vrt rules
We are the Sourcefire Vulnerability Research Team. We are legion. Resistance is futile.
APT: Should your panties be in a bunch, and how do you un-bunch them?
There is no more predictable group of people than marketers. Once a term reaches a certain tipping point, they grab onto it for dear life and choke it until it means nothing. Apparently, the Advanced Persistent Threat (APT) hit that point somewhere around December. Despite the term being used by the defense industrial base for years, it wasn’t until this year that firms really started pounding
Rule release for today - March 10th, 2010
Microsoft Internet Explorer (CVE-2010-0806):
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system.
Check it here
Oh, and the rule is a shared object rule, so the changelog won't actually show it. If you use PulledPork for your rule updates though, you should see it in the changes when you update.
Rule release for today - March 9th, 2010
Microsoft Security Bulletin MS10-016:
Microsoft Windows Movie Maker contains a programming error that may allow a remote attacker to execute code on an affected system.
Microsoft Security Bulletin MS10-017:
Microsoft Excel contains several programming errors that may allow a remote attacker to execute code on an affected system.
Apache HTTPD mod_isapi RCE (CVE-2010-0425):
The mod_isapi module
The Sudden Reappearance of MS03-039
Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were seeing constituted false positives. Opening up the supplied packet captures, the DCERPC payload in question looked odd at
Rule release for today - February 26th 2010
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute commands on a vulnerable system. The attacker needs to supply VBScript to invoke winhlp32.exe, which can then be used to execute commands via a specially crafted .HLP file.
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
CyberShockWave
There has been a lot of talk about CNN’s special presentation called “Cyber Shockwave” in the past couple of days. The program was an edited presentation of the 4-hour war games exercise that took place at the Mandarin Oriental Hotel in Washington D.C. Designed by Michael Hayden, a former CIA director, sponsored by the Bipartisan Policy Center and billed as a “simulated cyber attack on our nation
Microsoft Tuesday Coverage for February 2010
Well, Microsoft really made up for a light patch in January with a hefty dose of vulnerabilities this month. We had our hands full dealing with this avalanche. We have coverage for all of the non-local vulnerabilities; only a couple of issues were already covered by previously released rules, and the rest are all new.
Check out the rule release details here: http://www.snort.org/vrt/advisories/2010/02/09/vrt-rules
Introduction to the Shared Object Rules Generator
This is the first of a series of blog posts about writing Shared Object (SO) rules for Snort. Not a lot of documentation exists as yet about how SO rules work or how to write them, and honestly this particular post isn't going to cover a lot of that information directly. Instead, we're going to go with an approach more akin to throwing everyone into the deep end of the pool but with a nice, big
Coming Soon To A Snort User's Group Near You
I was in Chicago last Friday for a meeting of the local Snort Users' Group (Powerpoint presentation available here). While the weather was as crummy as you'd expect out of Chicago in January, overall it was an excellent visit, thanks to the group of people who turned out for the meeting. The ChiSUG people are friendly, know their stuff, and had plenty of intelligent questions after my
Using byte_jump as a Detection Mechanism
This is just a quick tidbit about writing effective Snort rules that I thought I would share. I was writing a Snort shared object (SO) rule for demonstration purposes. I was going to use a "vulnerability" where the DATA section, which is the last part of the packet, specifies a size that is smaller than the actual amount of data left in the payload.
The idea is based on a fairly standard
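To make the detection idea concrete, here is an added example (not code from the post or from the VRT ruleset) that emulates what a byte_jump-based rule does for the condition described above: read the declared DATA length, jump past that many bytes, and alert only if payload still remains. The packet layout (a 4-byte "DATA" marker, a 2-byte big-endian length, then the data) and the Snort rule fragment quoted in the docstring are assumptions chosen for illustration, not the post's actual protocol or rule.

```python
"""Emulate Snort's byte_jump + isdataat check for an undersized length field.

Hypothetical packet layout (constructed for this example):
  offset 0..3  marker  b"DATA"
  offset 4..5  declared length of the data section, big-endian
  offset 6..   the data section, which is the last thing in the packet
"""
import struct


def declared_length_mismatch(payload: bytes) -> bool:
    """Return True when the declared DATA length is smaller than the bytes that follow it.

    Assumed Snort equivalent of this logic:
        content:"DATA"; byte_jump:2,0,relative; isdataat:1,relative;
    byte_jump reads the 2-byte length right after the content match and moves
    the detection cursor that many bytes forward; isdataat:1,relative then
    matches only if at least one byte exists beyond the declared end.
    """
    idx = payload.find(b"DATA")
    if idx < 0 or len(payload) < idx + 6:
        # No marker, or the length field itself is truncated: nothing to evaluate.
        return False
    (declared,) = struct.unpack(">H", payload[idx + 4:idx + 6])
    cursor = idx + 6 + declared           # byte_jump: skip the declared data
    if cursor > len(payload):
        # Declared length overshoots the packet. In Snort the jump fails and
        # the rule does not match; this is a different condition (oversized
        # length), not the undersized one the rule is after.
        return False
    return cursor < len(payload)          # isdataat:1,relative: trailing bytes exist


def build_packet(declared_len: int, data: bytes) -> bytes:
    """Construct a sample packet with an arbitrary declared length."""
    return b"DATA" + struct.pack(">H", declared_len) + data


# Constructed sample traffic: one honest packet, one that under-declares its
# data (the detection target), and one that over-declares it.
SAMPLES = {
    "honest": build_packet(4, b"ABCD"),
    "undersized": build_packet(2, b"ABCD"),
    "oversized": build_packet(8, b"ABCD"),
}


def classify_samples() -> dict:
    """Run the check over the constructed samples; only 'undersized' should alert."""
    return {name: declared_length_mismatch(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, alert in classify_samples().items():
        print(f"{name:11s} alert={alert}")
```

The point of structuring the rule this way is that the rule never has to know the real data length: byte_jump lets the packet's own length field position the cursor, and isdataat asks the one question that matters, namely whether anything is left over. A declared length that runs past the end of the packet makes byte_jump fail rather than alert, so that case needs its own rule if it also matters.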
The Acrobat JavaScript Blacklist Framework
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blacklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts.
First of all, I am very pleased with this new blacklisting feature. Until now, when we knew about 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in
January 2010 Vulnerability Report
Sourcefire VRT Vulnerability Report, January 2010 (video from Sourcefire VRT on Vimeo). This month Alain Zidouemba talks about Microsoft Tuesday, Adobe patches, and Snort and ClamAV releases. From the beach. Where it's warm. While the rest of us freeze. Just saying. Putting it out there.