Monday, December 31, 2012

Sourcefire VRT Certified Snort Rules Update for 12/31/2012, CVE-2012-4792

Just released: Sourcefire VRT Certified Snort Rules Update for 12/31/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 3 additional rules.

The VRT would like to thank Avery Tarasov for his work on SID 25119.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Advisory CVE-2012-4792: Microsoft Internet Explorer versions 6, 7 and 8 contain a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 25125 through 25134.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, December 21, 2012

Master snort.conf's have been updated

With the addition of the new ports in all the configurations, I've gone ahead and updated our master snort.conf examples from the VRT on the Snort.conf configuration page:

https://www.snort.org/configurations

By the way, in case you want to find that page in the future, just remember to Google "Snort.conf configurations". It's the first result.

Happy 2012!

Sourcefire VRT Certified Snort Rules Update for 12/20/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/20/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 64 new rules and made modifications to 33 additional rules, in what will most likely be the last update of the year.

There were several changes made to the snort.conf in this release.

HTTP_PORTS, the Stream5 TCP reassembly ports (stream5_tcp), and the http_inspect_server ports were updated as follows. Note that the three lists are not identical: the Stream5 list also carries the SSL/TLS ports and does not include 1741 or 8181, so check each section when you merge the change into your own snort.conf.

portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

stream5_tcp:
ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7001 7144 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555

http_inspect_server:
ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 }
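When three separate sections of snort.conf each carry their own copy of the HTTP port list, the copies drift. The script below is an added example, not part of the original post and not Snort code: it embeds the three lines exactly as printed above, parses each declaration style (the comma-separated portvar, the bare stream5 "ports both" list, and the braced http_inspect "ports { }" list, including lo:hi ranges), and reports where they disagree so that any difference in your own merged config is a decision rather than a surprise.

```python
import re

# The three port lists exactly as they appear in the 12/20/2012 snort.conf change above.
HTTP_PORTS_LINE = "portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]"
STREAM5_LINE = "ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7001 7144 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555"
HTTP_INSPECT_LINE = "ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 }"

# Leading keyword(s) of each declaration style: 'portvar NAME', 'ports both|client|server', 'ports {'.
_PREFIX = re.compile(r"^\s*(?:portvar\s+\w+|ports(?:\s+(?:both|client|server))?)\s*")
# A single port or a lo:hi range, both of which Snort port lists allow.
_PORT = re.compile(r"(\d+)(?::(\d+))?")


def parse_ports(line):
    """Return the set of port numbers a portvar / stream5 / http_inspect port list declares.

    Ranges such as 8000:8010 are expanded. Negated entries (!80) are not handled here.
    """
    body = _PREFIX.sub("", line, count=1)
    ports = set()
    for lo, hi in _PORT.findall(body):
        lo = int(lo)
        hi = int(hi) if hi else lo
        ports.update(range(lo, hi + 1))
    return ports


def compare_port_lists(http_ports, stream5, http_inspect):
    """Show where the three lists disagree, so a config merge is deliberate rather than accidental."""
    return {
        "http_inspect_matches_http_ports": http_ports == http_inspect,
        "in_http_ports_not_stream5": sorted(http_ports - stream5),
        "in_stream5_not_http_ports": sorted(stream5 - http_ports),
    }


if __name__ == "__main__":
    report = compare_port_lists(parse_ports(HTTP_PORTS_LINE),
                                parse_ports(STREAM5_LINE),
                                parse_ports(HTTP_INSPECT_LINE))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the lines above, it confirms that the http_inspect list is an exact copy of HTTP_PORTS, that 1741 and 8181 are in HTTP_PORTS but not in the Stream5 list, and that the Stream5 list alone carries 443, 465, 563, 636, 989, 992 through 995, 7802, 7907 and 7917 through 7920. Point the same functions at the corresponding lines of your own snort.conf to get the same report for your deployment.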

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-plugins, deleted, dos, exploit-kit, file-identify, file-image, file-multimedia, file-office, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other, netbios, scada, server-mail, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.



Tuesday, December 18, 2012

Sourcefire VRT Certified Snort Rules Update for 12/18/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/18/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 39 new rules and made modifications to 166 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on SIDs 25054 and 25050.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-flash, file-identify, file-image, file-multimedia, indicator-compromise, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-ftp, protocol-icmp, protocol-voip, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Monday, December 17, 2012

Sourcefire VRT Certified Snort Rules Update for 12/17/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/17/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 10 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, file-flash, file-identify, file-other, malware-backdoor and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Thursday, December 13, 2012

Sourcefire VRT Certified Snort Rules Update for 12/13/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/13/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 25 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-flash, file-multimedia, file-other, malware-cnc, malware-other, policy-other, scada, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, December 11, 2012

Sourcefire VRT Certified Snort Rules Update for 12/11/2012, MSTuesday coverage

Just released: Sourcefire VRT Certified Snort Rules Update for 12/11/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 28 new rules and made modifications to 131 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Bulletin MS12-077: Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 24956.

Microsoft Security Bulletin MS12-078: The Microsoft Windows Adobe Type Manager font driver (ATMFD) contains a programming error that may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 24971.

Microsoft Security Bulletin MS12-079: Microsoft Word contains a programming error that may allow a remote attacker to execute code on an affected system via a specially crafted rich text file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 24974 and 24975.

Microsoft Security Bulletin MS12-081: The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system via a specially crafted file name.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 24973.

Microsoft Security Bulletin MS12-082: Microsoft DirectPlay contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 24957 through 24970.

Additionally, the Sourcefire VRT has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, exploit, exploit-kit, file-executable, file-flash, file-multimedia, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other and server-mysql rule sets to provide coverage for emerging threats from these technologies.
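Announcements like this one list coverage as GID/SID pairs, and the two identifiers matter: GID 1 rules are plain text rules, while GID 3 rules (here SIDs 24971 and 24973) are shared-object rules that arrive as a precompiled .so for your platform plus a stub rule, so a text-only rules pull will not carry them. The script below is an added example, not part of the original post and not VRT code: it parses a .rules file (handling backslash line continuations and commented-out rules), then reports which announced pairs are missing or disabled and which are SO rules. The sample rule lines it runs on are constructed for this example and are not the actual VRT rules; the same check applies to the CVE-2012-4792 SIDs 25125 through 25134 in the 12/31 post above.

```python
import re
from dataclasses import dataclass

# Snort rule options: 'sid' is mandatory, 'gid' defaults to 1 (text rules) when absent.
# GID 3 marks shared-object (SO) rules, which arrive as a precompiled .so plus a stub rule.
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
# A rule line, optionally commented out with a leading '#'.
_ACTION = re.compile(r"^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s")

# Coverage exactly as listed in the 12/11/2012 announcement above.
ANNOUNCED = {
    "MS12-077": [(1, 24956)],
    "MS12-078": [(3, 24971)],
    "MS12-079": [(1, 24974), (1, 24975)],
    "MS12-081": [(3, 24973)],
    "MS12-082": [(1, sid) for sid in range(24957, 24971)],
}

# Constructed sample rule lines for this example. They are NOT the actual VRT rules;
# only the gid/sid values, the continuation and the commented-out line matter here.
SAMPLE_RULES = r'''
# constructed sample, not a real rule file
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE constructed sample"; flow:to_client,established; content:"sample"; sid:24956; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OFFICE constructed RTF sample"; flow:to_client,established; content:"|7B 5C|rt"; sid:24974; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-OFFICE constructed RTF sample 2"; \
    flow:to_client,established; content:"|7B 5C|rt"; sid:24975; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS constructed DirectPlay sample"; content:"|00|"; sid:24957; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS constructed SO stub"; metadata:engine shared, soid 3|24971; gid:3; sid:24971; rev:1;)
'''


@dataclass
class RuleStatus:
    gid: int
    sid: int
    enabled: bool
    line_no: int


def _logical_lines(text):
    """Yield (line_no, rule) with Snort's trailing-backslash line continuations joined."""
    start, buf = None, []
    for n, raw in enumerate(text.splitlines(), start=1):
        if start is None:
            start = n
        stripped = raw.rstrip()
        if stripped.endswith("\\"):
            buf.append(stripped[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        start, buf = None, []
    if buf:
        yield start, " ".join(buf)


def parse_rules(text):
    """Map (gid, sid) -> RuleStatus for every rule in a .rules file, enabled or commented out."""
    found = {}
    for line_no, line in _logical_lines(text):
        m = _ACTION.match(line)
        if not m:
            continue  # blank line, ordinary comment, or non-rule configuration
        sid_m = _SID.search(line)
        if not sid_m:
            continue
        gid_m = _GID.search(line)
        gid = int(gid_m.group(1)) if gid_m else 1
        sid = int(sid_m.group(1))
        found[(gid, sid)] = RuleStatus(gid, sid, enabled=m.group(1) is None, line_no=line_no)
    return found


def check_coverage(rules_text, announced):
    """Report announced (gid, sid) pairs that are absent or disabled, and flag SO (GID 3) rules."""
    present = parse_rules(rules_text)
    report = {"missing": [], "disabled": [], "so_rules": []}
    for bulletin, keys in announced.items():
        for gid, sid in keys:
            if gid == 3:
                report["so_rules"].append((bulletin, gid, sid))
            status = present.get((gid, sid))
            if status is None:
                report["missing"].append((bulletin, gid, sid))
            elif not status.enabled:
                report["disabled"].append((bulletin, gid, sid))
    return report


if __name__ == "__main__":
    for key, value in check_coverage(SAMPLE_RULES, ANNOUNCED).items():
        print(f"{key}: {value}")
```

On the constructed sample, the MS12-079 rule with SID 24974 is reported as disabled (it is commented out), SID 24973 and thirteen of the fourteen MS12-082 SIDs are reported missing, and both GID 3 entries are flagged as SO rules. To check a real deployment, read the concatenated contents of your rules and so_rules stub directories into `check_coverage` in place of `SAMPLE_RULES`.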



Friday, December 7, 2012

Mirroring traffic to Snort using a Consumer Grade Router

Thanks again to William Parker for providing some excellent documentation for the rest of the Snort community.

Just posted to http://www.snort.org/docs is a guide on how to use a consumer grade router (Linksys, D-Link, NetGear, etc.) to mirror traffic on your network over to a box running Snort.

Take a look at the doc!

Thanks Bill!

Thursday, December 6, 2012

Sourcefire VRT Certified Snort Rules Update for 12/06/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/06/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 17 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-identify, file-other, malware-other, protocol-voip, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Wednesday, December 5, 2012

Snort Startup scripts for various OSes posted!

Many thanks to one of our very dedicated Snort Community members, William Parker. In his guides (also posted on the documentation page of Snort.org) he has embedded some Snort startup scripts.

Some people were having problems copying and pasting out of the PDF documentation, so Mr. Parker put these startup scripts in their own files and sent them to me. I created a special section on Snort.org/docs just for startup scripts, and they are all there!

Many thanks to Mr. Parker and our whole Snort Community!

Snort 2.9.4.0 Installation Guides now posted

Thanks to the tremendous work of our Snort Community, I've posted new install guides for Snort 2.9.4.0 to the website.

These individuals start working on the install guides early on in the process, testing our beta releases, RC code, and finally, retesting when we do the final release.

The Snort Team would like to thank Jason Weir and William Parker for their dedication to keeping their docs current and also for allowing us to host the docs for them.

Please feel free to link to the install guides on Snort.org.  They are there for you!

Check out the new guides here: http://www.snort.org/docs

They are posted for:

  • Fedora 17
  • OpenBSD 5.1
  • Debian 6.0.6
  • OpenSuSE 12.1
  • FreeBSD 8.2
  • FreeBSD 9.0
  • CentOS 6.3

If you'd like to submit Snort documentation for official hosting on the Snort.org website, please send it to me here: joel [at] snort [dot] org.

Thanks!

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Tuesday, December 4, 2012

Sourcefire VRT Certified Snort Rules Update for 12/04/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/04/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 41 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release. Make sure you are using the most updated version of Snort and the correct snort.conf.

The VRT would like to thank Avery Tarasov for his work on SIDs 24886 and 24885.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-identify, file-office, malware-cnc, malware-other, os-windows, server-iis, server-mysql, server-oracle, server-other, server-webapp and web-client rule sets to provide coverage for emerging threats from these technologies.



Monday, December 3, 2012

Snort 2.9.4.0 has been released!

Snort 2.9.4 is now available on snort.org, at https://www.snort.org/downloads in the Latest Release section.

************ Please note: 2.9.3.1 & later packages are signed with a new PGP key (that key is signed with the previous key). ************

Snort 2.9.4 includes changes for the following:

[*] New additions

* Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.

* File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support

* Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ

* Logging of packet data that triggers PPM for post-analysis via Snort event

* Decoding of IPv6 with PPPoE

* Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.

[*] Improvements

* Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.

* Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort

* Allow disabling of global thresholds via a count of -1

* Prevent blocking duplicate SYNs when using inline normalization

* Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages

* Allow active responses to packets without data (eg, a TCP SYN)

* Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.

* Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line to reduce false positives. 3 commands fall into this category - X-EXPS, XEXCH50, and BDAT.

* Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting! The Snort Release Team

Sourcefire VRT Certified Snort Rules Update for 12/03/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/03/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 44 new rules and made modifications to 48 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-identify, file-multimedia, file-office, file-other, malware-cnc, malware-other, os-solaris, server-oracle, server-webapp and web-client rule sets to provide coverage for emerging threats from these technologies.

