Thursday, August 30, 2012

Sourcefire VRT Certified Snort Rules Update for 08/30/2012, Rule Re-Categorization

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/30/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 24 new rules and made modifications to 43 additional rules.

The following changes were made to the snort.conf in this release:

include $RULE_PATH/app-detect.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-firefox.rules
include $RULE_PATH/browser-ie.rules
include $RULE_PATH/browser-other.rules
include $RULE_PATH/browser-webkit.rules
include $RULE_PATH/exploit-kit.rules
include $RULE_PATH/file-executable.rules
include $RULE_PATH/file-flash.rules
include $RULE_PATH/file-image.rules
include $RULE_PATH/file-multimedia.rules
include $RULE_PATH/malware-backdoor.rules
include $RULE_PATH/malware-cnc.rules
include $RULE_PATH/malware-other.rules
include $RULE_PATH/malware-tools.rules
include $RULE_PATH/policy-multimedia.rules



In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
app-detect, botnet-cnc, browser-chrome, browser-firefox, browser-ie,
browser-other, browser-webkit, exploit, exploit-kit, file-executable,
file-flash, file-identify, file-image, file-multimedia, file-office,
file-other, indicator-compromise, malware-backdoor, malware-cnc,
malware-other, malware-tools, smtp, specific-threats, spyware-put,
web-activex, web-client and web-php rule sets to provide coverage for
emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Rule Category Reorganization Phase 2

Back in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to realign the rules into an easier-to-understand category structure.

We are continuing that effort with the VRT’s newest rule release, adding the following categories:

APP-DETECT -- This category contains rules that look for, and control, the traffic of certain applications that generate network activity.

BROWSER-CHROME -- This category contains detection for vulnerabilities present in the Chrome browser. (This is separate from the "Webkit" category: Chrome has enough vulnerabilities to be broken out into its own category, and while it uses the Webkit rendering engine, there are many other features to Chrome.)

BROWSER-FIREFOX -- This category contains detection for vulnerabilities present in the Firefox browser, or products that use the "Gecko" engine (the Thunderbird email client, etc.).

BROWSER-IE -- This category contains detection for vulnerabilities present in the Internet Explorer browser (Trident or Tasman engines).

BROWSER-WEBKIT -- This category contains detection for vulnerabilities present in the Webkit browser engine (aside from Chrome); this includes Apple's Safari and the browsers from RIM, Nokia, KDE, and Palm.

BROWSER-OTHER -- This category contains detection for vulnerabilities in other browsers not listed above (e.g. Opera).

EXPLOIT-KIT -- This category contains rules that are specifically tailored to detect exploit kit activity (Blackhole, Phoenix, etc.).

FILE-EXECUTABLE -- This category contains rules for vulnerabilities that are found in or are delivered through executable files, regardless of platform.

FILE-FLASH -- This category contains rules for vulnerabilities that are found inside of Flash files, either compressed or uncompressed, regardless of delivery method or software being attacked.

FILE-IMAGE -- This category contains rules for vulnerabilities that are found inside of image files, regardless of delivery method, software being attacked, or type of image file (jpg, png, gif, bmp, etc.).

FILE-MULTIMEDIA -- This category contains rules for vulnerabilities present inside of multimedia files (mp3, movies, wmv).

MALWARE-BACKDOOR -- This category contains rules that detect traffic destined to known listening backdoor command channels. If a piece of malicious software opens a port and waits for incoming commands for its control functions, this type of detection should be placed here. A simple example would be detection for BackOrifice, which listens on a specific port and then executes the commands it is sent. Another example would be SubSeven, a VNC-like application that allows the remote attacker to control the victim's computer.

MALWARE-CNC -- This category contains known malicious command and control activity for identified botnet traffic. This includes call home, downloading of dropped files, and exfiltration of data.

MALWARE-TOOLS -- This category contains rules that deal with tools that can be considered malicious in nature. For example, LOIC.

MALWARE-OTHER -- This category contains rules that are malware related, but don't fit into one of the other 'malware' categories.

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected; these tools handle the transition just fine. The only way you will be affected when using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules: an entry naming a category no longer covers rules that have moved out of it into one of the new categories, so review those entries after updating.
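As an added example covering both the snort.conf include changes listed at the top of this post and the enablesid.conf/disablesid.conf caveat just above (this is not Snort's, PulledPork's or Oinkmaster's own code), the script below reads the categories a snort.conf actually includes, diffs them against an older copy, and flags whole-category entries in a PulledPork-style sid conf that no longer match anything, plus new categories that have no entry at all. The entry syntax it accepts (gid:sid lists, gid:sid-gid:sid ranges, one pcre: pattern per line, bare category names, '#' comments) follows the examples documented in PulledPork's own conf files, but the parser is an approximation of PulledPork's, not a copy; the snort.conf and disablesid.conf snippets embedded in it are constructed samples, not real files.

```python
"""
Audit PulledPork-style enablesid.conf / disablesid.conf entries against the
categories a snort.conf actually includes.  Added example; this is not code
from the Snort project or from PulledPork.  The entry syntax handled here
(gid:sid lists, gid:sid-gid:sid ranges, one pcre: pattern per line, bare
category names, '#' comments) follows the documented examples in PulledPork's
conf files, but the parser is an approximation of PulledPork's, not a copy.
"""
import re

# The includes the 08/30/2012 release added to snort.conf (from the post above).
NEW_CATEGORIES_2012_08_30 = [
    "app-detect", "browser-chrome", "browser-firefox", "browser-ie",
    "browser-other", "browser-webkit", "exploit-kit", "file-executable",
    "file-flash", "file-image", "file-multimedia", "malware-backdoor",
    "malware-cnc", "malware-other", "malware-tools", "policy-multimedia",
]

_INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/([\w.-]+)\.rules\s*$")
_SID_RE = re.compile(r"^\d+:\d+(?:-\d+:\d+)?$")


def categories_from_snort_conf(text):
    """Categories pulled in via 'include $RULE_PATH/<cat>.rules'.

    Commented-out includes do not match and so are not counted as live."""
    return {m.group(1) for m in map(_INCLUDE_RE.match, text.splitlines()) if m}


def category_diff(old_text, new_text):
    """(added, removed) categories between two snort.conf versions."""
    old, new = categories_from_snort_conf(old_text), categories_from_snort_conf(new_text)
    return sorted(new - old), sorted(old - new)


def parse_sid_conf(text):
    """Split an enablesid/disablesid file into (sid_specs, pcre_patterns, categories)."""
    sids, pcres, cats = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0]   # drop a trailing comment
        if line.lower().startswith("pcre:"):            # whole line is one regex
            pcres.append(line[5:].strip())
            continue
        for tok in (t.strip() for t in line.split(",")):
            if tok:
                (sids if _SID_RE.match(tok) else cats).append(tok)
    return sids, pcres, cats


def stale_category_refs(sid_conf_text, snort_conf_text):
    """Category entries that match no rules file the snort.conf includes.

    After a re-categorization such entries silently stop doing anything."""
    _, _, cats = parse_sid_conf(sid_conf_text)
    live = categories_from_snort_conf(snort_conf_text)
    return sorted({c for c in cats if c not in live})


def unreferenced_new_categories(sid_conf_text, new_categories=NEW_CATEGORIES_2012_08_30):
    """New categories with no whole-category entry; rules moved into them are no
    longer covered by an entry naming their old category."""
    _, _, cats = parse_sid_conf(sid_conf_text)
    return sorted(c for c in new_categories if c not in set(cats))


# --- constructed sample input; not real files from any sensor -----------------
SAMPLE_SNORT_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/browser-ie.rules
include $RULE_PATH/exploit-kit.rules
include $RULE_PATH/malware-cnc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/policy-social.rules
# include $RULE_PATH/chat.rules
"""

SAMPLE_DISABLESID = """\
# whole categories this sensor does not want
policy-social,spyware-put   # spyware-put is not included in the sample conf
# individual rules and a range
1:2000,1:2001,3:13010-3:13013
pcre:fwsam
"""

if __name__ == "__main__":
    print("stale category entries:", stale_category_refs(SAMPLE_DISABLESID, SAMPLE_SNORT_CONF))
    print("new categories without an entry:", unreferenced_new_categories(SAMPLE_DISABLESID))
```

Run it against your own snort.conf and sid conf files after each rule update; a non-empty "stale" list means a category-level enable/disable is no longer doing anything, and the "new categories" list tells you which of the re-categorized rule files you have not yet made a decision about.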

Tuesday, August 28, 2012

Sourcefire VRT Certified Snort Rules Update for 08/28/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/28/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 69 new rules and made modifications to 357 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions to the following rules:
24017 -- James Lay & Nathan Fowler
24031,24032,24033,24034 -- Alexandre Menezes

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, dos, exploit, file-office, file-other,
indicator-compromise, indicator-obfuscation, netbios, policy-other,
policy-social, specific-threats, web-activex, web-client and web-php
rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, August 24, 2012

Snort 2.9.3.1 Installation Guide for OpenBSD 5.1 has been posted

William Parker has been cranking them out.  Today I added his installation document for Snort 2.9.3.1 on OpenBSD 5.1.

Great job Bill! Fantastic work.

I also have a NetBSD installation guide that has been provided to me; however, some patches are needed for Snort in order to make it run, so we are reviewing those patches and when they will be put into Snort.

You can find all the installation guides here:
http://www.snort.org/docs

2012 Snort Scholarship winners!

Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, is delighted to announce that it has selected Elizabeth Gossell and Ryan McDougall as the recipients of the 2012 Snort Scholarship. The scholarships, each worth up to $15,000, are awarded to university students around the world that use Snort to further their education and gain hands-on experience in network security.

To qualify, applicants must be enrolled in a university that uses Snort or Sourcefire products to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Sourcefire selected this year's winners from a pool of hundreds of applicants.

To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. The winners also receive a $10,000 credit to use toward any training course or certification exam in the Sourcefire Security Education Program. The Sourcefire Security Education and Certification Programs deliver training and testing for IT staff on Sourcefire’s products and open source security solutions, either on-site or at dedicated locations around the world.

Sourcefire developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program eight years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. Martin Roesch founded Sourcefire in 2001 to deliver commercial security solutions that leverage his open source innovation, Snort. Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 350,000 registered users and over 4 million downloads to date. As the de facto standard for intrusion detection and prevention, Snort is used extensively by Fortune 100 enterprises and government agencies.

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, Real-time Network Awareness and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.

Snort 2.9.2.2 is End-of-Life

As I mentioned back in this post: http://blog.snort.org/2012/07/2921-eol-notice.html, 2.9.2.2 has now reached End of Life for support and will be removed from future VRT builds.

For further details on our EOL policy, please see: https://www.snort.org/eol

Thursday, August 23, 2012

Sourcefire VRT Certified Snort Rules Update for 08/23/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/23/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 71 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, dos, file-office, file-other, netbios, scada, smtp,
specific-threats, spyware-put, voip and web-misc rule sets to provide
coverage for emerging threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, August 22, 2012

Autosnort v1 for Ubuntu 12.04 released


Hello Snort Users!

My name is Tony Robinson, and I often go by da_667 as my handle in cyberspace. Are you sick and tired of people telling you how snort is so hard to set up? That all that work isn't worth it? How it is a pain to gather all the packages, read the (very) well put together documentation or download all the different parts to get a full-blown snort install working? Well, I would like to introduce a little project I'm working on called Autosnort.

Autosnort is a simple script written in bash that will take an Ubuntu 12.04 system (32 or 64-bit) and essentially follow David Gullett’s Ubuntu 12.04 snort installation guide from base install to finish – It installs snort 2.9.3 (can easily be modified to install 2.9.3.1), barnyard 2 and snort report automagically. If you provide the install with a snort rules snapshot tarball that is compatible with the snort release (e.g. snortrules-snapshot-2930.tar.gz – registered user or subscriber edition) the script will copy the 32 or 64-bit Ubuntu precompiled rules (as appropriate) and modify snort.conf to use them.  The script will configure the interface you will be running snort against to be brought up at boot and will configure snort and barnyard to run at startup as well. This script will take you from 0 to a full snort in less than an hour!

All you have to do is download the script, run chmod u+x against the script (to make it executable), then run the script as root (sudo su - then ./autosnort.sh, or sudo ./autosnort.sh) and follow the on-screen prompts as they come up. The script verifies you ran it as the root user, confirms internet connectivity, confirms it is being run on Ubuntu 12.04, then goes through the entire install process, ending with a recommendation to reboot the system to apply system updates and changes.

This script is only the beginning. I have a massive to-do list that involves porting the script to run on Debian, CentOS/Redhat, Backtrack 5r2 and r3, in addition to various feature enhancements such as automated inline mode configuration, selection of alternate web frontends (i.e. BASE and snorby in addition to snort report), a barebones, no mysql, no web front-end, syslog only (intended for SIEM integration) configuration, and PulledPork integration, in addition to other plans.

If this script sounds like something you are interested in, I'm releasing it as an open-source project under the MIT license on GitHub. So if you want to take a copy of the code and get Autosnort to drop a snort install on Gentoo or GNU/HURD, by all means, I would love to see it! My e-mail address is deusexmachina667@gmail.com and my Twitter is @da_667. Happy snorting!

Sourcefire VRT Certified Snort Rules Update for 08/21/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/21/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 20 new rules and made modifications to 6 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, dns, dos, exploit, indicator-obfuscation, oracle, sql,
web-attacks, web-client and web-php rule sets to provide coverage for
emerging threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, August 17, 2012

Sourcefire VRT Certified Snort Rules Update for 08/17/2012, DistTrack, Shamoon

Just released: Sourcefire VRT Certified Snort Rules Update for 08/17/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 28 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
This release provides protection against DistTrack/Shamoon's lateral movement across the network via SMB.  

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Sourcefire VRT Certified Snort Rules Update for 08/16/2012, DistTrack, Shamoon

Released last night: Sourcefire VRT Certified Snort Rules Update for 08/16/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made more than 2000 modifications to additional rules.

There were no changes made to the snort.conf in this release.

In this release we provided coverage for the DistTrack/Shamoon Trojan, along with a ton of performance and detection related improvements.


 In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 16, 2012

Sourcefire VRT Certified Snort Rules Update for 08/15/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/15/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 14 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, deleted, file-identify, file-office, file-other, file-pdf,
smtp, specific-threats, spyware-put, web-activex and web-misc rule sets
to provide coverage for emerging threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 14, 2012

Sourcefire VRT Certified Snort Rules Update for 08/14/2012, MS Tuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/14/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 51 new rules and made modifications to 1109 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of multiple vulnerabilities affecting
products from Microsoft Corp.

Details:
Microsoft Security Bulletin MS12-052:
Microsoft Internet Explorer contains programming errors that may allow
a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 23834, 23835, 23836,
23840 and 23841.

Additionally, a previously released rule identified with GID 1, SID
16506 will also detect attacks.

Microsoft Security Bulletin MS12-053:
Microsoft Remote Desktop contains a programming error that may allow a
remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 23846.

Microsoft Security Bulletin MS12-054:
Some Microsoft Windows Networking Components contain programming errors
that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 3, SID 23847 and GID 1, SIDs
23837, 23838 and 23839.

Microsoft Security Bulletin MS12-056:
The Microsoft JScript and VBScript scripting engines contain
programming errors that may allow a remote attacker to execute code on
an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 23840 and 23841.

Microsoft Security Bulletin MS12-057:
Microsoft Office contains a programming error that may allow a remote
attacker to execute code on an affected system.

Previously released rules, identified with GID 1, SIDs 18200 and 19156
will detect attacks targeting this vulnerability.

Microsoft Security Bulletin MS12-059:
Microsoft Visio contains a programming error that may allow a remote
attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 23842 and 23843.

Microsoft Security Bulletin MS12-060:
Microsoft Windows Common Controls contain programming errors that may
allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 23844 and 23845.
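The bulletin notes above name the GID/SID pairs that cover each MS12-0xx issue. As an added example (not the VRT's or Snort's code), the script below checks whether each of those rules is present in a sensor's rule files and whether it is enabled, since a rule that exists but ships commented out gives no coverage. It assumes VRT-style one-rule-per-line files where a leading '#' marks a disabled rule and where shared-object stubs in so_rules carry gid:3; the embedded sample rules are constructed placeholders that reuse the SID numbers from the text above but have invented bodies.

```python
"""
Check which of the rules named in a VRT release are actually present and
enabled on a sensor.  Added example, not part of the Snort project or the VRT
rule packs.  It reads .rules / so_rules stub files as plain text: each VRT
rule is on a single line, and a rule whose line starts with '#' is shipped
disabled.
"""
import re

# (gid, sid) pairs exactly as listed in the MS12-0xx notes above.
MS_AUGUST_2012_COVERAGE = {
    "MS12-052": [(1, 23834), (1, 23835), (1, 23836), (1, 23840), (1, 23841), (1, 16506)],
    "MS12-053": [(1, 23846)],
    "MS12-054": [(3, 23847), (1, 23837), (1, 23838), (1, 23839)],
    "MS12-056": [(1, 23840), (1, 23841)],
    "MS12-057": [(1, 18200), (1, 19156)],
    "MS12-059": [(1, 23842), (1, 23843)],
    "MS12-060": [(1, 23844), (1, 23845)],
}

_ACTION_RE = re.compile(r"^\s*(#\s*)?(alert|log|pass|drop|reject|sdrop)\s+")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def index_rules(rules_text):
    """Map (gid, sid) -> 'enabled' | 'disabled' for every rule line in rules_text.

    gid defaults to 1 when the rule carries no gid option (text rules); shared
    object stubs in so_rules carry gid:3."""
    state = {}
    for line in rules_text.splitlines():
        action = _ACTION_RE.match(line)
        sid = _SID_RE.search(line)
        if not action or not sid:
            continue                      # comment, blank, variable or include line
        gid_m = _GID_RE.search(line)
        gid = int(gid_m.group(1)) if gid_m else 1
        state[(gid, int(sid.group(1)))] = "disabled" if action.group(1) else "enabled"
    return state


def coverage_report(rules_text, wanted=MS_AUGUST_2012_COVERAGE):
    """Per bulletin, the state of each expected rule: enabled, disabled or missing."""
    state = index_rules(rules_text)
    return {bulletin: {f"{g}:{s}": state.get((g, s), "missing") for g, s in pairs}
            for bulletin, pairs in wanted.items()}


def bulletins_with_gaps(report):
    """Bulletins for which at least one listed rule is not enabled."""
    return sorted(b for b, rules in report.items()
                  if any(v != "enabled" for v in rules.values()))


# --- constructed sample rules (placeholder bodies, not the real VRT rules) ----
def _placeholder_rule(sid, gid=1, enabled=True):
    gid_opt = f" gid:{gid};" if gid != 1 else ""
    line = ('alert tcp $EXTERNAL_NET any -> $HOME_NET any '
            f'(msg:"constructed placeholder for sid {sid}"; flow:to_client,established; '
            f'content:"placeholder"; sid:{sid};{gid_opt} rev:1;)')
    return line if enabled else "# " + line


SAMPLE_RULES = "\n".join(
    ["# constructed sample of a sensor's rules, not a real rule pack"]
    + [_placeholder_rule(s) for s in (23834, 23835, 23836, 23840, 23841, 16506,
                                       23837, 23838, 23839, 18200, 19156, 23843,
                                       23844, 23845)]
    + [_placeholder_rule(23846, enabled=False),   # shipped commented out
       _placeholder_rule(23847, gid=3)]           # so_rules stub
)                                                 # 23842 deliberately absent

if __name__ == "__main__":
    report = coverage_report(SAMPLE_RULES)
    for bulletin in bulletins_with_gaps(report):
        print(bulletin, report[bulletin])
```

Feed it the concatenation of your rules directory and the so_rules stubs; anything reported as "disabled" needs enabling in your policy (or via PulledPork's enablesid.conf), and anything "missing" means the sensor has not picked up this release yet.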



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, August 10, 2012

Historical Archive of Snort Code is available

Recently on the Snort Mailing lists a request was made for the historical archive of the Snort code. So after pulling from several different areas I've assembled as much as I can (on a Friday) here:


Specifically:


There is a directory in there called "Old stuff you shouldn't use".

Seriously, you shouldn't use it.  It's there for historical archive as requested.

I'll keep this up moving forward when there's a new release. Some versions are missing in there, and I'm working to get those versions up as soon as possible. (Have to go to the backup tapes!)

Sourcefire/Snort/VRT's stance on support does not change, however: https://www.snort.org/eol lists the versions we support. We want people to upgrade because of features, bug fixes, and a plethora of other things. If you write in for support for an older version of Snort, we may be able to help you, but most likely you are going to be asked to upgrade.

You simply would not believe the amount of requests we receive to troubleshoot stuff in older versions of Snort (like 2.3!?)  Most likely, a problem in that old of a version of Snort has been fixed by now.  Upgrade, Upgrade, Upgrade.  I understand some of you have it baked into your routers and things like that.  I know of routers/firewalls running 2.6.  That version is about 7 years old now, and we just can't support every version.

The vast majority of our user base is around one version back (2.9.2.3) according to our download stats.



We think this is great.  Our latest version, 2.9.3.0, fixes a ton of issues (like logging output of data), and introduces new features like flowbit OR'ing.  2.9.3.1 was released this week and contains some bug fixes and code cleanup that didn't make it into the 2.9.3.0 release.

So I encourage you to look through our archives and see how far we've come in 10+ years.  The future is right around the corner, and it's brighter than ever.

Sourcefire VRT Certified Snort Rules Update for 08/09/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/09/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 6 new rules and made modifications to 135 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, botnet-cnc, misc, oracle, smtp, specific-threats,
spyware-put, sql, web-activex and web-php rule sets to provide coverage
for emerging threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, August 8, 2012

The Agile Security Manifesto

I may have to break out my 'old man pants' on this blog post.

Awhile back, over on the Sourcefire corporate blog, we put out what we called the "Agile Security Manifesto".  A series of 12 or so blog posts that detailed what we (Sourcefire corporate) really meant by our Agile Security message.

When I started working with Snort, this would have been around 2001, I was in the military and I believed that what I was doing, protecting networks, was my little corner of the Army sphere.  I believed that my goal was to protect everything that I could the best that I could, and so I tried to use the tools and develop the methodologies that allowed me and my team to do that.  Here it is 2012, and I still believe that.

I read the blog posts that various people at Sourcefire wrote on the corporate blog and I liked them.  Heck, even Matt Olney liked them over on the VRT blog.  Anytime you can show the VRT something we can get behind, I'm betting 99.9 times out of 100, it isn't going to be tied to marketing.  But for Matt it was different, and it's different for me too.

Internally we put these twelve blog posts into a PDF and we sent it around for people to read and to share with people.  I asked our VP of Corporate Communications if I could put it out on the Snort blog.  Not behind a Marketing signup, just out there, free for download so that people could read what is so near and dear to the core of what and who Sourcefire is.

This PDF reads like a mission statement to me. Even if people aren't using our products, or even if people have no intention of buying our products, this PDF inspired me and makes me want to move forward and invent the next great thing. It makes me want to dedicate time to making sure that my customers remain secure from as many threats as we can protect them from.

Tech people hate to be marketed to; they love a solution, they love an outlook, they like to believe there is a light at the end of the tunnel. People generally want to believe that what they are doing is making a difference. At least I do.

When I write detection and the next day I receive a ton of feedback via support and email asking for feedback on some rule that I just wrote and shipped and suddenly is catching some new attack strain, I see the results of my work.  The VRT thrives on this.  We love to see that what we are doing isn't just going out into the ether.  We like to see what we are doing is making a difference.

This blog post series is what we are about, what we believe, and what we are striving for, and now, it's available for download here:

Snort 2.9.3.1 has been released.

Snort 2.9.3.1 is now available on snort.org, at https://www.snort.org/downloads in the Latest Release section.

************
Please note:
2.9.3.1 & later packages are signed with a new PGP key (that key is signed with the previous key). Before trusting the new key, check that it carries a valid signature from the previous key, then verify the package signature as usual.
************

Snort 2.9.3.1 includes changes for the following:

* Corrected the check for TCP RST flags so that inline mode and active response no longer send resets in reply to packets that are themselves resets.

* Updated the hashing used for internal storage of rule options on 64-bit platforms when checking uniqueness, so that duplicate copies are removed from memory.

* Addressed some small memory leaks from parsing snort.conf.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Tuesday, August 7, 2012

Sourcefire VRT Certified Snort Rules Update for 08/07/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/07/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 13 new rules and made modifications to 13 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, dos, exploit, netbios, policy-other, specific-threats,
web-client and web-php rule sets to provide coverage for emerging
threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, August 3, 2012

Security Onion for Splunk 1.1.3

Security analyst Brad Shoop has sent in a new tool for managing active rules on Security Onion and Splunk - a unified GUI that allows for rule searches in a variety of new ways, includes a workflow useful for those monitoring rules from different sets, and helps make documentation available with as little hassle as possible. You can get full details here, and code if you drop Brad a line. Happy Snorting!

Snort syntax highlighting and more in Notepad++

Friend of the VRT, Caleb Jaren, recently showed me some cool work he's done creating a Snort "User Defined Language" in Notepad++. This UDL provides flexible syntax highlighting, rule validation, and general assistance as you're getting familiar with the Snort rules language and its capabilities. It's freely available on his site, and he's looking for feedback and testing from the community.

Thanks, Caleb, for the great contribution to the community. Windows users, have fun with this useful new bit of code!

Thursday, August 2, 2012

Sourcefire VRT Certified Snort Rules Update for 08/02/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/02/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 143 new rules and made modifications to 15 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, file-identify, indicator-obfuscation and web-php rule sets
to provide coverage for emerging threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, August 1, 2012

Sourcefire VRT Certified Snort Rules Update for 08/01/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/01/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 17 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, botnet-cnc, exploit, file-identify, file-other, file-pdf,
indicator-obfuscation, specific-threats, sql, web-client and web-misc
rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!