Thursday, March 27, 2014

Sourcefire VRT Certified Snort Rules Update for 03/27/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/27/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 31 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
30255
30256
30257
30258
30259
30260
30261
30262

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, dos, file-flash, file-identify, file-office, malware-cnc, malware-other, netbios, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 25, 2014

Sourcefire VRT Certified Snort Rules Update for 03/25/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/25/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 18 new rules and made modifications to 60 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Bulletin 2953095: A coding deficiency in Microsoft Word could lead to remote code execution. Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 24974 through 24975. 
The Sourcefire VRT has also added and modified multiple rules in the bad-traffic, blacklist, browser-chrome, browser-ie, chat, dos, exploit, exploit-kit, file-office, file-other, file-pdf, indicator-obfuscation, malware-backdoor, malware-cnc, multimedia, netbios, pua-adware, server-other, server-webapp, smtp and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 20, 2014

Sourcefire VRT Certified Snort Rules Update for 03/20/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/20/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 14 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
30234


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-plugins, indicator-compromise, indicator-shellcode, malware-cnc and os-windows rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 18, 2014

Sourcefire VRT Certified Snort Rules Update for 03/18/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/18/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 25 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
30196
30197
30198

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-image, file-java, file-multimedia, malware-backdoor, malware-cnc, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, March 14, 2014

OpenAppID Install Video

OpenAppID Install


This short blog post accompanies the below video showing the installation of Snort with OpenAppID onto a completely clean Ubuntu Server running 13.10. Hold on to your hat, it’s a quick video, so fast in fact we thought it wise to also provide this text listing of the commands typed (without the typos you’ll see in the video).

If you’ve not watched the video yet, go watch it now, below for reference.




Step #1, Prep the system.


You’ll need to download the following files from snort.org

daq-2.0.2.tar.gz
snort-2.9.7.0_alpha.tar.gz
snort-openappid-detectors.2014-02-22.187-0.tgz
snortrules-snapshot-2960.tar.gz

You’ll find the first three files in the downloads section https://www.snort.org/downloads, and the last file in the rules section http://www.snort.org/snort-rules/. The exact rules files available will change over time, just make sure you get one that is compatible with Snort 2.9.x release.

Start with a clean installation of Ubuntu 13.10 Server. The only task selected for the system to be used at during installation was an SSH Server. The files were downloaded into a directory called build.

mkdir ~/build
cd ~/build

Step #2, Install Snort requirements


The following packages were added to the system via apt.

apt-get install openssl libssl-dev build-essential g++ flex bison zlib1g-dev autoconf libtool libpcap-dev libpcre3-dev libdumbnet-dev build-essential

Libdnet-1.11 and LuaJIT were compiled and used so we were running the same versions as those who were developing OpenAppID.

cd ~/build/
wget http://prdownloads.sourceforge.net/libdnet/libdnet-1.11.tar.gz
tar xzvf libdnet-1.11.tar.gz
cd libdnet-1.11/
./configure
make
sudo make install

cd ~/build/
wget http://luajit.org/download/LuaJIT-2.0.2.tar.gz
tar xzvf LuaJIT-2.0.2.tar.gz
cd LuaJIT-2.0.2/
make
sudo make install

cd ~/build/
tar -xzvf daq-2.0.2.tar.gz
cd daq-2.0.2/
./configure
make
sudo make install
sudo ldconfig

Step #3 Building Snort with OpenAppID support.


cd ~/build/
tar -zxvf snort-2.9.7.0_alpha.tar.gz
cd snort-2.9.7.0.alpha/
./configure --enable-sourcefire --enable-open-appid
make
sudo make install

Step #4 Configure Snort without OpenAppID enabled



Before we jump into the new capabilities of OpenAppID, it’s best to make sure the foundations are functioning. Snort needs some configuration files and directories to be made.

sudo mkdir /etc/snort # For configuration
sudo mkdir /var/log/snort # For log data
sudo mkdir /usr/local/lib/snort_dynamicrules # For dynamic rules
sudo mkdir /etc/snort/rules # For normal text rules
touch /etc/snort/white_list.rules # For white lists
touch /etc/snort/black_list.rules # For black lists

A set of configuration files are included in the snort tarball. These can be copied into your /etc/snort/ directory.

cd ~/build/snort-2.9.7.0.alpha/etc/
sudo cp attribute_table.dtd file_magic.conf snort.conf unicode.map classification.config gen-msg.map reference.config threshold.conf /etc/snort/

The last thing to do is to add some of the VRT supplied rules to enable snort to detect ‘bad’ stuff. We’ve untarred unto a temp directory called ‘crules’, the name has no meaning.

cd ~/build
mkdir crules
mv snortrules-snapshot-2960.tar.gz crules
cd crules/
tar -zxvf snortrules-snapshot-2960.tar.gz

sudo cp -r preproc_rules /etc/snort
sudo cp -r rules /etc/snort/
sudo cp -r so_rules /etc/snort/

The next step is to configure the snort.conf file. They key changes made to get Snort working were:

RULE_PATH /etc/snort/rules
SO_RULE_PATH /etc/snort/rules
PREPROC_RULE_PATH /etc/snort/rules
WHITE_LIST_PATH /etc/snort
BLACK_LIST_PATH /etc/snort

To test Snort’s config the -T option can be used. If Snort has any problems with configuration, it will let you know.

sudo snort -c /etc/snort/snort.conf -T

Step #5 Enabling OpenAppID in Snort.


First we need to add the OpenAppID detector package, this was one of the files that was downloaded earlier.

cd ~/build
tar -zxvf ./snort-openappid-detectors.2014-02-22.187-0.tgz
sudo mkdir /usr/local/lib/openappid
sudo mv odp/ /usr/local/lib/openappid/

The appid preprocessor now needs to be enabled in Snort. Add the following line at the end of the preprocessor section.

preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 60, app_detector_dir /usr/local/lib/openappid

Every 60 seconds details of the apps found in use on the network will be dropped into this file
To start Snort,  the following command was used.

sudo snort -c /etc/snort/snort.conf --daq afpacket -i eth0 -k none

In future posts we’ll go into some of the other ways you can use Snort with OpenAppID, but this should be enough to get you started. If you have any questions, please send them to the snort-openappid mailing list at snort-openappid@lists.sourceforge.net.

-Leon

Thursday, March 13, 2014

Open Source Community Webinar Recording and Slides posted

Today we held an Open Source Community Webinar on line, and I wanted to take the opportunity to thank the people in attendance.  I know the announcement was short notice, but we received positive engagement from the community with several questions during the webinar, and several after.

I've posted the recording and the slides on our Snort Webinar Series page on Snort.org.

Please feel free to check it out and if you have any questions about the Webinar or anything I said in it, please feel free to reach out to me.

Sourcefire VRT Certified Snort Rules Update for 03/13/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/13/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 43 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

BAE - Detica Division
30191


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 11, 2014

Sourcefire VRT Certified Snort Rules Update for 03/11/2014, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/11/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 76 new rules and made modifications to 59 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
30091


In VRT's rule release:
Microsoft Security Bulletin MS14-012:
Microsoft Internet Explorer contains programming errors that may allow
a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 29717 through 29718,
29819 through 29820, 30106 through 30132, and 30140 through 30145.

The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-ie, browser-plugins, exploit-kit,
file-flash, file-identify, file-multimedia, file-other, malware-cnc,
malware-other, protocol-icmp and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 6, 2014

Sourcefire VRT Certified Snort Rules Update for 03/06/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/06/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 67 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

James Lay
30065
30066

Avery Tarasov
30067
30068

Yaser Mansour
30069
30070
30071
30072


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-identify, file-other, indicator-compromise, malware-cnc, malware-other, policy-other, pua-toolbars, server-apache, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 4, 2014

Firing up OpenAppID

The purpose of this post is to provide guidance to Snort users who would like to try out Snort 2.9.7.0 and the OpenAppID features that it comes with. It is not intended to guide the reader through setting up Snort from scratch, there are plenty of docs on how to set up Snort at http://www.snort.org/docs.

Snort

Before we can download the latest Snort source code and compile it, we have a new prerequisite to fulfill before we can compile Snort. You'll need to install Luajit, which is used to define application detectors with the new OpenAppID.

On my Ubuntu system this was as easy as the following command.

sudo apt-get install libluajit-5.1-2 libluajit-5.1-common libluajit-5.1-dev luajit

Now we’re all set to download and install the alpha version of Snort. At the time this was written that was 2.9.7.0 alpha (snort-2.9.7.0_alpha.tar.gz). Grab the latest source from snort.org’s Download Snort page. Then we can extract and build.

tar zxvf snort-2.9.7.0_alpha.tar.gz
cd snort-2.9.7.0.alpha
./configure --prefix=/usr/local/snort --enable-sourcefire --enable-open-appid
make
sudo make install

Note the new flag on the configure command. We are adding that switch to enable OpenAppID.

Application Detector Package

The next step is to download the Application Detector Package. This entirely new content contains what is at the heart of the OpenAppID feature. You can download it from the Download Snort page on snort.org (currently: snort-openappid-detectors.2014-02-22.187-0.tgz).

This package contains the Lua libraries for detecting applications, as well as the application detectors themselves.

sudo tar -xzf snort-openappid-detectors.2014-02-22.187-0.tgz -C /usr/local/snort

Once that is unpacked you will see your Snort directory now has an odp directory. Here you will see the appMapping.data file, which includes metadata about the application detectors. A simple way to explore what application detectors are included in this first release is to examine the second column of this file. If you’d like to see the list, try the following command.

cat appMapping.data | cut -f2

For example, if you would like to see what micro-applications that can be identified within Facebook, search for that data.

cat appMapping.data | cut -f2 | grep Facebook
Facebook Apps
Facebook
Facebook Chat
Facebook Comment
Facebook Read Email
Facebook Send Email
Facebook Status Update
Facebook search
Facebook event
Facebook post
Facebook video chat
Facebook message
Facebook video


You will also see the libs subdirectory, which contains the Lua libraries needed to run application detection. The port and lua subdirectories contain the applications detectors themselves. The port detectors are simple YAML files to patch port and application. The lua directory contains the bulk of the detectors. These lua scripts perform far more powerful detection.

Configure snort.conf

There are several changes to make in our snort.conf file. We must add the preprocessor command for OpenAppID and configure the output command.

Configure OpenAppID Preprocessor

Our next step is to add the configuration for the OpenAppID preprocessor to the snort.conf file. Find the lines for the reputation preprocessor. This should be followed by commented text for “Step 6.” Just after the reputation preprocessor and before Step 6 we will add another preprocessor setting.

preprocessor appid: app_stats_filename appstats-u2.log, \    
app_stats_period 60, \
app_detector_dir /usr/local/snort

This will turn on the OpenAppID preprocessor. The first step simply names the configuration file to which application statistics will be logged. The second gives the time period used to sample this data. Finally, you must point out the directory which contains the odp directory we extracted from the Open App ID Detector package.

Configure Output
The final step in configuring our snort.conf file will be to change the output command. Everyone should be using the Unified2 output module already, but there is a new command to add new the new event field for the application in use.

Look into Step 6 find the lines explaining the unified2 output type. In that section add the following line.

output unified2: filename snort.log, limit 128, appid_event_types

Testing Snort

Now let’s fire up Snort.

/usr/local/snort/bin/snort -c /usr/local/snort/etc/snort.conf -i eth#

Where eth# is which ever interface you will be monitoring with (e.g. eth0).

If there aren't any errors you will see the final line output by Snort indicating a successful startup, as “Commencing packet processing.” If you examine the output above that you will see a new section for AppID Configuration. This will include the configuration given to the preprocessor for reference.

To test the new deployment, fire up a web browser to test out application detection. For my test I used Chrome to visit cnn.com.

If you are still examining the console output of the Snort process you will see something to the effect of “Opening /var/log/snort/appstats-u2.log.1393807981 for output.” Ending the Snort process will also write what data has not yet been output.

Examining Application Statistics

When you downloaded the Snort package, it included a tools subdirectory. In here you will find a couple of programs for changing the unified2 binary format to readable text. In this case we will use the u2openappid program to print the application statistics that Snort is collecting for us.

u2openappid /var/log/snort/appstats-u2.log.1393807981
statTime="1393807860",appName="chrome",txBytes="6043",rxBytes="111267"
statTime="1393807860",appName="dns",txBytes="8708",rxBytes="38103"
statTime="1393807860",appName="http",txBytes="200399",rxBytes="1444070"
statTime="1393807860",appName="cnn.com",txBytes="198478",rxBytes="1557970"
statTime="1393807860",appName="doubleclick",txBytes="5543",rxBytes="2598"
statTime="1393807860",appName="truste",txBytes="1829",rxBytes="12208"
statTime="1393807860",appName="washington_time",txBytes="2210",rxBytes="1401"
statTime="1393807860",appName="turner_broadcas",txBytes="1785",rxBytes="1316"
statTime="1393807860",appName="moat",txBytes="5707",rxBytes="3453"


From this you can see a number of entries. In this case the above were generated from my visit to cnn.com. You can see that they share the same statTime. OpenAppID identifies the client application (Chrome), DNS request, protocol (http), and web app (cnn.com). The rest of the entries are other web apps embedded within CNN’s web page.

To further illustrate the data we can get form OpenAppID, here is the output from when I instead use Firefox to visit Netflix.

statTime="1393809840",appName="google",txBytes="3500",rxBytes="5171"
statTime="1393809840",appName="firefox",txBytes="11695",rxBytes="20818"
statTime="1393809840",appName="http",txBytes="11695",rxBytes="20818"
statTime="1393809840",appName="netflix",txBytes="1072",rxBytes="1262"
statTime="1393809840",appName="https",txBytes="18330",rxBytes="33984"
statTime="1393809840",appName="verisign",txBytes="1450",rxBytes="2668"


Happy Snorting! Check out the new stuff. There are a few new features to explore here.

Sourcefire VRT Certified Snort Rules Update for 03/04/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 03/04/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 19 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, file-office, malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!