Feed aggregator

March 2010 Vulnerability Report

vrt rules - 4 hours 12 min ago
This month, Alain discusses the two patches from Microsoft and 0day vulnerabilities in Apache, Opera and Internet Explorer, and finishes with VRT activity in March.

Rule release for today - March 9th, 2010

vrt rules - 4 hours 25 min ago
Microsoft Security Advisory (MS10-016): Microsoft Windows Movie Maker contains a programming error that may allow a remote attacker to execute code on an affected system. Microsoft Security Advisory (MS10-017): Microsoft Excel contains several programming errors that may allow a remote attacker to execute code on an affected system. Apache HTTPD mod_isapi RCE (2010-0425): The mod_isapi module

APT: Should your panties be in a bunch, and how do you un-bunch them?

vrt rules - 4 hours 29 min ago
There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding

OISF Suricata Development Meeting Update

Emergingthreats - Tue, 03/09/2010 - 15:00
The OISF Team conducted a major development and planning session the last week of February in preparation for the next phase of Suricata Development. We have made some incredible progress in a very short time, and much of that progress is due to the great feedback and testing we receive from the community. We are extremely grateful for the support both from individuals and large corporations who are putting the engine to the test in their environments. The amount of code and patches flowing in has been very exciting, and we have progressed farther and faster than our expectations!
We are still in Phase One of our development plan and we are officially announcing a feature freeze and release date for a final phase one production ready engine!
The feature freeze is now in effect for Phase One. We will have a Phase One Release Candidate available for testing on Monday May 3rd, 2010. We will then release the final production ready Phase One engine on July 1st, 2010.
In addition to what Suricata does so well now, the following additional features will be made available with this production release:
Complete Snort Syntax and Keyword Support (A few details to finalize, yet we will support 2.8.5 and prior syntax)
SMB Preprocessor Completion (Features such as request logging, etc)
Complete LibHTP Integration, and added keywords to make use of those capabilities
Complete Documentation of the Engine, Configuration, and Tuning
Configurable Run Modes will be available
CUDA GPU Acceleration Support as an Experimental Feature
Fully tested Windows Binaries will be available
Basic Performance Statistics Available (Very advanced statistics will be made available in Phase Two)
Detailed Error Codes and associated Documentation
Local IP Reputation Support and GeoIP capabilities (Distributed Reputation functionality to be released in Phase Two)

Included in this cycle will be some major internal performance tuning. We are learning a lot with the multi-threaded nature of this engine, and it's being tested on some incredibly high speed links. Throughput rates are very impressive, but we're seeing where we can make it even better!
The above features are in addition to what Suricata is already doing well. As a reminder, some of the more exciting features already functional and in the current release are:
Multi-Threading
Native IPv6 Support
FlowInts
HTTP logging
LibHTP from Ivan Ristic
Mac OS X & FreeBSD inline
And many more...

Further announcements will be made in the near future, including the new features we are targeting for Phase Two, upcoming brainstorming meetings near you, and some new ancillary projects. So stay tuned, and thanks for supporting the Foundation; this is a community project and we are proud to be a part of it!
Please Stay Tuned! And keep the feedback and patches coming!

Rule release for today - March 4th, 2010

vrt rules - Thu, 03/04/2010 - 23:06
We added multiple rules to the specific-threats, spyware-put, web-client, backdoor, and web-misc rule sets as well as making a whole lot of modifications to existing rules. Just a bit of a clean up. Details here: http://www.snort.org/vrt/advisories/2010/03/04/vrt-rules-2010-03-04.html

The Sudden Reappearance of MS03-039

vrt rules - Wed, 03/03/2010 - 15:05
Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were seeing constituted false positives. Opening up the supplied packet captures, the DCERPC payload in question looked odd at

Rule release for today - February 26th 2010

vrt rules - Sat, 02/27/2010 - 00:34
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute commands on a vulnerable system. The attacker needs to supply VBScript to invoke winhlp32.exe, which can then be used to execute commands via a specially crafted .HLP file. http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html

CyberShockWave

vrt rules - Thu, 02/25/2010 - 01:05
There has been a lot of talk about CNN’s special presentation called “Cyber Shockwave” in the past couple of days. The program was an edited presentation of the 4-hour war games exercise that took place at the Mandarin Oriental Hotel in Washington D.C. Designed by Michael Hayden, a former CIA director, sponsored by the Bipartisan Policy Center and billed as a “simulated cyber attack on our nation

Rule release for today - February 23rd 2010

vrt rules - Wed, 02/24/2010 - 02:30
Maintenance release: we added multiple rules to the rpc, specific-threats, web-client, chat, sql and oracle rule sets, plus a whole bunch of modifications. http://www.snort.org/vrt/advisories/2010/02/23/vrt-rules-2010-02-23.html

Rule release for today - February 17th 2010

vrt rules - Wed, 02/17/2010 - 22:01
A maintenance release: some new rules in the policy, web-misc, web-client, web-activex, sql and exploit rule sets, plus multiple rule modifications. Details are here: http://www.snort.org/vrt/advisories/2010/02/17/vrt-rules-2010-02-17.html

February 2010 Vulnerability Report

vrt rules - Wed, 02/17/2010 - 00:42
This month's report covers the Microsoft Tuesday advisories for February 2010 and a whole bunch of snow at Sourcefire HQ.

Microsoft Tuesday Coverage for February 2010

vrt rules - Tue, 02/09/2010 - 22:56
Well, Microsoft really made up for a light patch in January with a hefty dose of vulnerabilities this month. We had our hands full dealing with this avalanche. We have coverage for the non-local vulnerabilities; only a couple of issues were covered in previously released rules, the rest are all new. Check out the rule release details here: http://www.snort.org/vrt/advisories/2010/02/09/vrt-rules

Introduction to the Shared Object Rules Generator

vrt rules - Thu, 02/04/2010 - 23:33
This is the first of a series of blog posts about writing Shared Object (SO) rules for snort. Not a lot of documentation exists as yet about how SO rules work or how to write them, and honestly this particular post isn't going to cover a lot of that information directly. Instead, we're going to go with an approach more akin to throwing everyone into the deep end of the pool but with a nice, big

Coming Soon To A Snort User's Group Near You

vrt rules - Wed, 02/03/2010 - 17:59
I was in Chicago last Friday for a meeting of the local Snort Users' Group (Powerpoint presentation available here). While the weather was as crummy as you'd expect out of Chicago in January, overall it was an excellent visit, thanks to the group of people who turned out for the meeting. The ChiSUG people are friendly, know their stuff, and had plenty of intelligent questions after my

Rule release for today - January 26th 2010

vrt rules - Tue, 01/26/2010 - 22:23
A few additions, some modifications. Mostly a maintenance release. Check it out: http://www.snort.org/vrt/advisories/2010/01/26/vrt-rules-2010-01-26.html

Using byte_jump as a Detection Mechanism

vrt rules - Mon, 01/25/2010 - 18:23
This is just a quick tidbit about writing effective snort rules that I thought I would share. I was writing a Snort shared object (SO) rule for demonstration purposes. I was going to use a "vulnerability" where the DATA section, which is the last part of the packet, specifies a size that is smaller than the actual amount of data left in the payload. The idea is based on a fairly standard

The Acrobat JavaScript Blacklist Framework

vrt rules - Fri, 01/22/2010 - 21:09
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blacklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts. First of all, I am very pleased with this new blacklisting feature. Until now, when we knew about a 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in

Bothunter 1.5 Released!

Emergingthreats - Wed, 01/20/2010 - 04:14
One of my favorite projects has a new significant release. Bothunter is an automated bot finding tool. It uses the Emerging Threats signature base, but has a LOT more under the hood. I highly recommend it; we write a lot of signatures based on new threats it identifies first.
Find more info here: http://www.bothunter.net

Rule release for today - January 15th 2010

vrt rules - Fri, 01/15/2010 - 18:49
It seems that a couple of large companies were targeted with a vulnerability in Internet Explorer. Today's release contains a rule to detect attacks targeting this vulnerability. Check out the details at http://www.snort.org/vrt/advisories/2010/01/15/vrt-rules-2010-01-15.html

January 2010 Vulnerability Report

vrt rules - Fri, 01/15/2010 - 05:00
Video: Sourcefire VRT Vulnerability Report January 2010 from Sourcefire VRT on Vimeo. This month Alain Zidouemba talks about Microsoft Tuesday, Adobe patches, Snort and ClamAV releases. From the beach. Where it's warm. While the rest of us freeze. Just saying. Putting it out there.