Feed aggregator
Rule release for today - March 9th, 2010
Microsoft Security Advisory (MS10-016):
Microsoft Windows Movie Maker contains a programming error that may allow a remote attacker to execute code on an affected system.
Microsoft Security Advisory (MS10-017):
Microsoft Excel contains several programming errors that may allow a remote attacker to execute code on an affected system.
Apache HTTPD mod_isapi RCE (CVE-2010-0425):
The mod_isapi module
APT: Should your panties be in a bunch, and how do you un-bunch them?
There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding
OISF Suricata Development Meeting Update
The OISF Team conducted a major development and planning session the last week of February in preparation for the next phase of Suricata development. We have made some incredible progress in a very short time, and much of that progress is due to the great feedback and testing we receive from the community. We are extremely grateful for the support both from individuals and from large corporations who are putting the engine to the test in their environments. The amount of code and patches flowing in has been very exciting, and we have progressed farther and faster than our expectations!
We are still in Phase One of our development plan, and we are officially announcing a feature freeze and release date for the final, production-ready Phase One engine!
The feature freeze is now in effect for Phase One. We will have a Phase One Release Candidate available for testing on Monday May 3rd, 2010. We will then release the final production ready Phase One engine on July 1st, 2010.
In addition to what Suricata does so well now, the following additional features will be made available with this production release:
Complete Snort Syntax and Keyword Support (A few details to finalize, yet we will support 2.8.5 and prior syntax)
SMB Preprocessor Completion (Features such as request logging, etc)
Complete LibHTP Integration, and added keywords to make use of those capabilities
Complete Documentation of the Engine, Configuration, and Tuning
Configurable Run Modes will be available
CUDA GPU Acceleration Support as an Experimental Feature
Fully tested Windows Binaries will be available
Basic Performance Statistics Available (Very advanced statistics will be made available in Phase Two)
Detailed Error Codes and associated Documentation
Local IP Reputation Support and GeoIP capabilities (Distributed Reputation functionality to be released in Phase Two)
Included in this cycle will be some major internal performance tuning. We are learning a lot with the multi-threaded nature of this engine, and it’s being tested on some incredibly high speed links. Throughput rates are very impressive, but we're seeing where we can make it even better!
The above features are in addition to what Suricata is already doing well. As a reminder, some of the more exciting features already functional and in the current release are:
Multi-Threading
Native IPv6 Support
FlowInts
HTTP logging
LibHTP from Ivan Ristic
Mac OS X & FreeBSD inline
And many more...
Further announcements will be made in the near future, including the new features we are targeting for Phase Two, upcoming brainstorming meetings near you, and some new ancillary projects. So stay tuned, and thanks for supporting the Foundation: this is a community project and we are proud to be a part of it!
Please Stay Tuned! And keep the feedback and patches coming!
The Sudden Reappearance of MS03-039
Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were seeing constituted false positives. Opening up the supplied packet captures, the DCERPC payload in question looked odd at
Rule release for today - February 26th 2010
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute commands on a vulnerable system. The attacker needs to supply VBScript to invoke winhlp32.exe, which can then be used to execute commands via a specially crafted .HLP file.
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
CyberShockWave
There has been a lot of talk about CNN’s special presentation called “Cyber Shockwave” in the past couple of days. The program was an edited presentation of the 4-hour war games exercise that took place at the Mandarin Oriental Hotel in Washington D.C. Designed by Michael Hayden, a former CIA director, sponsored by the Bipartisan Policy Center and billed as a “simulated cyber attack on our nation
Microsoft Tuesday Coverage for February 2010
Well, Microsoft really made up for a light patch in January with a hefty dose of vulnerabilities this month. We had our hands full dealing with this avalanche. We have coverage for the non-local vulnerabilities: only a couple of issues were already covered by previously released rules, and the rest are all new.
Check out the rule release details here: http://www.snort.org/vrt/advisories/2010/02/09/vrt-rules
Introduction to the Shared Object Rules Generator
This is the first of a series of blog posts about writing Shared Object (SO) rules for Snort. Not a lot of documentation exists as yet about how SO rules work or how to write them, and honestly this particular post isn't going to cover a lot of that information directly. Instead, we're going to go with an approach more akin to throwing everyone into the deep end of the pool but with a nice, big
Coming Soon To A Snort User's Group Near You
I was in Chicago last Friday for a meeting of the local Snort Users' Group (Powerpoint presentation available here). While the weather was as crummy as you'd expect out of Chicago in January, overall it was an excellent visit, thanks to the group of people who turned out for the meeting. The ChiSUG people are friendly, know their stuff, and had plenty of intelligent questions after my
Using byte_jump as a Detection Mechanism
This is just a quick tidbit about writing effective Snort rules that I thought I would share. I was writing a Snort shared object (SO) rule for demonstration purposes. I was going to use a "vulnerability" where the DATA section, which is the last part of the packet, specifies a size that is smaller than the actual amount of data left in the payload.
The idea is based on a fairly standard
The Acrobat JavaScript Blacklist Framework
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blacklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts.
First of all, I am very pleased with this new blacklisting feature. Until now, when we knew about 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in
Bothunter 1.5 Released!
One of my favorite projects has a new significant release. Bothunter is an automated bot-finding tool. It uses the Emerging Threats signature base, but has a LOT more under the hood. I highly recommend it; we write a lot of signatures based on new threats it identifies first.
Find more info here:
January 2010 Vulnerability Report
Sourcefire VRT Vulnerability Report January 2010 (video from Sourcefire VRT on Vimeo). This month Alain Zidouemba talks about Microsoft Tuesday, Adobe patches, Snort and ClamAV releases. From the beach. Where it's warm. While the rest of us freeze. Just saying. Putting it out there.