Thursday, October 31, 2013

Sourcefire VRT Certified Snort Rules Update for 10/31/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/31/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 27 new rules and made modifications to 7 additional rules.

There were three changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:

51423
44440
33300
15489

The Snort.confs on the example page have been updated:
http://www.snort.org/vrt/snort-conf-configurations/

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
28404
28405
28406


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, file-multimedia, file-office, file-pdf, indicator-compromise, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, October 29, 2013

Sourcefire VRT Certified Snort Rules Update for 10/29/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/29/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 63 new rules and made modifications to 78 additional rules.

There was one change made to the snort.conf in this release:

The following port was added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:

29991

The Snort.confs on the example page have been updated:
http://www.snort.org/vrt/snort-conf-configurations/

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Nick Mavis:
28344


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, malware-tools, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.



Thursday, October 24, 2013

Sourcefire VRT Certified Snort Rules Update for 10/24/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/24/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 29 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour:
28300

Avery Tarasov:
28302


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-identify, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, netbios, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, October 22, 2013

Sourcefire VRT Certified Snort Rules Update for 10/22/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/22/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 66 additional rules.

There were two changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:
1533
8082

The Snort.confs on the example page have been updated:
http://www.snort.org/vrt/snort-conf-configurations/

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
28255
28285
28293
28294
28295
28296
28297

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-java, file-multimedia, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, os-windows, protocol-icmp, protocol-tftp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Thursday, October 17, 2013

Sourcefire VRT Certified Snort Rules Update for 10/17/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/17/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 14 new rules and made modifications to 28 additional rules.

The following port was added to HTTP_PORTS, http_inspect "ports", and stream5 "both":

3029

The Snort.confs on the example page have been updated:
http://www.snort.org/vrt/snort-conf-configurations/

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-image, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, October 15, 2013

Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/15/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 6468 additional rules. You should notice additional alerts in your console that you may have never seen before. If you believe these to be false positives, please file a false positive report via the "Submit a False Positive" link or via the Snort-sigs mailing list. You may always find this link in the footer of Snort.org.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
This rule release contains updated base policies for use in your Snort devices.

To help customers understand these changes, we are taking this opportunity to explain the process used by the VRT for deciding how rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability that might be covered by a rule. For more information on CVSS please visit http://www.first.org/cvss. The second criterion is temporal-based and concerns the age of a particular vulnerability. The final criterion is the particular area of coverage for the rule. So for example, SQL Injection rules are considered to be important enough to have influence when being considered for policy inclusion. Note that the vulnerabilities covered by the rules in these categories are considered important regardless of age.

The considerations for each policy are described below.

Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Not used for this policy


Balanced Base Policy:

1. CVSS Score 9 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit


Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)
  • Year prior (2010 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit
  • App-detect


All new rules are placed into the policies based on these criteria. Every year during the third quarter of the year, the policies will be re-assessed and rules from previous years, as the vulnerabilities age, will be removed from the policy to keep the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2014, the rules from 2011 will be removed from the “Connectivity over Security” and “Balanced” policies while the rules from 2010 will be removed from the “Security over Connectivity” policy. If rules move between categories, their presence in policies will also be decided based on the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, its presence in a policy based on the CVSS metric is also re-assessed.

Rules in the listed policies are evaluated on a rule-by-rule basis.


Monday, October 14, 2013

Sourcefire VRT Certified Snort Rules Update for 10/14/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/14/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 1 new rule and made modifications to 8 additional rules.

There were three changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect "ports", and stream5 "both":

12601
55252
5117

The Snort.confs on the example page have been updated:
http://www.snort.org/vrt/snort-conf-configurations/

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

James Lay:
28215


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Friday, October 11, 2013

Snort VRT Default Ruleset Rebalancing

In an upcoming Rule Update, the VRT will be shipping updated base policies for use in your Snort installation.

To help customers understand these changes, we are taking this opportunity to explain the process used by the VRT for deciding how rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability that might be covered by a rule. For more information on CVSS please visit http://www.first.org/cvss. The second criterion is temporal-based and concerns the age of a particular vulnerability. The final criterion is the particular area of coverage for the rule. So for example, SQL Injection rules are considered to be important enough to have influence when being considered for policy inclusion. Note that the vulnerabilities covered by the rules in these categories are considered important regardless of age.

The considerations for each policy are described below.


Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Not used for this policy


Balanced Base Policy:

(As a reminder, the "Balanced" policy is the default shipping state of the VRT Ruleset for Open Source Snort)

1. CVSS Score 9 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit

Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)
  • Year prior (2010 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit
  • App-detect


All new rules are placed into the policies based on these criteria. Every year during the third quarter of the year, the policies will be re-assessed and rules from previous years, as the vulnerabilities age, will be removed from the policy to keep the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2014, the rules from 2011 will be removed from the “Connectivity over Security” and “Balanced” policies while the rules from 2010 will be removed from the “Security over Connectivity” policy. If rules move between categories, their presence in policies will also be decided based on the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, its presence in a policy based on the CVSS metric is also re-assessed.

Rules in the listed policies are evaluated on a rule-by-rule basis. Some older rules that do not meet the criteria above will nonetheless remain in the default policies. The above is the selection criteria for default rules, and is always subject to change based upon the threat landscape.
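The selection criteria above (the same ones listed in the 10/15/2013 release note), as an added Python example that is not VRT code: it encodes the three policies' CVSS, age and category thresholds and applies them at a given evaluation year, so the third-quarter 2014 re-assessment described above can be simulated. Assumptions: a rule is represented by a constructed Rule record (SID, rule set, vulnerability year, CVSS score); a rule in one of a policy's named categories is treated as included on that basis alone (the post says "regardless of age"; treating it as also independent of the CVSS score is our reading, since C&C and blacklist rules often cover no CVE); "sql-injection" is a constructed label for the "SQL Injection" category; the sample SIDs are placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    sid: int
    category: str             # rule set name, lowercase (e.g. "exploit-kit")
    vuln_year: Optional[int]  # year of the covered vulnerability, None if not CVE-backed
    cvss: Optional[float]     # CVSS base score of that vulnerability, None if not CVE-backed


@dataclass(frozen=True)
class Policy:
    name: str
    min_cvss: float           # "must be 10" / "9 or greater" / "8 or greater"
    max_age_years: int        # 2 = current year, last year, year before last
    categories: frozenset     # rule sets included on category alone


# Thresholds as listed in the post. "sql-injection" is a constructed label.
CORE = frozenset({"malware-cnc", "blacklist", "sql-injection", "exploit-kit"})
POLICIES = (
    Policy("connectivity-over-security", 10.0, 2, frozenset()),
    Policy("balanced", 9.0, 2, CORE),
    Policy("security-over-connectivity", 8.0, 3, CORE | {"app-detect"}),
)


def qualifies(rule: Rule, policy: Policy, eval_year: int) -> bool:
    """Category test first, then the CVSS and age tests."""
    if rule.category.lower() in policy.categories:
        return True  # important regardless of age (assumption: and of CVSS)
    if rule.cvss is None or rule.vuln_year is None:
        return False  # no vulnerability metadata to score against
    age = eval_year - rule.vuln_year
    return rule.cvss >= policy.min_cvss and 0 <= age <= policy.max_age_years


def assign_policies(rule: Rule, eval_year: int) -> list:
    return [p.name for p in POLICIES if qualifies(rule, p, eval_year)]


def reassess(rules, eval_year: int) -> dict:
    """Annual (Q3) re-evaluation: policy name -> sorted SIDs still qualifying."""
    out = {p.name: [] for p in POLICIES}
    for r in rules:
        for name in assign_policies(r, eval_year):
            out[name].append(r.sid)
    return {k: sorted(v) for k, v in out.items()}


def aged_out(rules, old_year: int, new_year: int) -> dict:
    """SIDs present in each policy at old_year but dropped at new_year."""
    before, after = reassess(rules, old_year), reassess(rules, new_year)
    return {k: sorted(set(before[k]) - set(after[k])) for k in before}


# Constructed sample rules; SIDs are placeholders, not real VRT SIDs.
SAMPLE = [
    Rule(1001, "os-windows", 2011, 10.0),     # 2011, CVSS 10: all three policies in 2013
    Rule(1002, "server-webapp", 2010, 10.0),  # 2010: only security-over-connectivity in 2013
    Rule(1003, "browser-ie", 2013, 9.3),      # too low for connectivity (needs 10)
    Rule(1004, "malware-cnc", None, None),    # no CVE: included by category only
    Rule(1005, "app-detect", None, None),     # category counts only for the security policy
    Rule(1006, "file-pdf", 2013, 7.5),        # below every threshold
]

if __name__ == "__main__":
    for year in (2013, 2014):
        print(year, reassess(SAMPLE, year))
    print("dropped in Q3 2014:", aged_out(SAMPLE, 2013, 2014))
```

Running it shows the 2011 rule leaving the Connectivity and Balanced policies and the 2010 rule leaving the Security policy at the 2014 evaluation, exactly the movement the post describes.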

If there are any questions, feel free to email me @ joel [at] sourcefire [dot] com, or use the Snort-Sigs mailing list:

http://www.snort.org/community/mailing-lists

Sourcefire VRT Certified Snort Rules Update for 10/10/2013

Sourcefire VRT Certified Snort Rules Update for 10/10/2013

We welcome the introduction of the newest rule release for yesterday from the VRT. In this release we introduced 6 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit and malware-cnc rule sets to provide coverage for emerging threats from these technologies.



Tuesday, October 8, 2013

Sourcefire VRT Certified Snort Rules Update for 10/08/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/08/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 71 new rules and made modifications to 61 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
28147
28148
28152
28153
28154
28155
28156
28192
28193

In VRT's rule release:
Microsoft Security Advisory MS13-080:
Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 28151, 28158 through 28160, 28163, 28191, 28204, and 28207 through 28208.

Microsoft Security Advisory MS13-082:
Programming errors in the .NET Framework may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 28161 through 28162 and 28202 through 28203.

Microsoft Security Advisory MS13-084:
Microsoft SharePoint Server suffers from a coding error that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 28201.

Microsoft Security Advisory MS13-086:
Microsoft Word suffers from coding errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 28205 and 28206.


The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-image, file-office, file-other, indicator-compromise, malware-cnc, protocol-voip, pua-adware, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Cisco, Community and Open Source

In July we told you about Sourcefire’s agreement to be acquired by Cisco, and today that acquisition has closed – we are now one company. This also means that we are also now one community, and Cisco has reiterated its commitment to maintaining our innovation and support of Snort, ClamAV and other open source projects, as well as its own projects. As Marty Roesch wrote on our corporate blog:

“I can tell you with certainty that this is a great match for Sourcefire, for Cisco and, ultimately, for our customers, partners and open source communities… Beyond the technology, one of the things that is important to me is that Cisco and Sourcefire both share key values that transcend our company names, HQ locations and number of employees.”

I’m also happy to report that there will be no changes to how our communities are run or our communications, including mailing lists, snort.org, clamav.net or social media sites. Please visit the corporate blog for more details and, as always, reach out to me with questions. I will still be your community manager and I look forward to many more years of being a part of this community.

Thursday, October 3, 2013

Sourcefire VRT Certified Snort Rules Update for 10/03/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/03/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
28114
28115
28116
28117
28118
28119
28120
28121
28122
28123


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-java, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, October 1, 2013

Sourcefire VRT Certified Snort Rules Update for 10/01/2013, IE 0day coverage

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/01/2013, IE 0day coverage

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 37 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
28080

James Lay:
28079

Yaser Mansour:
28105
28106
28107


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-plugins, exploit-kit, file-java, file-multimedia, file-office, file-pdf, malware-cnc, os-mobile, os-solaris, protocol-ftp, protocol-rpc, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

