Snort.org Blog

Snort 2.9.2.3 Install Guide for Debian 6.0.5 posted!

noreply@blogger.com (Joel Esler) — Fri, 18 May 2012 16:13:00 +0000

Thanks to Jason Weir, I just posted his Snort 2.9.2.3 Install Guide for Debian 6.0.5.

You may find his updated guide at http://www.snort.org/docs. We'd like to thank Jason Weir and the rest of the Snort community with their constant support, guides, bug reports, false positive reports, and participation in the mailing lists.

You all are fantastic!

Thanks Jason!

Snort 2.9.3 Beta Now Available

noreply@blogger.com (Joel Esler) — Fri, 18 May 2012 14:29:00 +0000

Snort 2.9.3 Beta is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Development Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.3 introduces the following new capabilities:

[*] New additions

* Updates to flowbit rule option to allow for OR and AND of individual bits within a single rule, and allow flowbits to be used in multiple groups. See README.flowbits and the Snort manual for details.

* Dynamic output plugin architecture to provide an API that developers can write their own output mechanisms to log alert and packet data from Snort. Some output plugins have been removed as a result of this to be maintained by their respective authors.

* Update to dcerpc2 preprocessor for improved accuracy and handling of different OSs for SMB processing. See README.dcerpc2 and the Snort manual for details.

* Updates to reputation preprocessor for handling of whitlelist and trustlists and zone information. See README.reputation and the Snort manual for details.

* Updates to the packet decoders to support pflog v4.

[*] Improvements

* Update to return error messages through the control socket.

* Updates to the processing of email attachments for better handling of non-encoded attachments, and improved memory management for attachment processing.

* Improvements in HTTP Inspect for better performance with gzip decompression. Also improvements for handling simple responses, encoded query strings, transfer encoding and chunk encoding processing.

* Fix logging of multiple unified2 alerts with reassembled packets.

* Compiler warning cleanup across multiple platforms.

* Added 116:458 and 116:459 to cover fragmentation issues.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to snort-beta@sourcefire.com.

VRT Rule Update for 05/17/2012

noreply@blogger.com (Joel Esler) — Thu, 17 May 2012 20:02:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 814 additional rules.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, dos, exploit, file-identify, file-office, file-pdf, indicator-compromise, phishing-spam, server-mail, smtp, specific-threats, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

Snort 2.9.2.3 has been released!

noreply@blogger.com (Joel Esler) — Tue, 15 May 2012 21:20:00 +0000

Snort 2.9.2.3 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.2.3 includes changes for the following:

* Update to GTP preprocessor to better handle GTPv1 data.

* Update to DNP3 preprocessor to add stricter checking on

packets before processing by dnp3. Improved checking

on reassembly buffer

* Update to PCRE rule option processing to prevent issues

seen w/ libpcre-8.30 and certain rules.

* Update to dcerpc2 to not abort reassembly if target-based

protocol is undefined.

Please submit bugs, questions, and feedback to bugs@snort.org.

VRT: PHP-CGI vulnerability - exploits in the wild and Snort coverage

noreply@blogger.com (Joel Esler) — Sat, 12 May 2012 02:19:00 +0000

VRT: PHP-CGI vulnerability - exploits in the wild and Snort coverage:

Just wanted to call our Snort.org blog subscribers out to this article by Alex Kirk over on our VRT Blog. This article deals with the PHP-CGI vulnerability and which Snort rules you need to enable in order to protect your network from it.

Take a look!

VRT Rule Update for 05/10/2012

noreply@blogger.com (Joel Esler) — Thu, 10 May 2012 22:43:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 819 new rules and made modifications to 554 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, dos, file-office, file-other,
indicator-compromise, misc and specific-threats rule sets to provide
coverage for emerging threats from these technologies.

2012 Snort Scholarship is now open!

noreply@blogger.com (Joel Esler) — Thu, 10 May 2012 13:24:00 +0000

Annually, Sourcefire provides a Snort Scholarship to two individuals selected at random (by drawing) in the amount of $5000 US for higher education purposes. The winners also receive a 10,000 credit to use toward any training courses or certification exam in the Sourcefire Security Education Program.

To be eligible, you must meet the legal criteria found here on our website, sign up for the scholarship here, and following that, on or about May 31, 2012, two winners will be selected.

For further information, please see the links above, also found linked here.

VRT Rule Release for 05/08/2012, MS Tuesday

noreply@blogger.com (Joel Esler) — Wed, 09 May 2012 02:07:00 +0000

Sorry for the delay in getting the blog post up, we've been really busy today planning some great things for the future! Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 23 new rules and made modifications to 48 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Advisory MS12-029:
The Microsoft RTF importer contains programming errors that may allow a
remote attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 22089.

Microsoft Security Advisory MS12-030:
Microsoft Excel contains programming errors that may allow a remote
attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 22076, 22077, 22078,
22081, 22091, 22092, 22093 and 22094.

Microsoft Security Advisory MS12-031:
Microsoft Visio contains a programming error that may allow a remote
attacker to execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 22075.

Microsoft Security Advisory MS12-034:
Microsoft Office contains programming errors that may allow a remote
attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 22085, 22086, 22087
and 22090.

Microsoft Security Advisory MS12-035:
The Microsoft .NET Framework contains programming errors that may allow
a remote attacker to execute code on an affected system.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 22079 and 22080.

Additionally, the Sourcefire VRT has added and modified multiple rules
in the bad-traffic, botnet-cnc, file-identify, file-office, file-other,
server-mail and web-client rule sets to provide coverage for emerging
threats from these technologies.

VRT Rule Update for 05/04/2012, #2 (Adobe 0day coverage)

noreply@blogger.com (Joel Esler) — Sat, 05 May 2012 02:02:00 +0000

In this release we introduced 9 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

This second release of the day provides coverage for CVE-2012-0779, which is discussed here on Adobe's site. Included in this update is more generic coverage for the attack vector surrounding this attack that is being seen in the wild. The "INDICATOR-OBFUSCATION" rules below may very well catch a ton of additional exploit methods other than the Adobe attack referenced above.

Since the usual link on Snort.org isn't currently working, I'm posting the sid and rule msg's here:



22066(1) "POLICY Microsoft Office Word ScriptBridge OCX controller attempt"

22067(1) "MISC Adobe Flash malformed error response"

22068(1) "SPECIFIC-THREATS Adobe Flash systemMemoryCall RTMP query"

22069(1) "SPECIFIC-THREATS Adobe Flash Player object confusion attempt"

22070(1) "SPECIFIC-THREATS Adobe Flash Player object confusion attempt"

22071(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - eval"

22072(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - fromCharCode"

22073(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - unescape"

22074(1) "INDICATOR-OBFUSCATION Microsoft Office Word JavaScript obfuscation - charCode"

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the indicator-obfuscation, misc and specific-threats rule sets to provide coverage for emerging threats from these technologies.

VRT Rules Update for 5/4/2012, PHP 0day, lots of malware

noreply@blogger.com (Joel Esler) — Fri, 04 May 2012 22:09:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 25 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

We'd also like to thank Eoin Miller for his contributions to this rule pack.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, exploit, file-identify, file-office,
file-other, specific-threats and web-php rule sets to provide coverage
for emerging threats from these technologies.

VRT Rule Update for 05/02/2012

noreply@blogger.com (Joel Esler) — Wed, 02 May 2012 21:57:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 100 new rules and made modifications to 163 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, botnet-cnc, chat, dns, dos, exploit,
file-identify, file-office, file-other, file-pdf, misc, mysql, netbios,
oracle, policy, server-mail, smtp, specific-threats, web-activex,
web-cgi, web-client and web-misc rule sets to provide coverage for
emerging threats from these technologies.

Registered user? Time to upgrade to 2.9.2.2!

noreply@blogger.com (Joel Esler) — Thu, 26 Apr 2012 22:45:00 +0000

For those Registered Users for Snort (read: Not subscribers), letting you know it's been 30 days since the release of Snort 2.9.2.2 and now the rules are released to everyone for free.

If you've been waiting to make the upgrade until this point, now is the time!

VRT Rule Update for 04/26/2012

noreply@blogger.com (Joel Esler) — Thu, 26 Apr 2012 21:14:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 3 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
backdoor, blacklist, dos, exploit, file-identify, file-office, misc,
specific-threats, telnet and web-misc rule sets to provide coverage for
emerging threats from these technologies.

VRT Rule Update for 4/25/2012

noreply@blogger.com (Joel Esler) — Wed, 25 Apr 2012 22:35:00 +0000

Join us as we welcome the introduction of the newest rule release from the VRT. In this release we introduced 4 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
file-office and spyware-put rule sets to provide coverage for emerging
threats from these technologies.

VRT Rule Update for 4/24/2012

noreply@blogger.com (Joel Esler) — Wed, 25 Apr 2012 19:50:00 +0000

Join us as we welcome the introduction of the newest rule release from the VRT. In this release we introduced 44 new rules and made modifications to 658 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
blacklist, botnet-cnc, dos, exploit, file-identify, file-office,
file-pdf, indicator-compromise, misc, netbios, oracle, server-mail,
specific-threats, spyware-put, web-activex, web-client, web-iis and
web-php rule sets to provide coverage for emerging threats from these
technologies.

VRT Rule Update for 04/17/2012

noreply@blogger.com (Joel Esler) — Tue, 17 Apr 2012 16:26:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 35 new rules and made modifications to 1152! additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the blacklist, botnet-cnc, dos, exploit, file-identify, file-office, file-other, file-pdf, imap, indicator-obfuscation, misc, netbios, oracle, policy-social, pua-toolbars, specific-threats, sql, web-activex, web-cgi, web-client and web-misc rule sets to provide coverage for emerging threats from these technologies.

VRT Rule Update for 04/12/2012, Rule-Recategorization

noreply@blogger.com (Joel Esler) — Thu, 12 Apr 2012 20:01:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 47 new rules and made modifications to 581 additional rules.

There were no changes made to the snort.conf in this release.

In this rule release many rules were moved from their old categories to new categories as listed in this blog post. Rules are going to be continually moving throughout the next few months, so please pay attention to the blog to make sure you don't miss anything!

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories.

Details:
The Sourcefire VRT has added and modified multiple rules in the
botnet-cnc, dns, dos, exploit, file-identify, file-office, file-pdf,
indicator-compromise, policy, policy-multimedia, pua-p2p, server-mail,
specific-threats, web-activex, web-client and web-misc rule sets to
provide coverage for emerging threats from these technologies.

VRT Rule Update for 04/11/2012, Samba Remote Root

noreply@blogger.com (Joel Esler) — Wed, 11 Apr 2012 18:58:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 5 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis:
This release adds and modifies rules in several categories and includes
detection for a Remote Code Execution (RCE) vulnerability in Samba.

Details:
Samba Remote Code Execution (CVE-2012-1182):
The RPC code generator in certain versions of Samba does not correctly
validate an array length. This error may allow remote attackers to
execute code on an affected system.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 21806.

Additionally, the Sourcefire VRT has added and modified multiple rules
in the exploit, file-identify, file-office, indicator-compromise and
web-client rule sets to provide coverage for emerging threats from
these technologies.

Snort 2.9.2.2 Install Guide for Debian 6.0.4 posted!

noreply@blogger.com (Joel Esler) — Tue, 10 Apr 2012 20:10:00 +0000

Thanks to Jason Weir, I just posted his Snort 2.9.2.2 Install Guide for Debian 6.0.4.

You may find his updated guide at http://www.snort.org/docs. We'd like to thank Jason Weir and the rest of the Snort community with their constant support, guides, bug reports, false positive reports, and participation in the mailing lists.

You all are fantastic!

VRT Rule Update for 4/10/12, MS Tuesday

noreply@blogger.com (Joel Esler) — Tue, 10 Apr 2012 17:46:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 78 new rules and made modifications to 301 additional rules. There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis: The Sourcefire VRT is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:

Microsoft Security Bulletin MS12-023: Microsoft Internet Explorer suffers from programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 21793 and 21796.

Microsoft Security Bulletin MS12-024: The Microsoft Windows Authenticode verification system contains a programming error that may allow a remote attacker to include executable code in an application while keeping the digital signature intact. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 21795.

Microsoft Security Bulletin MS12-025: The Microsoft .NET Framework incorrectly validates some parameters used in processing image data. This may allow a remote attacker to execute code on an affected system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 21792.

Microsoft Security Bulletin MS12-027: The Microsoft Windows Common Controls ActiveX DLL (MSCOMCTL) contains programming errors that may allow a remote attacker to execute code on an affected system. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 21797 through 21801.

Microsoft Security Bulletin MS12-028: The Microsoft Office WPS converter contains a programming error that may allow a remote attacker to execute code on an affected system. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 21794.

Additionally, the Sourcefire VRT has added and modified multiple rules in the backdoor, botnet-cnc, dns, dos, exploit, file-identify, file-office, file-other, file-pdf, netbios, policy, pop3, rpc, scada, shellcode, smtp, specific-threats, sql, voip, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

VRT Rule Release for 3/5/2012

noreply@blogger.com (Joel Esler) — Thu, 05 Apr 2012 20:56:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 37 new rules and made modifications to 248 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis: This release adds and modifies rules in several categories.

Details: The Sourcefire VRT has added and modified multiple rules in the dos, exploit, file-identify, file-office, file-other, file-pdf, misc, multimedia, netbios, policy, policy-other, shellcode, smtp, specific-threats, sql, web-activex and web-misc rule sets to provide coverage for emerging threats from these technologies.

REMINDER: READ THIS BLOG POST

In order to subscribe now to the VRT's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at http://www.snort.org/store. Make sure and stay up to date to catch the most emerging threats!

VRT Rule Update for 4/3/2012, Rule-Recategorization

noreply@blogger.com (Joel Esler) — Tue, 03 Apr 2012 21:33:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 30 new rules and made modifications to 169 additional rules.

The following changes made to the snort.conf in this release, these can be added to the bottom of the snort.conf where the rule declarations are made:

 include $RULE_PATH/file-office.rules

 include $RULE_PATH/file-other.rules

 include $RULE_PATH/file-pdf.rules

 include $RULE_PATH/indicator-compromise.rules

 include $RULE_PATH/indicator-obfuscation.rules

 include $RULE_PATH/policy-multimedia.rules

 include $RULE_PATH/policy-other.rules

 include $RULE_PATH/policy-social.rules

 include $RULE_PATH/pua-p2p.rules

 include $RULE_PATH/pua-toolbars.rules

 include $RULE_PATH/server-mail.rules

In VRT's rule release:

Synopsis: This release introduces eleven new rule categories and contains new and modified rules in several categories.

Details: This release introduces eleven new rule categories:

File-Office File-Other File-PDF Indicator-Compromise Indicator-Obfuscation Policy-Multimedia Policy-Other Policy-Social PUA-P2P PUA-Toolbars Server-Mail

These categories have been populated with rules that were formerly in policy.rules, leaving 36 rules in that category. These will be moved in the near future

This release contains new and modified rules in the backdoor, botnet-cnc, dos, exploit, file-identify, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, mysql, policy-multimedia, policy-other, policy-social, pua-p2p, pua-toolbars, server-mail, specific-threats, spyware-put, voip, web-client and web-php rule sets to provide coverage for emerging threats from these technologies.

VRT Rule Update for 3/29/2012

noreply@blogger.com (Joel Esler) — Thu, 29 Mar 2012 20:22:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 11 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:

Synopsis: This release adds and modifies rules in several categories.

Details: The Sourcefire VRT has added and modified multiple rules in the exploit, file-identify and web-client rule sets to provide coverage for emerging threats from these technologies.

Snort 2.9.2.2 has been released!

noreply@blogger.com (Joel Esler) — Tue, 27 Mar 2012 21:43:00 +0000

Snort 2.9.2.2 is now available on snort.org, at http://www.snort.org/snort-downloads/ in the Latest Release section.

2.9.0 RC & later packages are signed with a new PGP key (that is signed with the previous key).

Snort 2.9.2.2 includes changes for the following:

* Updates to HTTP Inspect to handle normalization with large number of directories, eliminate false positives when chunks span multiple packets, and remove the upper limit on the gzip memcap.

* Update stream handling for TCP session cleanup with RSTs and other TCP state tracking.

* Update for active responses to fragmented IPv6 traffic and to the react page configuration.

* Updates to SIP preprocessor to limit false positives.

* Update for correct logging in unified2 when interface is passive.

* Add stats for SMTP preprocessor at termination.

* State tracking improvements to SMB processing in the dcerpc2 preprocessor when missing packets on a session.

Please see the Release Notes and ChangeLog for more details.

Please submit bugs, questions, and feedback to bugs@snort.org.

VRT Rule Update for 03/27/2012

noreply@blogger.com (Joel Esler) — Tue, 27 Mar 2012 21:42:00 +0000

Join us as we welcome the introduction of the newest rule release for today from the VRT. In this release we introduced 26 new rules and made modifications to 297 additional rules.

This rule release provides support for Snort 2.9.2.2 which has just been released.

There was one change made to the snort.conf in this release, just a modification to this line:
preprocessor ftp_telnet: global inspection_type stateful encrypted_traffic no

In VRT's rule release:

Synopsis: This release adds and modifies rules in several categories.

Details: The Sourcefire VRT has added and modified multiple rules in the backdoor, blacklist, botnet-cnc, exploit, file-identify, misc, multimedia, netbios, phishing-spam, specific-threats, spyware-put, sql and web-misc rule sets to provide coverage for emerging threats from these technologies.