2013

Sourcefire VRT Certified Snort Rules Update for 07/02/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 07/02/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 52 new rules and made modifications to 40 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov: 27017, 27043, 27044, 27045

James Lay: 27039, 27040, 27041, 27042, 27047

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, deleted, exploit-kit, file-java, file-other, indicator-compromise, indicator-obfuscation, indicator-shellcode, malware-cnc, malware-other, malware-tools, netbios, os-mobile, os-other, protocol-tftp, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


To get the VRT's newest rule detection functionality now, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the newest emerging threats!

Monday, July 1, 2013

Snort Manual has been updated to 2.9.5.0

The PDF documentation available at http://www.snort.org/docs as well as the HTTP manual at http://manual.snort.org have been updated to Snort 2.9.5.0.

Snort 2.9.5 is now available!

Snort 2.9.5 is now available on snort.org, at
http://www.snort.org/snort-downloads/ in the Latest Release section.

We've rolled up a large number of bug fixes and made some other additions
and improvements into this release.  Additions, deletions, and changes
are highlighted.

2013-07-01 - Snort 2.9.5

[*] New additions

* Added tracking of FTP data channel for file transfers as file_data
  for Snort rules.

* Add support for doing PAF based on services loaded through the
  attribute table and hardened PAF code/removed --disable-paf

* Added decoding support for Cisco ERSPAN

* Added tracking of HTTP uploads as file_data for Snort rules.

* Added ability to use event filters with PPM rules

* Added a control channel command to reload the Snort configuration to
  give feedback on new configuration.  This improves on the older SIGHUP
  which would just result in Snort exiting and restarting if the new
  configuration required a restart.

* Added a configuration option to perfmon to write flow-ip data to a
  file

* New decoding alert for IPv6 Routing type 0 header.

* Added the ability to sync basic session state from one Snort to
  another via a side channel communication between the two Snort
  instances.  NOTE:  This is currently experimental.

[*] Improvements

* Improved Stream's midstream pickup handling for TCP state processing,
  sequence validation, and reassembly.  Thanks to John Eure.

* Added a parse error for a rule if there is a relative content used
  after a content that is 'fast_pattern only'.

* Improved HTTP PAF reassembly capabilities to be better aligned on PDU
  boundaries, terminate if not actually HTTP, and to include all
  appropriate line feeds.

* Hardened the code related to dynamic modules.  Removed
  --disable-dynamicplugin configuration option since rule and
  preprocessor shared libraries are here to stay.

* Improved parsing of IP lists for reputation

* Update to Teredo processing and Snort rule evaluation when the inner
  IPv6 packet doesn't have payload.  Thanks to Yun Zheng Hu &
  L0rd Ch0de1m0rt for reporting the issue & crafting traffic to reproduce. 

* Improved logging of packets associated with alerts when a Stream
  reassembled packet triggers multiple Snort rules.

* Improvements to the Snort manual including documentation of specific
  rule options and configuration items.  Thanks to Nicholas Horton and many others.

* Removed a bunch of dead code paths, updated to use more current memory
  functions for easier code maintenance and portability.  Thanks to William Parker.

[*] Deletions

* Remove deprecated unified support, use unified2 for all of your
  logging needs.

See the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team