Tuesday, November 26, 2013

Sourcefire VRT Certified Snort Rules Update for 11/26/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/26/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 19 new rules and made modifications to 52 additional rules.

There were two changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect, and Stream5 both:

555
808

The Snort.confs on the example page have been updated:
http://www.snort.org/vrt/snort-conf-configurations/

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28800
28801
28802
28803
28804
28805
28806
28807
28809

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the deleted, exploit-kit, file-flash, file-office and malware-cnc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, November 22, 2013

Sourcefire VRT Certified Snort Rules Update for 11/22/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/22/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 170 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-other, file-pdf, indicator-obfuscation and server-webapp rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 20, 2013

Sourcefire VRT Certified Snort Rules Update for 11/20/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/20/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 61 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, November 18, 2013

Snort 2.9.6.0 beta has just been posted!

Just released for public testing, the Snort 2.9.6.0 beta can be found at our normal downloads site:
http://www.snort.org/snort-downloads.  The following features and improvements are to be tested, and believe there are several that the Snort community has been asking for:

[*] New additions
* Add support to do file specific processing within DCERPC
preprocessor for files being transferred over SMB.

* File capture and storage -- saves files as they traverse the
network via a new preprocessor that ties in support within
HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and
README.file_server (under tools/file_server) for details.

* Add <= and >= operators to byte_test rule option.

* Update SMTP to detect Cyrus SASL authentication attack.

* Add capability to capture a single session from start to end.

* EXPERIMENTAL: Add support to leverage file type identification in
snort rules. See README.file_ips for details.

[*] Improvements
* Only inject active responses when a TCP session is established.

* Update the POP and IMAP protocols to support simple PAF for improved
identification and capture of files.

* Update SMTP, POP, IMAP to improve inspection when mime boundaries are
split across packets.

* Address issue to address end of line incorrectly for Quoted Printable
email attachments.

* Handle out of order SSL handshake in SMTP when STARTTLS is used and
fix checks for SSL type only within the SSL hand shake.

* Update sensitive data preprocessor to handle a stateful search of
patterns across multiple packets.

* Address a few issues in the Snort manual and other READMEs for
flowbits and tunneling.

* Save off packet data for quicker debugging in case of a SIGABRT or
SIGBUS.

Snort 2.9.5.6 is now available on Snort.org!

Snort 2.9.5.6 is now available on Snort.org!

http://www.snort.org/snort-downloads/ in the Latest Release section.
[*] Improvements
* Address issue with byte_extract values that cause a relative rule
option to search outside the packet payload.  Thanks to Nathan Fowler for noting the issue.

* Correct issue with DCE/RPC attempting to check PAF state before
a TCP session is created in Stream.

* Address issue with HTTP pipelined requests when HTTP cookies are
being normalized.  Thanks to Michael Galapchuk for reporting the problem.

Please submit bugs, questions, and feedback to bugs@snort.org.


Happy Snorting!

The Snort Release Team

Sourcefire VRT Certified Snort Rules Update for 11/18/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/18/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 9 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
28552
28553
28554
28555
28556
28557

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, indicator-scan, malware-cnc and protocol-dns rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 14, 2013

Sourcefire VRT Certified Snort Rules Update for 11/14/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/14/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 21 new rules and made modifications to 11 additional rules.

There were two changes made to the snort.conf in this release

The following ports were added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:

53331
6173

The Snort.confs on the example page have been updated: http://www.snort.org/vrt/snort-conf-configurations/ 

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:
Avery Tarasov:
28404
28405
28406
28540
28541
28542
28543

Thanks to rmkml for his improvement to rule:
28445


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, file-office, file-other, malware-backdoor, malware-cnc, malware-tools, pua-adware, pua-toolbars and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 13, 2013

Sourcefire VRT Certified Snort Rules Update for 11/12/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/12/2013


We welcome the introduction of the newest rule release from the VRT. In this release we introduced 56 new rules and made modifications to 610 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28541
28542
28543

In VRT's rule release:
Details:
Microsoft Security Bulletin MS13-088:
Internet Explorer suffers from coding errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28490 through 28492,
28494 through 28496, 28504, and 28522 through 28524.

Microsoft Security Bulletin MS13-089:
A programming error exists in the Microsoft Windows graphics device
interface that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 28509 through 28521.

Microsoft Security Bulletin MS13-090:
A programming error exists in an ActiveX control that may lead to
remote code execution.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 28493, and 28505
through 28506.

Microsoft Security Bulletin MS13-091:
Microsoft Office contains coding errors that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28498 through 28499,
and 28502 through 28503.


The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-ie, browser-plugins, exploit-kit, file-identify,
file-office, file-other, malware-cnc, malware-other, pua-adware and
web-client rule sets to provide coverage for emerging threats from
these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 7, 2013

Sourcefire VRT Certified Snort Rules Update for 11/07/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/07/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 2 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the file-office rule set to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 5, 2013

Snort 2.9.5.0 is now EOL for rule support.

Snort 2.9.5.0 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine. Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.5.5.

Please review our EOL policy here: http://www.snort.org/vrt/rules/eol_policy

Sourcefire VRT Certified Snort Rules Update for 11/05/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/05/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 49 new rules and made modifications to 57 additional rules.

There were three changes made to the snort.conf in this release:

The following ports were added to Stream5 (tcp - both), http_inspect, and HTTP_PORTS:
8081
56712
34412

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28445
28446


In VRT's rule release:
Microsoft Security Advisory 2896666:
A coding deficiency in Microsoft Graphics Component could lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 28464-28471.

The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, indicator-scan, malware-cnc, malware-tools, netbios, os-windows, policy-other, server-apache, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!