Friday, April 29, 2011

Pcaprr External DAQ has been posted

Today Jeff Murphy submitted to us another external DAQ module for Snort.  I think his email best describes it:

We use Endace DAG cards in our sensors along with regen taps. Those cards don't work with the bonding driver, so merging the two streams from a regen tap isn't possible (unless we use a different tap or fix the drivers to work together). The attached patch creates a new module in the os-daq-modules directory called "pcaprr.c". This module will open multiple devices and then make round-robin reads from the device list (much like the bonding driver would if it worked with the DAG driver).  Modifications made against DAQ 0.5 code.
Thanks, Jeff, for your contribution. As with any external addition to Snort, it's great to see the community putting code up!

I've placed Jeff's pcaprr DAQ module on the "External-Daq" page on Snort.org. Enjoy!

PulledPork makes the cover of Linux Pro magazine!

Our own JJ Cummings of Sourcefire, fellow Snort.org blogger and author of Snort's PulledPork tool (the best way to keep your rules up to date), was recently featured in an article in Linux Pro Magazine.

Here's a picture of the cover, with the PulledPork article circled.


The cover says that other Snort-related tools are discussed in the article as well. Unfortunately, I do not have a copy of the magazine, so I don't know which ones they are talking about.

If you have a copy of this edition of Linux Pro Magazine, please feel free to leave a comment and let us know what other tools were discussed!

Congratulations to JJ for all of his hard work to give such a great tool away to help people maintain their rule updates!  Thanks JJ!

Awesome.  As noted in the comments, the article has been posted online at Linux Magazine:
http://www.linuxpromagazine.com/Issues/2011/125/Snort-Helpers

Wednesday, April 27, 2011

VRT Rule Update for 04/27/2011

Just released is a rule release for today from the VRT. In this release we make modifications to 2 rules.

In VRT's rule release:
The Sourcefire VRT has identified possible issues with two shared
object rules. This release contains modifications to those rules that
fix these potential problems.

Details:
A problem has been identified in a shared object rule identified as GID
3 SID 18676. This problem causes Snort to hang in an infinite loop when
the rule is evaluated.

Mitigation:

1. The set of conditions necessary to cause this rule to enter an
infinite loop require a very unique set of content matches to be
present in the data being processed. In the unlikely event that
these conditions occur, the last content match in the set must not
return true.
2. This set of conditions is very unlikely to occur in normal,
non-malicious network traffic.
3. Additionally, if all the conditions in the rule are met, meaning
that a malicious set of traffic was detected, then the rule works
as expected and the infinite loop does not occur.
4. There are currently no known threats available publicly or in the
wild for this vulnerability.

Upon review of other custom shared object rule code, a similar issue was
found in GID 3, SID 17665. The VRT has pro-actively fixed that rule.

The modifications to GID 3, SIDs 18676 and 17665 are included in this release.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, April 26, 2011

VRT Rule Update for 04/26/2011

Just released is a rule release for today from the VRT. In this release we introduce 41 new rules and make modifications to 11 more.

Also, at the request of the Snort community, we have started indicating at the above link whether each rule is enabled or disabled by default. The policy you select as part of a PulledPork download (if you use that feature) overrides this.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, dos, scada, smtp, specific-threats, spyware-put, sql and
web-misc rule sets to provide coverage for emerging threats from these
technologies.

Thursday, April 21, 2011

VRT Rule Update for 04/21/2011

Just released is a rule release for today from the VRT. In this release we introduce 12 new rules and make modifications to 37 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, misc, oracle, policy and web-client rule sets to provide
coverage for emerging threats from these technologies.

Tuesday, April 19, 2011

VRT Rule Update for 04/19/2011

Just released is a rule release for today from the VRT. In this release we introduce 27 new rules and make modifications to 4410 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the
attack-responses, backdoor, bad-traffic, blacklist, botnet-cnc, chat,
dns, dos, exploit, imap, misc, mysql, netbios, oracle, policy, scan,
snmp, specific-threats, spyware-put, sql, telnet, tftp, web-activex,
web-cgi, web-client, web-coldfusion, web-frontpage, web-misc and x11
rule sets to provide coverage for emerging threats from these
technologies.

Napatech External DAQ Posted

Just posted this morning: Randy Caldejon, Snort community member and VP of Product Engineering at nPulse Technologies, submitted this external DAQ module for Snort for use with Napatech network adapters.

Building it requires the Napatech ntcommoninterface library, which is bundled with the purchase of each adapter.

I posted it on the "External DAQ" page, ready for your use.

We received a lot of flak when Sourcefire externalized the DAQ out of Snort; however, this is exactly the kind of result we were hoping for!

I'd like to thank Randy for his hard work on this!

Friday, April 15, 2011

Snort 2.9.0.5 setup on Mac OSX Posted

Christoph Murauer, a member of the Snort community, has written a series of blog posts (in both German and English!) on his site that detail the setup of Snort 2.9.0.5 on Mac OS X.

As always, Sourcefire and Snort.org do not warrant these results and we have not tested them, so your mileage may vary.

We'd like to thank Christoph for the time it took to write these up, and we look forward to seeing even more Snort users on OSX!

PostgreSQL and pgAdmin 3
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/3_EN_PostgreSQL_9.0.3_and_pgAdmin_3_1.12.2.html

DAQ and Snort
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/9_EN_DAQ_0.5_and_Snort_2.9.0.5_with_snort.org_Rulesets.html

ADOdb and BASE
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/14_EN_ADOdb_5.1.1_and_BASE_1.4.5.html

German:

PostgreSQL und pgAdmin 3
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/2_PostgreSQL_9.0.3_und_pgAdmin_3_1.12.2.html

DAQ and Snort
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/8_DAQ_0.5_und_Snort_2.9.0.5_mit_snort.org_Rulesets.html

ADOdb and BASE
http://www.mac.ph/www.mac.ph/Blog/Einträge/2011/3/11_ADOdb_5.1.1_und_BASE_1.4.5.html

Wednesday, April 13, 2011

First 2011 Snort Webcast has been posted!

Today, April 13, 2011, Nick Moore of our Security Engineering group at Sourcefire presented on the Intro to Installing Snort.  This webcast was recorded and is now available for consumption, along with the rest of the past Webcast recordings over at: http://www.snort.org/webcast_series.

Our next webcast is currently scheduled for May 25, 2011 with John Gay, one of our instructors from the Education department here at Sourcefire. I'll be sure to post reminders, but be sure to mark your calendars.

Snort 2.9.0.5 Install Guide for Fedora Core 14 is posted

Nick Moore of Sourcefire strikes again, and he has published his guide for installing Snort 2.9.0.5 on Fedora Core 14.  Thanks Nick!  Great job!

Please see http://snort.org/docs for the complete guide.

Snort 2.9.0.5 is available for Gentoo and FreeBSD

Some of you may have seen the tweet the Snort.org Twitter account tooted the other day, but I just wanted to let the blog readers know as well. FreeBSD and Gentoo now have Snort 2.9.0.5 available at your fingertips.

Gentoo users can get the most current version of Snort through Portage, and FreeBSD users may get it through the ports system.

Happy Snorting!

Tuesday, April 12, 2011

Microsoft Tuesday VRT Rule Update for 04/12/2011 & Adobe 0day coverage

Just released is a rule release for today from the VRT. In this release we introduce 47 new rules and make modifications to 3 more.

In VRT's rule release:
Microsoft Security Advisory MS11-018:
Microsoft Internet Explorer contains programming errors that may allow
a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18646 and 18669
through 18671.

Microsoft Security Advisory MS11-019:
The Microsoft implementation of the Common Internet File System
(CIFS) contains programming errors that may allow a remote attacker to
execute code on an affected system.

Previously released rules will detect attacks targeting these
vulnerabilities and are included in this release with updated reference
information, and are identified with GID 3, SID 16631 and GID 1, SID
18462.

Microsoft Security Advisory MS11-020:
The Microsoft implementation of the Common Internet File System
(CIFS), specifically the Server Message Block (SMB) portion, contains
programming errors that may allow a remote attacker to execute code on
an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18660.

Microsoft Security Advisory MS11-021:
Microsoft Excel contains programming errors that may allow a remote
attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18630 through 18634,
18639 through 18641 and 18676.

Microsoft Security Advisory MS11-022:
Microsoft PowerPoint contains programming errors that may allow a
remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18635 through 18637.

Microsoft Security Advisory MS11-023:
Microsoft Office contains programming errors that may allow a remote
attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18638, 18647 and
18650.

Microsoft Security Advisory MS11-024:
The Microsoft Fax Cover Page Editor contains a programming error that
may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18673.

Microsoft Security Advisory MS11-025:
The Microsoft Foundation Class Library (MFC) contains programming
errors that may allow a remote attacker to execute code on an affected
system via applications compiled using these libraries.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18619 through 18629.

Microsoft Security Advisory MS11-026:
The Microsoft implementation of MIME HTML (MHTML) contains programming
errors that may allow a remote attacker to execute code on an affected
system via a cross-site scripting attack.

A previously released rule will detect attacks targeting this
vulnerability and is included in this release with updated reference
information; it is identified with GID 1, SID 18335.

Microsoft Security Advisory MS11-027:
Microsoft Internet Explorer, when using ActiveX controls, contains
programming errors that may allow a remote attacker to execute code on
an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18668 and 18672.

Additionally, previously released rules will detect attacks targeting
these vulnerabilities and are included in this release with updated
reference information; they are identified with GID 1, SIDs 18241,
18242 and 18329.

Microsoft Security Advisory MS11-028:
The Microsoft .Net implementation contains a programming error that may
allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18624.

Microsoft Security Advisory MS11-029:
The Microsoft Graphics Device Interface (GDI) contains a programming
error that may allow a remote attacker to execute code on an affected
system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18645.

Microsoft Security Advisory MS11-030:
The Microsoft implementation of the Domain Name System (DNS),
specifically when handling the Link-local Multicast Name Resolution
(LLMNR) protocol, contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18655.

Microsoft Security Advisory MS11-032:
The Microsoft implementation for handling Open-Type fonts contains a
programming error that may allow a remote attacker to execute code on
an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18644.

Microsoft Security Advisory MS11-033:
The Microsoft Office Word Converter contains programming errors that
may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18642 and 18643.

Microsoft Security Advisory MS11-034:
The Microsoft Windows Operating System contains programming errors that
may allow an attacker to escalate privileges on an affected host.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SIDs 18661 through 18667.

Adobe Security Advisory APSA11-02:
Adobe Flash Player contains a programming error that may allow a remote
attacker to execute code on an affected system.

A previously released rule will detect attacks targeting this
vulnerability and is identified with GID 1, SID 18546.

Support for the upcoming release of Snort 2.9.0.5 is included in this rule pack as well.  When Snort 2.9.0.5 is released, subscribers will have the coverage of the latest detection functionality and ruleset.

Wednesday, April 6, 2011

2.9.0.5 is available for download!

Now available for download from the link here, 2.9.0.5 brings many improvements to Snort in terms of bug fixes.  Below is a cut and paste from the Changelog.


2011-03-23 Steven Sturges <ssturges@sourcefire.com>
  * src/build.h:
      Increment Snort build number to 134
  * src/: decode.h, encode.c:
  * src/dynamic-plugins/sf_engine/: sf_snort_packet.h:
  * src/preprocessors/: spp_sfportscan.c, spp_frag3.c:
  * src/output-plugins/: spo_alert_fast.c:
  * src/preprocessors/Stream5/: stream5_common.c:
      Updated portscan to set protocol correctly in raw packet for
      IPv6 and changed the encoder to recognize portscan packets as pseudo
      packets so that the checksum isn't calculated
  * src/: sfdaq.c, util.c:
      Improve handling of DAQ failure codes when Snort is shutting down.
  * src/preprocessors/spp_perfmonitor.c:
      Update perfmonitor to create new files prior to dropping privs

2011-03-16 Ryan Jordan <ryan.jordan@sourcefire.com>
Snort 2.9.0.5
  * src/build.h:
      Increment Snort build number to 132
  * src/snort.c:
  * src/preprocessors/: normalize.c, perf-base.c, perf-base.h,
    Stream5/snort_stream5_tcp.c:
      TCP timestamp options are only NOPed by the Normalization preprocessor
      if Stream5 has seen a full 3-way handshake, and timestamps weren't
      negotiated.

      The IPS mode reassembly policy has been refactored to do stream
      normalization within the first policy.

      Packets injected by the normalization preprocessor are now counted
      in the packet statistics.
  * doc/snort_manual.tex:
  * src/: parser.c, parser.h:
  * src/preprocessors/: spp_frag3.c, Stream5/snort_stream5_session.c:
      Added a "config vlan_agnostic" setting that globally disables Stream's
      use of vlan tag in session tracking.
  * src/: snort.c, preprocessors/normalize.c,
    preprocessors/spp_normalize.c, preprocessors/spp_normalize.h,
    preprocessors/perf-base.c, preprocessors/perf-base.h:
  * doc/: README.normalize, snort_manual.pdf, snort_manual.tex:
      Fixed the normalization preprocessor to call its post-initialization
      config functions during a policy reload.

      Packets can no longer be trimmed below the minimum ethernet frame
      length. Trimming is now configurable with the "normalize_ip4: trim;"
      option. TOS clearing is now configurable with "normalize_ip4: tos;".

      The "normalize_ip4: trim" option is automatically disabled if the
      DAQ can't inject packets. If the DAQ tries and fails to inject
      a given packet, the wire packet is not blocked.

      Updated documentation regarding these changes.
  * src/detection-plugins/sp_cvs.c:
      Fixed a false positive in the CVS detection plugin. It was incorrectly
      parsing CVS entries that had a '+' in between the 3rd and 4th slashes.
  * src/preprocessors/HttpInspect/: client/hi_client.c,
    server/hi_server.c:
      Changed a pointer comparison to a size check for code readability.
      Belated thanks to Dwane Atkins and Parker Crook for reporting a
      related issue that was fixed in Snort 2.9.0.4 build 111.

      Moved the zlib initialization such that gzipped responses are still
      inspected if the zipped data starts after the first Stream-reassembled
      packet is inspected.
  * src/decode.c:
      Fixed an issue with decoding too many IP layers in a single packet. The
      Teredo proto bit was not unset after hitting the limit on IP layers.
      Thanks to Dwane Atkins for reporting this issue.

      IPv6 fragmented packets are no longer inspected unless they have an
      offset of zero and the next layer is UDP. This behavior is consistent
      with IPv4 decoding.
      Thanks to Martin Schütte for reporting an issue where fragged ICMPv6
      packets were being inspected.

      The decoder no longer attempts to decode Teredo packets inside of
      IPv4 fragments, instead waiting for the reassembled packet.
  * src/encode.c:
      Fixed a problem where encoded packets had their lengths calculated
      incorrectly. This caused the active response feature to generate
      incorrect RST packets if the original packet had a VLAN tag.
  * preproc_rules/preprocessor.rules:
      Updated references to rule 125:1:1
  * src/preprocessors/spp_perfmonitor.c:
      Perfmonitor files are now created after Snort changes uid/gid.
  * src/dynamic-plugins/sf_preproc_example/sf_dynamic_preproc_lib.c:
      Fixed the size formatting of an error message argument when
      compiling with --enable-rzb-saac.
      Thanks to Cleber S. Brandão for reporting this issue.
  * etc/snort.conf:
      Updated the default snort.conf with max compress and decompress
      depths to enable unlimited decompression of gzipped HTTP responses.
  * snort.8:
      Fixed the man page's URL regarding the location of Snort rules.
      Thanks to Michael Scheidell for reporting an out-of-date man page section.
  * doc/README.http_inspect, doc/snort_manual.tex,
    src/preprocessors/snort_httpinspect.c:
      HTTP Inspect's "unlimited_decompress" option now requires that
      "compress_depth" and "decompress_depth" are set to their max values.
  * src/: fpcreate.c, dynamic-plugins/sf_dynamic_define.h,
    dynamic-plugins/sf_dynamic_engine.h,
    preprocessors/Stream5/snort_stream5_tcp.c:
      Fixed an error that prevented compiling with --disable-dynamicplugin.
      Thanks to Jason Wallace for reporting this issue.
  * src/dynamic-preprocessors/ftptelnet/: snort_ftptelnet.c,
    snort_ftptelnet.h, spp_ftptelnet.c:
      Changed the names of ProcessGlobalConf() and PrintGlobalConf() inside
      the ftp_telnet preprocessor to avoid a naming conflict with similar
      functions in HTTP Inspect.
      Thanks to Bruce Corwin for reporting this issue.
  * src/preprocessors/: perf.c, perf-base.c, perf-base.h, perf-flow.c,
    perf-flow.h:
      Fixed comparisons between signed and unsigned int, which led to
      a faulty length check.
      Thanks to Cihan Ayyildiz and Jason Wallace for helping us debug this
      issue.

Please upgrade your version of Snort!

VRT Rule Update for 04/06/2011 and Shared Object rules for 2.9.0.5

Just released is a rule release for today from the VRT. In this release we introduce 2 new rules and make modifications to 19 more.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the dns,
mysql, specific-threats, sql and web-client rule sets to provide
coverage for emerging threats from these technologies.
The highlight of this rule pack is a Specific-Threats rule that further addresses the recent Lizamoon attacks. The SID in question is 18604.  For more information on this attack, please see this VRT Blog Entry.

Support for the upcoming release of Snort 2.9.0.5 is included in this rule pack as well.  When Snort 2.9.0.5 is released, subscribers will have the coverage of the latest detection functionality and ruleset.

First 2011 Snort Webcast Registration is Open!

Just wanted to announce that Registration for the first 2011 Snort Webcast is now open at the following link:

https://sourcefire.webex.com/sourcefire/onstage/g.php?t=a&d=793571014

Our presenter is Nick Moore of Sourcefire, and he'll be presenting the first of a two-part series on simply getting started with Snort: how to set it up, get it running, and work with traffic.

When you click on the above link, you will see a "Register" link on the left-hand side of the page.  Click that for pre-registration.

What does pre-registration get you?  Reminders.  You'll receive a reminder the 11th (Monday) and an hour before we begin so you'll be sure to remember to attend.

The registration form only asks for a couple of things so we can remind you about the event. Registering for the event does not mean that you will start to receive sales information; we're simply using the information for attendance numbers (how many registered, how many attended).


Topic: Snort Webinar Training
Date and Time:
April 13, 2011 11:00 am, Eastern Daylight Time (New York, GMT-04:00)
Event number: 793 571 014

Thanks!

Monday, April 4, 2011

2.9.0.5 is coming soon

We are currently planning the release of 2.9.0.5, so we thought we'd put out the Changelog for it. The release is planned for this week, so prepare to upgrade!

Changelog:

[*] Improvements
 * The normalization preprocessor now has options to configure packet trimming
   and TOS clearing. Packets injected by the preprocessor will now appear in
   Snort's packet statistics. TCP timestamps are now only normalized if a
   session is established without timestamp negotiation.
   See ChangeLog or README.normalize for more details.
 * Added a "config vlan_agnostic" setting that globally disables Stream's use
   of vlan tags in session tracking.
 * Fixed some issues in the packet decoder, including one where IPv6 fragments
   were being decoded incorrectly.
 * Updated the default snort.conf to enable unlimited decompression of gzipped
   HTTP server responses.
As always, we'll announce on the blog when we release the upgrade.  Stay tuned!
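As an added illustration (not from the original post and not the snort.conf shipped with Snort), here is how the 2.9.0.5 settings named in this Changelog and in the full 04/06 ChangeLog above would appear in a snort.conf: the vlan_agnostic switch, the new normalize_ip4 trim/tos options, and the maximum compress/decompress depths that unlimited_decompress now requires. The port list and the unicode map path are assumptions, and the normalizer only takes effect when Snort runs inline with a DAQ that can inject packets.

```conf
# Added snort.conf fragment illustrating the 2.9.0.5 options from the
# changelog; not copied from the Snort distribution. Assumes inline mode
# (snort -Q) with a DAQ that supports packet injection.

# Disable Stream's use of the 802.1Q tag when keying sessions, so a flow
# whose two directions arrive with different VLAN tags is still tracked as
# one session (frag3 tracking ignores the tag as well).
config vlan_agnostic

# IPv4 normalization. "trim" drops payload beyond the IP total length but
# never below the minimum Ethernet frame length, and is automatically
# disabled if the DAQ cannot inject; "tos" clears the TOS byte.
preprocessor normalize_ip4: tos, trim

# HTTP Inspect: unlimited_decompress in the server block only gives
# unlimited decompression of gzipped responses when the global
# compress_depth and decompress_depth are at their maximum (65535).
preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252 \
    compress_depth 65535 \
    decompress_depth 65535

# inspect_gzip applies only with extended_response_inspection enabled;
# the port list is an assumed example.
preprocessor http_inspect_server: server default \
    ports { 80 8080 } \
    extended_response_inspection \
    inspect_gzip \
    unlimited_decompress
```

Run `snort -T -c snort.conf` to have Snort validate the configuration without processing traffic.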

Friday, April 1, 2011

2011 Snort Scholarship is now open!

Annually, Sourcefire provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes.

To be eligible, you must meet the legal criteria found here on our website, sign up for the scholarship here, and following that, on or about May 16, 2011, two winners will be selected.

For further information, please see the links above, also found linked here.