Thursday, June 27, 2013

Sourcefire VRT Certified Snort Rules Update for 06/27/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/27/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 49 new rules and made modifications to 40 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
27017

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, deleted, exploit-kit, file-other, malware-cnc, malware-other, os-mobile, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-imap, protocol-tftp, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, June 25, 2013

Sourcefire VRT Certified Snort Rules Update for 06/25/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/25/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 34 new rules and made modifications to 25 additional rules.

There were two changes made to the snort.conf in this release:
Port 3443 was added to HTTP_PORTS, Stream5 both, and http_inspect
Port 50000 was added to HTTP_PORTS, Stream5 both, and http_inspect

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
26984

Nathan Fowler
26985

I've went ahead and updated our master snort.conf examples from the VRT on the Snort.conf configuration page: https://www.snort.org/configurations

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, deleted, exploit-kit, file-other, malware-cnc, os-mobile, protocol-dns, protocol-ftp, protocol-imap, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, June 20, 2013

Sourcefire VRT Certified Snort Rules Update for 06/20/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/20/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 59 new rules and made modifications to 707 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

James Lay & Nathan Fowler:
26948
26947
26949
26950
26951

James Lay:
26965

Avery Tarasov:
26966
26968
26969
26970
26971

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, dos, exploit, exploit-kit, file-flash, file-image, file-java, file-multimedia, file-office, indicator-compromise, indicator-scan, malware-backdoor, malware-cnc, os-mobile, protocol-dns, protocol-nntp, protocol-rpc, protocol-scada, protocol-snmp, protocol-telnet, protocol-tftp, server-other, server-samba and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, June 18, 2013

Sourcefire VRT Certified Snort Rules Update for 06/18/2013, New Categories

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/18/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 28 new rules and made modifications to 48 additional rules.

There were changes made to the snort.conf in this release:

include $RULE_PATH/file-java.rules
include $RULE_PATH/indicator-scan.rules
include $RULE_PATH/os-mobile.rules
include $RULE_PATH/protocol-dns.rules
include $RULE_PATH/protocol-nntp.rules
include $RULE_PATH/protocol-rpc.rules
include $RULE_PATH/protocol-scada.rules
include $RULE_PATH/protocol-snmp.rules
include $RULE_PATH/protocol-telnet.rules
include $RULE_PATH/protocol-tftp.rules
include $RULE_PATH/server-samba.rules


This release introduces new rule categories:

File-Java
Indicator-Scan
Os-Mobile
Protocol-DNS
Protocol-NNTP
Protocol-RPC
Protocol-Scada
Protocol-SNMP
Protocol-Telnet
Protocol-TFTP
Server-Samba


I've went ahead and updated our master snort.conf examples from the VRT on the Snort.conf configuration page: https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions:

Avery Tarasov:
26910
26911
26912
26913
26914
26915
26924

Alexandre Menezes:
26916
26917
26918
26919
26920

Paul Bottomley:
26923

Brandon Kendall:
26925


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-java, file-other, file-pdf, indicator-scan, malware-cnc, malware-other, os-mobile, os-windows, protocol-dns, protocol-ftp, protocol-imap, protocol-nntp, protocol-rpc, protocol-scada, protocol-snmp, protocol-telnet, protocol-tftp, server-other, server-samba and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, June 13, 2013

Sourcefire VRT Certified Snort Rules Update for 06/13/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/13/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 5 new rules and made modifications to 53 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, file-image, file-pdf, malware-backdoor, malware-cnc, server-apache, server-iis, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, June 11, 2013

Sourcefire VRT Certified Snort Rules Update for 06/11/2013, MS Tuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/11/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 83 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions:

James Lay
26834
26837
26839

Avery Tarasov
26835
26836

Nathan Fowler
26838

Christopher Hall
26842

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from the
Microsoft Corporation.

Details:
Microsoft Security Advisory MS13-047:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 26843 through 26849,
26851 through 26853, 26867 through 26876, 26878, and 26882 through
26890.

Microsoft Security Advisory MS13-049:
A programming error exists in kernel-mode drivers that may lead to
remote code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 26877.

Microsoft Security Advisory MS13-051:
Microsoft Office suffers from programming errors that may lead to
remote code execution.

A previously released rule will detect attacks targeting this
vulnerability and has been updated with the appropriate reference
information. It is included in this release and is identified with GID
1, SID 6700.

The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-ie, browser-other, browser-plugins, deleted, dos,
exploit-kit, file-identify, file-image, file-office, file-other,
indicator-obfuscation, malware-backdoor, malware-cnc, malware-other,
os-windows, protocol-ftp, server-oracle, server-other and sql rule sets
to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, June 6, 2013

Snort FAQ is open for community involvement!

Following the success of our ClamAV FAQ being placed on Github, we decided to do the same thing to the Snort FAQ in hopes that it will make the content available to community users to submit content to and make it easily manageable.

So, now available: https://github.com/vrtadmin/snort-faq/blob/master/README.md

The reason we put it on Github is it makes it simple to edit (in Markdown format), it's easy to audit, it's easy to clone and import, etc.  When we did this with the ClamAV FAQ, we found it made the content super easy to keep up to date, allows for several users to work on it and allows for community involvement.

So this is what we are hoping you will do.  I took the old FAQ that was on http://www.snort.org, converted it to Markdown and committed it to Github.

Now we can add things like "Having a problem capturing TCP traffic?  Have you tried "-k none" in your testing?"

So, have at it.  We'll review all content and approve it as it comes in through your pull requests.

Sourcefire VRT Certified Snort Rules Update for 06/06/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/06/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 12 new rules and made modifications to 33 additional rules.

There was one change made to the snort.conf in this release.  Port 90 was added to HTTP_PORTS, http_inspect, and stream5.  The Example VRT snort.conf's have been updated: https://www.snort.org/configurations.

The VRT would like to thank the following individuals for their contributions:

Avery Tarasov:
26811
26812

James Lay
26725
26726
26727
26728
26729
26730
26731
26732
26733
26734
26735
26736
26737
26738
26739
26740
26741
26742
26743
26744
26745
26746
26747
26748
26749
26750
26810

Nathan Fowler
26814

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the exploit-kit, file-pdf, malware-cnc and server-iis rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, June 4, 2013

Snort 2.9.4.0 is now EOL!

Snort 2.9.4.0 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine.  Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.4.6. Snort 2.9.5.0 will be released soon.

Time to upgrade!  Thanks all!

Sourcefire VRT Certified Snort Rules Update for 06/04/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 06/04/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 36 new rules and made modifications to 40 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions:

Avery Tarasov:
26774
26775
26776
26779
26780
26781
26782



In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, dos, exploit-kit, file-identify, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, malware-cnc, malware-other, malware-tools, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!