Tuesday, March 29, 2011

Snort 2.9.0.2 Shared Object rules are on their way out next release!

As noted before when we End-Of-Life'd 2.9.0.1 Shared Object rules, 2.9.0.2 rules will EOL with the next rule pack and will no longer be released.  People using 2.9.0.2 should update to the newest version of Snort and Shared Object rules at 2.9.0.4.

The Shared Object rule builds for 2.8.6.1 are unaffected, however, as a reminder, support for 2.8.6.1 will end at the release of Snort 2.9.1 (+90 days), so those of you on 2.8.6.1 are encouraged to start upgrading.

Keep your eyes peeled to the blog for Snort 2.9.0.5's debut, along with accompanying Shared Object rule release shortly!

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

VRT Rule Update for 03/29/2011

Just released is a rule release for today from the VRT. In this release we introduce 24 new rules and make modifications to 40 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
exploit, ftp, imap, misc, netbios, oracle, policy, specific-threats,
sql, web-activex, web-client, web-misc and web-php rule sets to provide
coverage for emerging threats from these technologies.

Monday, March 28, 2011

New PulledPork (v0.6.0) Released!

PulledPork v0.6.0 the Smoking Pig, has now been released. This version represents a significant amount of feature enhancements, bug fixes, and core updates for improved speed and stability.

The new PulledPork can be downloaded at the following location:
http://pulledpork.googlecode.com/files/pulledpork-0.6.0.tar.gz
SHA1 Checksum: c4fdf58c716017a0ebad3c46f770fda54c8f23b2
MD5 Checksum: d65c4ef29956823a1a5a05921f219a29

v0.6.0 the Smoking Pig

New Features / changes:
  • Added -q command line switch to squelch everything except fatal errors
  • Code clean up for readability
  • Move debug output to allow for better debugging of actual variable values
  • Update config to allow for ssl from ET
  • Update config to allow for new snort rules gzip
  • Bug #55 - Create capability to ignore more granularly (plaintext, preproc, shared object or global).
  • Bug #50 - You can now create backups and archives of your existing config and rules files etc...
    • This adds the PM requirement of File::Find
  • Bug #56 - More verbose output when a flowbit is re-enabled (only when run with -v)
  • Bug #60 - added -E flag that will cause ONLY enabled rules to be written to output files
  • Bug #47 - added -R flag that will set the state of the rules specified in enablesid.conf back to their ORIGINAL state, as read from the source rules tarball.
  • Bug #63 - added sid MSG information to changelog output.
  • Added -k and -K options to allow for the writing of the original source file rather than one large output file.
  • Bug #66 - Prepend VRT rulesets with VRT- and ET rulesets with ET- to allow for parallel ruleset operations. This also provides more granularity in that scenario wherein the user could set state in a VRT or ET category only by specifying VRT-category or ET-category in the sid state modification files.
  • Added support for 500 errors, specifying that users should update their root cert store!
Bug Fixes:
  • Bug #39 - updated to allow for use of username:pass@proxy.url
  • Bug #49 - fix for race condition not allowing HUP to work with -nTH switches specified
  • Bug #40 - allow so_rules to be handled when non VRT rulesets are downloaded
  • Bug #45 - create a blank so_stub rules file so that we don't get an error re: a blank file from snort when generating so_stubs! (only if the file does not already exist, and only if you are using SOs!)
  • Bug #46 - throw error if a config file that is specified does not exist
  • Bug #42 - Added OpenSUSE-11-3 to list
  • Fixed race condition that did not properly handle certain spaces in flowbits set and isset values, resulting in unchecked flowbits etc...
  • Bug #51 - Increased timeout value to 60 seconds
  • Bug #53 - Fixed pcre issue that caused certain rules containing isset and set flowbits values to incorrectly be auto-enabled.
  • Bug #61 - Fixed so that .so rules are not touched!
  • Bug #67 - Fixed regex to allow for space between ( and msg.
  • Bug #71 - Flaw in if statement logic did not allow for proper multiline rule parsing
  • Undocumented ID - Flaw in changelog routine did not allow for proper writing of sid-msg or sid in "deleted rules" section of the changelog.
  • Bug #62 - Added check for amd64 string during arch detection!

Special Notes:
  • Bug #47 - This should be used by advanced users only, it can produce results that may not make sense to the typical user. And frankly, I don't understand it ;-)
  • Bug #60 - This fix WILL cause inconsistency in your changelog, as when PP reads the old rules from the existing rules file, it will have only the enabled rules in it.. thus any rules that were not enabled in that file will show up as NEW rules in the changelog output, you have been warned, so no whining!
The official release and additional information can be found at http://global-security.blogspot.com/2011/03/pulledpork-060-smoking-pig-hes-on-fire.html
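
Several of the fixes above (multi-line rule parsing, whitespace between "(" and msg, spaces inside flowbits values, and re-enabling a rule whose flowbit an enabled rule checks) describe one parsing job. The following is an added Python illustration written for this post, not PulledPork's own Perl code; SAMPLE_RULES is a constructed rule file, and the flowbit-resolution logic is a simplified reading of what the changelog describes rather than PulledPork's implementation.

```python
import re

# Constructed sample rules (not VRT rules): 9000002 is disabled but sets a flowbit
# that the enabled rule 9000004 checks, so it must be re-enabled.
SAMPLE_RULES = r"""
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( msg:"EXAMPLE ftp login"; \
    flow:to_server,established; content:"USER"; flowbits:set, ftp.login; \
    flowbits:noalert; sid:9000001; rev:1;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"EXAMPLE ftp banner"; flowbits: set,ftp.banner; flowbits:noalert; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE ftp cmd"; flowbits:isset, ftp.login; content:"SITE"; sid:9000003; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE after banner"; flowbits:isset,ftp.banner; sid:9000004; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
MSG_RE = re.compile(r'\(\s*msg\s*:\s*"([^"]*)"')                       # tolerates "( msg" (Bug #67)
FLOWBITS_RE = re.compile(r"flowbits\s*:\s*(\w+)\s*,\s*([^;]+?)\s*;")  # tolerates "set, bit" (Bug #61)

def logical_lines(text: str) -> list[str]:
    """Merge backslash-continued lines so a multi-line rule parses as one (Bug #71)."""
    merged = re.sub(r"\\\s*\n\s*", " ", text)
    return [line.strip() for line in merged.splitlines() if line.strip()]

def parse_rules(text: str) -> dict[int, dict]:
    """Map sid -> {msg, enabled, sets, checks}; commented-out rules are parsed too."""
    rules: dict[int, dict] = {}
    for line in logical_lines(text):
        body = line.lstrip("# ")
        sid, msg = SID_RE.search(body), MSG_RE.search(body)
        if not (sid and msg):
            continue  # plain comment, include line, etc.
        rule = {"msg": msg.group(1), "enabled": not line.startswith("#"),
                "sets": set(), "checks": set()}
        for op, value in FLOWBITS_RE.findall(body):
            # first field is the bit expression; "a&b" / "a|b" name several bits
            names = {n.strip() for n in re.split(r"[&|]", value.split(",")[0]) if n.strip()}
            if op in ("set", "setx", "toggle"):
                rule["sets"] |= names
            elif op in ("isset", "isnotset"):
                rule["checks"] |= names
        rules[int(sid.group(1))] = rule
    return rules

def enable_required_setters(rules: dict[int, dict]) -> set[int]:
    """Re-enable disabled rules that set a flowbit an enabled rule checks; return flipped sids."""
    flipped: set[int] = set()
    while True:  # loop to a fixed point: a re-enabled setter may itself check bits
        needed = {b for r in rules.values() if r["enabled"] for b in r["checks"]}
        todo = [s for s, r in rules.items() if not r["enabled"] and r["sets"] & needed]
        if not todo:
            return flipped
        for s in todo:
            rules[s]["enabled"] = True
        flipped |= set(todo)
```

Running `enable_required_setters(parse_rules(SAMPLE_RULES))` flips only sid 9000002, which is the case Bug #56's verbose output would report.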

Snort IDS Sensor with Sguil Framework ISO

Guy Bruneau of the Internet Storm Center has released a CD that he describes as:

"a hardened OS that includes Snort IDS sensor (version 2.9.0.4) with all the Sguil components ready to use."
It's available in both 32 bit and 64 bit versions and each version has three options:

"sensor only, database only or all components on the same system"
Be sure to check it out if it will help you get started using Snort and Sguil faster.

Link to the Internet Storm Center Article is here.
 

Thursday, March 24, 2011

VRT Rule Update for 03/24/2011

Just released is a rule release for today from the VRT. In this release we introduce 24 new rules and make modifications to 40 more.

In VRT's rule release:
The Sourcefire VRT is aware of the existence of nine fraudulent digital
certificates issued by Comodo. Using these certificates, an attacker
may be able to spoof content, perform various phishing attacks or
perform man-in-the-middle attacks on sites and users relying on these
certificates for identification purposes.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 18565 through 18573.

Additionally, the Sourcefire VRT has added and modified multiple rules
in the ftp, imap, specific-threats, spyware-put, web-activex and
web-client rule sets to provide coverage for emerging threats from
these technologies.

Wednesday, March 23, 2011

Snort Webcast series progress

I meant to post this last week, but I wanted to keep our community up to date with everything going on. Following last week's announcement that we were going to be reinvigorating the Snort webcast series, I thought it would be neat to let you all know that I have a webcast planned for every month for the rest of the year!

Our first webcast will be by Nick Moore of Sourcefire, on April 13, 2011 (Wednesday) at 11:00 am.  We'll start with the basics, how to set up Snort.

I'll post a reminder that Monday as well.  But just in case you want to block out your calendars now, feel free to do so.

If you have suggestions for webcasts you'd like to see, either from Snort.org or from the community itself, please feel free to suggest them!

Tuesday, March 22, 2011

VRT Rule Update for 03/22/2011

Just released is a rule release for today from the VRT. In this release we introduce 11 new rules and make modifications to 2 more.

In VRT's rule release:
As a result of ongoing research, the Sourcefire VRT has added and
modified multiple rules in the botnet-cnc, deleted, exploit, misc,
netbios, policy, rpc, smtp, specific-threats, web-activex, web-client
and web-misc rule sets to provide coverage for emerging threats from
these technologies.

Marty speaking at new CyberSecurity Seminar Series at the University of Maryland

Google is now sponsoring a CyberSecurity Seminar Series at the University of Maryland, featuring speakers from the industry, academia, and government, addressing a broad range of topics related to cybersecurity, including technology, policy, and economics.

One of the speakers confirmed for the Seminar Series is our own Martin Roesch!

Check out this excerpt from the press release:

The second seminar will be held on Thursday, April 21, at 5:00 p.m., and will feature Martin Roesch, Chief Technology Officer (CTO) of Sourcefire®, a leader in intelligent cybersecurity solutions. The title of his talk will be "Intrusion Detection and Network Security Perspectives From A Veteran."
With nearly 20 years of industry experience in network security and embedded systems engineering, Roesch has dedicated himself to developing intelligent network security tools and technologies to address evolving threats. A respected authority on intrusion prevention and detection technology and forensics, Roesch has been interviewed as an industry expert in multiple technology publications, as well as print and online news services, such as MSNBC, Wall Street Journal, CNET, ZDNet, and numerous books. Roesch founded Sourcefire® in 2001 and is the author and lead developer of the Snort® Intrusion Prevention and Detection System that forms the foundation for the Sourcefire IPS™. Roesch has received a host of awards for his technology innovation and vision. Most recently, he was recognized as a 2010 Security Superstar by Everything Channel's CRN magazine for the value his innovations provide partners and customers, and was selected as one of eWeek's Top 100 Most Influential People in IT.
I hope you have the opportunity to attend!

Wednesday, March 16, 2011

Snort 2.9.0.1 Shared Object Rules are deprecated

As noted before when we End-Of-Life'd 2.9.0.0 Shared Object rules, 2.9.0.1 rules have now reached EOL and will no longer be released.  People using 2.9.0.1 should update to the newest version of Snort and Shared Object rules at 2.9.0.4.

Towards the end of March, 2.9.0.2 will also be EOL, so anyone still on that patch level is encouraged to start planning a move off it.

The Shared Object rule builds for 2.8.6.1 are unaffected, however, as a reminder, support for 2.8.6.1 will end at the release of Snort 2.9.1 (+90 days), so those of you on 2.8.6.1 are encouraged to start upgrading.

Snort Webcast Series is back

When I took over the OpenSource Community Manager position here at Sourcefire, I sent out an email asking for suggestions about what I can do to make things better and provide an awesome community for the OpenSource products.

One of the things that was emailed to me was "Can you put the Snort Webcast Series back up?"  and "Start the webinar series back up!".  So, I did, and we will.

You can find the old series that Mike Guiterman (thanks Mike!) was coordinating back in 2009, re-released and put up on Snort.org.  It's always been available, but over on Sourcefire.com where you had to register to view the content.  This is one of the other complaints I received, that people had to surrender their email to the website in order to gain access to this valuable information.

So I removed that restriction as well.

So, announcing without further ado, the old series is back up, and we're going to be reviving the series soon (probably once a month or so), and putting that information up for consumption as well.  As always I'll post a blog entry when we are going to schedule a webcast, so you may participate live and ask questions of the speakers, and I'll post a blog entry when we put it up on the website for archiving.

You can find the Snort webcast series here, at its new home, on Snort.org.

Tuesday, March 15, 2011

VRT Rule Update for 03/15/2011, MS Tues

Just released is a rule release for today from the VRT. In this release we introduce 11 new rules and make modifications to 2 more.

In VRT's rule release:
Details:

Adobe Security Advisory APSA11-01:
Adobe Flash Player contains a programming error that may allow a remote
attacker to execute code on an affected system. This problem affects
the Microsoft Windows, Apple Mac OS, Linux and Solaris operating
systems.

The Sourcefire VRT has reports of this vulnerability being exploited
in the wild via an embedded Flash file in a Microsoft Excel document
delivered via email.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SID 18543, GID 1, SIDs
18545 through 18554.

Tuesday, March 8, 2011

VRT Rule Update for 03/08/2011

Just released is a rule release for today from the VRT. In this release we introduce 49 new rules and make modifications to 28 more.

In VRT's rule release:
Details:

Microsoft Security Advisory MS11-015:
Microsoft Windows Media Player contains a programming error that may
allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SIDs 18496, 18497 and
18498.

Microsoft Security Advisory MS11-016:
Microsoft Office Groove contains a programming error that may allow a
remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SIDs 18499 and 18500.

Microsoft Security Advisory MS11-017:
Microsoft Remote Desktop Client contains a programming error that may
allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 3, SIDs 18494 and 18495.

Snort-Users Google Group Feed

On the front page of Snort.org, we used to have a feed that pointed at the Snort.org Forums so people could see a quick heads-up of the new topics being posted in the forums.  Since we've deprecated the forums on Snort.org and moved to Google Groups (quite successfully, I might add!  There is a lot more traffic on the Google Groups, as people are able to ask questions and give answers more easily), we need to fix that feed.

So, now when you navigate to Snort.org you'll notice that the three feeds at the bottom of the front page are now:
Snort Blog (this one), VRT Blog, and now Snort-Users Group

Reminder if you haven't signed up for the Google Groups yet, please do so!  http://www.snort.org/community/groups

Thanks!

Thursday, March 3, 2011

VRT Rule Update for 03/03/2011

Just released is a rule release for today from the VRT. This release is much larger than yesterday's and makes changes to 573 rules.

In VRT's rule release:

Details:

As a result of ongoing research, the Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, chat, deleted, dos, exploit, icmpv6, imap, netbios, policy, scada, smtp, specific-threats, voip-sip, web-activex, web-cgi, web-client, web-misc, and web-php rule sets to provide coverage for emerging threats from these technologies.

Wednesday, March 2, 2011

VRT Rule Update for 03/02/2011

Just updated is a rule release for today from the VRT. This rule release only contains a couple of updates.

Tuesday, March 1, 2011

The end of an era, Snort Forums.

As announced back in the beginning of February, our transition to Google Groups instead of the Snort Forums is now taking place.

The old Snort forums, found at https://forums.snort.org, are now deprecated in favor of a more versatile Google Groups solution.

For those of you who haven't yet participated in the Google Groups, they seem to be working out quite well so far, and we encourage everyone to go there and sign up.  Thanks for working with us during this transition.

http://www.snort.org/community/groups/