Thursday, March 29, 2012

VRT Rule Update for 3/29/2012

Join us as we welcome today's newest rule release from the VRT. In this release we introduced 11 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the exploit, file-identify and web-client rule sets to provide coverage for emerging threats from these technologies.
Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Tuesday, March 27, 2012

Snort 2.9.2.2 has been released!

Snort 2.9.2.2 is now available on snort.org, at https://www.snort.org/downloads in the Latest Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.2.2 includes changes for the following:

* Updates to HTTP Inspect to handle normalization with large number of directories, eliminate false positives when chunks span multiple packets, and remove the upper limit on the gzip memcap.

* Update stream handling for TCP session cleanup with RSTs and other TCP state tracking.

* Update for active responses to fragmented IPv6 traffic and to the react page configuration.

* Updates to SIP preprocessor to limit false positives.

* Update for correct logging in unified2 when interface is passive.

* Add stats for SMTP preprocessor at termination.

* State tracking improvements to SMB processing in the dcerpc2 preprocessor when missing packets on a session.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

VRT Rule Update for 03/27/2012

Join us as we welcome today's newest rule release from the VRT. In this release we introduced 26 new rules and made modifications to 297 additional rules.

This rule release provides support for Snort 2.9.2.2, which has just been released.

There was one change made to the snort.conf in this release, just a modification to this line:
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, exploit, file-identify, misc, multimedia, netbios, phishing-spam, specific-threats, spyware-put, sql and web-misc rule sets to provide coverage for emerging threats from these technologies.
Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Thursday, March 22, 2012

VRT Rule Release for 03/22/2012, MS12-020

Join us as we welcome today's newest rule release from the VRT. In this release we introduced 9 new rules and made modifications to 218 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories.
Details: Microsoft Security Advisory MS12-020: Microsoft Windows Remote Desktop suffers from programming errors that may allow a remote attacker to execute code on a vulnerable system. A rule identified with GID 3, SID 21619 has been added in this release in order to improve detection of attacks and to improve performance.
This rule replaces the rules identified with GID 1, SIDs 21571, 21572 and 21592. These rules have been deleted in this release.
Additionally, the Sourcefire VRT has added and modified multiple rules in the backdoor, chat, dns, dos, exploit, file-identify, imap, misc, netbios, policy, pop3, scada, shellcode, smtp, specific-threats, sql, web-activex, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.
Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!
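Because this release deletes three GID 1 text rules and replaces them with one GID 3 shared-object rule, a sensor that still loads an old copy of the rules file will keep firing on the retired SIDs while missing the replacement. The script below is an added example (not VRT or Snort project code) that parses Snort rule lines, records each rule's GID/SID and whether it is commented out, and reports stale MS12-020 rules that are still active and whether 3:21619 is present; the sample rule lines are constructed for illustration and are not the real VRT rules.

```python
import re
from typing import Dict, Tuple

# Constructed sample rule lines for demonstration only; not the actual VRT rule bodies.
SAMPLE_RULES = """\
# ---- constructed sample, not a real VRT release file ----
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"stale MS12-020 text rule"; flow:to_server,established; sid:21571; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"stale MS12-020 text rule, disabled"; sid:21572; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MS12-020 SO rule stub"; flow:to_server,established; gid:3; sid:21619; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# SIDs the 03/22/2012 release deleted, and the shared-object rule that replaced them.
REPLACED_RULES = {(1, 21571), (1, 21572), (1, 21592)}
REPLACEMENT_RULE = (3, 21619)


def parse_rules(text: str) -> Dict[Tuple[int, int], bool]:
    """Map (gid, sid) -> enabled for every rule line in `text`.

    Text rules carry no gid option and default to GID 1; SO rule stubs carry gid:3.
    A rule line that is commented out with '#' is still recorded, but as disabled,
    so a reviewer can tell 'removed' apart from 'merely disabled'."""
    rules: Dict[Tuple[int, int], bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("#").strip()
        sid = SID_RE.search(body)
        if not sid:
            continue  # plain comments or malformed lines carry no sid
        gid = GID_RE.search(body)
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = enabled
    return rules


def check_ms12_020(rules: Dict[Tuple[int, int], bool]) -> dict:
    """Flag deleted GID 1 rules that are still enabled and confirm the GID 3 replacement is loaded."""
    stale = sorted(key for key in REPLACED_RULES if rules.get(key))
    return {"stale_enabled": stale, "replacement_enabled": bool(rules.get(REPLACEMENT_RULE))}


def check_rules_file(path: str) -> dict:
    """Run the same check against a rules file on disk (path is supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return check_ms12_020(parse_rules(fh.read()))
```

On a real sensor, point check_rules_file at the text rules and the so_rules stub files; a non-empty stale_enabled list means the old GID 1 rules were not removed by the update.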

Tuesday, March 20, 2012

VRT Rule release for 03/20/2012

Join us as we welcome today's newest rule release from the VRT. In this release we introduced 16 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release. 

In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the botnet-cnc, exploit, specific-threats, spyware-put, voip, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.
Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Monday, March 19, 2012

Snort 2.9.0.5 EOL notice

So, now that I am back from the land of Mickey, I bring to you some news with my first post.

Next Tuesday we'll be EOL'ing Snort 2.9.0.5.

With the pending release of Snort 2.9.2.2 and in compliance with our End of Life Policy, Snort 2.9.0.5 has reached the end of the line.

For those of you that want to move directly to Snort 2.9.2.2, it should be out this week.  More information on that soon.  Thanks!

Friday, March 16, 2012

VRT Rule Release for 03/16/2012

Joel is still on vacation; I'm racking up another favor and expecting a suitable gift from Disneyland. We released another rule for MS12-020 today. The change logs can be found at http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-03-16.html

And the obligatory Joel Esler closing paragraph (if I have to keep doing this, there's a script and a template getting written).

Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Thursday, March 15, 2012

VRT Rule Release for 03/15/2012

Joel is on vacation in Disneyland; hopefully Disney will not mistake him for one of Snow White's companions and he will be able to return next week. While he is out sunning himself, playing on the swing sets and strolling on the beach, he asked me for a huge favor: he wanted me to keep everyone up to date on our rule issuances. So, here's what we just released today:

We added and modified multiple rules in the blacklist, botnet-cnc, dos, exploit, file-identify, policy, scada, specific-threats, web-activex and web-misc rule sets. In total, there were 15 new rule additions and 30 rule modifications.

Also, this release features a rule contribution by Nathan Fowler (check out the Snort mailing lists if you don't know who he is). GID 1, SID 21583 is brought to you courtesy of Nathan and his work on detecting the mis-doings of the Blackhole exploit kit. We appreciate the contribution and I'm sure you will too.

You can find the change logs at the usual place on snort.org here: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-03-15.html.

Also, he wanted me to add the following to the end of the post, so here it is:

Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Tuesday, March 13, 2012

VRT Rule Release for 3/13/2012, MS Tuesday

Join us as we welcome today's newest rule release from the VRT. In this release we introduced 26 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank Nathan Fowler for his contribution of the following rule:
21562 <-> BOTNET-CNC Trojan.Bredolab variant outbound connection

In VRT's rule release:
Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation.
Details: Microsoft Security Advisory MS12-017: The DNS protocol as implemented in Microsoft Windows systems may allow a remote attacker to cause a permanent Denial of Service (DoS) against an affected system. A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 13949.
Microsoft Security Advisory MS12-020: Microsoft Windows Remote Desktop suffers from programming errors that may allow a remote attacker to execute code on a vulnerable system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 21570, 21571 and 21572.
Microsoft Security Advisory MS12-021: Microsoft Visual Studio suffers from a programming error that may allow a remote attacker to elevate privileges on a vulnerable system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 21576. 
Microsoft Security Advisory MS12-022: Microsoft Expression Design suffers from a programming error that may allow a remote attacker to execute code on a vulnerable system. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 21566 and 21567. 
The Sourcefire VRT has also added and modified multiple rules in the backdoor, blacklist, botnet-cnc, dns, dos, exploit, file-identify, misc, netbios, policy, scada, specific-threats, web-activex, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.
Subscribe now to the VRT's newest rule detection functionality for as low as $29 US dollars a year for personal users, and be sure to see our business pricing as well at http://www.snort.org/store. Stay up to date to catch the latest emerging threats!

Monday, March 12, 2012

Tracking Brazilian Banking Trojans with Snort and HTTP Inspect

Rodrigo Montoro put out this wonderful blog post about detecting some Brazilian banking Trojans with HTTP Inspect using suppressions.

The same concept could also be applied with the IP whitelisting technology now in Snort. Either way, please read this great article!

http://blog.spiderlabs.com/2012/03/detecting-brazilian-trojan-bankers-with-snort-http_inspect.html