Thursday, February 27, 2014

Snort 2.9.7.0 Alpha with OpenAppID, a quick introduction to getting started

A new preprocessor has been included with Snort, and when used in conjunction with the OpenAppID detector content package, provides Snort the ability to identify, control and measure the applications in use on the network.  The initial detector package contains logic to identify 1,477 unique protocols, client and server applications, as well as web applications.

We are also introducing a new keyword called 'appid'. The new keyword may be used by itself, or in conjunction with any other Snort rule keywords, and may leverage any existing rule actions - alert, block, pass, etc.  This provides the ability to control applications and services with the rule language.

OpenAppID will also provide statistics for the bytes sent and received per application within a specific time slot.

To help pass the data to other 3rd party analytics tools we have also created 2 new utilities:
  • - u2openappid - generates a comma separated sheet of the data, including the column’s name and value for the new statistics.
  • - u2streamer - used to stream the live feed to 3rd party tools reading this data.  For example, an auth login tool.
To build Snort with OpenAppID, you will need to add the following line in the ./configure script:
./configure --enable-open-appid

To configure your snort.conf to use the OpenAppID you will need to add the following new preprocessor in the following format:

preprocessor appid : app_stats_filename appstats-unified.log, app_stats_period 300, app_detector_dir

Where
  • - app_stats_period – The time window where we restart our measuring  for each application (In seconds)
  • - app_detector_dir – The full path to where the detectors are located.
An example on how create a new rule with the appid keyword is as follows:

 alert tcp any any -> any any  (msg:”OpenAppID: test for app ssh"; appid: ssh; sid:100000; rev:4; )
  • - ssh is the AppID used for detecting SSH based traffic over the network.
We currently allow up to 10 AppIDs per rule each can be separated by a space or comma.
For more information about the installation and configuration of the OpenAppID in Snort see the README file included with the source code.

We will be continuing to add coverage for additional applications through updates to the detector content package on a regular basis. We welcome any feedback, reports on any issues, questions, as well as contributions of new detectors via a new mailing list:  https://lists.sourceforge.net/lists/listinfo/snort-openappid

Sourcefire VRT Certified Snort Rules Update for 02/27/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/27/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 45 new rules and made modifications to 34 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
29981


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-webkit, exploit-kit, file-flash, file-identify, file-image, file-java, file-other, file-pdf, malware-backdoor, malware-cnc, protocol-scada, scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, February 26, 2014

FreeBSD 10 Shared Object rules are now available!

Last week we began distributing FreeBSD 10 Shared Object rules in the Rule Pack.  This means that we will discontinue distributing FreeBSD 8 in the Shared Object rule pack in a few weeks.

I'll update with an additional post when that date gets closer, however, if you are using FreeBSD 8, I would encourage you to start thinking about your upgrade.

Tuesday, February 25, 2014

Sourcefire VRT Certified Snort Rules Update for 02/25/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/25/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 39 new rules and made modifications to 35 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-webkit, exploit, file-flash, malware-cnc, malware-other, os-windows, protocol-dns, protocol-rpc, protocol-scada and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.7.0 Alpha release now available!

Just posted to Snort.org, Snort 2.9.7.0 Alpha. We have some exciting things in store here that we've been looking forward to releasing. Please see the below notes for more details!

We also put out a couple of press releases this morning about OpenAppID.  Take a look:
http://finance.yahoo.com/news/cisco-security-introduces-open-source-130000271.html

Our founder Marty also wrote a blog post over on the Cisco blog:
http://blogs.cisco.com/security/cisco-announces-openappid-the-next-open-source-game-changer-in-cybersecurity/

Follow the @Snort account on Twitter to stay current with our releases!

2014-02-25 - Snort 2.9.7.0 alpha
[*] New additions
* Application Identification Preprocessor, when used in conjunction with
open app ID detector content, that will identify application protocol,
client, server, and web applications and include the info in Snort alert
data. In addition, a new rule option keyword 'appid' that can be used
to constrain Snort rules based on one or more applications that are identified
for the connection. See README.appid for details. Please report issues
or ask questions via a new mailing list: snort-openappid@sourceforge.net.

* A new protected_content rule option that is used to match against a content
that is hashed. It can be used to obscure the full context of the rule from
the administrator.

* Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
more accurately process different portions of email messages and file
attachments.

[*] Improvements
* Update active response to allow for responses of 1500+ bytes that span
multiple TCP packets.

* Check limits of multiple configurations to not exceed a maximum ID of 4095.

* Updated the error output of byte_test, byte_jump, byte_extract to
including details on offending options for a given rule.

* Update build and install scripts to install preprocessor and engine libraries
into user specified libdir.

Get Snort 2.9.7.0 Alpha here! http://www.snort.org/snort-downloads

Thursday, February 20, 2014

Sourcefire VRT Certified Snort Rules Update for 02/20/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/20/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 72 new rules and made modifications to 116 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset

Alexandre Menezes
29832
29833
29834
29835
29836
29837
29838
29839
29840
29841
29842
29843
29844
29845
29846
29847
29848
29849
29850
29851
29852
29853
29854
29855
29856
29857
29858

Avery Tarasov
29862
29863
29865
29875
29882
29884
29891
29894
29895
29897

Yaser Mansour
29864

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-other, file-pdf, malware-backdoor, malware-cnc, server-apache, server-iis, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, February 19, 2014

Gen-msg.map has been removed from the ruleset.

A recent post on the Snort Mailing lists about some differences in between the gen-msg.map file that is shipped with the Snort tarball, and the file that it shipped in the Snort Rules tarball led us to actually just remove it from the Rules tarball.

This is because this file will only ever change with the release of a version of Snort, and the file should be used out of the Snort tarball when it is released.

Hope this clears up any confusion that existed!

Open Source Community Meeting at RSA next week!

After a lot of hard work by our teams, and with RSA just a few days away, we are proud to announce that along with Cisco and Sourcefire's corporate teams being present at RSA, and for the first time we will also be holding an Open Source Community Meeting!

Matt Watchinski (Director of the Vulnerability Research Team) and myself, Joel Esler, (Open Source Manager) will be presenting on the state of our Open Source projects at Sourcefire, the state of Open Source now that we are Cisco,  some future developments and of course, open Q&A!

So here's some attendance details:

Open Source Community Meeting
AMA -- American Management Association
Executive Conference Center
55 4th Street -- Level 2
San Francisco, CA 94103

Wednesday, February 26th, 2014
12:00pm - 2:00pm

Lunch will be provided on site.

We also have some exclusive Swag give-aways that not only no one else at RSA has, but aren't available anywhere else!  Available for the first 40 people that come through the door (if we have your size).

We'll have availability for about 50 people on site, so first come, first served, let's make this a repeating event!

We look forward to seeing you there!

Tuesday, February 18, 2014

Snort 2.9.5.5 is now EOL for rule support.

Snort 2.9.5.5 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine. Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.6.0.

Please review our EOL policy here: http://www.snort.org/vrt/rules/eol_policy

Sourcefire VRT Certified Snort Rules Update for 02/18/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/18/2014


We welcome the introduction of the newest rule release from the VRT. In this release we introduced 11 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:
James Lay
29816
29817
29829
29830
29831

Avery Tarasov
29216
29824
29825
29826
29827
29828
29832
29833

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, file-flash, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, February 14, 2014

Sourcefire VRT Certified Snort Rules Update for 02/14/2014, Microsoft Internet Explorer 10 Vulnerability

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/14/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 8 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

James Lay
29816
29817

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, file-pdf, indicator-compromise, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, February 13, 2014

Sourcefire VRT Certified Snort Rules Update for 02/13/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/13/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 70 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Tony Robinson:
29760
29788
29789
29790
29791

Alexandre Menezes & Tony Robinson
29761
29762
29763
29763
29764
29765
29766
29767
29768
29769
29770
29771
29771
29772
29773
29774
29775
29776
29777
29778
29779
29780
29781

Yaser Mansour
29666

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-other, browser-plugins, deleted, dos, file-other, indicator-obfuscation, malware-cnc, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, February 11, 2014

Sourcefire VRT Certified Snort Rules Update for 02/11/2014, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/11/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 110 new rules and made modifications to 44 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
29664
29665

In VRT's rule release:
Microsoft Security Bulletin MS14-005:
Programming errors exist in Microsoft XML Core Services (MSXML) that
could lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 29680 through 29705.

Microsoft Security Bulletin MS14-006:
A coding deficiency in IPv6 could lead to a Denial of Service (DoS).

Previously released rules will detect attacks targeting this
vulnerability and have been updated with the appropriate reference
information. They are included in this release and are identified with
GID 1, SIDs 23178 and 24296.

Microsoft Security Bulletin MS14-007:
A coding deficiency exists in Direct2D that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 29713 through 29714.

Microsoft Security Bulletin MS14-009:
Programming errors in the .NET Framework may lead to an escalation of
privilege.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 29715.

Microsoft Security Bulletin MS14-010:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 29655, 29667 through
29668, 29671 through 29674, 29676 through 29679, 29706 through 29712,
29716 through 29722, 29727 through 29738, and 29741 through 29744.

Microsoft Security Bulletin MS14-011:
A coding deficiency exists in the VBScript Scripting Engine that may
lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 29675.


The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-ie, browser-plugins, exploit-kit, file-flash,
file-multimedia, file-office, file-other, file-pdf, malware-cnc,
malware-other, protocol-icmp, server-apache, server-iis and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, February 7, 2014

Sourcefire VRT Certified Snort Rules Update for 02/06/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/06/2014


We welcome the introduction of the newest rule release from the VRT. In this release we introduced 25 new rules and made modifications to 19 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-plugins, browser-webkit, file-flash, file-identify, file-image, file-other, file-pdf, malware-cnc, netbios, protocol-icmp, protocol-scada, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, February 4, 2014

Sourcefire VRT Certified Snort Rules Update for 02/04/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 02/04/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 108 new rules and made modifications to 91 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
29567
29568
29569


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-chrome, browser-firefox, browser-ie, browser-plugins, browser-webkit, dos, exploit-kit, file-flash, file-java, file-multimedia, file-other, indicator-obfuscation, malware-cnc, netbios, os-windows, protocol-imap, protocol-scada, scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!