Thursday, August 29, 2013

Sourcefire VRT Certified Snort Rules Update for 08/29/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/29/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 37 additional rules.

There were changes made to the snort.conf in this release:
The following ports were added to HTTP_PORTS, http_inspect, and stream5 (ports both):
36
818
801
972
4000

The example snort.conf files have been updated here:
https://www.snort.org/configurations
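A port added to HTTP_PORTS but forgotten in the http_inspect or stream5 lists is inspected inconsistently, so a quick consistency check is worth running after every snort.conf change. The following is an added example, not VRT code: it parses the three directives named above from a constructed snort.conf fragment (port lists trimmed, literal port lists assumed, no variable indirection) and reports which of this release's new ports each location is missing.

```python
import re

# Ports this release added; the check verifies they appear in all three places.
NEW_PORTS = {36, 818, 801, 972, 4000}

# Constructed snort.conf fragment (not the real file; port lists trimmed).
# Port 4000 is deliberately left out of "ports both" to show what the check reports.
SNORT_CONF = r"""
portvar HTTP_PORTS [80,81,311,8000:8010,8080,36,818,801,972,4000]
preprocessor http_inspect_server: server default \
    profile all ports { 80 81 311 8000 8080 36 818 801 972 4000 } \
    server_flow_depth 0
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \
    ports client 21 22 23 25 42 53 79 110 111 113 119 135 136 137 139 143, \
    ports both 80 81 311 8000 8080 36 818 801 972
"""

def _expand(tokens):
    # Port lists hold single ports or low:high ranges such as 8000:8010
    ports = set()
    for tok in (t.strip() for t in tokens if t.strip()):
        lo, _, hi = tok.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_port_lists(conf):
    """Return {location: set_of_ports} for the three places a port must be listed."""
    # snort.conf continues a directive on the next line with a trailing backslash
    text = re.sub(r"\\\n\s*", " ", conf)
    found = {}
    m = re.search(r"^portvar HTTP_PORTS \[([^\]]*)\]", text, re.M)
    if m:
        found["HTTP_PORTS"] = _expand(m.group(1).split(","))
    m = re.search(r"^preprocessor http_inspect_server:.*?ports \{([^}]*)\}", text, re.M)
    if m:
        found["http_inspect"] = _expand(m.group(1).split())
    m = re.search(r"^preprocessor stream5_tcp:.*?ports both ([^,\n]*)", text, re.M)
    if m:
        found["stream5 both"] = _expand(m.group(1).split())
    return found

def missing_ports(conf, ports=NEW_PORTS):
    """Map each location to the sorted list of expected ports it lacks."""
    return {name: sorted(ports - have) for name, have in parse_port_lists(conf).items()}

def report(conf, ports=NEW_PORTS):
    """Human-readable summary, one line per location."""
    return "\n".join(f"{loc:13} missing: {gap or 'none'}" for loc, gap in missing_ports(conf, ports).items())
```

Run `print(report(SNORT_CONF))` against the constructed fragment and the stream5 line is flagged for port 4000 while the other two locations report none missing.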

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

James Lay:
27726
27727
27728

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-java, file-office, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, os-mobile, protocol-dns, pua-adware, server-apache, server-mail, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

To subscribe to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, August 27, 2013

Sourcefire VRT Certified Snort Rules Update for 08/27/2013, ftp-data metadata additions

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/27/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 2421 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
27680

Yaser Mansour:
27707
27708


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, os-linux, os-mobile, os-windows, policy-other, protocol-scada, server-mail, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

This release contains over 2400 rule modifications. The majority of these are due to the addition of the new metadata service parameter, ftp-data.



Thursday, August 22, 2013

Sourcefire VRT Certified Snort Rules Update for 08/22/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/22/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 19 new rules and made modifications to 49 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
27680

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-identify, file-java, file-office, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Tuesday, August 20, 2013

Sourcefire VRT Certified Snort Rules Update for 08/20/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/20/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 35 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
27648
27649


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-java, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, protocol-imap and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Thursday, August 15, 2013

Sourcefire VRT Certified Snort Rules Update for 08/15/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/15/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 19 new rules and made modifications to 31 additional rules.

There were two changes made to the snort.conf in this release:
Ports 1741 and 8181 were added to the stream5 "ports both" configuration line. The example snort.conf files have been updated at https://www.snort.org/configurations for your use. Special thanks to "Bram" for pointing this out.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
27632
27633

Yaser Mansour:
27625
27626
27627
27628
27629
27630
27631

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, file-executable, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-mobile, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Wednesday, August 14, 2013

A few Shared Object platforms are being deprecated

In the near future the following Shared Object platform build environments will be deprecated as per our EOL policy:

OpenBSD 4.8
OpenSUSE 11.3

If you are using any of the above, please consider upgrading, as you will no longer be able to use precompiled Shared Object rules on your platform.  Text rules (the vast majority of the ruleset) are unaffected by this.

Tuesday, August 13, 2013

Sourcefire VRT Certified Snort Rules Update for 08/13/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/13/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 31 new rules and made modifications to 12 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Nathan Fowler:
27594
27595

Avery Tarasov:
27596

James Lay:
27599

In VRT's rule release:
Microsoft Security Advisory MS13-059:
Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 27605 through 27608, 27612 through 27616, and 27620.

Microsoft Security Advisory MS13-060:
A coding error exists in the Unicode Scripts Processor that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 27618 and 27619.

Microsoft Security Advisory MS13-064:
A coding error in Direct Access Server could lead to a Denial of Service attack.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 27610 and 27611.

Microsoft Security Advisory MS13-065:
A coding error in ICMPv6 could lead to a Denial of Service attack.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 27624.

Microsoft Security Advisory MS13-066:
A coding error exists in Active Directory Federation Services that may lead to information disclosure.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 27609.

The Sourcefire VRT has also added and modified multiple rules in the app-detect, browser-ie, browser-plugins, dos, exploit-kit, file-java, file-office, file-other, malware-cnc, malware-other, os-windows, policy-other, policy-spam, protocol-icmp, protocol-imap, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.
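Having the SIDs listed above in the downloaded ruleset is not the same as having them loaded: a rule commented out in a local policy, or dropped by a rule-management tool, gives no coverage. The following is an added example, not VRT code: it takes the GID 1 SIDs this release names per advisory, scans a rules file for them, and reports which are disabled (commented out) or absent. The rules file is constructed with placeholder rule bodies; only the sid options are taken from the release notes.

```python
import re

# SIDs named in the MS13 coverage notes above, keyed by advisory.
MS13_SIDS = {
    "MS13-059": list(range(27605, 27609)) + list(range(27612, 27617)) + [27620],
    "MS13-060": [27618, 27619],
    "MS13-064": [27610, 27611],
    "MS13-065": [27624],
    "MS13-066": [27609],
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def _rule(sid, enabled=True):
    # Constructed placeholder rule: only the sid option matters for this check.
    body = f'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED placeholder"; sid:{sid}; rev:1;)'
    return body if enabled else "# " + body

# Constructed rules file: 27614 is commented out and 27620 is absent.
RULES = "\n".join(
    _rule(s, enabled=(s != 27614))
    for sids in MS13_SIDS.values() for s in sids if s != 27620
)

def sid_states(rules_text):
    """Map each sid found in a rules file to 'enabled' or 'disabled'.
    A rule line starting with '#' is present on disk but Snort will not load it."""
    states = {}
    for line in rules_text.splitlines():
        line = line.strip()
        m = SID_RE.search(line)
        if m:
            states[int(m.group(1))] = "disabled" if line.startswith("#") else "enabled"
    return states

def coverage_report(rules_text, expected=MS13_SIDS):
    """For each advisory, list its sids that are disabled or missing entirely."""
    states = sid_states(rules_text)
    return {
        advisory: {
            "disabled": [s for s in sids if states.get(s) == "disabled"],
            "missing": [s for s in sids if s not in states],
        }
        for advisory, sids in expected.items()
    }
```

Pointing `coverage_report` at the concatenated contents of your enabled rules files shows, per advisory, exactly which of these SIDs your sensor will not fire on.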


Monday, August 12, 2013

Snort 2.9.5.3 Install Docs have been posted!

Thanks yet again to Mr. William Parker, who does a great job of turning out a massive amount of install docs for Snort; they have all been updated on http://www.snort.org/docs.

I also updated his "Integrating Snort and AlienVault OSSIM" doc and the "How to make some Home Routers mirror traffic to Snort" docs.

Enjoy!

Friday, August 9, 2013

Inexpensive Cellular IDS allows for Inspection of Cell Traffic, using Snort

From the article:

"At DEF CON last weekend, a team of researchers demonstrated an inexpensive cellular intrusion detection system (CIDS) built with a commercial femtocell, commodity hardware, and the open source Snort IDS. The researchers say the system, the first publicly available for cellular traffic inspection, can scale for enterprise deployments with better hardware and is a game-changer for securing personal devices at work."

Take a look!  http://threatpost.com/inexpensive-cellular-ids-allows-for-inspection-of-cell-traffic

Thursday, August 8, 2013

Sourcefire VRT Certified Snort Rules Update for 08/08/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/08/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 18 new rules and made modifications to 928 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-plugins, exploit-kit, file-identify, file-office, file-other, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other, malware-tools, os-mobile, policy-social, protocol-ftp, protocol-imap, protocol-scada, protocol-voip, pua-adware, pua-toolbars, server-apache, server-mysql, server-other and sql rule sets to provide coverage for emerging threats from these technologies.



Tuesday, August 6, 2013

Sourcefire VRT Certified Snort Rules Update for 08/06/2013, 2.9.5.3 ruleset

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/06/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 18 new rules and made modifications to 9 additional rules. This release also introduces support for Snort 2.9.5.3 (sorry for the delay!).

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
27566

Yaser Mansour/James Lay:
27567

Paul Bottomley:
27565


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-plugins, file-image, file-other, malware-cnc, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Thursday, August 1, 2013

Sourcefire VRT Certified Snort Rules Update for 08/01/2013


Sourcefire VRT Certified Snort Rules Update for 08/01/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 25 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
27533
27534
27535
27537
27538

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-identify, file-office, malware-cnc, malware-other, os-mobile and web-client rule sets to provide coverage for emerging threats from these technologies.

