Monday, December 31, 2012

Sourcefire VRT Certified Snort Rules Update for 12/31/2012, CVE-2012-4792

Just released: Sourcefire VRT Certified Snort Rules Update for 12/31/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 16 new rules and made modifications to 3 additional rules.

The VRT would like to thank Avery Tarasov for his work on SID 25119.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Advisory CVE-2012-4792: Microsoft Internet Explorer versions 6, 7 and 8 contain a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 25125 through 25134.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, December 21, 2012

Master snort.conf's have been updated

With the addition of the new ports in all the configurations, I've gone ahead and updated our master snort.conf examples from the VRT on the Snort.conf configuration page:

https://www.snort.org/configurations

By the way -- in case you want to find that page in the future, just remember to Google "Snort.conf configurations". It's the first result.

Happy 2012!

Sourcefire VRT Certified Snort Rules Update for 12/20/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/20/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 64 new rules and made modifications to 33 additional rules, in what will most likely be the last update of the year.

There were several changes made to the snort.conf in this release.

HTTP_PORTS, Stream5, and http_inspect ports were updated as follows:

HTTP_PORTS variable:

portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

Stream5 (stream5_tcp) ports:

ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7001 7144 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555

http_inspect (http_inspect_server) ports:

ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 }
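The three lists above live in three different places in snort.conf and are edited by hand, so they drift: a port added to HTTP_PORTS but not to the http_inspect_server list means rules keyed on the http_* buffers will never match there, and a port missing from Stream5's reassembly lists means the stream is not reassembled before inspection. The script below is an added example, not code from the post or the Snort project. It embeds the three lists quoted above in a constructed snort.conf fragment (the surrounding directive syntax is snort.conf's, but the other option values and the short stream5 "ports client" list are placeholders, not the VRT's shipped defaults), folds backslash continuations, and diffs the lists.

```python
import re

# Constructed sample: the three port lists are exactly the ones quoted in the
# 12/20/2012 post. The directive syntax (portvar, stream5_tcp,
# http_inspect_server, backslash continuations) is snort.conf's, but the other
# option values and the short "ports client" list are placeholders, not the
# VRT's shipped defaults.
SAMPLE_SNORT_CONF = r"""
portvar HTTP_PORTS [80,81,311,383,591,593,901,1220,1414,1741,1830,2301,2381,2809,3037,3128,3702,4343,4848,5250,6988,7001,7144,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8300,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,34443,34444,41080,50002,55555]

preprocessor stream5_tcp: policy windows, detect_anomalies, timeout 180, \
    ports client 21 22 23 25 110 143, \
    ports both 80 81 311 383 443 465 563 591 593 636 901 989 992 993 994 995 1220 1414 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7907 7001 7144 7145 7510 7802 7777 7779 7917 7918 7919 7920 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555

preprocessor http_inspect_server: server default \
    profile all ports { 80 81 311 383 591 593 901 1220 1414 1741 1830 2301 2381 2809 3037 3128 3702 4343 4848 5250 6988 7001 7144 7145 7510 7777 7779 8000 8008 8014 8028 8080 8088 8090 8118 8123 8180 8181 8243 8280 8300 8800 8888 8899 9000 9060 9080 9090 9091 9443 9999 11371 34443 34444 41080 50002 55555 } \
    oversize_dir_length 500
"""


def join_continuations(conf: str) -> str:
    """Fold backslash-newline continuations so each directive is one logical line."""
    return re.sub(r"\\[ \t]*\n[ \t]*", " ", conf)


def expand_ports(spec: str) -> set:
    """Expand a comma/whitespace separated port list, including lo:hi ranges."""
    ports = set()
    for tok in re.split(r"[\s,]+", spec.strip()):
        if not tok:
            continue
        if ":" in tok:
            lo, hi = tok.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(tok))
    return ports


def parse_portvar(conf: str, name: str) -> set:
    """Return the ports declared by 'portvar NAME [...]'."""
    conf = join_continuations(conf)
    m = re.search(rf"^[ \t]*portvar\s+{re.escape(name)}\s+\[([^\]]*)\]", conf, re.M)
    if not m:
        raise ValueError(f"portvar {name} not found")
    return expand_ports(m.group(1))


def find_directive(conf: str, preproc: str) -> str:
    """Return the logical line following 'preprocessor PREPROC:'."""
    conf = join_continuations(conf)
    m = re.search(rf"^[ \t]*preprocessor\s+{re.escape(preproc)}\s*:(.*)$", conf, re.M)
    if not m:
        raise ValueError(f"preprocessor {preproc} not found")
    return m.group(1)


def parse_stream5_ports(conf: str, direction: str) -> set:
    """Ports under 'ports <direction>' (client, server or both) in stream5_tcp."""
    line = find_directive(conf, "stream5_tcp")
    m = re.search(rf"\bports\s+{direction}\s+([\d\s:]+?)(?=,|$)", line)
    return expand_ports(m.group(1)) if m else set()


def parse_http_inspect_ports(conf: str) -> set:
    """Ports inside 'ports { ... }' of the default http_inspect_server."""
    line = find_directive(conf, "http_inspect_server")
    m = re.search(r"\bports\s*\{([^}]*)\}", line)
    if not m:
        raise ValueError("http_inspect_server has no ports { } clause")
    return expand_ports(m.group(1))


def audit_http_ports(conf: str) -> dict:
    """Cross-check HTTP_PORTS against the stream5 and http_inspect port lists.

    not_normalized: in HTTP_PORTS but not given to http_inspect, so rules using
        the http_* buffers cannot match on those ports.
    inspect_only: normalized by http_inspect but absent from HTTP_PORTS.
    not_reassembled_both: in HTTP_PORTS but not in stream5 'ports both'.
    not_reassembled: in HTTP_PORTS and in neither 'ports both' nor 'ports client'.
    """
    http_ports = parse_portvar(conf, "HTTP_PORTS")
    inspect_ports = parse_http_inspect_ports(conf)
    both = parse_stream5_ports(conf, "both")
    client = parse_stream5_ports(conf, "client")
    return {
        "http_ports": http_ports,
        "not_normalized": sorted(http_ports - inspect_ports),
        "inspect_only": sorted(inspect_ports - http_ports),
        "not_reassembled_both": sorted(http_ports - both),
        "not_reassembled": sorted(http_ports - (both | client)),
    }


if __name__ == "__main__":
    for key, value in audit_http_ports(SAMPLE_SNORT_CONF).items():
        if key != "http_ports":
            print(f"{key:22s} {value}")
```

Run against the lists from this post, HTTP_PORTS and the http_inspect_server list agree exactly, while 1741 and 8181 appear in HTTP_PORTS but not in Stream5's "ports both". Treat the not_reassembled_both bucket as a review list rather than an error list: a shipped snort.conf may carry such ports in the stream5 "ports client" list instead, which this sample only stubs with placeholders, so check the buckets against the client list in your own configuration before changing anything.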

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-plugins, deleted, dos, exploit-kit, file-identify, file-image, file-multimedia, file-office, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other, netbios, scada, server-mail, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, December 18, 2012

Sourcefire VRT Certified Snort Rules Update for 12/18/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/18/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 39 new rules and made modifications to 166 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for their work on SIDs 25054 and 25050.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-flash, file-identify, file-image, file-multimedia, indicator-compromise, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-ftp, protocol-icmp, protocol-voip, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, December 17, 2012

Sourcefire VRT Certified Snort Rules Update for 12/17/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/17/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 10 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, file-flash, file-identify, file-other, malware-backdoor and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, December 13, 2012

Sourcefire VRT Certified Snort Rules Update for 12/13/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/13/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 25 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-flash, file-multimedia, file-other, malware-cnc, malware-other, policy-other, scada, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, December 11, 2012

Sourcefire VRT Certified Snort Rules Update for 12/11/2012, MSTuesday coverage

Just released: Sourcefire VRT Certified Snort Rules Update for 12/11/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 28 new rules and made modifications to 131 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Bulletin MS12-077: Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 24956.

Microsoft Security Bulletin MS12-078: The Microsoft Windows Adobe Type Manager font driver (ATMFD) contains a programming error that may allow a remote attacker to cause a Denial of Service (DoS) against an affected system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 24971.

Microsoft Security Bulletin MS12-079: Microsoft Word contains a programming error that may allow a remote attacker to execute code on an affected system via a specially crafted rich text file.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 24974 and 24975.

Microsoft Security Bulletin MS12-081: The Microsoft Windows operating system contains a programming error that may allow a remote attacker to execute code on an affected system via a specially crafted file name.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 24973.

Microsoft Security Bulletin MS12-082: Microsoft DirectPlay contains a programming error that may allow a remote attacker to execute code on an affected system.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 24957 through 24970.

Additionally, the Sourcefire VRT has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, exploit, exploit-kit, file-executable, file-flash, file-multimedia, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other and server-mysql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, December 7, 2012

Mirroring traffic to Snort using a Consumer Grade Router

Thanks again to William Parker for providing some excellent documentation for the rest of the Snort community.

Just posted to http://www.snort.org/docs is a guide on how to use a consumer grade router (Linksys, D-Link, NetGear, etc.) to mirror your network traffic over to a box running Snort.

Take a look at the doc!

Thanks Bill!

Thursday, December 6, 2012

Sourcefire VRT Certified Snort Rules Update for 12/06/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/06/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 17 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-identify, file-other, malware-other, protocol-voip, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Wednesday, December 5, 2012

Snort Startup scripts for various OSes posted!

Many thanks to one of our very dedicated Snort Community members, William Parker. In his guides (also posted on the documentation page of Snort.org) he has embedded some Snort Startup scripts.

Because some people are having problems copying and pasting out of the PDF documentation, Mr. Parker put these startup scripts in their own files and sent them to me. I created a special section on Snort.org/docs just for startup scripts, and they are all there!

Many thanks to Mr. Parker and our whole Snort Community!

Snort 2.9.4.0 Installation Guides now posted

Thanks to the tremendous work of our Snort Community, I've posted new install guides for Snort 2.9.4.0 to the website.

These individuals start working on the install guides early on in the process, testing our beta releases, RC code, and finally, retesting when we do the final release.

The Snort Team would like to thank Jason Weir and William Parker for their dedication to keeping their docs current and also for allowing us to host the docs for them.

Please feel free to link to the install guides on Snort.org.  They are there for you!

Check out the new guides here: http://www.snort.org/docs

They are posted for:

  • Fedora 17
  • OpenBSD 5.1
  • Debian 6.0.6
  • OpenSuSE 12.1
  • FreeBSD 8.2
  • FreeBSD 9.0
  • CentOS 6.3

If you'd like to submit Snort documentation for official hosting on the Snort.org website, please send it to me here: joel [at] snort [dot] org.

Thanks!

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Tuesday, December 4, 2012

Sourcefire VRT Certified Snort Rules Update for 12/04/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/04/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 41 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release. Make sure you are using the most updated version of Snort and the correct snort.conf.

The VRT would like to thank Avery Tarasov for his work on SIDs 24886 and 24885.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-identify, file-office, malware-cnc, malware-other, os-windows, server-iis, server-mysql, server-oracle, server-other, server-webapp and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, December 3, 2012

Snort 2.9.4.0 has been released!

Snort 2.9.4 is now available on snort.org, at https://www.snort.org/downloads in the Latest Release section.

************ Please note: 2.9.3.1 & later packages are signed with a new PGP key (that key is signed with the previous key). ************

Snort 2.9.4 includes changes for the following:

[*] New additions

* Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.

* File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support.

* Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ

* Logging of packet data that triggers PPM for post-analysis via Snort event

* Decoding of IPv6 with PPPoE

* Added an API call to add a service to a host in the attribute table. Remove the unused live attribute update code.

[*] Improvements

* Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.

* Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort

* Allow disabling of global thresholds via a count of -1

* Prevent blocking duplicate SYNs when using inline normalization

* Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages

* Allow active responses to packets without data (e.g., a TCP SYN).

* Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used. The 'NOT' matching now happens within each of the individual rule option evaluation functions.

* Updated SMTP preprocessor to better handle commands that have corresponding data on a subsequent line, to reduce false positives. Three commands fall into this category: X-EXPS, XEXCH50, and BDAT.

* Improve support for encapsulated & tunneling protocols to block or fastpath a connection within the tunnel rather than applying that to the whole tunnel.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!

The Snort Release Team

Sourcefire VRT Certified Snort Rules Update for 12/03/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 12/03/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 44 new rules and made modifications to 48 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-identify, file-multimedia, file-office, file-other, malware-cnc, malware-other, os-solaris, server-oracle, server-webapp and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, November 30, 2012

Snort 2.9.3.0 will be EOL on December 30th.


In accordance with our EOL policy (see https://www.snort.org/eol), Snort version 2.9.3.0's ruleset from the VRT will be EOL'ed as of December 30th. Technically it should already be EOL, but since the 2.9.3 point releases came out so close together, we're going to keep it around until December 30th.

That being said, Snort 2.9.4.0's release is imminent, so we encourage you to upgrade!

Please be sure and upgrade to the latest version of Snort available here: https://www.snort.org/downloads

Barnyard2 - v2-1.11 released


It appears that an early tag of 2-1.11 crept in a week or so ago before all the patches we wanted to merge were submitted. Nevertheless, we've now caught up with our queue and are formally tagging 2-1.11.

This is primarily a bug fix and usability improvement release. The salient points are as follows:

  * spo_database. Keep-alive (via ping) for postgresql databases.

  * Updated RPM spec file to support alternative pcap libraries and cleaned some existing cruft. Thanks to Brent Woodruff.

  * spo_alert_unixsock. Supports synchronisation, multiple connections and improved error reporting. Thanks to Martijn van Oosterhaut.

  * Many other general bug fixes and clean ups. Thanks to Jason Ish, Thorsten Fischer, Brad Voth and Bill Parker.

You can download the source in a number of ways:
  - https://github.com/firnsy/barnyard2/tags (as a zip/tarball)
  - git://github.com/firnsy/barnyard2.git (via a git clone)

- firnsy

Tuesday, November 27, 2012

Sourcefire VRT Certified Snort Rules Update for 11/27/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/27/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 98 new rules and made modifications to 138 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on rule: 24798

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-other, browser-plugins, deleted, dos, exploit-kit, file-flash, file-identify, file-multimedia, file-other, malware-cnc, malware-other, netbios, os-windows, scada, server-mysql, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Monday, November 26, 2012

Autosnort updates and expanded OS support

Hello snort users,

It has been some amount of time since my initial announcement for autosnort. I've been (somewhat?) hard at work since then, improving the initial script, and also creating additional scripts for supporting other operating systems. In case you weren't around for the first announcement a few months ago, autosnort is a shell script that will take a supported operating system from base install and give you a fully updated, fully functional snort installation with minimal effort.

So without further ado, here are the announcements:

1. Improved automation - the script no longer downloads a static version of snort, but is able to poll snort.org for the latest stable version of snort and daq libraries and automatically download them (special thanks to Dogbert2 in the snort IRC for the idea on how to do this).
2. Expanded OS support - there are now autosnort builds for CentOS 32 and 64 bit as well as Backtrack 5 r3 -- Gnome and KDE -- 32 and 64 bit.
3. Improved documentation - in the general README as well as OS-specific readmes that detail what exactly the script does to your system -- in addition to the code comments to explain EXACTLY what is going on, if you want to try your hand at modifying the script to suit your specific needs.

In the works:
1. A build for Debian 32 and 64-bit
2. A build for pentoo linux 
3. A choice of web front ends
4. Barebones install option (e.g. snort, daqlibs and output to syslog for SIEM integration)

Give it a try, let me know what you think. Contributions of code (or, well, anything, I suppose) will not be turned away. 

Autosnort now has its own blog so I don't have to hijack Joel's/snort's/Sourcefire's blog for announcements. (psst: Thanks!). If you run into any problems or have any questions, my contact information is available in the script readme, but for good measure:

blog: http://autosnort.blogspot.com/
github: https://github.com/da667/Autosnort
e-mail: deusexmachina667@gmail.com
twitter: @da_667

Thanks for your time, and happy snorting!

From Tony Robinson

Wednesday, November 21, 2012

Sourcefire VRT Certified Snort Rules Update for 11/20/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/20/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 50 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-plugins, exploit, file-multimedia, file-office, file-other, file-pdf, malware-cnc, protocol-voip, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, November 16, 2012

Sourcefire VRT Certified Snort Rules Update for 11/15/2012, Adobe 0day

Just released: Sourcefire VRT Certified Snort Rules Update for 11/15/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 53 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-plugins, file-flash, file-identify, file-image, file-multimedia, file-other, file-pdf, malware-other, policy-other, protocol-voip, rpc, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Wednesday, November 14, 2012

Sourcefire VRT Certified Snort Rules Update for 11/13/2012, MSTUES

Just released: Sourcefire VRT Certified Snort Rules Update for 11/13/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 47 new rules and made modifications to 380 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Bulletin MS12-071: Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24653, 24654, 24660, 24661, 24662 and 24663. 
Microsoft Security Bulletin MS12-072: Microsoft Briefcase contains programming errors that may allow a remote attacker to execute code on an affected system. A rule to detect attacks targeting these vulnerabilities is included in this release and is identified with GID 3, SID 24671. 
Microsoft Security Bulletin MS12-074: The Microsoft .NET framework contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24652, 24655, 24656, 24664 and 24665. 
Microsoft Security Bulletin MS12-075: Some Microsoft kernel mode drivers contain programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24649 and 24650. 
Microsoft Security Bulletin MS12-076: Microsoft Excel contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24657, 24658, 24659, 24673, 24674, and GID 3, SID 24666. 
Additionally, a previously released rule will also detect attacks targeting these vulnerabilities and is identified with GID 1, SID 16654.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, November 8, 2012

Sourcefire VRT Certified Snort Rules Update for 11/08/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/08/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 1 new rule and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
Details: The Sourcefire VRT has added and modified multiple rules in the dos, file-identify, file-pdf and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, November 6, 2012

Sourcefire VRT Certified Snort Rules Update for 11/06/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/06/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 19 new rules and made modifications to 344 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories.
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, exploit, exploit-kit, file-flash, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-linux, os-windows, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, November 2, 2012

Sourcefire VRT Certified Snort Rules Update for 11/02/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/02/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 9 new rules and made modifications to 81 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, file-flash, file-identify, file-image, file-multimedia, malware-cnc, malware-other, policy-social, pua-adware and server-mail rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, November 1, 2012

Sourcefire VRT Certified Snort Rules Update for 11/01/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 11/01/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 54 new rules and made modifications to 605 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contribution on SID:24598

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-other, browser-plugins, exploit, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, os-windows, policy-spam, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, October 30, 2012

Sourcefire VRT Certified Snort Rules Update for 10/30/2012, Rule Recategorization

Just released: Sourcefire VRT Certified Snort Rules Update for 10/30/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 54 new rules and made modifications to 3416 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, dos, exploit, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, nntp, os-linux, os-other, os-solaris, os-windows, protocol-ftp, protocol-voip, pua-other, rpc, server-apache, server-iis, server-mail, server-mssql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 25, 2012

Sourcefire VRT Certified Snort Rules Update for 10/25/2012, Rule Category Reorganization

Just released: Sourcefire VRT Certified Snort Rules Update for 10/25/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 8 new rules and made modifications to 1942 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, file-identify, file-multimedia, file-other, file-pdf, os-solaris, os-windows, policy-spam, protocol-ftp, protocol-icmp, pua-adware, scan, server-apache, server-iis, server-mysql, server-oracle, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

A few Shared Object Platforms are now deprecated

As of today, the following Shared Object platform build environments are now deprecated as per our EOL policy:


FreeBSD-7-3/i386
FreeBSD-7-3/x86-64
Debian-5-0/i386
Debian-5-0/x86-64
Centos-4-8/i386

If you are using any of the above, please consider upgrading, as you will no longer be able to use precompiled Shared Object rules on your platform.  Text rules (the vast majority of the ruleset) are unaffected by this.

Wednesday, October 24, 2012

Snort 2.9.4 RC Now Available!

Snort 2.9.4 RC is now available on snort.org, at
https://www.snort.org/downloads in the Latest Release section.

Snort 2.9.4 includes changes for the following:

[*] New additions

 * Consolidation of IPv6 -- now only a single build supports both IPv4 & IPv6, and removal of the IPv4 "only" code paths.

 * File API and improvements to file processing for HTTP downloads and email attachments via SMTP, POP, and IMAP to facilitate broader file support

 * Use of address space ID for tracking Frag & Stream connections when it is available with the DAQ

 * Logging of packet data that triggers PPM for post-analysis via Snort event

 * Decoding of IPv6 with PPPoE

[*] Improvements

 * Update to Stream5 PAF for handling gaps in the sequence numbers of packets being reassembled.

 * Selection of the Stream TCP policy based on the server rather than the destination of first packet seen by Snort

 * Allow disabling of global thresholds via a count of -1

 * Prevent blocking duplicate SYNs when using inline normalization

 * Add SSLv3 backwards compatibility support for SSLv2 ClientHello messages

 * Allow active responses to packets without data (eg, a TCP SYN)

 * Changed logic of option evaluations for shared library rules that use a custom evaluation function to match that of the builtin logic when the NOT_FLAG is used.  The 'NOT' matching now happens within each of the individual rule option evaluation functions.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

Tuesday, October 23, 2012

Sourcefire VRT Certified Snort Rules Update for 10/23/2012, Rule Category Reorganization

Just released: Sourcefire VRT Certified Snort Rules Update for 10/23/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 67 new rules and made modifications to 667 additional rules.

The following changes were made to the snort.conf in this release:
include $RULE_PATH/browser-plugins.rules 
include $RULE_PATH/indicator-shellcode.rules 
include $RULE_PATH/os-linux.rules 
include $RULE_PATH/os-solaris.rules 
include $RULE_PATH/os-windows.rules 
include $RULE_PATH/os-other.rules 
include $RULE_PATH/policy-spam.rules 
include $RULE_PATH/protocol-finger.rules 
include $RULE_PATH/protocol-ftp.rules 
include $RULE_PATH/protocol-icmp.rules 
include $RULE_PATH/protocol-imap.rules 
include $RULE_PATH/protocol-pop.rules 
include $RULE_PATH/protocol-services.rules 
include $RULE_PATH/protocol-voip.rules 
include $RULE_PATH/pua-adware.rules 
include $RULE_PATH/pua-other.rules 
include $RULE_PATH/server-apache.rules 
include $RULE_PATH/server-iis.rules 
include $RULE_PATH/server-mssql.rules 
include $RULE_PATH/server-mysql.rules 
include $RULE_PATH/server-oracle.rules 
include $RULE_PATH/server-other.rules 
include $RULE_PATH/server-webapp.rules

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: This release introduces the new rule categories listed in the snort.conf changes above. 
Also, the Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, ddos, dns, dos, exploit, exploit-kit, file-flash, file-identify, file-multimedia, file-office, indicator-compromise, indicator-shellcode, malware-cnc, malware-other, os-linux, os-windows, protocol-finger, protocol-ftp, protocol-icmp, protocol-imap, protocol-pop, protocol-services, protocol-voip, scada, specific-threats and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.1.2 is now EOL


In accordance with our EOL policy (see https://www.snort.org/eol), Snort version 2.9.1.2's ruleset from the VRT is EOL'ed after today's release.  This was first announced back in July here: http://blog.snort.org/2012/07/2921-eol-notice.html, and re-noticed here: http://blog.snort.org/2012/10/snort-2912-is-eol-on-october-17th.html

Please be sure and upgrade to the latest version of Snort (2.9.3.1) available here: https://www.snort.org/downloads

Monday, October 22, 2012

Rule Category Reorganization Phase 3


Beginning back in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to realign the rules into an easier to understand category structure.

We are continuing that effort with the VRT’s upcoming rule release, adding the following categories:

BROWSER-PLUGINS -- This category contains rules that look for, and control, the traffic of certain applications that are considered plugins to the browser.  ActiveX as an example.

INDICATOR-SHELLCODE -- This category contains detection for generic shellcode being found in traffic.  This category is largely a carry-over from the previous shellcode.rules category.

OS-LINUX -- This category contains detection for vulnerabilities present in the Linux family of Operating Systems.  Made to be enabled by those users that have any Linux OS on the network.

OS-SOLARIS  -- This category contains detection for vulnerabilities present in the Sun (now Oracle) Solaris OS.  Made to be enabled by those users that have any version of Solaris OS on the network.

OS-WINDOWS -- This category contains detection for vulnerabilities present in the Windows family of Operating Systems.  Made to be enabled by those users that have any version of Windows OS present on the network.  This is mutually exclusive of products from Microsoft like Office which is in the FILE-OFFICE category.

OS-OTHER -- This category contains detection for vulnerabilities in other Operating Systems not listed above.  Android, AIX, etc.

POLICY-SPAM -- This category contains rules that are specifically tailored to detect spam within emails.  Largely a carry-over from the present phishing-spam.rules category.

PROTOCOL-FINGER -- This category contains rules for vulnerabilities that are found or are delivered through the finger protocol.

PROTOCOL-FTP -- This category contains rules for vulnerabilities that are found or are delivered through the FTP protocol.

PROTOCOL-ICMP -- This category contains rules for vulnerabilities that are found inside, are delivered through, or information about the ICMP protocol.  Largely a carry-over from the present icmp.rules and icmp-info.rules categories.

PROTOCOL-IMAP -- This category contains rules for vulnerabilities present inside of or delivered through the IMAP protocol.

PROTOCOL-POP -- This category contains rules for vulnerabilities present inside of or delivered through the POP protocols.

PROTOCOL-SERVICES -- This category contains rules for vulnerabilities present inside of, or delivered through the "RServices" features.  Largely a carry-over from the present rservices.rules.

PROTOCOL-VOIP -- This category contains rules for vulnerabilities present inside of, or delivered through "VOIP" protocols or products.  Largely a carry-over from the present voip.rules categories, but all VOIP related products will be consolidated here for easy use.

PUA-ADWARE -- This category contains rules for the detection of Adware found in traffic.  Largely a carry over of the present spyware-put.rules category, but falling in line with the naming convention with our other products and for the easy consolidation into one category from multiple places.

PUA-OTHER -- This category will contain anything that is considered a "Potentially Unwanted Application" that does not fit into the other PUA categories.

SERVER-APACHE -- This category will contain rules for the detection of vulnerabilities present in the Apache Web Server family of products.

SERVER-IIS -- This category will contain rules for the detection of vulnerabilities present in the Microsoft IIS family of products.

SERVER-MSSQL -- This category will contain rules for the detection of vulnerabilities present in the Microsoft MSSQL family of products.

SERVER-MYSQL -- This category will contain rules for the detection of vulnerabilities present in the Oracle MySQL family of products.  Largely a carry-over from the present mysql.rules category.

SERVER-ORACLE -- This category will contain rules for the detection of vulnerabilities present in the Oracle Database.  Largely a carry-over from the present oracle.rules category.

SERVER-WEBAPP -- This category will contain rules for the detection of vulnerabilities present in "Web based Applications".

SERVER-OTHER -- This category will contain rules for the detection of vulnerabilities against servers not otherwise listed above.

To include these in your snort.conf, add the following lines to the rule section at the end.  If you are using PulledPork in its default mode, you shouldn't need to do anything:

include $RULE_PATH/browser-plugins.rules
include $RULE_PATH/indicator-shellcode.rules
include $RULE_PATH/os-linux.rules
include $RULE_PATH/os-solaris.rules
include $RULE_PATH/os-windows.rules
include $RULE_PATH/os-other.rules
include $RULE_PATH/policy-spam.rules
include $RULE_PATH/protocol-finger.rules
include $RULE_PATH/protocol-ftp.rules
include $RULE_PATH/protocol-icmp.rules
include $RULE_PATH/protocol-imap.rules
include $RULE_PATH/protocol-pop.rules
include $RULE_PATH/protocol-services.rules
include $RULE_PATH/protocol-voip.rules
include $RULE_PATH/pua-adware.rules
include $RULE_PATH/pua-other.rules
include $RULE_PATH/server-apache.rules
include $RULE_PATH/server-iis.rules
include $RULE_PATH/server-mssql.rules
include $RULE_PATH/server-mysql.rules
include $RULE_PATH/server-oracle.rules
include $RULE_PATH/server-other.rules
include $RULE_PATH/server-webapp.rules

Updated default Snort.conf's are here: https://www.snort.org/configurations

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected. These products will handle the transition just fine. The only way you will be affected using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules.
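Two things go wrong around a reorganization like this one: a new category file lands in RULE_PATH (via PulledPork or a manual download) but snort.conf never includes it, so its rules are simply never loaded; or an include line points at a category file that is no longer there, and Snort errors out at startup. The script below is an added example, not from the original post or the Snort project. It reads the `include $RULE_PATH/*.rules` lines out of a snort.conf and compares them with the `.rules` files actually present; the snort.conf text and rules directory are a constructed fixture, and the function names are my own.

```python
"""Compare the $RULE_PATH/*.rules includes in snort.conf with the files on disk.

Added example; not part of the original post or of the Snort distribution.
After a category reorganization two mismatches are easy to end up with: a
new category file that is downloaded but never included (its rules are never
loaded, so there is no coverage), and an include that points at a file that
no longer exists (Snort errors out at startup).
"""
import os
import re
import tempfile

INCLUDE_RE = re.compile(r"^\s*include\s+\$RULE_PATH/(\S+\.rules)\s*$")


def included_rules(conf_text):
    """Basenames of the $RULE_PATH/*.rules files a snort.conf includes."""
    return {m.group(1) for m in map(INCLUDE_RE.match, conf_text.splitlines()) if m}


def present_rules(rules_dir):
    """Basenames of the *.rules files actually present in the rules directory."""
    return {name for name in os.listdir(rules_dir) if name.endswith(".rules")}


def compare_includes(conf_text, rules_dir):
    """Return the two mismatch lists, sorted for stable output."""
    inc, present = included_rules(conf_text), present_rules(rules_dir)
    return {
        "not_included": sorted(present - inc),    # on disk, never loaded
        "missing_files": sorted(inc - present),   # included, but absent
    }


# Constructed fixture: a minimal snort.conf that includes two of the new
# categories plus one category whose file is gone; the rules directory holds
# the two new categories and a third new one that was downloaded but never
# included.  The trailing space on one include line mirrors real-world configs.
SAMPLE_CONF = """\
var RULE_PATH ../rules
# comments and non-rule includes must be ignored
include classification.config
include $RULE_PATH/browser-plugins.rules 
include $RULE_PATH/server-webapp.rules
include $RULE_PATH/web-misc.rules
"""


def make_fixture():
    """Create a temporary rules directory for the constructed scenario."""
    rules_dir = tempfile.mkdtemp()
    for name in ("browser-plugins.rules", "server-webapp.rules", "os-windows.rules"):
        open(os.path.join(rules_dir, name), "w").close()
    return rules_dir


if __name__ == "__main__":
    fixture = make_fixture()
    for key, names in compare_includes(SAMPLE_CONF, fixture).items():
        print(f"{key}: {names}")
```

Run it against a real deployment by replacing SAMPLE_CONF with the contents of your snort.conf and the fixture directory with the directory RULE_PATH points to; anything under `not_included` is coverage you are paying for but not running.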

Thursday, October 18, 2012

Sourcefire VRT Certified Snort Rules Update for 10/18/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/18/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 14 new rules and made modifications to 237 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the bad-traffic, dos, file-flash, file-identify, malware-backdoor, malware-cnc, malware-other, multimedia, netbios and web-php rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 16, 2012

Sourcefire VRT Certified Snort Rules Update for 10/16/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/16/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 29 new rules and made modifications to 620 additional rules.

The following changes were made to the snort.conf in this release:
The following line was updated from:
config event_queue: max_queue 8 log 3 order_events content_length
to
config event_queue: max_queue 8 log 5 order_events content_length

The following ports were added to http_inspect, the HTTP_PORTS variable, and stream5:
383
8300
50002


The example snort.confs that the VRT recommends that you use can be found here:
https://www.snort.org/configurations

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-firefox, ddos, exploit, exploit-kit, indicator-compromise, malware-backdoor, malware-cnc, malware-other, misc, netbios and web-iis rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 11, 2012

Sourcefire VRT Certified Snort Rules Update for 10/11/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/11/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 45 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, dos, exploit, exploit-kit, file-flash, file-identify, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, scan and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 9, 2012

Sourcefire VRT Certified Snort Rules Update for 10/09/2012, MS Tuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/09/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 16 additional rules.

The following changes were made to the snort.conf:

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9080,9090,9091,9443,9999,11371,55555] 

now reads:

portvar HTTP_PORTS [80,81,311,591,593,901,1220,1414,1741,1830,2301,2381,2809,3128,3702,4343,4848,5250,7001,7145,7510,7777,7779,8000,8008,8014,8028,8080,8088,8090,8118,8123,8180,8181,8243,8280,8800,8888,8899,9000,9060,9080,9090,9091,9443,9999,11371,55555] 

(Addition of 9060)

The port was also added to stream5 and http_inspect's configuration lines.

I have updated the example snort.conf's, they can be found here: https://www.snort.org/configurations
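The same three-place edit appears in the 10/16 release above (ports 383, 8300 and 50002) and here (9060): a port added to HTTP_PORTS has to be mirrored in stream5_tcp and http_inspect_server, because rules written against $HTTP_PORTS only see reassembled streams on the ports stream5 reassembles and only get the normalized http_uri/http_header buffers on the ports http_inspect inspects. A port present in one list and missing from another is a silent coverage gap. The script below is an added example, not from the original post or the Snort distribution: it parses a snort.conf (folding the backslash line continuations the VRT example configs use), pulls out the three port lists and reports the differences. The embedded configuration is a constructed sample that deliberately leaves 8300 out of http_inspect and 50002 out of stream5; the function names are my own.

```python
"""Cross-check the three places snort.conf names HTTP ports.

Added example; not part of the original post or of the Snort distribution.
Rules on $HTTP_PORTS rely on stream5_tcp for reassembly and on
http_inspect_server for the normalized http_* buffers, so a port that is in
HTTP_PORTS but missing from either preprocessor is a silent detection gap.
"""
import re

# Constructed sample in the layout of the VRT example snort.conf.  It
# deliberately leaves 8300 out of http_inspect and 50002 out of stream5.
SAMPLE_CONF = r"""
# HTTP ports the rules are written against
portvar HTTP_PORTS [80,81,383,8080,8300,9060,50002]
portvar SHELLCODE_PORTS !80

preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 25 110 143, \
    ports both 80 81 383 443 8080 8300 9060

preprocessor http_inspect_server: server default \
    http_methods { GET POST PUT } \
    server_flow_depth 0 \
    ports { 80 81 383 8080 9060 50002 } \
    non_rfc_char { 0x00 0x01 }
"""


def logical_lines(conf_text):
    """Fold backslash-newline continuations and drop blank and comment lines."""
    joined = re.sub(r"\\[ \t]*\n\s*", " ", conf_text)
    return [ln for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def expand_ports(tokens):
    """Turn Snort port tokens ('80', '8000:8010', '!80') into a set of ints.

    Negated tokens are skipped: they are not positive coverage.
    """
    ports = set()
    for tok in tokens:
        tok = tok.strip()
        if not tok or tok.startswith("!"):
            continue
        if ":" in tok:
            lo, hi = tok.split(":", 1)
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        elif tok.isdigit():
            ports.add(int(tok))
    return ports


def parse_portvar(lines, name):
    """Ports from 'portvar NAME [a,b,c:d]'."""
    pat = re.compile(r"^\s*portvar\s+" + re.escape(name) + r"\s+\[([^\]]*)\]")
    for ln in lines:
        m = pat.match(ln)
        if m:
            return expand_ports(m.group(1).split(","))
    return set()


def parse_stream5_both(lines):
    """Ports listed under 'ports both' on the stream5_tcp preprocessor line."""
    for ln in lines:
        if re.match(r"^\s*preprocessor\s+stream5_tcp\s*:", ln):
            m = re.search(r"\bports\s+both\s+([\d\s:]+)", ln)
            return expand_ports(m.group(1).split()) if m else set()
    return set()


def parse_http_inspect_ports(lines):
    """Ports from 'ports { ... }' of the default http_inspect_server."""
    for ln in lines:
        if re.match(r"^\s*preprocessor\s+http_inspect_server\s*:\s*server\s+default", ln):
            m = re.search(r"\bports\s*\{([^}]*)\}", ln)
            return expand_ports(m.group(1).split()) if m else set()
    return set()


def check_http_port_consistency(conf_text):
    """Report HTTP_PORTS entries each preprocessor fails to cover, and the reverse."""
    lines = logical_lines(conf_text)
    http_ports = parse_portvar(lines, "HTTP_PORTS")
    stream5 = parse_stream5_both(lines)
    inspect = parse_http_inspect_ports(lines)
    return {
        "missing_from_stream5": sorted(http_ports - stream5),
        "missing_from_http_inspect": sorted(http_ports - inspect),
        "inspected_but_not_in_http_ports": sorted(inspect - http_ports),
    }


if __name__ == "__main__":
    for key, ports in check_http_port_consistency(SAMPLE_CONF).items():
        print(f"{key}: {ports}")
```

Point it at a real snort.conf after each rule update that touches ports; the two `missing_from_*` lists should be empty, and anything under `inspected_but_not_in_http_ports` is traffic http_inspect normalizes that no $HTTP_PORTS rule will ever be applied to.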

In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of multiple vulnerabilities affecting products from Microsoft Corporation. 
Details: Microsoft Security Bulletin MS12-064: Microsoft Word contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24353, 24354, 24357 and 24358. 
Microsoft Security Bulletin MS12-065: Microsoft Works contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24351 and 24352. 
Microsoft Security Bulletin MS12-066: A vulnerability in the Microsoft HTML sanitization component may allow an attacker to elevate privileges. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 23136 and 23137. 
Microsoft Security Bulletin MS12-069: The Microsoft implementation of Kerberos may allow a remote attacker to cause a Denial of Service (DoS) against an affected system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 24360. 
Microsoft Security Bulletin MS12-070: A vulnerability in Microsoft SQL Server may allow a remote attacker to elevate privileges. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 24355 and 24356.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Some VRT Shared Object rule platforms are being EOL'ed

This is an EOL notification for the following Shared Object rule platforms.  They are no longer supported with updates:

Debian-5-0/x86-64
Debian-5-0/i386
Centos-4-8/i386
Ubuntu 8.4 i386
Ubuntu 8.4 x86-64 
  

We have also added support for the following:
OpenSUSE-11-4/x86-64
OpenSUSE-11-4/i386

The official page has been updated to reflect these changes.

Thursday, October 4, 2012

Sourcefire VRT Certified Snort Rules Update for 10/04/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/04/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 43 new rules and made modifications to 33 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the bad-traffic, blacklist, dos, exploit, exploit-kit, file-multimedia, file-other, indicator-compromise, malware-cnc, malware-other, netbios, sql, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.1.2 is EOL on October 17th!


In accordance with our EOL policy (see https://www.snort.org/eol), Snort version 2.9.1.2's ruleset from the VRT will be EOL'ed as of October 17th.  This was first announced back in July here: http://blog.snort.org/2012/07/2921-eol-notice.html.

Please be sure and upgrade to the latest version of Snort (2.9.3.1) available here: https://www.snort.org/downloads

Tuesday, October 2, 2012

Sourcefire VRT Certified Snort Rules Update for 10/02/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 10/02/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 43 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contributions in rule: 24265

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-webkit, dns, exploit, exploit-kit, file-multimedia, file-office, file-other, file-pdf, icmp, malware-cnc, malware-other, voip, web-activex, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 27, 2012

Sourcefire VRT Certified Snort Rules Update for 09/27/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 09/27/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on sid: 24255
The VRT would like to thank James Lay for his work on sids: 24253, 24254

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the browser-ie, indicator-compromise, malware-cnc and web-php rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 25, 2012

Sourcefire VRT Certified Snort Rules Update for 09/25/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/25/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 20 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.
Details:
The Sourcefire VRT has added and modified multiple rules in the
browser-firefox, browser-ie, exploit-kit, file-flash, file-office,
file-other, malware-cnc, malware-other, misc, voip and web-misc rule
sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store.  Make sure and stay up to date to catch the most emerging threats!

Barnyard2 - v2-1.10 has been released

It's my great pleasure to finally announce the next stable release of barnyard2 v2-1.10 build(310).

After almost 20 months of development and continuous testing from the community we are happy to get this one out to the masses (without the beta tag).

This development cycle has seen a lot of changes, refinements and fixes. This will be the last version built around the old database schema.

The next release of barnyard2 will come with a new database output that only supports the new schema, native IPv6 support and FULL unified2 support for all output plugins.

I could go on about the changes, but the wait has been long enough. Here's a summary of the more notable changes:
 * Additions
 - spo_database. Support of encrypted connections to postgresql is now available. See README.database for the appropriate options.
 - spo_sguil. Fixed issue with duplication of alerts.
 - Completely re-written database plugin for performance optimisation against the original DB schema. 
NOTE: If you have intentions of running this new version, we highly recommend that you clean two database tables for better performance: reference and sig_reference. Not doing so will not break anything, but it could slow the startup caching process.
 - New Bro output plugin (thanks to Seth Hall)
 - A new syslog plugin (syslog_full) that supports local and remote TCP and UDP syslog.
 * Improvements
 - Improved support against the latest Unified 2 format. Extended headers are read, however no plugins use the information currently.
 - Improved core IPv6 support.
 - Compiles under Cygwin
 - And many, many bugfixes.

 You can download the source in a number of ways:
 - https://github.com/firnsy/barnyard2/tags (as a zip/tarball)
 - git://github.com/firnsy/barnyard2.git (via a git clone)

 I would like to pay special thanks to Eric Lauzon (the newest member of the core development team) and the many people who have helped along the road: Russell Fulton, Tim Shelton, JJ Cummings, Michael Steele, Brett Edgar, Bill Parker, Miguel Alvarez, Martin Holste, Jason Haar and any others who I may have missed.

Regards,

firnsy

Friday, September 21, 2012

Sourcefire VRT Certified Snort Rules Update for 09/21/2012

Just released: Sourcefire VRT Certified Snort Rules Update for 09/21/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 17 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contributions on rule: 24224
The VRT would like to thank Eoin Miller for his contributions on rules: 24227 24228

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit, exploit-kit, file-identify, file-multimedia, file-other, malware-cnc and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 18, 2012

Sourcefire VRT Certified Snort Rules Update for 09/18/2012, IE 0day

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/18/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 3 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
browser-ie, exploit-kit, file-identify and malware-cnc rule sets to
provide coverage for emerging threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, September 17, 2012

Sourcefire VRT Certified Snort Rules Update for 09/17/2012, IE 0day

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/17/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 39 new rules and made modifications to 21 additional rules.


There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-firefox, browser-ie, file-identify, file-image,
file-office, file-other, malware-backdoor, malware-cnc, sql,
web-activex and web-php rule sets to provide coverage for emerging
threats from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 13, 2012

Sourcefire VRT Certified Snort Rules Update for 09/13/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/13/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 34 new rules and made modifications to 13 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions:
James Lay:
24171
Eoin Miller:
23058

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, exploit-kit, file-flash, file-identify, file-other,
file-pdf, indicator-obfuscation, malware-cnc, malware-other and
web-misc rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 11, 2012

Sourcefire VRT Certified Snort Rules Update for 09/11/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/11/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 331 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Christopher Granger for his work on rule 24127.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-ie, exploit-kit, file-identify, file-image,
file-multimedia, file-office, file-other, file-pdf,
indicator-compromise, indicator-obfuscation, malware-backdoor,
malware-cnc, malware-other, misc, mysql, policy-other, policy-social,
scada, shellcode, specific-threats, web-activex, web-client and web-php
rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 6, 2012

Sourcefire VRT Certified Snort Rules Update for 09/06/2012, Rule Re-categorization

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/06/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 28 new rules and made modifications to 1028 additional rules.

Be sure you have the following in your snort.conf to get all the new rules:

include $RULE_PATH/app-detect.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-firefox.rules
include $RULE_PATH/browser-ie.rules
include $RULE_PATH/browser-other.rules
include $RULE_PATH/browser-webkit.rules
include $RULE_PATH/exploit-kit.rules
include $RULE_PATH/file-executable.rules
include $RULE_PATH/file-flash.rules
include $RULE_PATH/file-image.rules
include $RULE_PATH/file-multimedia.rules
include $RULE_PATH/malware-backdoor.rules
include $RULE_PATH/malware-cnc.rules
include $RULE_PATH/malware-other.rules
include $RULE_PATH/malware-tools.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/file-office.rules
include $RULE_PATH/file-other.rules
include $RULE_PATH/file-pdf.rules
include $RULE_PATH/indicator-compromise.rules
include $RULE_PATH/indicator-obfuscation.rules
include $RULE_PATH/policy-other.rules
include $RULE_PATH/policy-social.rules
include $RULE_PATH/pua-p2p.rules
include $RULE_PATH/pua-toolbars.rules
include $RULE_PATH/server-mail.rules
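
A list like the one above is easy to get wrong by hand: a line left commented out, a category forgotten, or a file pasted twice (a rules file included twice loads the same SIDs twice and at best earns you duplicate-rule warnings at Snort startup). The following script, added here as an example and not part of the original post or of any VRT or Sourcefire tooling, parses the include $RULE_PATH/<category>.rules lines of a snort.conf, lists the categories from this post that are missing, and flags any category included more than once. The required list is the one in this post with each category named once; the snort.conf fragment it checks by default is constructed for the demonstration, and a real file can be passed as the first argument.

```python
"""Check a snort.conf for the rule-file includes a VRT release expects.

Added example (not from the original post or from the VRT): it parses the
'include $RULE_PATH/<category>.rules' lines of a snort.conf, reports the
categories from the required list that are missing, and flags any category
included more than once.
"""
import re
import sys
from typing import Dict, List, Tuple

# The rule files the 09/06/2012 post asks for, each category listed once.
REQUIRED_INCLUDES: List[str] = [
    "app-detect", "browser-chrome", "browser-firefox", "browser-ie",
    "browser-other", "browser-webkit", "exploit-kit", "file-executable",
    "file-flash", "file-image", "file-multimedia", "malware-backdoor",
    "malware-cnc", "malware-other", "malware-tools", "policy-multimedia",
    "file-office", "file-other", "file-pdf", "indicator-compromise",
    "indicator-obfuscation", "policy-other", "policy-social", "pua-p2p",
    "pua-toolbars", "server-mail",
]

# Matches an active include of a rules file under $RULE_PATH and captures the
# category name, e.g. 'browser-ie' from 'include $RULE_PATH/browser-ie.rules'.
INCLUDE_RE = re.compile(r"^include\s+\$RULE_PATH/([\w.-]+)\.rules$")


def parse_includes(conf_text: str) -> Dict[str, int]:
    """Return {category: number of times it is included}.

    Lines starting with '#' are comments and are skipped, so a commented-out
    include ('# include $RULE_PATH/x.rules') does not count as present.
    """
    counts: Dict[str, int] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = INCLUDE_RE.match(line)
        if m:
            category = m.group(1)
            counts[category] = counts.get(category, 0) + 1
    return counts


def check_includes(conf_text: str,
                   required: List[str] = REQUIRED_INCLUDES) -> Tuple[List[str], List[str]]:
    """Return (missing, duplicated) category lists for the given snort.conf text.

    'missing' keeps the order of the required list; 'duplicated' is sorted.
    """
    counts = parse_includes(conf_text)
    missing = [c for c in required if c not in counts]
    duplicated = sorted(c for c, n in counts.items() if n > 1)
    return missing, duplicated


# Constructed snort.conf fragment for the demonstration (not a real deployment):
# one include is commented out, most are absent, and one is listed twice.
SAMPLE_CONF = """\
var RULE_PATH ../rules
include $RULE_PATH/local.rules
include $RULE_PATH/app-detect.rules
include $RULE_PATH/browser-chrome.rules
# include $RULE_PATH/browser-firefox.rules
include $RULE_PATH/exploit-kit.rules
include $RULE_PATH/policy-multimedia.rules
include $RULE_PATH/policy-multimedia.rules
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    missing, duplicated = check_includes(text)
    for category in missing:
        print(f"missing:   include $RULE_PATH/{category}.rules")
    for category in duplicated:
        print(f"duplicate: include $RULE_PATH/{category}.rules")
    sys.exit(1 if missing or duplicated else 0)
```

Run it as "python check_includes.py /etc/snort/snort.conf" after a rule update; a non-zero exit code makes it usable as a gate in whatever script you already use to restart Snort after pulling new rules.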


There were no changes made to the snort.conf in this release.

The VRT would like to thank James Lay for his contribution of the following rule:
24102

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
app-detect, blacklist, browser-firefox, exploit-kit, file-executable,
file-identify, file-image, file-multimedia, file-office, file-other,
file-pdf, indicator-compromise, malware-backdoor, malware-cnc,
malware-other, malware-tools, mysql, netbios, oracle, policy-other,
specific-threats, spyware-put, telnet, web-activex, web-client and
web-php rule sets to provide coverage for emerging threats from these
technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 4, 2012

Sourcefire VRT Certified Snort Rules Update for 09/04/2012, Rule Recategorization

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/04/2012


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 21 new rules and made modifications to 2482 additional rules.

As you can see, thousands of rules have been moved. Please read this post to stay current, and make sure you add the new rule files to your snort.conf for the best detection.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-chrome, browser-firefox, browser-ie, browser-other,
browser-webkit, exploit, exploit-kit, file-executable, file-flash,
file-identify, file-image, file-multimedia, file-office, file-other,
file-pdf, indicator-compromise, indicator-obfuscation,
malware-backdoor, malware-cnc, malware-other, malware-tools, mysql,
netbios, policy-other, spyware-put, voip, web-activex, web-client,
web-iis and web-php rule sets to provide coverage for emerging threats
from these technologies.



In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 30, 2012

Sourcefire VRT Certified Snort Rules Update for 08/30/2012, Rule Re-Categorization

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/30/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 24 new rules and made modifications to 43 additional rules.

The following changes were made to the snort.conf in this release (new rule files to include):

include $RULE_PATH/app-detect.rules
include $RULE_PATH/browser-chrome.rules
include $RULE_PATH/browser-firefox.rules
include $RULE_PATH/browser-ie.rules
include $RULE_PATH/browser-other.rules
include $RULE_PATH/browser-webkit.rules
include $RULE_PATH/exploit-kit.rules
include $RULE_PATH/file-executable.rules
include $RULE_PATH/file-flash.rules
include $RULE_PATH/file-image.rules
include $RULE_PATH/file-multimedia.rules
include $RULE_PATH/malware-backdoor.rules
include $RULE_PATH/malware-cnc.rules
include $RULE_PATH/malware-other.rules
include $RULE_PATH/malware-tools.rules
include $RULE_PATH/policy-multimedia.rules



In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
app-detect, botnet-cnc, browser-chrome, browser-firefox, browser-ie,
browser-other, browser-webkit, exploit, exploit-kit, file-executable,
file-flash, file-identify, file-image, file-multimedia, file-office,
file-other, indicator-compromise, malware-backdoor, malware-cnc,
malware-other, malware-tools, smtp, specific-threats, spyware-put,
web-activex, web-client and web-php rule sets to provide coverage for
emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Rule Category Reorganization Phase 2

Beginning back in April 2012, the Vulnerability Research Team (VRT) began its Rule Category Reorganization effort to realign the rules into an easier-to-understand category structure.

We are continuing that effort with the VRT’s newest rule release, adding the following categories:

APP-DETECT -- This category contains rules that look for, and control, the traffic of certain applications that generate network activity.

BROWSER-CHROME -- This category contains detection for vulnerabilities present in the Chrome browser. (This is separate from the "Webkit" category: Chrome has enough vulnerabilities to be broken out into its own category, and while it uses the Webkit rendering engine, there is a lot more to Chrome than Webkit.)

BROWSER-FIREFOX -- This category contains detection for vulnerabilities present in the Firefox browser, or in products that use the "Gecko" engine (the Thunderbird email client, etc.).

BROWSER-IE -- This category contains detection for vulnerabilities present in the Internet Explorer browser (Trident or Tasman engines).

BROWSER-WEBKIT -- This category contains detection for vulnerabilities present in the Webkit browser engine, aside from Chrome. This includes Apple's Safari and the RIM, Nokia, KDE, and Palm browsers.

BROWSER-OTHER -- This category contains detection for vulnerabilities in other browsers not listed above (Opera, for example).

EXPLOIT-KIT -- This category contains rules that are specifically tailored to detect exploit kit activity (Blackhole, Phoenix, etc).

FILE-EXECUTABLE -- This category contains rules for vulnerabilities that are found in, or are delivered through, executable files, regardless of platform.

FILE-FLASH -- This category contains rules for vulnerabilities that are found inside Flash files, either compressed or uncompressed, regardless of delivery method or of the software being attacked.

FILE-IMAGE -- This category contains rules for vulnerabilities that are found inside image files, regardless of delivery method, the software being attacked, or the type of image file (jpg, png, gif, bmp, etc.).

FILE-MULTIMEDIA -- This category contains rules for vulnerabilities present inside multimedia files (mp3, movies, wmv).

MALWARE-BACKDOOR -- This category contains rules that detect traffic destined to known listening backdoor command channels. If a piece of malicious software opens a port and waits for incoming commands for its control functions, detection for it belongs here. A simple example would be detection for BackOrifice, as it listens on a specific port and then executes the commands it is sent. Another example would be SubSeven, a VNC-like application that allows the remote attacker to control the victim's computer.

MALWARE-CNC -- This category contains known malicious command and control activity for identified botnet traffic. This includes call-home traffic, downloading of dropped files, and exfiltration of data.

MALWARE-TOOLS -- This category contains rules that deal with tools that can be considered malicious in nature. For example, LOIC.

MALWARE-OTHER -- This category contains rules that are malware related, but don’t fit into one of the other ‘malware’ categories.

If you are using the Sourcefire product, PulledPork, or Oinkmaster, the vast majority of you should be unaffected; these products will handle the transition just fine. The only way you will be affected when using PulledPork (or Oinkmaster's related tools) is if you use enablesid.conf or disablesid.conf to enable or disable entire categories of rules. Those entries name a category, so a rule that has moved out of that category into one of the new ones is no longer covered by the old entry, and such entries should be reviewed against the new category names.

Tuesday, August 28, 2012

Sourcefire VRT Certified Snort Rules Update for 08/28/2012

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/28/2012

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 69 new rules and made modifications to 357 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions to the following rules:
24017 -- James Lay & Nathan Fowler
24031,24032,24033,24034 -- Alexandre Menezes

In VRT's rule release:
Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, dos, exploit, file-office, file-other,
indicator-compromise, indicator-obfuscation, netbios, policy-other,
policy-social, specific-threats, web-activex, web-client and web-php
rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, August 24, 2012

Snort 2.9.3.1 Installation Guide for OpenBSD 5.1 has been posted

William Parker has been cranking them out.  Today I added his installation document for Snort 2.9.3.1 on OpenBSD 5.1.

Great job Bill! Fantastic work.

I also have a NetBSD installation guide that has been provided to me; however, some patches are needed for Snort in order to make it run, so we are reviewing those patches and when they will be put into Snort.

You can find all the installation guides here:
http://www.snort.org/docs

2012 Snort Scholarship winners!

Sourcefire, Inc. (Nasdaq: FIRE), the creator of Snort® and a leader in intelligent cybersecurity solutions, is delighted to announce that it has selected Elizabeth Gossell and Ryan McDougall as the recipients of the 2012 Snort Scholarship. The scholarships, each worth up to $15,000, are awarded to university students around the world who use Snort to further their education and gain hands-on experience in network security.

To qualify, applicants must be enrolled in a university that uses Snort or Sourcefire products to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Sourcefire selected Elizabeth and Ryan from a pool of hundreds of applicants.

To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. The winners also receive a $10,000 credit to use toward any training course or certification exam in the Sourcefire Security Education Program. The Sourcefire Security Education and Certification Programs deliver training and testing for IT staff on Sourcefire’s products and open source security solutions, either on-site or at dedicated locations around the world.

Sourcefire developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program eight years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. Martin Roesch founded Sourcefire in 2001 to deliver commercial security solutions that leverage his open source innovation, Snort. Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 350,000 registered users and over 4 million downloads to date. As the de facto standard for intrusion detection and prevention, Snort is used extensively by Fortune 100 enterprises and government agencies.

About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), is a world leader in intelligent cybersecurity solutions. Sourcefire is transforming the way Global 2000 organizations and government agencies manage and minimize network security risks. Sourcefire’s IPS, Real-time Network Awareness and Real-time Adaptive Security solutions equip customers with an efficient and effective layered security defense – protecting network assets before, during and after an attack. Through the years, Sourcefire has been consistently recognized for its innovation and industry leadership by customers, media and industry analysts alike – with more than 50 awards and accolades. Today, the name Sourcefire has grown synonymous with innovation and network security intelligence. For more information about Sourcefire, please visit http://www.sourcefire.com.

Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, ClamAV, Immunet and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.