Thursday, March 28, 2013

Sourcefire VRT Certified Snort Rules Update for 03/28/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/28/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 57 new rules and made modifications to 615 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his submission of the rules:
26265
26264
26288
These rules are also included in the Community rule pack.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-other, deleted, dns, dos, exploit, exploit-kit, file-executable, file-identify, file-multimedia, file-other, file-pdf, indicator-compromise, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, misc, netbios, os-linux, os-other, os-solaris, os-windows, policy-other, policy-social, protocol-finger, protocol-ftp, protocol-icmp, protocol-pop, protocol-services, pua-other, pua-p2p, rpc, scan, server-iis, server-mail, server-mssql, server-mysql, server-other, server-webapp, snmp, sql, telnet and x11 rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, March 27, 2013

The Talos Community ruleset is live!

As I discussed last week in my blog post about the recent Snort Subscriber Rule license changes (http://blog.snort.org/2013/03/vrt-rule-license-change-v20.html), the community ruleset, something we've been planning here at Talos, is finally live!

The Community Ruleset is a GPLv2 Talos certified ruleset that is distributed free of charge without the Snort Subscriber Rule Set License restrictions, without delay, and without oinkcode restriction.  It consists of the original GPLv2 rules (SIDs 3464 and below) as well as any rules that have been submitted to us to date for inclusion in the VRT ruleset.

This ruleset is updated daily and is a subset of the subscriber ruleset. If you are a Snort Subscriber, the community ruleset is already built into your download.  The subscriber ruleset will continue to be published on Tuesdays and Thursdays.

If you are a registered user (under the 30-day delay) you may also include this ruleset in your Snort installation to stay current.  If there are SID conflicts between the two rulesets when Snort starts up, Snort will always take the rule with the higher revision number, or "rev".  In most cases this will be the community ruleset.
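If you run both the registered-user ruleset and the community ruleset side by side, it is worth previewing the GID:SID collisions before Snort does. The script below is an added example (not Snort or pulledpork code) that parses two rule files, keys every rule by GID:SID, and resolves duplicates the way the post describes Snort doing it: the higher rev wins. The rule text is constructed for illustration and uses SIDs in the local range, so it does not stand for any real VRT or community rule.

```python
"""Merge two Snort rule files, resolving duplicate GID:SIDs by highest rev.

Added example, not code from Snort or pulledpork.  The two rule strings
below are constructed samples, not real VRT or community rules.
"""
import re

# Option keywords as they appear inside the rule body, e.g. "sid:1000001;"
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
REV_RE = re.compile(r'\brev\s*:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return {(gid, sid): (rev, rule_line)} for every active rule in text.

    Lines starting with '#' are commented-out rules and are skipped, as Snort
    skips them.  A rule with no gid option defaults to GID 1, and a rule with
    no rev option is treated as rev 0 so any revised copy will beat it.
    """
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid = SID_RE.search(line)
        if not sid:
            continue  # not a rule line (stray header, include, etc.)
        gid = GID_RE.search(line)
        rev = REV_RE.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        rules[key] = (int(rev.group(1)) if rev else 0, line)
    return rules


def merge_rulesets(primary, secondary):
    """Combine two parsed rulesets.

    On a GID:SID collision the copy with the higher rev is kept; on a tie the
    primary's copy stays.  Returns (merged, conflicts), where each conflict is
    (gid, sid, winning_rev, losing_rev) so you can see which file won.
    """
    merged = dict(primary)
    conflicts = []
    for key, (rev, line) in secondary.items():
        if key not in merged:
            merged[key] = (rev, line)
            continue
        prev_rev = merged[key][0]
        if rev > prev_rev:
            merged[key] = (rev, line)
            conflicts.append((*key, rev, prev_rev))
        else:
            conflicts.append((*key, prev_rev, rev))
    return merged, conflicts


# Constructed sample input: a "subscriber" file and a "community" file that
# overlap on two SIDs, one of which is newer in each file.
SUBSCRIBER_RULES = """\
# constructed sample, not real VRT rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE old copy"; content:"foo"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE subscriber is newer"; content:"bar"; sid:1000002; rev:3;)
"""

COMMUNITY_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE newer copy"; content:"foo"; content:"baz"; sid:1000001; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE community is older"; content:"bar"; sid:1000002; rev:2;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SAMPLE only in community"; content:"qux"; sid:1000004; rev:1;)
"""


def demo():
    """Merge the two constructed files and return (merged, conflicts)."""
    return merge_rulesets(parse_rules(SUBSCRIBER_RULES),
                          parse_rules(COMMUNITY_RULES))


if __name__ == "__main__":
    merged, conflicts = demo()
    for gid, sid, won, lost in conflicts:
        print(f"conflict {gid}:{sid}: kept rev {won}, dropped rev {lost}")
    for (gid, sid), (rev, _) in sorted(merged.items()):
        print(f"{gid}:{sid} rev {rev}")
```

Point it at the two files pulledpork writes (or the raw tarballs' rules/ directories) and the conflict list tells you which side will actually be loaded for each duplicate; when a subscriber copy wins, that is a rule the community pack has not caught up to yet.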

The ruleset is designed for the most recent version of Snort. That isn't to say the ruleset won't function on older versions of Snort; we simply design this up-to-date, living ruleset for the most current version of Snort in production.

There are no shared object rules in the community rulepack.

You may download the Community ruleset by editing your pulledpork.conf and adding the following line to your "rule_url" section:
rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

The SVN version of pulledpork also contains this functionality, and a new release of pulledpork will be pushed soon.

The authors of the rules in the community ruleset are listed in the AUTHORS file inside the tarball.

If you would like to submit to the community ruleset, you may do so by emailing your rule to vrt [at] sourcefire [dot] com.  We require a pcap of the traffic your rule is supposed to detect; if you cannot provide a pcap, you must include references, screenshots or something similar that gives us an indication of what your rule is written to fire on.

Rules submitted to Talos on the Snort-sigs mailing list will also go into the community ruleset with full attribution to the author.

We look forward to working with you all and the many people that have already submitted rules to us in order to make this a vibrant living and breathing ruleset!  It's been a long time coming, so thanks for being patient with us!

If there are any questions, please send them to the Snort-sigs mailing list listed above!

I'd like to thank Miklovin of Talos for writing the software to make this all happen!

Tuesday, March 26, 2013

Sourcefire VRT Certified Snort Rules Update for 03/26/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/26/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 11 new rules and made modifications to 1794 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-ie, browser-plugins, browser-webkit, dns, dos, exploit, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, indicator-compromise, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, nntp, os-windows, policy-multimedia, policy-other, policy-social, protocol-finger, protocol-ftp, protocol-icmp, protocol-imap, protocol-pop, protocol-services, pua-other, pua-p2p, rpc, scan, server-apache, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other, server-webapp, snmp, sql, telnet, tftp and x11 rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, March 22, 2013

VRT Rule License Change v2.0

In its first big update since the VRT License Agreement for Snort was written several years ago, we’re proud to announce Version 2.0 of the VRT License.

It can be read, as always, in its entirety here: http://www.snort.org/vrt/rules/vrt_license

The three main goals that we wanted to accomplish by revising the license agreement:

1. Simplify the license. 

Based on user feedback, we wanted to make the license more simple to follow. We have worked with our lawyers to incorporate the feedback from the user community into this license with the goal of clarifying those provisions that users had questions about.

 2. The inclusion of the Community ruleset

The primary goal for the license change was to allow for a set of rules written by, and for, the community.  GPLv2 licensed, free to use. There will be an additional blog post on the community ruleset very soon.

 3. Recurring subscriptions 
 **This has not been rolled out yet**

One of the common challenges our users tell us they face is the requirement to log into Snort.org and renew their VRT subscription on an annual basis. We want to remove this pain and make subscribing easier for everyone.

We are undergoing a complete rewrite of the Snort.org web site so that we can deliver content faster to users, make the downloads more reliable, and make user account issues a thing of the past. We plan to roll this out in the near future; more on this soon.

When we shift from the old web site to the new web site, there will be a process for you to login and migrate your account from the old database to the new database. During this process you will be required to agree to the new VRT 2.0 License Agreement that we’ve linked to above. The new agreement allows for recurring subscriptions, and any new subscription you purchase after the account migration will move to this new system to make that yearly task of renewing your account a thing of the past.

As I said above, we are working on several big improvements to Snort’s ecosystem. We have many exciting improvements waiting in the wings, and we intend on making sure they are available to the community!

 Thanks for your support of Snort!

Thursday, March 21, 2013

Sourcefire VRT Certified Snort Rules Update for 03/21/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/21/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 0 new rules and made modifications to 143 additional rules.

The following changes were made to the snort.conf in this release:
Port 110 was added to the "stream5 both" parameter
Port 631 was added to HTTP_PORTS, http_inspect, and stream5's reassembly
Port 8222 was added to HTTP_PORTS, http_inspect, and stream5's reassembly
Port 70 was added to the "stream5 client" parameter
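Those four changes touch three separate places in snort.conf, and they only take effect together: $HTTP_PORTS controls which rules match on a port, http_inspect_server's ports list controls which traffic is HTTP-normalized, and stream5_tcp's ports lists control which streams are reassembled and in which direction. The fragment below is an added illustration of where each entry lands in a Snort 2.9.x configuration; it is not a copy of the VRT recommended file, and its port lists are cut down to a handful of entries where the real file carries many more.

```conf
# Added illustration of the 03/21/2013 snort.conf port changes.
# Port lists are shortened to a few entries; the VRT recommended
# snort.conf at https://www.snort.org/configurations lists many more.

# 1. HTTP_PORTS: 631 (IPP) and 8222 added, so rules written against
#    $HTTP_PORTS fire on those ports.
portvar HTTP_PORTS [80,8080,631,8222]

# 2. stream5: 110 (POP3) moved to "ports both" so both directions of a
#    POP3 session are reassembled; 70 (Gopher) added to "ports client"
#    so only client-to-server data is reassembled on that port.
#    631 and 8222 go in "ports both" like the other HTTP ports.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \
    ports client 21 22 23 25 70 143 445, \
    ports both 80 110 443 631 8080 8222

# 3. http_inspect: the same HTTP ports must also be listed here, or the
#    traffic on 631 and 8222 is never normalized and http_* rule options
#    (http_uri, http_header, ...) never match on it.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 631 8222 } oversize_dir_length 500
```

After editing, run `snort -T -c /etc/snort/snort.conf` (the -T flag parses the configuration and rules without starting capture) so a typo in a port list is caught before the sensor goes back into service. Keeping the three port lists in sync is the reason the VRT changes all of them together in a release like this one.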

The correct VRT recommended configuration snort.conf's are here:
https://www.snort.org/configurations

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, exploit, exploit-kit, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, os-other, policy-other, policy-spam, pua-adware, server-mysql, server-other, server-webapp and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 19, 2013

Sourcefire VRT Certified Snort Rules Update for 03/19/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/19/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions:
Avery Tarasov
26212
26211


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, dos, exploit, exploit-kit, file-identify, file-multimedia, file-other, file-pdf, malware-cnc, malware-other, misc, netbios and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 14, 2013

Sourcefire VRT Certified Snort Rules Update for 03/14/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/14/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 34 new rules and made modifications to 34 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, file-flash, file-office, file-other, indicator-obfuscation, malware-cnc, os-windows, protocol-voip, server-iis, server-mail, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 12, 2013

Sourcefire VRT Certified Snort Rules Update for 03/12/2013, MSTUES

Just released: Sourcefire VRT Certified Snort Rules Update for 03/12/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 66 new rules and made modifications to 371 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work in rule:
26106

In VRT's rule release:
Microsoft Security Bulletin MS13-021:
Microsoft Internet Explorer contains programming errors that may allow
a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 25775, 26125, 26129,
26130, 26132 through 26138, 26157 through 26162, 26168 and 26169.

Microsoft Security Bulletin MS13-023:
Microsoft Visio contains a programming error that may allow a remote
attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 26163 and 26164.

Microsoft Security Bulletin MS13-024:
Microsoft SharePoint contains programming errors that may allow a
remote attacker to elevate privileges on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 26124, 26131 and 26165
through 26167.

Microsoft Security Bulletin MS13-025:
A vulnerability in Microsoft OneNote may allow a remote attacker to
gain access to sensitive information.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 26170 and 26171.

Additionally, the Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, indicator-shellcode, malware-cnc, malware-other, os-linux, os-other, os-windows, policy-other, policy-spam, scada, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, March 8, 2013

Snort syntax highlighting for the Nano text editor

Caleb Jaren, a regular Snort user and contributor, has recently put up a blog post about his work on Snort syntax highlighting for the Nano text editor.

If the name sounds familiar, it's because he recently did the same work for the Notepad++ editor, which we highlighted here: http://blog.snort.org/2012/08/snort-syntax-highlighting-and-more-in.html

For his most recent work on Nano check out his post here: http://www.tropismgroup.org/2013/03/07/snort-syntax-highlighting-for-the-nano-text-editor/


Thursday, March 7, 2013

Sourcefire VRT Certified Snort Rules Update for 03/07/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/07/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 49 new rules and made modifications to 64 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his work on rule:
26075


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-identify, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, malware-tools, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.4.1 installation guides have been posted

Thanks to the hard work of William Parker, he just sent me a whole swath of updates to his excellent Snort installation guides for various OSes.

Take a look at http://www.snort.org/docs and you'll see install guides for CentOS, NetBSD, Fedora, OpenSuSE, FreeBSD, and OpenBSD!

Thanks so much Mr. Parker, your work is extremely helpful to the community and I hope lots of people use them!

Tuesday, March 5, 2013

Sourcefire VRT Certified Snort Rules Update for 03/05/2013

Just released: Sourcefire VRT Certified Snort Rules Update for 03/05/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 35 new rules and made modifications to 51 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Avery Tarasov for his contributions to the following rules:
26023
26024


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-ie, dos, exploit-kit, file-identify, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, malware-tools, os-windows, server-mail, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, March 4, 2013

Snort 2.9.4.1 has been released!

We are pleased to announce the immediate availability of Snort 2.9.4.1.

The following is an excerpt from the ChangeLog detailing the changes:

[*] Improvements

* Updated File processing for partial HTTP content and MIME attachments.
* Addition of new config option max_attribute_services_per_host and improve memory usage within attribute table.
* Handle excessive overlaps in frag3.
* Stream API updates to return session key for a session.
* Reduce false positives for TCP window slam events.
* Updates to provide better encoding for TCP packets generated for respond and react. 
* Disable non-ethernet decoders by default for performance reasons. If needed, use --enable-non-ether-decoders with configure.

Snort 2.9.4.1 can be downloaded immediately at: https://www.snort.org/downloads

Thanks for your support of Snort!