Tuesday, December 24, 2013

Sourcefire VRT Certified Snort Rules Update for 12/24/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/24/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 34 new rules and made modifications to 13 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-multimedia, file-office, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, December 19, 2013

Sourcefire VRT Certified Snort Rules Update for 12/19/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/19/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 43 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
29030
29031


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-identify, file-other, file-pdf, malware-cnc, malware-other, os-linux, os-windows, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, December 18, 2013

Rule Attribution that we missed yesterday

When we publish a rule pack, we always thank the people that have submitted rules for the community ruleset, but yesterday I inadvertently missed some attribution for some rules.

So, the VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
28954
28953
28952
28951
28950
28940

Avery Tarasov:
28918
28919
28945
28959
28960
28976
28977

Sorry about that guys!

As a reminder, if you are interested in submitting rules to the Community ruleset, please feel free to do so.

More information on the ruleset can be found here:
http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html

Tuesday, December 17, 2013

Sourcefire VRT Certified Snort Rules Update for 12/17/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/17/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 76 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
28980
28981
28982
28983
28984
28985
28986
28987
28988

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-image, file-java, file-multimedia, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, protocol-rpc, protocol-scada, pua-adware, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Sunday, December 15, 2013

Snort 2.9.5.3 is now EOL for rule support.

Snort 2.9.5.3 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine. Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.5.6.

Please review our EOL policy here: https://www.snort.org/eol

Thursday, December 12, 2013

Sourcefire VRT Certified Snort Rules Update for 12/12/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/12/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 19 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Caleb Jaren, Microsoft:
28913


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-other, exploit-kit, file-identify, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 10, 2013

Sourcefire VRT Certified Snort Rules Update for 12/10/2013, MSTues

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/10/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 37 new rules and made modifications to 25 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Microsoft Security Bulletin 2914486:
A programming error in the Microsoft Windows Kernel-Mode NDProxy Driver
could lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28867 through 28872.

Microsoft Security Bulletin MS13-096:
A coding deficiency exists in Microsoft Office TIFF processing that may
lead to remote code execution.

Previously released rules will detect attacks targeting this
vulnerability and have been updated with the appropriate reference
information. They are included in this release and are identified with
GID 1, SIDs 28464 through 28473, and 28525 through 28526.

Microsoft Security Bulletin MS13-097:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28862 through 28863,
28865 through 28866, 28873 through 28878, and 28880.

Microsoft Security Bulletin MS13-099:
The Microsoft Scripting Runtime Object Library suffers from a
programming error that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28881 through 28882.


The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-ie, browser-other, browser-plugins, exploit-kit,
file-office, file-pdf, malware-cnc, malware-other, os-windows and
web-client rule sets to provide coverage for emerging threats from
these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, December 5, 2013

Sourcefire VRT Certified Snort Rules Update for 12/05/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/05/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 8 new rules and made modifications to 38 additional rules.

There was one change made to the snort.conf in this release:

Port 9111 was added to HTTP_PORTS, http_inspect, and stream5 both.

The Snort.confs on the example page have been updated:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28539
28809
28810
28814
28815

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-pdf, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, December 2, 2013

Sourcefire VRT Certified Snort Rules Update for 12/02/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 12/02/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 39 new rules and made modifications to 46 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, protocol-ftp and server-other rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 26, 2013

Sourcefire VRT Certified Snort Rules Update for 11/26/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/26/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 19 new rules and made modifications to 52 additional rules.

There were two changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect, and Stream5 both:

555
808

The Snort.confs on the example page have been updated:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28800
28801
28802
28803
28804
28805
28806
28807
28809

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the deleted, exploit-kit, file-flash, file-office and malware-cnc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, November 22, 2013

Sourcefire VRT Certified Snort Rules Update for 11/22/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/22/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 170 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-other, file-pdf, indicator-obfuscation and server-webapp rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 20, 2013

Sourcefire VRT Certified Snort Rules Update for 11/20/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/20/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 61 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, November 18, 2013

Snort 2.9.5.6 is now available on Snort.org!

Snort 2.9.5.6 is now available on Snort.org!

https://www.snort.org/downloads in the Latest Release section.
[*] Improvements
* Address issue with byte_extract values that cause a relative rule
option to search outside the packet payload.  Thanks to Nathan Fowler for noting the issue.

* Correct issue with DCE/RPC attempting to check PAF state before
a TCP session is created in Stream.

* Address issue with HTTP pipelined requests when HTTP cookies are
being normalized.  Thanks to Michael Galapchuk for reporting the problem.

Please submit bugs, questions, and feedback to bugs@snort.org.


Happy Snorting!

The Snort Release Team

Sourcefire VRT Certified Snort Rules Update for 11/18/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/18/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 9 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
28552
28553
28554
28555
28556
28557

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, indicator-scan, malware-cnc and protocol-dns rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 14, 2013

Sourcefire VRT Certified Snort Rules Update for 11/14/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/14/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 21 new rules and made modifications to 11 additional rules.

There were two changes made to the snort.conf in this release

The following ports were added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:

53331
6173

The Snort.confs on the example page have been updated: https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:
Avery Tarasov:
28404
28405
28406
28540
28541
28542
28543

Thanks to rmkml for his improvement to rule:
28445


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, file-office, file-other, malware-backdoor, malware-cnc, malware-tools, pua-adware, pua-toolbars and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 13, 2013

Sourcefire VRT Certified Snort Rules Update for 11/12/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/12/2013


We welcome the introduction of the newest rule release from the VRT. In this release we introduced 56 new rules and made modifications to 610 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28541
28542
28543

In VRT's rule release:
Details:
Microsoft Security Bulletin MS13-088:
Internet Explorer suffers from coding errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28490 through 28492,
28494 through 28496, 28504, and 28522 through 28524.

Microsoft Security Bulletin MS13-089:
A programming error exists in the Microsoft Windows graphics device
interface that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 28509 through 28521.

Microsoft Security Bulletin MS13-090:
A programming error exists in an ActiveX control that may lead to
remote code execution.

Rules to detect attacks targeting this vulnerability are included in
this release and are identified with GID 1, SIDs 28493, and 28505
through 28506.

Microsoft Security Bulletin MS13-091:
Microsoft Office contains coding errors that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28498 through 28499,
and 28502 through 28503.


The Sourcefire VRT has also added and modified multiple rules in the
blacklist, browser-ie, browser-plugins, exploit-kit, file-identify,
file-office, file-other, malware-cnc, malware-other, pua-adware and
web-client rule sets to provide coverage for emerging threats from
these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 7, 2013

Sourcefire VRT Certified Snort Rules Update for 11/07/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/07/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 2 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the file-office rule set to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 5, 2013

Snort 2.9.5.0 is now EOL for rule support.

Snort 2.9.5.0 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine. Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.5.5.

Please review our EOL policy here: https://www.snort.org/eol

Sourcefire VRT Certified Snort Rules Update for 11/05/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 11/05/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 49 new rules and made modifications to 57 additional rules.

There were three changes made to the snort.conf in this release:

The following ports were added to Stream5 (tcp - both), http_inspect, and HTTP_PORTS:
8081
56712
34412

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28445
28446


In VRT's rule release:
Microsoft Security Advisory 2896666:
A coding deficiency in Microsoft Graphics Component could lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 28464-28471.

The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, indicator-scan, malware-cnc, malware-tools, netbios, os-windows, policy-other, server-apache, server-iis and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 31, 2013

Sourcefire VRT Certified Snort Rules Update for 10/31/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/31/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 27 new rules and made modifications to 7 additional rules.

There were three changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:

51423
44440
33300
15489

The Snort.confs on the example page have been updated:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28404
28405
28406


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, exploit-kit, file-multimedia, file-office, file-pdf, indicator-compromise, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 29, 2013

Sourcefire VRT Certified Snort Rules Update for 10/29/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/29/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 63 new rules and made modifications to 78 additional rules.

There was one change made to the snort.conf in this release:

The following port was added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:

29991

The Snort.confs on the example page have been updated:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Nick Mavis:
28344


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, malware-tools, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 24, 2013

Sourcefire VRT Certified Snort Rules Update for 10/24/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/24/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 29 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
28300

Avery Tarasov:
28302


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit, file-identify, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, netbios, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 22, 2013

Sourcefire VRT Certified Snort Rules Update for 10/22/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/22/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 66 additional rules.

There were two changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect ports, and Stream5's tcp (both) sections:
1533
8082

The Snort.confs on the example page have been updated:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28255
28285
28293
28294
28295
28296
28297

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-java, file-multimedia, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, os-windows, protocol-icmp, protocol-tftp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 17, 2013

Sourcefire VRT Certified Snort Rules Update for 10/17/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/17/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 14 new rules and made modifications to 28 additional rules.

The following ports were added to HTTP_PORTS, http_inspect "ports", and stream5 "both":

3029

The Snort.confs on the example page have been updated:
  https://www.snort.org/configurations

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-image, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 15, 2013

Sourcefire VRT Certified Snort Rules Update for 10/15/2013, Rule Rebalancing

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/15/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 6468 additional rules.  You should notice additional alerts in your console that you may have never seen before.  If you believe these to be false positives, please file a false positive report here: Submit a False Positive or via the Snort-sigs mailing list.  You may always find this link in the footer of Snort.org.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
This rule release contains updated base policies for use in your Snort
devices.

To help customers understand these changes, we are taking this
opportunity to explain the process used by the VRT for deciding how
rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability
that might be covered by a rule. For more information on CVSS please
visit http://www.first.org/cvss. The second criteria is temporal-based
and concerns the age of a particular vulnerability. The final criteria
is the particular area of coverage for the rule. So for example, SQL
Injection rules are considered to be important enough to have influence
when being considered for policy inclusion. Note that, the
vulnerabilities covered by the rules in these categories are considered
important regardless of age.

The considerations for each policy are described below.

Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Not used for this policy


Balanced Base Policy:

1. CVSS Score 9 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit


Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)
  • Year prior (2010 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit
  • App-detect


All new rules are placed into the policies based on these criteria.
Every year during the third quarter of the year, the policies will be
re-assessed and rules from previous years, as the vulnerabilities age,
will be removed from the policy to keep the policy compliant with our
temporal selection criteria. Thus, in the third quarter of 2014, the
rules from 2011 will be removed from the “Connectivity over
Security” and “Balanced” policies while the rules from 2010 will
be removed from the “Security over Connectivity” policy. If rules
move between categories, their presence in policies will also be
decided based on the category selection process. Likewise, should the
CVSS score change for a particular vulnerability that is covered by a
rule, its presence in a policy based on the CVSS metric is also
re-assessed.

Rules in the listed policies are evaluated on a rule by rule basis.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, October 14, 2013

Sourcefire VRT Certified Snort Rules Update for 10/14/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/14/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 1 new rules and made modifications to 8 additional rules.

There were three changes made to the snort.conf in this release:

The following ports were added to HTTP_PORTS, http_inspect "ports", and stream5 "both":

12601
55252
5117

The Snort.confs on the example page have been updated:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

James Lay:
28215


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Friday, October 11, 2013

Snort VRT Default Ruleset Rebalancing

In an upcoming Rule Update, the VRT will be shipping updated base policies for use in your Snort installation.

To help customers understand these changes, we are taking this opportunity to explain the process used by the VRT for deciding how rules are assigned to each policy.

The main metric used is the CVSS score assigned to each vulnerability that might be covered by a rule. For more information on CVSS please visit http://www.first.org/cvss. The second criteria is temporal based and concerns the age of a particular vulnerability. The final criteria is the particular area of coverage for the rule. So for example, SQL Injection rules are considered to be important enough to have influence when being considered for policy inclusion. Note that, the vulnerabilities covered by the rules in these categories are considered important regardless of age.

The considerations for each policy are described below.


Connectivity over Security Base Policy:

1. CVSS Score must be 10
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Not used for this policy


Balanced Base Policy:

(As a reminder, the "Balanced" policy is the default shipping state of the VRT Ruleset for Open Source Snort)

1. CVSS Score 9 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit

Security over Connectivity Base Policy:

1. CVSS Score 8 or greater
2. Age of the vulnerability:

  • Current year (2013 for example)
  • Last year (2012 in this example)
  • Year before last (2011 in this example)
  • Year prior (2010 in this example)

3. Rule Category

  • Malware-Cnc
  • Blacklist
  • SQL Injection
  • Exploit-kit
  • App-detect


All new rules are placed into the policies based on these criteria. Every year during the third quarter of the year, the policies will be re-assessed and rules from previous years, as the vulnerabilities age, will be removed from the policy to keep the policy compliant with our temporal selection criteria. Thus, in the third quarter of 2014, the rules from 2011 will be removed from the “Connectivity over Security” and “Balanced” policies while the rules from 2010 will be removed from the “Security over Connectivity” policy. If rules move between categories, their presence in policies will also be decided based on the category selection process. Likewise, should the CVSS score change for a particular vulnerability that is covered by a rule, it’s presence in a policy based on the CVSS metric is also re-assessed.

Rules in the listed policies are evaluated on a rule by rule basis. There will be some rules that are older and not in the criteria above that will be in the default policies. The above is the selection criteria for default rules, and is always subject to change based upon the threat landscape.

If there are any questions, feel free to email me @ joel [at] sourcefire [dot] com, or use the Snort-Sigs mailing list:

https://www.snort.org/community

Sourcefire VRT Certified Snort Rules Update for 10/10/2013

Sourcefire VRT Certified Snort Rules Update for 10/10/2013

We welcome the introduction of the newest rule release for yesterday from the VRT. In this release we introduced 6 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, exploit-kit and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 8, 2013

Sourcefire VRT Certified Snort Rules Update for 10/08/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/08/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 71 new rules and made modifications to 61 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28147
28148
28152
28153
28154
28155
28156
28192
28193

In VRT's rule release:
Microsoft Security Advisory MS13-080:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28151, 28158 through
28160, 28163, 28191, 28204, and 28207 through 28208.

Microsoft Security Advisory MS13-082:
Programming errors in the .NET Framework may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28161 through 28162
and 28202 through 28203.

Microsoft Security Advisory MS13-084:
Microsoft SharePoint Server suffers from a coding error that may lead
to remote code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 28201.

Microsoft Security Advisory MS13-086:
Microsoft Word suffers from coding errors that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 28205 and 28206.


The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-ie, browser-plugins, exploit-kit, file-image,
file-office, file-other, indicator-compromise, malware-cnc,
protocol-voip, pua-adware, server-mail and server-webapp rule sets to
provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Cisco, Community and Open Source

In July we told you about Sourcefire’s agreement to be acquired by Cisco, and today that acquisition has closed – we are now one company. This also means that we are also now one community, and Cisco has reiterated its commitment to maintaining our innovation and support of Snort, ClamAV and other open source projects, as well as its own projects. As Marty Roesch wrote on our corporate blog:

“I can tell you with certainty that this is a great match for Sourcefire, for Cisco and, ultimately, for our customers, partners and open source communities… Beyond the technology, one of the things that is important to me is that Cisco and Sourcefire both share key values that transcend our company names, HQ locations and number of employees. “

 I’m also happy to report that there will be no changes to how our communities are run or our communications, including mailing lists, snort.org, clamav.net or social media sites. Please visit the corporate blog for more details and, as always, reach out to me with questions. I will still be your community manager and I look forward to many more years of being a part of this community.

Thursday, October 3, 2013

Sourcefire VRT Certified Snort Rules Update for 10/03/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/03/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28114
28115
28116
28117
28118
28119
28120
28121
28122
28123


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-java, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 1, 2013

Sourcefire VRT Certified Snort Rules Update for 10/01/2013, IE 0day coverage

Just released:
Sourcefire VRT Certified Snort Rules Update for 10/01/2013, IE 0day coverage

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 37 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28080

James Lay:
28079

Yaser Mansour:
28105
28106
28107


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-plugins, exploit-kit, file-java, file-multimedia, file-office, file-pdf, malware-cnc, os-mobile, os-solaris, protocol-ftp, protocol-rpc, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, September 30, 2013

Snort 2.9.3.1 is now EOL for rule support.

Snort 2.9.3.1 is now EOL for rule support.

This means we will no longer be releasing updates for this version of the rule engine.  Users of this version are now encouraged to upgrade to the latest version of Snort, which is now Snort 2.9.5.5. 

Time to upgrade!  Thanks all!

Sourcefire VRT Certified Snort Rules Update for 09/26/2013

Sourcefire VRT Certified Snort Rules Update for 09/26/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 29 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
28044

Yaser Mansour:
28042


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-plugins, exploit-kit, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 24, 2013

Sourcefire VRT Certified Snort Rules Update for 09/24/2013, Snort.conf updates

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/24/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 96 new rules and made modifications to 40 additional rules.

There were three changes made to the snort.conf in this release.  The following ports were added to http_inspects "ports" line, stream5's "both" line, and the HTTP_PORTS variable:

8509
7770
1158

The example VRT snort.conf's have been updated at the following address:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:
Avery Tarasov:
27965
28004
28012

Yaser Mansour:
28005
28006 (Also special thanks to Avery Tarasov for writing almost the same rule)
28033
28034
28035
28036

James Lay:
28007
28008
28009
28010
28011

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, deleted, exploit-kit, file-identify, file-office, file-other, indicator-compromise, indicator-obfuscation, indicator-scan, malware-cnc, malware-other, malware-tools and smtp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 19, 2013

Sourcefire VRT Certified Snort Rules Update for 09/19/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/19/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 2 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie and file-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 17, 2013

Sourcefire VRT Certified Snort Rules Update for 09/17/2013 release 2, IE 0Day

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/17/2013 release 2 

We welcome the introduction of the second rule release from the VRT. In this release we introduced 6 new rules and made modifications to 9 additional rules. 
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2013-09-17_2.html

There were no changes made to the snort.conf in this release. 


In VRT's rule release: 
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Advisory 2887505:
A programming error in Internet Explorer could lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27943 and 27944.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most

Sourcefire VRT Certified Snort Rules Update for 09/17/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/17/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 29 new rules and made modifications to 13 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
27913
27914
27915
27916
27917

Avery Tarasov
27918
27919


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, browser-ie, exploit-kit, file-other, indicator-obfuscation, malware-cnc, protocol-dns, pua-adware, pua-toolbars and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, September 16, 2013

Snort 2.9.5.5 is now available on Snort.org

Snort 2.9.5.5 is now available on Snort.org!

https://www.snort.org/downloads in the Latest Release section.


2013-09-12 - Snort 2.9.5.5

[*] Improvements
* Address issue with SMTP preprocessor and the ignore_tls_data configuration
to correctly stop inspection after an SMTP session is encrypted.  
(Thanks Bram!)

* Disable all rule evaluation (as opposed to just rules with fast patterns)
for packets on a previously blocked session.

* Corrected when perfmon preprocessor writes stats to occur as soon as
both the time and packet count criteria are met.

* Enforce same restrictions on relative PCRE for HTTP buffers from
shared library rules as already existed with text rules.


Please submit bugs, questions, and feedback to bugs@snort.org.


Happy Snorting!

The Snort Release Team

Thursday, September 12, 2013

Sourcefire VRT Certified Snort Rules Update for 09/12/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/12/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 46 new rules and made modifications to 37 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov/Adam Gardner
27865

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit, exploit-kit, file-identify, file-office, indicator-compromise, malware-cnc, protocol-voip, pua-adware and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 11, 2013

PulledPork 0.7.0 Released! #include <IP.Reputation>

PulledPork 0.7.0 - Swine Flu has been released and can be found at the PulledPork site.  There are numerous feature changes and enhancements that dramatically affect the functionality and capabilities of PulledPork since the last major 0.6.x release.  An excerpt of the changelog is at the bottom of this post and lists all of the changes/features/enhancements.   

The most significant change that you are likely to notice deals with how PulledPork now processes the rules tarball.  In the previous versions of PulledPork when you would run the application it would process the rules tarball as designated in your configuration, regardless of whether or not the source tarball had changed (no new rules tarball for example).  With the new changes the source rules tarball is ONLY processed if it is new/changed OR if you specify the -P runtime flag.  So for tuning exercises or out of band runs when the source tarball is unchanged, you MUST specify the -P flag for any processing to occur.

Inline with the new IP Reputation preprocessor that was introduced in Snort 2.9.1 we have included full support for this feature.  This support includes a couple of new configuration options that are located in the pulledpork.conf and allow for retrieval of multiple ip reputation lists (PulledPork will automatically de-dupe these lists).  If you are running Snort on Linux you are also able to specify at ./configure time an option to allow for in-memory reloading of IP Reputation lists, thus you do not have to SIGHUP or completely reload Snort.  This in-memory reload is accomplished by using a control socket that this version of PulledPork is capable of utilizing.

Working closely with the Barnyard2 team we have developed a new version of the data in the sid-msg.map.  This allows for more information to be included in intrusion events such as the revision of the rule (currently not included in alerts).  The default version is still version 1 of the sid-msg.map file, it is CRITICAL to note that only Barnyard 2.2+ supports this new version of the sid-msg.map file and as such ONLY when using this version or newer of Barnyard 2.2+ should you change this value in your pulledpork.conf.

When utilizing the default configuration that creates two single unified rules files (one for so_rules and one for text rules) the so_rules stub files are now included in the single rules tarball.  This means that you no longer need to include the so_rules.rules file.  This single rules file is now internally separated by category and rule type, or generator to allow for rapid rule location and more logical perusing of the file.

As per the usual, thank you for your continued support and usage of PulledPork and Snort.  Should you have any questions or concerns please feel free to file a bug report or new feature request at http://pulledpork.googlecode.com and also to participate in the community mailing list that can be found at http://groups.google.com/group/pulledpork-users

Bug Fixes:
- Bug #79 - Fixed race condition that did not allow for disabled rules to be modified using modifysid
These rules would then be enabled by flowbit dependency check and be unmodified
- Bug #77 - Adjusted chown property of archive::tar
- Bug #78 - Adjusted per bug report to allow for proper ignoring of preproc.rules
- Bug #102 - Only Enabled rules are written to sid-msg.map now when -E flag is specified
- Bug #99 - Doc Bug, updated docs associated with snort_version variable
- Bug #96 - Modified code to allow for same-line traling comments: "1:10011 #can haz disable!"
Also updated the rulestate files (enable,disable,drop)
- Bug #82 - Modified run order to force modifysid to run before all other sid state modification routines
This allows for sid changes to be made prior to automatic state determination ala automatic
flowbit resolution.  NOTE that this DOES NOT AND WILL NOT disable automatic flowbit
resolution, this is a critical piece.
- Bug #81 - Updated valid SO distro pre-compiled list
- Bug #114 - Update Regex to allow for null search/replace in modify_sid sub
- Unlisted Bug - Allow for escaped ; "\;" in references
- Bug #121 - Update to allow for new etpro.com url and cert!
- Bug #119 - Fixed regex [^\\], should have been negative look behind (?<!\\)
- Bug #120 - Updated proxy code for better support and proper runtime load order
- Unlisted Bug - Account for multiple flowbits that are separated using &| operators
(flowbits:isset,flowbit1&flowbit2;)(flowbits:isset,flowbit1|flowbit2;)
- Bug #126 - Removed Switch usage
- Bug #129 - Fixed to allow for -n usage (in conjunction with -P) when an ip list is used also
- Unlisted Bug - Fixed to allow for proper -P usage

New Features / changes:
- Bug #105 - Removed Switch function as it is deprecated in > 5.12 perl
- NEW - Added IP Reputation Preprocessor support
- NEW - Capability to use control socket for IP List reload
- NEW - -P runtime flag to (process even if there is no new rules tarball)**
- Bug #68 - Added basic surricata support
- Bug #115 - Single rules file now has category (and GID) separators
Correlating to this we have also removed the separate so_rules.rules file
All rules are now in a single snort.rules file unless the keep flag is
specified at runtime.
- NEW - Numerous sub rewrites to allow for better performance
- NEW - New sid-msg.map format for barnyard 2.2+ gid || sid || rev || class || pri || msg || @refs
- NEW - SO rule categories are now prepended with VRT-SO
- NEW - More advanced sid-msg.map structure (for use with by2.2+) and backward compatibility
This allows for better mapping of gid:sid:rev in the database!
- NEW - Rewrote the way that extraction is handled, to properly support a single rules tarball being
updated.  This includes how md5 validation is done and in what order.  If a single
file is updated then they are all extracted and processed.



A few Shared Object platforms have been deprecated

As we indicated in a previous blog post back on August 14th, a few Shared Object rule platforms have been deprecated.

See blog post here: http://blog.snort.org/2013/08/a-few-shared-object-platforms-are-being.html

We are removing support for precompiled Shared Object rules on the following platforms:

OpenBSD 4.8
OpenSUSE 11.3


If you are using any of the above, please consider upgrading, as you will no longer be able to use precompiled Shared Object rules on your platform. Text rules (the vast majority of the ruleset) are unaffected by this.

Tuesday, September 10, 2013

Sourcefire VRT Certified Snort Rules Update for 09/10/2013, MSTues

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/10/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 63 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour:
27801
27802
27803
27804

Paul Bottomley:
27805


In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Advisory MS13-067:
A programming error in Microsoft Sharepoint could lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27818 through 27819,
27823, and 27826 through 27828.

Microsoft Security Advisory MS13-069:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27829 through 27846.

Microsoft Security Advisory MS13-071:
A programming error in Microsoft's Windows Theme File could lead to
remote code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 27822.

Microsoft Security Advisory MS13-072:
Microsoft Office suffers from coding errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27850 through 27859.

Microsoft Security Advisory MS13-073:
A programming error in Microsoft Excel could lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27820 through 27821
and 27824 through 27825.

Microsoft Security Advisory MS13-078:
A coding error in Microsoft FrontPage could lead to information
disclosure.

A previously released rules will detect attacks targeting this
vulnerability and has been updated with the appropriate reference
information. It is included in this release and is identified with GID
1, SID 26626.

Microsoft Security Advisory MS13-079:
Programming errors in the .NET Framework and Silverlight may lead to
remote code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 27860.

The Sourcefire VRT has added and modified multiple rules in the
blacklist, browser-ie, deleted, exploit-kit, file-multimedia,
file-office, file-other, indicator-compromise, malware-cnc,
malware-other, os-windows, protocol-voip, server-oracle and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, September 9, 2013

Snort 2.9.5.3 rules for registered users are now available!

The 30 day window for Snort 2.9.5.3 has now expired and registered users can now download the 2.9.5.3 ruleset available here: http://www.snort.org/snort-rules/

Tuesday, September 3, 2013

Sourcefire VRT Certified Snort Rules Update for 09/03/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 09/03/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 35 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
27774
27775


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-executable, file-java, malware-cnc, policy-other, protocol-scada, protocol-tftp, server-apache, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 29, 2013

Sourcefire VRT Certified Snort Rules Update for 08/29/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/29/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 45 new rules and made modifications to 37 additional rules.

There were changes made to the snort.conf in this release:
The following ports were added to HTTP_PORTS, http_inspect, and stream5 (ports both)
36
818
801
972
4000

The example Snort.conf's have been updated here:
https://www.snort.org/configurations

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

James Lay:
27726
27727
27728

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-java, file-office, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, os-mobile, protocol-dns, pua-adware, server-apache, server-mail, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 27, 2013

Sourcefire VRT Certified Snort Rules Update for 08/27/2013, ftp-data metadata additions

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/27/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 2421 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
27680

Yaser Mansour:
27707
27708


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, os-linux, os-mobile, os-windows, policy-other, protocol-scada, server-mail, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies. 
This release contains over 2400 rule modifications. 
The majority of these are due to the addition of the new metadata service parameter ftp-data.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 22, 2013

Sourcefire VRT Certified Snort Rules Update for 08/22/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/22/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 19 new rules and made modifications to 49 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
27680

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-identify, file-java, file-office, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 20, 2013

Sourcefire VRT Certified Snort Rules Update for 08/20/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/20/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 35 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
27648
27649


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-java, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, protocol-imap and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 15, 2013

Sourcefire VRT Certified Snort Rules Update for 08/15/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/15/2013


We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 19 new rules and made modifications to 31 additional rules.

There were two changes made to the snort.conf in this release:
Ports 1741 and port 8181 were added to the Stream5 "both" configuration line.  The Snort.confs have been updated here: https://www.snort.org/configurations for your use.  Special thanks to "Bram" for pointing this out.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
27632
27633

Yaser Mansour
27625
27626
27627
27628
27629
27630
27631

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, file-executable, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-mobile, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Wednesday, August 14, 2013

A few Shared Object platforms are being deprecated

In the near future the following Shared Object platform build environments will be deprecated as per our EOL policy:


OpenBSD 4.8
OpenSUSE 11.3

If you are using any of the above, please consider upgrading, as you will no longer be able to use precompiled Shared Object rules on your platform.  Text rules (the vast majority of the ruleset) are unaffected by this.

Tuesday, August 13, 2013

Sourcefire VRT Certified Snort Rules Update for 08/13/2013, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/13/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 31 new rules and made modifications to 12 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Nathan Fowler:
27594
27595

Avery Tarasov:
27596

James Lay:
27599

In VRT's rule release:
Microsoft Security Advisory MS13-059:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27605 through 27608,
27612 through 27616, and 27620.

Microsoft Security Advisory MS13-060:
A coding error exists in the Unicode Scripts Processor that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27618 and 27619.

Microsoft Security Advisory MS13-064:
A coding error in Direct Access Server could lead to a Denial of
Service attack.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 27610 and 27611.

Microsoft Security Advisory MS13-065:
A coding error in ICMPv6 could lead to a Denial of Service attack.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 27624.

Microsoft Security Advisory MS13-066:
A coding error exists in Active Directory Federation Services that may
lead to information disclosure.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 27609.

The Sourcefire VRT has also added and modified multiple rules in the app-detect, browser-ie, browser-plugins, dos, exploit-kit, file-java, file-office, file-other, malware-cnc, malware-other, os-windows, policy-other, policy-spam, protocol-icmp, protocol-imap, server-other and web-client rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Monday, August 12, 2013

Snort 2.9.5.3 Install Docs have been posted!

Thanks to Mr. William Parker, yet again, he does a great job of turning out a massive amount of install docs for Snort, and they have all been updated on http://www.snort.org/docs.

I also updated his "Integrating Snort and AlienVault OSSIM" doc and the "How to make some Home Routers mirror traffic to Snort" docs.

Enjoy!

Friday, August 9, 2013

Inexpensive Cellular IDS allows for Inspection for Cell Traffic, using Snort

From the article:

"At DEF CON last weekend, a team of researchers demonstrated an inexpensive cellular intrusion detection system (CIDS) built with a commercial femtocell, commodity hardware, and the open source Snort IDS. The researchers say the system, the first publicly available for cellular traffic inspection, can scale for enterprise deployments with better hardware and is a game-changer for securing personal devices at work."

Take a look!  http://threatpost.com/inexpensive-cellular-ids-allows-for-inspection-of-cell-traffic

Thursday, August 8, 2013

Sourcefire VRT Certified Snort Rules Update for 08/08/2013

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/08/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 18 new rules and made modifications to 928 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, browser-plugins, exploit-kit, file-identify, file-office, file-other, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other, malware-tools, os-mobile, policy-social, protocol-ftp, protocol-imap, protocol-scada, protocol-voip, pua-adware, pua-toolbars, server-apache, server-mysql, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 6, 2013

Sourcefire VRT Certified Snort Rules Update for 08/06/2013, 2.9.5.3 ruleset

Just released:
Sourcefire VRT Certified Snort Rules Update for 08/06/2013

We welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 18 new rules and made modifications to 9 additional rules.  This release also introduces support for Snort 2.9.5.3 (sorry for the delay!)

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov:
27566

Yaser Mansour/James Lay:
27567

Paul Bottomley:
27565


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-firefox, browser-plugins, file-image, file-other, malware-cnc, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 1, 2013

Sourcefire VRT Certified Snort Rules Update for 08/01/2013


Sourcefire VRT Certified Snort Rules Update for 08/01/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 25 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
27533
27534
27535
27537
27538

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-identify, file-office, malware-cnc, malware-other, os-mobile and web-client rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!