Friday, October 28, 2011

Snort 2.8.6.1 isn't EOL yet!

This mornings post (and the previous week's posts) were in error.  Snort 2.8.6.1's EOL date is 90 days past the release of 2.9.1.

Snort 2.9.1 was released on August 23rd.  That places our 90 day window at November 23rd.  We apologize for any panic and inconvenience this may have caused.

We do highly recommend you take the next month to upgrade to Snort 2.9.1.2.  It should be our last release (unless something catastrophic comes up) until Snort 2.9.2.

Again, apologies.

Thursday, October 27, 2011

VRT Rule Release for 10/27/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 137 new rules and made modifications to 707 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the netbios, oracle, voip and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 26, 2011

Razorback 0.3 has been released!

Please see the article over on the VRT Blog about Razorback's 0.3 release.

We're excited to see all the new uses that people are dreaming up for Razorback, and look forward to the feedback!

Check out the article here: http://blog.talosintel.com/2011/10/razorback-03-released.html

Thursday, October 20, 2011

VRT Rule release for 10/20/2011, Snort 2.9.1.2

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 1003 additional rules. In this rulepack we also introduce support for Snort 2.9.1.2.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 18, 2011

The VRT is looking for more good test environments.

Over the years we have developed a large rule test environment, both internally at Sourcefire and externally with test sensors and customer networks. We are looking to expand this trusted group of Snort rule contributors. When we have a rule we'd like to deploy "in the wild" we will send these rules into these environments. We're looking to expand this group another 20 or so.

This group needs to have a large variety of things on the network.  Servers, clients, Windows, Macs, Linux, malware, the works. .EDU, .MIL, .GOV, .COM. These need to be large environments with lots of diversity. The rules we send to you will be governed under the VRT license, and may or may not make it into the official VRT ruleset.

You will be required to sign a NDA with us in order to be a part of this group, because in addition, as an added benefit to being a member of this group, we’ll be giving you access to our blacklist IP ruleset. This ruleset used by the IP reputation preprocessor currently contains about 3 Million IPs, and will change by approximately 20,000 to 100,000 per day.

Information we'd need back from you:

  • Performance of the rule.
  • Detection of the rule (Is it false positive prone? Is it useful to you?)
  • The ability to grab full session packet captures of traffic, if needed.
  • The ability to provide the packet captures to us, of course, under the NDA.


As a reward, we will receive a free VRT subscription, Tshirts, calendars, and of course, access to the blacklist IP feed.

If you are interested, please respond back to me, personally, at jesler@sourcefire.com. Please do not respond to the list, to preserve your anonymity.

VRT Rule release for 10/18/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 4 new rules and make modifications to 526 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dos, exploit, netbios, oracle, policy, specific-threats, web-activex, and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, October 14, 2011

A Comparison of 3 Popular Snort GUIs

James Lay, an outstanding Snort Community Member, sent me this great comparison of three popular Snort GUIs:

  • BASE 1.4.5
  • Snorby 2.3.9
  • SQueRT 0.9.2
I've posted it on http://snort.org/docs as well, but for those of you that would like a direct link:

https://www.snort.org/documents/29

I'd like to take the time to thank James for the time he took to set all three of these up and compare the two.

If anyone would like to add another Snort GUI that you use to this matrix, please send me the name of the product, version, and the points as laid out in the document.  If you'd like to add some fields, that'd be fine too.

Tuesday, October 11, 2011

VRT Rule Update for 10/11/2011, MS Tuesday

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 48 new rules and make modifications to 20 additional rules.

There were two changes made to the snort.conf in this release.  Since the last of the Shared Object rules have been moved out of the pop3 and sql categories, the following two files are removed from the snort.conf:

# include $SO_RULE_PATH/pop3.rules
# include $SO_RULE_PATH/sql.rules


In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Advisory MS11-075:
The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20253 and 20254.

Microsoft Security Advisory MS11-076:
The Microsoft Windows Media Player contains a vulnerability that may allow a remote attacker to execute code on an affected system via the loading of a dynamic-link library from a remote location.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 18496 and 18497.

Microsoft Security Advisory MS11-077:
The Microsoft Windows operating system contains a vulnerability that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20261 and 20269.

Microsoft Security Advisory MS11-078:
Microsoft Silverlight contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20255.

Microsoft Security Advisory MS11-079:
Microsoft Forefront contains programming errors that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 20256 through 20260 and 20272.

Microsoft Security Advisory MS11-080:
The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20270.

Microsoft Security Advisory MS11-081:
Microsoft Internet Explorer contains multiple vulnerabilities that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 20262 through 20268 and 20273.

Microsoft Security Advisory MS11-082:
The Microsoft Host Integration Server contains a vulnerability that may allow a remote attacker to cause a Denial of Service (DoS) against a vulnerable host.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 20271.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 6, 2011

Snort 2.9.1.1 Manuals are updated

The PDF documentation available at http://www.snort.org/docs as well as the HTTP manual at http://manual.snort.org have been updated to Snort 2.9.1.1.

Snort 2.9.1.1 has been posted!

As noted earlier today in the "release notes" post, we've just released Snort 2.9.1.1, as well as a new version of DAQ.

This release introduces a number of bug fixes, as well as introducing unicode, "zlib deflated", and "raw compress" data decoding to the http_inspect preprocessor and the file_data keyword.

Snort 2.9.1.1 is available immediately from the Snort download site.

To make installation easier for our users, you simply need to compile Snort with
./configure --enable-sourcefire

We'll be working with our community documentation writers in order to update the documentation to reflect this information.

VRT Rule release for 10/06/2011, Snort 2.9.1.1

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we didn't introduce any new rules and made modifications to 16 additional rules. In this rulepack we also introduce support for Snort 2.9.1.1.

There were minor changes made to the snort.conf in this release:

max_spaces 0
small_chunk_length { 10 5 }


Were inserted into the http_inspect preprocessor configuration.
and

uu_decode_depth 0



was inserted into the SMTP preprocessor configuration. (Note the lowercase "d" in depth)

These changes are included in the etc/ directory of the VRT tarball for subscribers. If you are a registered Snort user, you may make the changes manually to your Snort.conf as seen above, or you can download the 2.9.1.1 snort.conf here.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the p2p rule set to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.1.1 Release Notes

As mentioned on Twitter yesterday, we will be releasing Snort 2.9.1.1 today.  I'll have an additional post when it is released along with the accompanying VRT rule release.

In the meantime here are the release notes:


2011-10-05 - Snort 2.9.1.1
[*] New Additions
  * Added the ability to use shared memory (linux only) for the
    experimental IP reputation preprocessor. See README.reputation for details.

  * Added a Unix control socket (linux only), used to issue commands to
    running Snort processes. Currently, it is only used by the IP
    Reputation preprocessor for communication regarding the shared memory.
    See the Snort Manual and the tools/control directory for more details.

[*] Improvements
  * Improved HTTP Inspect and rule processing for both raw compress
    and zlib deflated data. Expanded coverage of normalization for
    Unicode encoded data.

  * Updated HTTP Inspect PAF support to better handle HTTP 1.1 responses.

Tuesday, October 4, 2011

VRT Rule Update for 10/04/2011

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduce 20 new rules and make modifications to 152 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the backdoor, bad-traffic, botnet-cnc, chat, deleted, dns, dos, exploit, ftp, netbios, policy, rpc, smtp, specific-threats, sql, web-activex, and web-misc rule sets to provide coverage for emerging threats from these
technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, October 3, 2011

Sourcefire - SC Award Nominee for Best IPS/IDS and Best Cloud Security

"It’s crunch time for security enthusiasts who are preparing for next year’s RSA Conference in San Francisco. One key item is gearing up for the SC Awards - ‘the Oscars’ of the week’s events - which honors best-in-class security products.

Each year the SC Awards honor companies whose products have most strongly contributed to the security and reliability of North America’s IT industry. Sourcefire is honored to have been nominated in two categories:

1. Best IPS/IDS for our breadth of IPS solutions
2. Best Cloud Security for our Virtual 3D sensor

The voting process runs through October 7. Voting is open to SC Magazine subscribers who are security end users and practitioners - 25,000 of which have been pre-approved by the magazine.

If you fit into this description, and truly believe that Sourcefire technologies are the best of the best, please vote today.

Finalists for all categories will be announced the first week of November and the winners will be announced on Feb. 28, 2012, at the SC Awards U.S. Dinner at RSA Conference in San Francisco.

Wish us luck!"

-- Marc Solomon
Originally posted here.  Reposted for the Snort.org audience.