Tuesday, August 30, 2011

VRT Rule Update for 08/30/2011

Just released: today's rule update from the VRT. This release contains 68 new rules and 25 rule updates, mostly for malware.

There are no changes to the snort.conf in this release.

The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, deleted, dos, exploit, netbios, policy, specific-threats, spyware-put and web-client rule sets to provide coverage for emerging threats from these technologies.

To get the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Friday, August 26, 2011

Snort 2.9.1: Where does file_data point?

For the first article in our Snort 2.9.1 series, we thought we'd talk about file_data. Its function has changed from Snort version 2.9.0.5, so it's important that we discuss the differences.

Where does file_data point?

Prior to Snort 2.9.1:

* In earlier versions of Snort, file_data pointed to one of the following:
  1. The decompressed/dechunked/normalized HTTP response body (when the data was chunked/compressed/encoded)
  2. SMTP attachments or the data body when file_data was used with the argument "mime".

In Snort 2.9.1:

* file_data will set the cursor used for detection to one of the following buffers based on the traffic.

1. HTTP response body (Raw/encoded/chunked/compressed)

Example:
Consider the following HTTP response:

HTTP/1.0 200 OK
Date: Wed, 24 Aug 2011 23:59:59 GMT
Content-Type: text/html
Content-Length: 1354
<html>
<body>
<h1>Snort 2.9.1 released!</h1>
(more file contents)
.
.
.

</body>
</html>

For this packet, file_data points to the start of the HTML text. The response body can be chunked/compressed/encoded/etc.; in such cases file_data points to the dechunked/decompressed/normalized data, not to the bytes on the wire.

2. SMTP/POP/IMAP data body.

When the traffic is SMTP/POP/IMAP, file_data points to the decoded attachments when decoding is enabled for those preprocessors, and otherwise to the entire data body.

The argument "mime" to file_data is deprecated. However, rules that use this argument will still function as they did before.

How does file_data work?

Prior to Snort 2.9.1:

* file_data had to be followed by a relative rule option. Any absolute (non-relative) rule option started its search from the beginning of the payload. To access the file_data buffer again, a rule had to specify the file_data rule option again.

Examples:
Rules that will work

alert tcp any any -> any any (file_data; content:"<html>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"HTTP/1.0"; depth:10; file_data; content:"<html>"; within:10; ...)

Rules that will not work

alert tcp any any -> any any (file_data; content:"<html>"; depth:10; content:"<body>"; within:10;...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10;...)

In Snort 2.9.1:

* Any content match (relative or absolute) that follows file_data in a rule, provided it carries no HTTP modifier (http_uri/http_header/etc.) and no "rawbytes" keyword, and any other payload-detecting rule option that follows file_data, will apply to the cursor set by file_data until the cursor is explicitly reset by another rule option such as pkt_data, base64_data or the SIP modifiers.

A new rule option in Snort 2.9.1, "pkt_data", resets the cursor to the start of the TCP payload. This rule option gives the rule writer the ability to change the context of subsequent detection options: any content matches (excluding those with HTTP modifiers or rawbytes) and other detection options (such as "byte_test", "byte_jump", etc.) that follow it will apply to the TCP payload.

Other rule options that change the cursor are base64_data, sip_header, sip_body, etc.

Example:
Rules that will work

alert tcp any any -> any any (file_data; content:"<html>"; within:10; ...)
alert tcp any any -> any any (file_data; content:"<html>"; ...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10; content:"<body>"; within:10;...)
alert tcp any any -> any any (file_data; content:"<html>"; depth:10;...)
alert tcp any any -> any any (file_data; content:"<html>"; within:10; pkt_data; content:"HTTP/1.0"; depth:10; ....)

Rules that will not work

alert tcp any any -> any any (file_data; content:"<html>"; depth:10; rawbytes;...)
alert tcp any any -> any any (file_data; pkt_data; content:"<html>"; depth:10; rawbytes;...)
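
To make the cursor rules above concrete, here is an added Python model (not Snort code, and not part of the original post) that builds a constructed chunked version of the HTTP response shown earlier, derives the file_data buffer from it, and replays rule option strings under both the 2.9.1 and the pre-2.9.1 behaviour. The function names (parse_options, evaluate, check_rule) are my own; only content with offset/depth/distance/within/rawbytes is modelled.

```python
"""Model of the Snort 2.9.1 file_data / pkt_data cursor rules from this post.
Added example, not Snort source: it decides which buffer each content match
runs against and reports whether a rule alerts, misses, or is rejected."""
import re

class RuleRejected(ValueError):
    """A rule Snort would refuse to load."""

def chunked(parts):
    """Encode body parts with HTTP chunked transfer-encoding."""
    return b"".join(b"%x\r\n%s\r\n" % (len(p), p) for p in parts) + b"0\r\n\r\n"

# Constructed sample: the post's HTTP response, sent chunked so that the raw
# TCP payload and the file_data buffer differ.
RAW_PAYLOAD = (
    b"HTTP/1.0 200 OK\r\n"
    b"Date: Wed, 24 Aug 2011 23:59:59 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    + chunked([b"<html>", b"<body>", b"<h1>Snort 2.9.1 released!</h1>",
               b"</body>", b"</html>"])
)

def file_data_buffer(payload):
    """What file_data points to for an HTTP response: the dechunked body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    if b"transfer-encoding: chunked" not in head.lower():
        return body
    out = b""
    while True:
        size_line, _, body = body.partition(b"\r\n")
        size = int(size_line.split(b";")[0] or b"0", 16)  # drop chunk extensions
        if size == 0:
            return out                         # last chunk (or truncated body)
        out += body[:size]
        body = body[size + 2:]                 # skip the data and its CRLF

def parse_options(text):
    """Parse rule options such as 'file_data; content:"<html>"; depth:10;'."""
    options = []
    for key, val in re.findall(r'(\w+)\s*(?::\s*("[^"]*"|[^;]+))?\s*;', text):
        if key in ("file_data", "pkt_data"):
            options.append((key, None, None))
        elif key == "content":
            options.append(("content", val.strip('"').encode(), {}))
        elif key in ("depth", "offset", "within", "distance", "rawbytes"):
            if not options or options[-1][0] != "content":
                raise ValueError(key + " must follow a content option")
            options[-1][2][key] = True if key == "rawbytes" else int(val)
        else:
            raise ValueError("option not modelled here: " + key)
    return options

def evaluate(options, payload, legacy=False):
    """Walk the option chain; True if every option matches.  legacy=True is the
    pre-2.9.1 behaviour: only relative options stay in the file_data buffer."""
    buf, pos, used_file_data = payload, 0, False
    for kind, pattern, mods in options:
        if kind == "file_data":
            buf, pos, used_file_data = file_data_buffer(payload), 0, True
            continue
        if kind == "pkt_data":
            if legacy:
                raise RuleRejected("pkt_data is new in Snort 2.9.1")
            buf, pos = payload, 0
            continue
        if mods.get("rawbytes") and used_file_data and not legacy:
            raise RuleRejected("rawbytes cannot follow file_data")   # per the post
        relative = "within" in mods or "distance" in mods
        if legacy and not relative:
            buf = payload           # pre-2.9.1: absolute options search the payload
        if relative:
            start = pos + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(buf)
        else:
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(buf)
        idx = buf.find(pattern, start, end)
        if idx < 0:
            return False
        pos = idx + len(pattern)    # relative modifiers count from here
    return True

def check_rule(rule_text, payload=RAW_PAYLOAD, legacy=False):
    """Return 'alert', 'no alert' or 'rejected' for a rule's option string."""
    try:
        hit = evaluate(parse_options(rule_text), payload, legacy)
    except RuleRejected:
        return "rejected"
    return "alert" if hit else "no alert"

if __name__ == "__main__":
    for rule in ('file_data; content:"<html>"; depth:10; content:"<body>"; within:10;',
                 'file_data; content:"<html><body>";',   # adjacent only after dechunking
                 'pkt_data; content:"<html><body>";',
                 'file_data; content:"<html>"; depth:10; rawbytes;'):
        print("2.9.1: %-9s 2.9.0.5: %-9s %s" % (check_rule(rule), check_rule(rule, legacy=True), rule))
```

The chunked sample is what makes the difference visible: "<html><body>" is contiguous in the file_data buffer but separated by chunk framing in the raw payload, so the same content match alerts after file_data and misses after pkt_data.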

Thursday, August 25, 2011

VRT Rule Update for 08/25/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 55 new rules and make modifications to 19 additional rules.

The registered users of Snort have emailed me and told me that they will not be able to access the snort.conf for 2.9.1 until the 30-day window is open. This is correct; however, for registered users' convenience, you may access the 2.9.1 snort.conf here:
http://www.snort.org/assets/184/snort.conf

The following changes have been made to the snort.conf in this release:

Modifications to HTTP_PORTS

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]


Modifications to Stream5 configuration:

ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555


Modifications to http_inspect

ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }


Increase to the max_sessions parameter in the SIP preprocessor

preprocessor sip: max_sessions 40000


Increase to the max_content_len parameter in the SIP preprocessor

max_content_len 2048


Modifications to the file names in the IP Blacklist Preprocessor

preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules

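Because http_inspect only gets protocol-aware flushing on ports that Stream5 is configured to reassemble (see the 2.9.1 changelog below: PAF is not enabled unless stream ports are configured for the direction), the three port lists above are worth cross-checking whenever they change. The following is an added Python check, not part of the post or of Snort; SNORT_CONF is a constructed fragment that reproduces the three lists from this post with assumed filler for the surrounding options, and the function names are my own.

```python
"""Consistency check for the HTTP_PORTS, stream5_tcp and http_inspect port
lists in a snort.conf.  Added example, not from the post or the Snort project."""
import re

# Constructed fragment: the three port lists are copied from this post; the
# other stream5_tcp/http_inspect_server options are assumed filler.
SNORT_CONF = r"""
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]
preprocessor stream5_tcp: policy windows, detect_anomalies, timeout 180, \
    ports client 21 22 23 25 42 53 79 109 110 111 113 119 135 136 137 139 143, \
    ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555
preprocessor http_inspect_server: server default \
    profile all ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 } \
    server_flow_depth 0 client_flow_depth 0
"""

def join_continuations(conf):
    """Fold backslash-newline continuations so each directive is one line."""
    return re.sub(r"\\\r?\n", " ", conf)

def portvar(conf, name):
    """Ports listed in 'portvar NAME [a,b,c]' (plain lists only, no ranges)."""
    m = re.search(r"^portvar\s+%s\s+\[([^\]]*)\]" % re.escape(name),
                  join_continuations(conf), re.M)
    return {int(p) for p in m.group(1).split(",")} if m else set()

def stream5_tcp_ports(conf, direction="both"):
    """Ports stream5_tcp reassembles for 'direction' (client, server or both)."""
    m = re.search(r"^preprocessor stream5_tcp:.*?\bports\s+%s\s+((?:\d+\s*)+)" % direction,
                  join_continuations(conf), re.M)
    return {int(p) for p in m.group(1).split()} if m else set()

def http_inspect_ports(conf):
    """Ports in the http_inspect_server 'ports { ... }' list."""
    m = re.search(r"^preprocessor http_inspect_server:.*?\bports\s*\{([^}]*)\}",
                  join_continuations(conf), re.M)
    return {int(p) for p in m.group(1).split()} if m else set()

def ports_without_reassembly(conf):
    """HTTP ports http_inspect inspects but stream5_tcp does not reassemble in
    both directions; on those ports http_inspect cannot get PAF."""
    return http_inspect_ports(conf) - stream5_tcp_ports(conf, "both")

def http_ports_mismatch(conf):
    """(in HTTP_PORTS but not in http_inspect, in http_inspect but not in HTTP_PORTS)."""
    var, pre = portvar(conf, "HTTP_PORTS"), http_inspect_ports(conf)
    return var - pre, pre - var

if __name__ == "__main__":
    print("http_inspect ports not reassembled by stream5_tcp:",
          sorted(ports_without_reassembly(SNORT_CONF)))
    print("HTTP_PORTS vs http_inspect mismatch:", http_ports_mismatch(SNORT_CONF))
```

Run on the lists in this post it reports 8181, which is present in HTTP_PORTS and in the http_inspect list but absent from the Stream5 "ports both" list.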

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, exploit, netbios, rpc, specific-threats, spyware-put and web-misc rule sets to provide coverage for emerging threats from these technologies.

To get the VRT's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is also available at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Tuesday, August 23, 2011

VRT Rule Support for 2.8.6.1 will end in 90 days

With today's announcement of Snort 2.9.1, we're taking this opportunity to remind you that VRT Rule Support for Snort 2.8.6.1 will end in 90 days.

With the 2.9.1 release we are also ending support for Snort 2.9.0.4, making the current list of supported versions:
  • 2.9.1.0
  • 2.9.0.5
  • 2.8.6.1
Snort 2.9.0.4 was supposed to reach EOL some time ago; however, we left it in the build process past its expiration date.

Snort 2.9.1 has been released, including Protocol Aware Flushing and IP Reputation Preprocessor

Snort 2.9.1 has been released!

Now available at our download link here:  https://www.snort.org/downloads


Please start downloading and using Snort 2.9.1.  You should be aware that you'll get some new alerts and things will behave a bit differently with the file_data rule option now because of PAF.  For more on PAF please read the README.stream5 documentation file.

The Snort 2.9.1 manual will be up on http://manual.snort.org and http://www.snort.org/docs in a few minutes.

Every Friday for the next few weeks we will be posting a new blog post covering the new features of 2.9.1 directly from the Snort Developers.  So stay tuned!

Below are the Release Notes and Changelog for everything since the release of Snort 2.9.0.5:


Snort 2.9.1 introduces the following new capabilities:

* Protocol aware reassembly support for HTTP and DCE/RPC
preprocessors.  Updates to Stream5 allowing Snort to more
intelligently inspect HTTP and DCE/RPC requests and responses.
See README.stream5 subsection related to Protocol Aware Flushing
(PAF).

* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords.  Also includes new
preprocessor rules for anomalies in the SIP communications.
See the Snort Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in
Base64, Quoted Printable, and uuencode formats, and updates
to SMTP preprocessor for decoding email attachments encoded
as Quoted Printable and uuencode formats.  See the Snort
Manual, README.pop, README.imap, and README.SMTP for details.

* Support for reading large pcap files.

* Logging of HTTP URL (host and filename), SMTP attachment
filenames and email recipients to unified2 when Snort generates
events on related traffic.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This preprocessor
is still in an experimental state, so please report any issues
to the Snort team.  See README.reputation for more information.

Additionally, the following updates and improvements have been made:

* Updates to give shared library rules direct access to gzip
decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer.  This change
may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.
To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations.  Obtain pkg-config from freedesktop.org.

* Many updates and improvements to the Snort documentation.  Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.

* Updates to the sensitive data preprocessor for handling HTTP
traffic and reducing false positives.

* Updates to Snort's config parsing to provide more meaningful
error messages relating to snort.conf errors and configuration
display at startup.

* Updates to Snort's active response packets whether via response
keyword or part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data.
Additional HTTP Inspect alerts for evasion attempts such as small
chunks and excessive whitespace in folded headers.

* Updates to the statistics Snort prints to console or syslog
at exit for different preprocessors.




2.9.1.0 Changelog:

Snort 2.9.1
* src/build.h:
Updated build number to 71.

* etc/gen-msg.map, preproc_rules/decoder.rules, src/decode.c,
src/decode.h, src/generators.h, src/snort.c,
src/dynamic-plugins/sf_engine/sf_snort_packet.h:
Fixed an issue with decoding large numbers of IPv6 extension headers.
Added rule 116:456 to safeguard against too many IPv6 extension headers.
Thanks to Martin Schutte for reporting the issue.

* src/detection-plugins/sp_urilen_check.c,
src/detection-plugins/sp_urilen_check.h:
Fixed the urilen rule option to look at reassembled packets.
Added an extra parameter to specify whether to check raw or normalized uri buffer. Will check raw uri buffer by default.

* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/pop/sf_pop.dsp,
dynamic-preprocessors/reputation/sf_reputation.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp:
Fixed a bug where the sensitive_data preprocessor gave an error while loading sensitive data rules.

* doc/README.http_inspect, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/utils/hi_paf.c:
Added two HTTP Inspect preprocessor rules:
119:28 - post w/o content-length or transfer-encoding: chunked
120:8 - message with invalid content-length or chunk size

* src/preprocessors/spp_httpinspect.c:
Fixed a bug where Snort wouldn't reload, giving the error that
"Changing decompress_depth requries a restart".

* etc/gen-msg.map:
Commented out four rules from gen-msg.map, 133:44 through 133:47,
because they were not yet implemented.

* preproc_rules/preprocessor.rules:
Added a CVE reference for Rule 119:19.
Added a reference to SMTP preprocessor rule 124:4.
Added a preprocessor rule, 125:9, for an FTPTelnet preprocessor
alert that was missing the corresponding rule.

* src/dynamic-plugins/sf_engine/sf_snort_plugin_api.c:
PAF tweak for single-segment full PDUs matching only-stream

* src/snort.c:
Fixed a bug where Snort wouldn't reload on SIGHUP with OpenBSD.
Set default paf_max to 16K.

* doc/: README.reputation, snort_manual.pdf, snort_manual.tex:
Added a use case in the IP Reputation preprocessor documentation.

* src/: dynamic-preprocessors/reputation/reputation_config.c,
dynamic-preprocessors/reputation/sf_reputation.dsp,
win32/WIN32-Prj/snort.dsw, win32/WIN32-Prj/snort_installer.nsi:
Fixed the IP Reputation preprocessor so that it would build on Windows.

* src/preprocessors/HttpInspect: client/hi_client.c, include/hi_client.h,
server/hi-server.c, utils/hi_paf.c:
Support up to full 32-bit content-lengths

* src/preprocessors/Stream5/stream5_paf.c:
Fixed compilation with the options "--disable-target-based --enable-paf".

* src/preprocessors/Stream5/snort_stream5_tcp.c:
Fixed an error in IDS mode when segments overlap and the sequence
number wraps.

* tools/u2spewfoo/Makefile.am:
Added the u2spewfoo Windows project file to the Snort source tarball.

Snort 2.9.1 RC
* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h, etc/gen-msg.map:
Added three new SIP preprocessor alerts.

* src/preprocessors/Stream5/: snort_stream5_tcp.c, stream5_paf.c,
stream5_paf.h:
Allow multiple preprocs to scan for PDUs on the same port.
This fixes a problem with DCE autodetect using the same
ports as HTTP.

* src/build.h:
Updated build number to 63.

* src/: fpcreate.c, log.c, detection-plugins/sp_byte_extract.c,
detection-plugins/sp_tcp_win_check.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
preprocessors/spp_normalize.c:
Fixed some compiler warnings.

* src/: detection-plugins/detection_options.c,
detection-plugins/sp_flowbits.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/examples/Makefile.am,
dynamic-plugins/sf_engine/examples/flowbits_test.c,
dynamic-plugins/sf_engine/examples/rules.c,
dynamic-plugins/sf_engine/examples/web-client_test.c:
Only set/clear/toggle/unset a flowbit when all of the rule
matches, including the IPs and Ports. Thanks to Eoin Miller
for reporting the issue.

* src/dynamic-preprocessors/: Makefile.am, dcerpc2/Makefile.am,
dns/Makefile.am, ftptelnet/Makefile.am, imap/Makefile.am,
pop/Makefile.am, reputation/Makefile.am, rzb_saac/Makefile.am,
sdf/Makefile.am, sip/Makefile.am, smtp/Makefile.am,
ssh/Makefile.am, ssl/Makefile.am:
Fixed dynamic preprocessor Makefiles so that they can be built
in parallel.

* doc/README.http_inspect, doc/snort_manual.pdf,
doc/snort_manual.tex, etc/gen-msg.map,
preproc_rules/preprocessor.rules, src/generators.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/snort_httpinspect.h,
src/preprocessors/HttpInspect/client/hi_client.c,
src/preprocessors/HttpInspect/event_output/hi_eo_log.c,
src/preprocessors/HttpInspect/include/hi_eo_events.h,
src/preprocessors/HttpInspect/include/hi_ui_config.h,
src/preprocessors/HttpInspect/include/hi_util.h,
src/preprocessors/HttpInspect/user_interface/hi_ui_config.c,
src/sfutil/util_unfold.c:
Added a new HTTP Inspect preprocessor rule, GID 119 SID 26.  This rule checks for 200+ whitespaces in a folded header line from an HTTP request. A new config option was added to configure the allowable amount of whitespace.

Added a new configuration option to http_inspect server configuration:
"small_chunk_length { <chunk_size> <num_consec_chunks> }", with preprocessor rules for both client and server. Consecutive chunk lengths less than or equal to <chunk_size> will cause an event to be generated.

See README.http_inspect for more information.

* src/: dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dns/sf_dns.dsp,
dynamic-preprocessors/ftptelnet/sf_ftptelnet.dsp,
dynamic-preprocessors/imap/sf_imap.dsp,
dynamic-preprocessors/isakmp/sf_isakmp.dsp,
dynamic-preprocessors/sdf/sf_sdf.dsp,
dynamic-preprocessors/sf_dynamic_initialize/sf_dynamic_initialize.dsp,
dynamic-preprocessors/sip/sf_sip.dsp,
dynamic-preprocessors/smtp/sf_smtp.dsp,
dynamic-preprocessors/ssh/sf_ssh.dsp,
dynamic-preprocessors/ssl/sf_ssl.dsp,
win32/WIN32-Prj/sf_engine.dsp,
win32/WIN32-Prj/sf_engine_initialize.dsp,
win32/WIN32-Prj/sf_testdetect.dsp, win32/WIN32-Prj/snort.dsp:
Fixed the Win32 build to (1) not use .pch, and (2) correct sed
patterns on ipv6_port.h.

* src/output-plugins/spo_alert_sf_socket.c:
Fixed a problem where Snort's generic IP address structure was being sent by the socket output plugin.
The output plugin now only generates events for IPv4 packets, and is guaranteed to use uint32_t IPv4 addresses for interoperability.

* src/sfutil/: sfrt.c, sfrt.h:
Optimized some memory usage.

* configure.in:
Add check for pkg-config and provide instructions to get it if pkg-config is not installed.

* src/preprocessors/Stream5/: snort_stream5_tcp.c,
stream5_common.h:
Show single segment PAF packets and only short-circuit at
correct sequence.
When aborting PAF, flush at paf_max.
Tweaked retransmission check to use actual sequence numbers
instead of the adjusted sequence numbers.
Changed the pseudo-random flush point after each flush.

* src/snort.c:
Fixed a compilation error when active response is disabled.

* src/snort.h:
Fixed a bug where Snort wouldn't daemonize on OpenBSD if the process was running as root. Thanks to Olaf Schreck for reporting this issue.

* src/preprocessors/: perf-base.c, perf-base.h, perf-event.c,
perf-event.h, perf-flow.c, perf-flow.h, perf.c, perf.h,
spp_perfmonitor.c:
Split out Perfmon submodule Init and Reset, so that everything is
initialized when the Perfmonitor preprocessor is initialized.
Previously, some data was initialized on the first packet.

* src/detection-plugins/sp_tcp_flag_check.c:
Fixed a couple spots where the "1" and "2" flags weren't renamed to "C" and "E". Thanks to Joshua Kinard for reporting the issue and supplying a patch.

* doc/README.sip, doc/snort_manual.pdf, doc/snort_manual.tex,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/spp_sip.h,
preproc_rules/preprocessor.rules, etc/gen-msg.map:
Added a new SIP preprocessor alert for missing content type headers.
Fixed an issue where the SIP preprocessor checked for Stream5 even if the SIP preprocessor was disabled.

* etc/unicode.map:
Updated unicode.map to match the unicode standard on Windows 7 SP1.

* etc/snort.conf:
Sync'ed to VRT's latest snort.conf.

* src/: decode.c, detect.c:
Tweaked the preprocessing loop to bypass app preprocs if no app data.

* src/sfutil/sf_ip.c, src/sfutil/sf_ip.h, src/sfutil/sfrt_dir.c,
src/dynamic-preprocessors/reputation/Makefile.am,
src/dynamic-preprocessors/reputation/reputation_config.h,
src/dynamic-preprocessors/reputation/reputation_utils.c,
src/dynamic-preprocessors/reputation/sf_reputation.dsp,
src/dynamic-preprocessors/reputation/spp_reputation.c,
src/dynamic-preprocessors/reputation/spp_reputation.h,
src/dynamic-preprocessors/reputation/reputation_config.c,
src/dynamic-preprocessors/reputation/reputation_debug.h,
src/dynamic-preprocessors/reputation/reputation_utils.h,
doc/README.reputation, doc/Makefile.am, doc/snort_manual.pdf,
doc/snort_manual.tex, preproc_rules/preprocessor.rules,
src/dynamic-preprocessors/Makefile.am, configure.in,
src/preprocids.h, etc/gen-msg.map:
Added the IP Reputation preprocessor. This preprocessor provides the ability to whitelist and blacklist packets based on IP addresses.
See README.reputation for more information.

* src/: sf_types.h, dynamic-plugins/sf_dynamic_plugins.c,
dynamic-preprocessors/dcerpc2/Makefile.am,
dynamic-preprocessors/dcerpc2/dce2_config.c,
dynamic-preprocessors/dcerpc2/dce2_debug.h,
dynamic-preprocessors/dcerpc2/dce2_paf.c,
dynamic-preprocessors/dcerpc2/dce2_paf.h,
dynamic-preprocessors/dcerpc2/sf_dce2.dsp,
dynamic-preprocessors/dcerpc2/snort_dce2.c:
Added protocol-aware flushing support for the dcerpc2 preprocessor.

* src/dynamic-plugins/sf_convert_dynamic.c:
Added the ability to convert shared object rules that use the preprocessor rule option.

* src/preprocessors/: snort_httpinspect.c, spp_httpinspect.c,
HttpInspect/include/hi_paf.h, HttpInspect/utils/hi_paf.c,
Stream5/snort_stream5_tcp.c:
Don't enable paf unless stream ports configured for the given direction; add "(PAF)" to http inspect ports output to indicate when enabled; and only register port for given direction if corresponding flow depth is set.

Support full 32-bit content-lengths and chunk sizes, and flush/abort when exceeded.

* doc/README.SMTP, doc/snort_manual.tex,
src/dynamic-preprocessors/smtp/smtp_config.h,
src/dynamic-preprocessors/smtp/smtp_util.c,
src/dynamic-preprocessors/smtp/snort_smtp.c,
src/dynamic-preprocessors/smtp/snort_smtp.h,
src/dynamic-preprocessors/smtp/spp_smtp.c:
Fixed performance issue: allocate the buffers used for filename, mailfrom and rcptto logging using mempool ('memcap' used to allocate the mempool).
Added a fatal error when b64_decode_depth is used with enable_mime_decoding.

* src/dynamic-plugins/sf_engine/examples: all rule files:
Fixed compiler warnings.


* configure.in:
Updates to configure.in.
Fix zlib checks to use correctly named variable for checking zlib header and library existence.
Enable IPv6 by default in builds.  Can use --disable-ipv6 to turn it off.
Using --enable-zlib, configure should fail.  snort -V should show IPv6 by default and VRT config should load without modification.

Added a new option, "--enable-large-pcap", which allows Snort to read pcap files that are larger than 2 GB.
Changed the default ./configure options to match the requirements for the bundled snort.conf
* doc/: INSTALL, README.imap, README.pop,
README.SMTP, README.stream5, README.sip, README.tag,
README.http_inspect, README.counts, README.normalize,
snort_manual.pdf, snort_manual.tex:
Updated documentation for Snort 2.9.1:

Added documentation for new SIP, POP and IMAP preprocessors
Updated README.stream5 with documentation for Protocol Aware Flushing (PAF)
Updated README.http_inspect with memcap information, clarified "http_cookie" information, and documentation for "log_uri" and "log_hostname".
Fixed a typo in README.counts
Updated "byte_extract" section to reflect syntax changes
Improved the explanation of "max_queued_events"
Added documentation for the ESP decoder, which is now configurable
Improved the explanation of "rawbytes"
Fixed an incorrect example in README.tag.
* etc/snort.conf:
Synced snort.conf with VRT's latest version.

Added configurations for new preprocessors.
* preproc_rules/: decoder.rules, preprocessor.rules
Added new preprocessor rules for SIP, SMTP, POP, and IMAP.

Added decoder rules 116:453, 116:454, and 116:455. These rules
were formerly covered by VRT rules.
* src/build.h: Updated build number to 46
* src/decode.c:
TCP and UDP decoder rules that require a fully-decoded packet will only fire if the checksum is correct and the port number is not ignored.

ESP decoding is now configurable, and off by default.

The "config enable_decode_oversized_alerts" option now applies to packets where the UDP header claims there is more data than actually exists.
The Teredo decoder now only processes packets in the Teredo prefix
(2001:0000::/32) or the link-local prefix (fe80::/16).
* src/detection-plugins/sp_cvs.c:
Fixed a false positive in the CVS detection plugin.
* doc/snort_manual.tex, src/detection-plugins/sp_byte_extract.c:
Made some changes to the byte_extract syntax:
Writing "string" without a number type defaults to decimal.
The "string" and "hex/dec/oct" options are now independent of each other, like in byte_test and byte_jump. You can write "string,dec", "hex,string", "string,relative,oct", etc.
Specifying one of "hex", "dec", and "oct" without using "string"
results in an error.
byte_extract options can no longer be delimited by spaces. This does not affect "align <num>" or "multiplier <num>".
* src/: parser.c, util.c, util.h,
detection-plugins/sp_base64_decode.c,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c,
dynamic-preprocessors/smtp/smtp_util.c,
preprocessors/HttpInspect/client/hi_client.c,
preprocessors/HttpInspect/server/hi_server.c,
sfutil/sf_base64decode.c, sfutil/sf_base64decode.h:
Changes include the following:
- Attempt dechunking only when transfer-encoding: chunked is present.
- Override the content length with transfer encoding
- SnortStrcasestr uses slen now.
- unfolding : trim spaces when required.
* src/: pcap_pkthdr32.h, preprocessors/spp_frag3.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.h, sfutil/sf_ipvar.c,
sfutil/sf_ipvar.h, sfutil/sf_vartable.c:
Update Frag3/Stream5 to print bound addresses, better descriptions of detect anomalies and port lists.
- Updated Frag3/Stream5 to print bound addresses for IPv6 enabled builds
- Updated Frag3 to print meaningful detect anomalies configuration
- Updated Stream5 to print that there are more ports than those printed.
* src/dynamic-plugins/sf_engine/: Makefile.am, sf_decompression.c,
sf_decompression.h, sf_snort_detection_engine.c,
sf_snort_plugin_api.h:
Added a Decompression API that wraps Zlib for use with dynamic
plugins. See sf_decompression.h for more details.
* src/: fpcreate.c, fpdetect.c, treenodes.h:
Update pattern matcher and sort functions to correctly sort by priority as well as implement sorting by content_length (which was never done with 2.8.2 addition of rule option tree).

Added a warning when max-pattern-len is defined twice.

Packets will no longer be tagged or logged if they are filtered or passed.
* src/preprocessors/Stream5:
Ensured that reassembly doesn't require packet dropping in IPS mode.
The message "additional ports configured but not printed" is only printed when that is actually the case.
* src/snort.c:
fix output of filename / shutdown alerts sequence when iterating over multiple pcaps with --pcap-show --pcap-reset and console alerts (eg -A cmg or
-A console:test).

Fixed an issue with reloading Snort while the default output options were used.

When reading several pcap files with --pcap-dir, Snort will move on
to the next file if one fails to load.
* src/output-plugins/spo_alert_full.c:
Update alert_full to print rule references, regardless of whether
there is TCP/UDP/etc.
* src/output-plugins/spo_log_tcpdump.c:
convert DLT_IPV{4,6} to DLT_RAW for compatibility with libpcap 1.0.0
fix 'mixed decls and code' compiler warning
* src/: decode.h, detect.c, detection_util.c, detection_util.h,
fpcreate.c, fpdetect.c, log.c, log_text.c, parser.h, plugbase.c,
rule_option_types.h, detection-plugins/Makefile.am,
detection-plugins/detection_options.c,
detection-plugins/sp_base64_data.c,
detection-plugins/sp_byte_check.c,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_jump.c,
detection-plugins/sp_file_data.c,
detection-plugins/sp_ftpbounce.c,
detection-plugins/sp_isdataat.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pcre.c, detection-plugins/sp_pkt_data.c,
detection-plugins/sp_pkt_data.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_dynamic_common.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_dynamic_engine.h,
dynamic-plugins/sf_dynamic_plugins.c,
dynamic-plugins/sf_dynamic_preprocessor.h,
dynamic-plugins/sp_dynamic.c, dynamic-plugins/sp_dynamic.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_packet.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c,
dynamic-plugins/sf_engine/examples/detection_lib_meta.h,
dynamic-preprocessors/ftptelnet/pp_ftp.c,
dynamic-preprocessors/ftptelnet/pp_telnet.c,
dynamic-preprocessors/ftptelnet/snort_ftptelnet.c,
dynamic-preprocessors/smtp/smtp_util.c,
dynamic-preprocessors/smtp/snort_smtp.c,
dynamic-preprocessors/smtp/snort_smtp.h,
preprocessors/snort_httpinspect.c,
preprocessors/snort_httpinspect.h,
preprocessors/spp_rpc_decode.c,
preprocessors/HttpInspect/server/hi_server.c,
preprocessors/HttpInspect/server/hi_server_norm.c,
preprocessors/Stream5/snort_stream5_tcp.c:
The "file_data" and "base64_data" rule options now set the buffer
for any rule options that follow them. This applies to both relative and non-relative rule options.

The detection code now uses 3 separate buffers:
- "Alt Detect": set by file_data, base64_data, etc.
- "Alt Decode": set by preprocessor normalization, e.g. HTTP Inspect
- Raw packet data

The AltDetect buffer can also be set by custom .so rules.
* src/parser.c, src/parser.h, src/snort.h, src/output-plugins/spo_unified2.c,
src/sfutil/Unified2_common.h:
IPv6 source and destination addresses are now logged in Unified2 as extra data events. This is configured with "config log_ipv6_extra_data".
* src/dynamic-preprocessors/sip/Makefile.am,
src/dynamic-preprocessors/sip/sf_sip.dsp,
src/dynamic-preprocessors/sip/sip_config.c,
src/dynamic-preprocessors/sip/sip_config.h,
src/dynamic-preprocessors/sip/sip_debug.h,
src/dynamic-preprocessors/sip/sip_dialog.c,
src/dynamic-preprocessors/sip/sip_dialog.h,
src/dynamic-preprocessors/sip/sip_parser.c,
src/dynamic-preprocessors/sip/sip_parser.h,
src/dynamic-preprocessors/sip/sip_roptions.c,
src/dynamic-preprocessors/sip/spp_sip.c,
src/dynamic-preprocessors/sip/spp_sip.h,
src/dynamic-preprocessors/sip/sip_roptions.h,
src/dynamic-preprocessors/sip/sip_utils.c,
src/dynamic-preprocessors/sip/sip_utils.h, doc/README.sip,
etc/gen-msg.map, src/dynamic-preprocessors/sip/test/Makefile.am,
src/dynamic-preprocessors/sip/test/sip_test.c, configure.in,
src/dynamic-preprocessors/Makefile.am:
Added a new preprocessor for SIP traffic.
See README.sip and the Snort Manual for more information.
* src/: dynamic-preprocessors/dcerpc2/dce2_utils.c,
dynamic-preprocessors/dcerpc2/spp_dce2.c,
preprocessors/spp_frag3.c:
Make Frag3 OpenBSD Vuln alert only happen if the frag policy is 'linux' (which includes OpenBSD).  The 'bsd' policy is NOT used for OpenBSD, which is the only OS on which the vulnerability was present.

This reduces false positives to only occur when the frag3 policy is linux and it's an actual Linux system, rather than the alert occurring regardless of frag policy.
* src/: detection-plugins/Makefile.am,
detection-plugins/sp_byte_extract.c,
detection-plugins/sp_byte_extract.h,
dynamic-plugins/sf_convert_dynamic.c,
dynamic-plugins/sf_engine/Makefile.am,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_detection_engine.h,
dynamic-plugins/sf_engine/sf_snort_plugin_api.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h,
dynamic-plugins/sf_engine/sf_snort_plugin_byte.c,
dynamic-plugins/sf_engine/sf_snort_plugin_content.c,
dynamic-plugins/sf_engine/sf_snort_plugin_hdropts.c,
dynamic-plugins/sf_engine/sf_snort_plugin_loop.c,
dynamic-plugins/sf_engine/sf_snort_plugin_pcre.c:
Added support for ByteExtract variables to the .so rule versions of
Content, ByteTest, ByteJump, and isdataat.
* src/: encode.c, preprocessors/spp_normalize.c,
preprocessors/Stream5/snort_stream5_tcp.c,
preprocessors/Stream5/stream5_common.c:
Fixed the TTL on encoded response packets.
* src/: fpcreate.c, fpdetect.c,
detection-plugins/sp_pattern_match.c,
detection-plugins/sp_pattern_match.h,
dynamic-plugins/sf_dynamic_define.h,
dynamic-plugins/sf_engine/sf_snort_detection_engine.c,
dynamic-plugins/sf_engine/sf_snort_plugin_api.h:
Update to not inspect HTTP method buffer with Snort's fast pattern engine.
Rules with only HTTP method content end up as non-content rules.
This eliminates a short cycle of searches with fast pattern on every initial HTTP request.
* src/dynamic-preprocessors/pop/: all files
Added a new preprocessor for POP traffic.
See README.pop for more information.
* src/dynamic-preprocessors/imap/: all files
Added a new preprocessor for IMAP traffic.
See README.imap for more information.
* src/sfutil/: sf_email_attach_decode.c, sf_email_attach_decode.h:
Base64 decoding was moved to its own section in sfutil, for use by the new email preprocessors.

Added support for uuencoded email attachments.
* src/dynamic-preprocessors/sdf/spp_sdf.c:
The Sensitive Data preprocessor now inspects the "file_data" buffer, used for HTTP response bodies & decoded email attachments.
* src/: snort.c, preprocessors/spp_stream5.c,
preprocessors/stream_api.h:
Update Snort to return a DAQ verdict of whitelist (meaning don't send Snort any more packets) for sessions that are being ignored in both directions or ports that are configured to ignore.  For DAQ modules and hardware that supports it, this should result in a performance gain because Snort no longer has to decode packets that are part of that connection.
* src/util.c:
Added an error message when opening a pid file fails.
* src/preprocessors/HttpInspect/: client/hi_client.c,
server/hi_server.c:
The Set-Cookie: and Cookie: header names won't be included in the cookie buffers.
* configure.in, src/active.c, src/active.h, src/decode.h,
src/encode.c, src/encode.h, src/log_text.c, src/log_text.h,
src/parser.c, src/parser.h, src/sf_types.h, src/sfdaq.c,
src/sfdaq.h, src/snort.h, src/snort_debug.h,
src/detection-plugins/sp_react.c,
src/detection-plugins/sp_respond3.c,
src/dynamic-plugins/sf_dynamic_define.h,
src/dynamic-plugins/sf_engine/sf_snort_packet.h,
src/preprocessors/snort_httpinspect.c,
src/preprocessors/spp_httpinspect.c,
src/preprocessors/spp_stream5.c, src/preprocessors/stream_api.h,
src/preprocessors/HttpInspect/Makefile.am,
src/preprocessors/HttpInspect/include/Makefile.am,
src/preprocessors/HttpInspect/include/hi_paf.h,
src/preprocessors/HttpInspect/mode_inspection/hi_mi.c,
src/preprocessors/HttpInspect/server/hi_server.c,
src/preprocessors/HttpInspect/utils/Makefile.am,
src/preprocessors/HttpInspect/utils/hi_paf.c,
src/preprocessors/Stream5/Makefile.am,
src/preprocessors/Stream5/snort_stream5_icmp.c,
src/preprocessors/Stream5/snort_stream5_session.c,
src/preprocessors/Stream5/snort_stream5_tcp.c,
src/preprocessors/Stream5/snort_stream5_tcp.h,
src/preprocessors/Stream5/snort_stream5_udp.c,
src/preprocessors/Stream5/stream5_common.c,
src/preprocessors/Stream5/stream5_common.h,
src/preprocessors/Stream5/stream5_paf.c,
src/preprocessors/Stream5/stream5_paf.h, src/sfutil/sf_textlog.h:
Added support in Stream5 for Protocol Aware Flushing (PAF). PAF allows Snort to statefully scan a stream and reassemble a complete PDU regardless of segmentation.

Added PAF support to HTTP Inspect, allowing the preprocessor to determine when HTTP sessions are flushed by Stream5.

See README.stream5 for more details.
* src/preprocessors/: stream_ignore.h, stream_ignore.c,
Stream5/snort_stream5_udp.c:
Added support for ignoring UDP channels. A lightweight session will be created to track the UDP channel, even when its ports are not monitored.
* src/win32/: most files
Updated Snort and its libraries to build/link against MFC.
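As an added illustration of what the PAF entry above describes (example code, not Snort's own), a small Python flusher that scans HTTP response data segment by segment, bounds each PDU with Content-Length, flushes the complete PDU however the TCP segments split it, and falls back to flushing on size at a paf_max-style limit. The sample responses and segment boundaries are constructed.

```python
import re

# Stand-in for "config paf_max"; the 2.9.1 snort.conf template sets 16000.
PAF_MAX = 16000


class HttpResponsePaf:
    """Toy protocol-aware flusher for HTTP responses (not Snort's code).

    TCP segments are appended as they arrive. As soon as the buffer holds
    the full header block plus Content-Length bytes of body, that complete
    PDU is flushed as one unit, however the segments happened to split it.
    If no PDU boundary can be found within paf_max bytes, the buffer is
    flushed at paf_max anyway, which is the bound "config paf_max" sets.
    """

    def __init__(self, paf_max=PAF_MAX):
        self.paf_max = paf_max
        self.buf = b""
        self.flushed = []      # complete PDUs, in order
        self.size_flushes = 0  # flushes forced by paf_max, not by the protocol

    def feed(self, segment):
        """Add one TCP segment's payload and return all PDUs flushed so far."""
        self.buf += segment
        self._scan()
        return list(self.flushed)

    def _scan(self):
        while self.buf:
            hdr_end = self.buf.find(b"\r\n\r\n")
            if hdr_end >= 0:
                m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$",
                              self.buf[:hdr_end])
                body_len = int(m.group(1)) if m else 0
                pdu_len = hdr_end + 4 + body_len
                if pdu_len <= self.paf_max:
                    if len(self.buf) < pdu_len:
                        return            # wait for more segments
                    self._flush(pdu_len)
                    continue
            # No boundary yet (or PDU too large to bound): flush on size only.
            if len(self.buf) < self.paf_max:
                return
            self._flush(self.paf_max)
            self.size_flushes += 1

    def _flush(self, n):
        self.flushed.append(self.buf[:n])
        self.buf = self.buf[n:]


# Constructed sample traffic: two responses, later split so that one
# segment boundary lands mid-header and another mid-body.
SAMPLE_RESP1 = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 28\r\n\r\n<html><body>hi</body></html>")
SAMPLE_RESP2 = b"HTTP/1.0 404 Not Found\r\nContent-Length: 9\r\n\r\nnot found"


def reassemble(segments, paf_max=PAF_MAX):
    """Feed segments through the flusher; return (pdus, size_flushes)."""
    paf = HttpResponsePaf(paf_max)
    for seg in segments:
        paf.feed(seg)
    return paf.flushed, paf.size_flushes


def demo():
    stream = SAMPLE_RESP1 + SAMPLE_RESP2
    return reassemble([stream[:20], stream[20:70], stream[70:]])


if __name__ == "__main__":
    for pdu in demo()[0]:
        print(pdu.split(b"\r\n", 1)[0], len(pdu), "bytes")
```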


VRT Rule Update for 08/23/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 57 new rules and make modifications to 153 additional rules.

This rule package also includes support for the 2.9.1.0 version.

The following changes are made to the snort.conf in this release; with so many changes, we recommend rebuilding your snort.conf from a 2.9.1.0 template:

Updated HTTP_PORTS variable:
portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1830,2301,2381,2809,3128,3702,4343,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8118,8123,8180,8181,8243,8280,8800,8888,8899,9080,9090,9091,9443,9999,11371,55555]

New SIP_PORTS variable
portvar SIP_PORTS [5060,5061,5600]

New IP Blacklist variables:
var WHITE_LIST_PATH rules/
var BLACK_LIST_PATH rules/


New PAF configuration line (VERY IMPORTANT!)
config paf_max: 16000

Updated stream5 configuration:
ports both 80 81 311 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7907 7001 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8118 8123 8180 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555

Updated HTTP_INSPECT configuration lines:
http_methods { GET POST PUT SEARCH MKCOL COPY MOVE LOCK UNLOCK NOTIFY POLL BCOPY BDELETE BMOVE LINK UNLINK OPTIONS HEAD DELETE TRACE TRACK CONNECT SOURCE }
and
ports { 80 81 311 591 593 901 1220 1414 1830 2301 2381 2809 3128 3702 4343 5250 7001 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8118 8123 8180 8181 8243 8280 8800 8888 8899 9080 9090 9091 9443 9999 11371 55555 }

Updated SMTP preprocessor configuration lines:
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0 \
log_mailfrom \
log_rcptto \
log_filename \
log_email_hdrs


Finally, new preprocessor configurations:

# SIP Session Initiation Protocol preprocessor. For more information see README.sip
preprocessor sip: max_sessions 40000, \
ports { 5060 5061 5600 }, \
methods { invite \
cancel \
ack \
bye \
register \
options \
refer \
subscribe \
update \
join \
info \
message \
notify \
benotify \
do \
qauth \
sprack \
publish \
service \
unsubscribe \
prack }, \
max_uri_len 512, \
max_call_id_len 80, \
max_requestName_len 20, \
max_from_len 256, \
max_to_len 256, \
max_via_len 1024, \
max_contact_len 512, \
max_content_len 2048

# IMAP preprocessor. For more information see README.imap
preprocessor imap: \
ports { 143 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0

# POP preprocessor. For more information see README.pop
preprocessor pop: \
ports { 110 } \
b64_decode_depth 0 \
qp_decode_depth 0 \
bitenc_decode_depth 0 \
uu_decode_depth 0

# Reputation preprocessor. For more information see README.reputation
preprocessor reputation: \
memcap 500, \
priority whitelist, \
nested_ip inner, \
whitelist $WHITE_LIST_PATH/white_list.rules, \
blacklist $BLACK_LIST_PATH/black_list.rules
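As an added illustration of how the reputation preprocessor's priority and nested_ip settings above interact (example code, not Snort's own), a Python model that loads constructed whitelist and blacklist bodies and decides per packet; the list contents, the (src, dst) packet shape and the verdict names are assumptions.

```python
import ipaddress

# Constructed stand-ins for the bodies of white_list.rules and
# black_list.rules: one CIDR per line, '#' starts a comment. 192.0.2.10 is
# deliberately on both lists, the situation "priority" exists to settle.
WHITE_LIST_TEXT = """
# trusted scanner range (constructed sample)
192.0.2.0/24
"""
BLACK_LIST_TEXT = """
192.0.2.10/32        # also inside the whitelisted /24
198.51.100.0/24
"""


def load_list(text):
    """Parse a list body into ip_network objects, ignoring comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


class Reputation:
    """Model of the reputation lookup (illustrative, not Snort's code).

    priority: which list wins when an address is on both.
    nested_ip: for tunnelled traffic, check the inner header, the outer
    header, or both.
    """

    def __init__(self, white_text, black_text,
                 priority="whitelist", nested_ip="inner"):
        if priority not in ("whitelist", "blacklist"):
            raise ValueError("priority must be whitelist or blacklist")
        if nested_ip not in ("inner", "outer", "both"):
            raise ValueError("nested_ip must be inner, outer or both")
        self.white = load_list(white_text)
        self.black = load_list(black_text)
        self.priority = priority
        self.nested_ip = nested_ip

    def classify_ip(self, ip_str):
        """Return 'whitelist', 'blacklist' or None for a single address."""
        ip = ipaddress.ip_address(ip_str)
        on_white = any(ip in n for n in self.white)
        on_black = any(ip in n for n in self.black)
        if on_white and on_black:
            return self.priority
        return "whitelist" if on_white else "blacklist" if on_black else None

    def verdict(self, outer, inner=None):
        """Decide for one packet. `outer` and optional `inner` are (src, dst)
        address pairs. Returns 'whitelist' (trusted, skip inspection),
        'blacklist' (block) or 'pass' (unlisted, inspect normally)."""
        pairs = [outer]
        if inner is not None and self.nested_ip == "inner":
            pairs = [inner]
        elif inner is not None and self.nested_ip == "both":
            pairs = [outer, inner]
        hits = {self.classify_ip(ip) for pair in pairs for ip in pair} - {None}
        if not hits:
            return "pass"
        return self.priority if len(hits) == 2 else hits.pop()
```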

The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, netbios, policy, smtp, specific-threats, spyware-put, sql and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, August 19, 2011

The HTML Snort Manual

It's back by popular demand!

One of the biggest requests I received when I took over the Community Management position was to get the HTML'ized Snort Manual back online, so...

Without further ado, here it is:  http://manual.snort.org

It's also linked from: http://www.snort.org/docs

Tuesday, August 16, 2011

Snort 2.9.1's status

We know a lot of people have been patiently waiting for the impending 2.9.1 release. We did have it scheduled for this week, however, during final regression testing we uncovered some issues that we need to address before the final release.

So, we have re-targeted the Snort 2.9.1 release for early next week to give us time to fix the issues and re-test everything. As always, we'll publish a blog post about the release when it comes to fruition and we'll be following that up over the next few weeks, with several blog posts regarding the new functionality and features.

Thanks for your patience and for using Snort.

Monday, August 15, 2011

Snort 2.9.1 is coming soon!

Snort 2.9.1, which came out in RC form last month, is getting ready to ship, so I thought I'd put out the release notes.  There are a lot of changes in there that will affect how certain rules will work, especially when it comes to HTTP and DCE reassembly.  So make sure and read up on PAF!

We've also had a lot of positive feedback about the new IP reputation preprocessor, so we are really looking forward to seeing how users are going to put it to work in their environment.


[*] New Additions
* HTTP aware TCP reassembly support within HTTP Inspect and
Stream5, allowing Snort to more intelligently inspect HTTP
requests and responses. See README.stream5 subsection
related to Protocol Aware Flushing (PAF).

* SIP preprocessor to identify SIP call channels and provide
rule access via new rule option keywords. See the Snort
Manual and README.sip for details.

* POP3 & IMAP preprocessors to decode email attachments in
Base64, Quoted Printable, and uuencode formats, and updates
to SMTP preprocessor for decoding email attachments encoded
as Quoted Printable and uuencode formats. See the Snort
Manual, README.pop, README.imap, and README.SMTP for details.

* Add support for reading large pcap files.

* IP Reputation preprocessor, allowing Snort to blacklist or
whitelist packets based on their IP addresses. This
preprocessor is still in an experimental state, so please
report any issues to the Snort team.
See README.reputation for more information.

* DCE aware TCP reassembly has been added to the dcerpc2 preprocessor.
See README.stream5 subsection related to Protocol Aware Flushing (PAF).

[*] Improvements
* Logging of HTTP URL (host and filename), SMTP attachment
filenames and email recipients when Snort generates events
on related traffic.

* Updates to give shared library rules direct access to gzip
decoding capabilities.

* Rule Option Improvements:

- Updates to content modifier http_cookie to not include
the HTTP header names themselves in the buffer. This change
may affect existing rules that leverage this keyword.

- Updates to the file_data and base64_data rule option keywords
and added a pkt_data rule option keyword that sets the buffer
to be used for subsequent content/pcre/etc rule options.

- Updates to the tcp flag rule option keyword to support 'C'
and 'E' for CWR and ECN bits.

- Updates to byte_extract rule option keyword to support
the same string formats as with byte_test and byte_jump.

* Updates to Snort's build infrastructure and autoconf script
for portability and improved checks for library dependencies.

* Many updates and improvements to the Snort documentation. Special
thanks to all of the contributors from the Snort community for
working with us and making the documentation more accurate and
usable.

* Updates to the sensitive data preprocessor for handling HTTP
traffic and reducing false positives.

* Updates to Snort's config parsing to give more meaningful
error messages relating to snort.conf errors and configuration
display at startup.

* Updates to Snort's active response packets whether via response
keyword or part of inline normalization.

* Improvements to HTTP Inspect processing of chunked HTTP data.

* Updates to the statistics Snort prints to console or syslog
at exit for different preprocessors.

* To facilitate easier building of Snort on many of the different
platforms supported, Snort now uses pkg-config to check for
certain library locations. Obtain pkg-config from freedesktop.org.

* HTTP Inspect has new options to detect the following anomalies:
- Excessive whitespace in a folded header line
- Series of HTTP chunks with small lengths

* SIP preprocessor has new alerts for the following anomalies:
- Invalid SIP version
- Unknown SIP method
- SIP method mis-match
- Missing content-type header

* Several bug fixes for Stream5's Protocol Aware Flushing

* Fixed a bug where the socket output plugin sent the wrong data when
IPv6 was enabled

* Other bug fixes, see ChangeLog for more details.

Swinedroid

Two weeks ago at Defcon, several of the VRT were waiting to grab a cab, and the author of this tool saw our Sourcefire shirts and wanted to show us this tool he wrote to be able to monitor Snort alerts on an Android Phone!  So after a business card and email exchange or two, I'd like to introduce you to Swinedroid!


Swinedroid is an Android Snort monitoring application.  It has a client and server-side component, and works for Snort setups logging to PostgreSQL and MySQL.  It's available on the Android market currently, and the source is available here:

https://github.com/Hainish/Swinedroid

Great job Hainish!

Dynamic Preprocessor Starter Kit

Ever since the introduction of dynamic preprocessors there have been a lot of questions and interest over the years on how to get started and develop a dynamic preprocessor for Snort.

Well, today is the day you've been waiting for developers!

Our own Russ Combs has put together the Dynamic Preprocessor Starter Kit, or "dpx" for short, to enable developers to get started writing their own dynamic preprocessors.

Please take a look at the brand new DPX page over on the Snort.org website to get started!

New Snort 3rd Party project is listed: iBlock

The author of this project, Roberto Zarrelli, wrote me last week while I was at the GFirst conference to notify me that his new project "iBlock" (for "Intrusion Block") is now listed on Sourceforge.

A short description of the project:

This tool is a small Linux Daemon that greps the Snort Alert file and blocks the offending hosts via iptables for a given amount of time. iBlock supports the whitelisting of IP addresses so those IPs will never be blocked.

iBlock is now listed on our 3rd Party projects page on Snort.org, and a link to Roberto's project directly on Sourceforge is here.

Thanks Roberto for your submission, we're all hoping that your project does well!

Thanks to all of the 3rd party projects surrounding Snort!

VRT Rule Update for 08/11/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 20 new rules and make modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, smtp, specific-threats, spyware-put, tftp, and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 9, 2011

SQueRT 0.9.2 Released

## CHANGELOG:

# Squert 0.9.2

* Added 'last time' indicators to summary tab (see the main screenshot for ex.)
* Fixed display logic when viewing spans on summary tab
* Added record count selector to summary tab
* Changed country and signature charts to donut variant. Cleaner
* Truncate long key entries for country and signature charts
* Countries were not being filtered correctly when added to the
exclude filter. This has been fixed

## Screenshots

http://www.squertproject.org/screenshots

## Demo server:

I have an interested party (Thanks AD). Now just need to bring it online.

## You can download it here:

http://www.squertproject.org/download

VRT Rule Update for 08/09/2011, MS Tuesday, and Adobe Coverage

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 33 new rules and make modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation and Adobe Inc.

Details:
Microsoft Security Advisory MS11-057:
Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19666 through 19672.

Microsoft Security Advisory MS11-058:
The Microsoft implementation of DNS contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19677.

Microsoft Security Advisory MS11-059:
The Microsoft Data Access Components (MDAC) contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 19673 and 19674.

Microsoft Security Advisory MS11-060:
Microsoft Visio contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19675 and 19676.

Microsoft Security Advisory MS11-061:
Microsoft Remote Desktop Web Access contains a programming error that may allow a remote attacker to execute a cross site scripting attack.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19665.

Microsoft Security Advisory MS11-062:
The Microsoft Remote Access Service NDISTAPI driver contains a programming error that may allow a remote attacker to gain privileges on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19679.

Microsoft Security Advisory MS11-063:
The Microsoft Windows Client/Server Run-time Subsystem contains a programming error that may allow a remote attacker to gain privileges on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19680.

Microsoft Security Advisory MS11-064:
The Microsoft implementation of the TCP/IP stack contains programming errors that may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting these vulnerabilities is included in this release and is identified with GID 1, SID 19678.

Additionally, a previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 17410.

Microsoft Security Advisory MS11-066:
A programming error in the Microsoft .NET framework may lead to unauthorized information disclosure.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19694.

Microsoft Security Advisory MS11-067:
Microsoft Report Viewer contains a programming error that may lead to unauthorized information disclosure.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19681.

Adobe Security Bulletin APSB11-21:
Adobe Flash Player contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 19682 through 19693.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, August 3, 2011

VRT Rule Update for 08/03/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 9 new rules and make modifications to an additional rule.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT is aware of a programming error in the TimThumb plugin for WordPress that may allow a remote attacker to execute code on an affected system. The vulnerability is present in the timthumb.php script, which does not correctly process user-supplied input, allowing a remote attacker to upload content of their choosing into a directory, which can then be executed by the attacker.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 19653.

Additionally, the Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc and exploit rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 2, 2011

VRT Rule Update for 08/02/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 31 new rules and make modifications to an additional 2.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, exploit, policy and web-activex rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!