Snort 2.8.3 Now Available

Snort 2.8.3 is now available on snort.org, at http://www.snort.org/dl/

Snort 2.8.3 introduces:

- MPLS decoding support

- Improvements to HTTP Inspect to provide more information to the rules
language

- Several other improvements and fixes

Please see the release notes and changelog for more details.

Happy Snorting!
The Snort Release Team

OSSEC HIDS 1.6 Released

From Daniel Cid of the OSSEC Team

"The OSSEC team is pleased to announce the general availability of
OSSEC version 1.6.

OSSEC is an Open Source Host-based Intrusion Detection System. It
performs log analysis, integrity checking,
Windows registry monitoring, rootkit detection, real-time alerting and
active response. It runs on most operating systems,
including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

This new version delivers the most comprehensive update to OSSEC in
its history, with numerous new features and bug fixes, including:

* New multi-server architecture
* New platform support for Microsoft Vista (and Server 2008)
* New platform support for VMware ESX
* Added active response module for Windows
* CIS benchmarks on Linux (through the policy auditing)
* Added the VMWare Security hardening guideline to the policy auditing
* Added support for McAfee VirusScan Enterprise logs
* Added support for VMware ESX hostd logs
* Added support for Mac OS FTP server logs
* New tools to better manage the data stored (syscheck_control,
rootcheck_control, log_test)

And much more… Check the release message for more information:
http://www.ossec.net/main/ossec-v16-released

Download it from: http://www.ossec.net/main/downloads"

Congratulations on the release, guys!

Snort Users Group Melbourne - Sept. 10, 2008

Hi Everyone,

Here are the details for a Snort Users Group meeting in Melbourne, Australia.

Date: Wednesday the 10th of September
Location: Misty Place, 3 - 5 Hosier Lane, Melbourne
Time: 5:00 PM (for 5:30 PM presentation) - 6:30 PM

The Snort Users Group Meeting gives you a chance to meet and greet fellow Snort Users, give your input for future user group presentations, and find out more about Snort 3.0.

Bar snacks and refreshments will be provided by Sourcefire®, the creators of Snort.

Please RSVP by email to kelvin.rundle@sourcefire.com by 5:00 PM on the 8th of September.

VRT Certified Rules Update Available

The Sourcefire VRT has added multiple rules in the web-client and exploit categories to provide coverage for emerging ActiveX control and exploit threats.

These rules are available to subscribers only until Thursday, September 25, 2008.

Download rules | view advisory | view changelog | subscribe now.

Defcon, testing and exploiting

This year at Defcon Immunity trotted out the first iteration of their NOP cert test, and I had the pleasure of giving it a test run. I still think it's a great indicator of ability, despite the Immunity tools focus; I'm not a user of any of their tools generally, but I managed to pull off the hardest level test in a modest time. It got us thinking on the way home: where does one go from the bar set by the NOP to get to the next level in terms of exploit development skill? In this vein I've thrown together a few Windows executables, and in a nod to Gera of Core, they're called Advanced Windows Buffer Overflows (AWBOs).

We've set up a few ground rules and a basic set up to keep things moving along:

1) All exploits are performed in Windows 2000 SP4 unless otherwise specified. Sometimes, otherwise will be specified.
2) Exploits will use the provided shellcode, or ret2lib.
3) You may not return to hard coded stack addresses.
4) No source code will be provided - just like the NOP cert.

Standard tools used are Cygwin with Perl, and WinDbg; installation in VMware is a plus. The shellcode provided is the amazing Windows exec shellcode from Metasploit, set up to run calc.exe.

I can say that all of these are exploitable, and they run through a progression, so try to do each of them in the most straightforward way possible. We'll be skipping awbo1.exe as it's very similar to one of Immunity's tests (as far as my memory serves). They'll be released slowly over the next few months. Feel free to send in your solutions, or ask for tips. All of the examples have been play tested by the VRT analyst team, and are assured to be exploitable.

"This next test could take a very, very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline."

Awbo2.exe download and shellcode download

VRT Certified Rules Update Available

The Sourcefire VRT has added multiple rules in the spyware-put, web-client and sql categories to provide coverage for emerging spyware, ActiveX control and SQL injection threats.

These rules are available to subscribers only until Thursday, September 18, 2008.

Download rules | view advisory | view changelog | subscribe now.

OfficeCat Update Available

The OfficeCat tool has been updated to include detection for a vulnerability in Microsoft PowerPoint.

Download zip archive | Download Linux-wine archive | view advisory.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.

These rules are available to subscribers only until Thursday, September 11, 2008.

Download rules | view advisory | view changelog | subscribe now.

DNS Vulnerability Paper

Now that Defcon is over and the Kaminsky DNS Vulnerability is completely out in the open, the Sourcefire VRT has a new whitepaper that discusses the issue and suggests detection methods using Snort rules. Download it here.

Register for the next Snort Users Webcast - Aug. 20, 2008

The next installment of the Snort Users Webcast Series will be broadcast live on Aug. 20 at 4:00 PM EDT.  Details are below:

This month's presenter is Joel Esler, a Sourcefire security consultant and frequent contributor to the Snort community. Joel will be discussing some of the most common mistakes made when configuring and using Snort and how to fix them. Topics covered in this session will include:

o Snort.conf file
o Variables
o Preprocessors
o Rules
o Barnyard and SnortUnified

Date: Wednesday, August 20, 2008
Time: 4:00 PM US Eastern Daylight Time (GMT -4:00)

To register for this webcast visit:

https://sourcefireevents.webex.com/mw0305l/mywebex/default.do?siteurl=sourcefireevents

As always this session will be recorded with links posted on Snort.org and Sourcefire.com for future use.

Daemonlogger v1.1 Released

Marty released Daemonlogger 1.1 yesterday. In this release:

- -M switch added to perform disk utilization-based rollovers and pruning
- Bug fix related to file pruning reported by Wesley Shields

Daemonlogger v1.1 can be downloaded at: http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

Enjoy!

Motor City Area Snort Users Group - August 14

The first meeting of the Motor City Snort Users Group will be held August 14, 2008 at Sourcefire's Education Headquarters in Livonia, Michigan. 

Snort Users Groups are a great place to meet and network with other Snort users and information security professionals regardless of your level of experience.

The Details are:

Date: August 14, 2008
Time: 4:00 PM

Agenda:

- Introductions and networking
- Best Practice for writing Snort Rules
- An overview of the SnortSP 3.0 architecture

For more information or to register, please email SourcefireEvents@sourcefire.com or call Patrick Mahoney at (815) 230-5237.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of vulnerabilities affecting Sun Java Web Start, Oracle Database Server and DNS implementations.

These rules are available to subscribers only until Thursday, August 28, 2008.

Download rules | view advisory | view changelog | subscribe now.

IPS Challenge at MOCA2008

Hi Everyone,

The Italy Snort Users Group has issued another IPS challenge. This year the challenge will be held August 21-24 at MOCA2008 in Pescara Italy.

Challenge Details:

Two virtual UML machines running old, unpatched versions of Apache, MySQL, Joomla and PHP-Nuke. One of these virtual servers will be defended by an IPS in inline mode and the other will not. Challengers will have the option of attacking a server with or without an IPS; the greater rewards will go to those able to gain root on the server defended by the IPS.

More information on the challenge is available at www.snortattack.org, or you can email Matteo and Pierpaolo at admin@snortattack.org.

More information on MOCA 2008 is available at: http://camp.olografix.org/home.php


Canberra Snort Users Group Meeting - July 30, 2008

Date: Wednesday the 30th of July
Location: King O'Malley's, 131 City Walk, Canberra City
Time: 5:00 (for 5:30 presentation) - 6:30 PM
Topic: Paul Nevin and Brian Candlish from Verizon Business will be presenting on their experiences using Snort

The Snort Users Group Meeting gives you a chance to meet and greet fellow Snort Users regardless of your level of experience.

Bar snacks and refreshments will be provided by Sourcefire, the creators of Snort.

Please RSVP by email to kelvin.rundle@sourcefire.com by 5:00 PM on the 28th of July.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of vulnerabilities affecting IBM Lotus Domino, Novell GroupWise and Adobe RoboHelp.

These rules are available to subscribers only until Thursday, August 21, 2008.

Download rules | view advisory | view changelog | subscribe now.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of vulnerabilities affecting Adobe Photoshop and HP Instant Support DataManager.

These rules are available to subscribers only until Thursday, July 24, 2008.

Download rules | view advisory | view changelog | subscribe now.

BOSS Conference - Call for Speakers Closes July 15

We just wanted to remind everyone that the deadline to submit a speaking application for the BOSS Conference www.bossconference.com is coming up on July 15. We’ve received some outstanding proposals to date – keep them coming in. The speaker application is available at: http://www.bossconference.com/speakers.html

We hope to see you in Vegas!

Snort Security Platform 3.0 Beta Now Available

We’re pleased to introduce our first beta release built on the new Snort 3.0 architecture. SnortSP is an open-source platform for running packet-based network security applications, including the Snort 2.8.2.1 detection engine. SnortSP introduces a new shell-based user interface, a multi-threaded execution module, native IPv6 support, performance improvements, and more.

Get more info on SnortSP here.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of vulnerabilities affecting Adobe Photoshop and HP Instant Support DataManager.

These rules are available to subscribers only until Thursday, July 31, 2008.

Download rules | view advisory | view changelog | subscribe now.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.

These rules are available to subscribers only until Thursday, August 7, 2008.

Download rules | view advisory | view changelog | subscribe now.

New Setup Guides for XP and Solaris 10

Hi everyone,

There are a couple of new, user-contributed set-up guides listed in the docs section of Snort.org.

- Snort with BASE on Solaris 10 (Sparc) was contributed by Randal Rioux
- Snort on XP was contributed by Kasey Efaw

Both documents are listed here: http://snort.org/docs/#setup

Thanks to both Kasey and Randal for the contribution. Both authors encourage you to provide feedback.

Keep on Snorting!

VRT Certified Rules Update Available

This release contains a fix for a problem that prevented the rules for MS08-040 from being loaded correctly.

These rules are available to subscribers only until Friday, August 8, 2008.

Download rules | view advisory | view changelog | subscribe now.

OfficeCat Update Available

The OfficeCat tool has been updated to include detection for a vulnerability in Microsoft Word.

Download zip archive | view advisory.

VRT Certified Rules Update Available

This release contains a fix for a problem that caused the rule for MS08-037 to generate false positive events. This release also contains multiple rules in the spyware-put and backdoor categories to provide coverage for emerging spyware and backdoor threats.

These rules are available to subscribers only until Sunday, August 10, 2008.

Download rules | view advisory | view changelog | subscribe now.

VRT Certified Rules Update Available

The Sourcefire VRT is aware of vulnerabilities affecting Apple QuickTime and IBM Lotus Sametime.

These rules are available to subscribers only until Thursday, August 14, 2008.

Download rules | view advisory | view changelog | subscribe now.