Feed aggregator

Fundamentals of Exploit Development Class in VEGAS!

vrt rules - Thu, 07/08/2010 - 16:14
Need some more exploit fun? Want to stay in Vegas a little longer? Need some face time with the VRT? We are holding the fundamentals of exploit development class right after DefCon this year, August 2nd, 3rd and 4th in Las Vegas, NV. For more details and to book your place, take a look at http://www.sourcefire.com/services/education/schedule/

Increase in attacks on CVE-2010-1885

vrt rules - Thu, 07/08/2010 - 15:12
Microsoft is warning that there has been an increase of attacks against a zero-day vulnerability in Microsoft Help and Support Center. The vulnerability is due to an error when using invalid hexadecimal characters in the search topic parameter of a URI. It can be used to bypass restrictions normally imposed by a command-line argument to load arbitrary help documents. Proof-of-concept code has

Yes, Virginia, There is Cyberwar

vrt rules - Wed, 07/07/2010 - 19:40
DEAR EDITOR: I have been in security for 8 years. Some of my friends say there is no such thing as cyberwar. My manager says, "If you see it on the VRT Blog then it's so." Please tell me the truth; is there cyberwar? Virginia O'Hanlon. 115 West Ninety-Fifth Street. Virginia, your friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except

Rule Release for Today, Thursday July 1st, 2010

vrt rules - Thu, 07/01/2010 - 21:51
Remote code execution in Adobe Acrobat and Reader. Some folks are claiming it's a denial of service, heh, right. RCE is possible, get your rules here: http://www.snort.org/vrt/advisories/2010/07/01/vrt-rules-2010-07-01.html/

IMPORTANT Rule Download Change

vrt rules - Wed, 06/30/2010 - 21:07
Today the Snort Web Team made a change to the way that Snort rules are downloaded from snort.org. Hopefully this will result in faster downloads for most people. The changes are highlighted below: We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be

Rule Release for Today, Tuesday June 29th, 2010

vrt rules - Tue, 06/29/2010 - 21:47
We added and modified multiple rules in the backdoor, dos, exploit, misc, multimedia, netbios, oracle, pop3, rpc, specific-threats, web-activex, web-client and web-misc rule sets. Information is here: http://www.snort.org/vrt/advisories/2010/06/29/vrt-rules-2010-06-29.html/

Smart Grids and the Importance of Smart Security Choices

vrt rules - Mon, 06/28/2010 - 15:43
I got a flyer in my mail a couple of days ago, telling me that my local utility company would be coming out soon to install a smart meter on my house. Like most customers, I didn't think too much about it, until the new meter was installed today. That's when my curiosity got the better of me - even though I arrived home after dark, I had to go take a look at the shiny new toy on the side of my

ClamAV for Windows

vrt rules - Tue, 06/22/2010 - 21:23
Recently, we released the only official Windows-specific version of ClamAV, appropriately called ClamAV for Windows (http://www.clamav.net/lang/en/about/win32/). It is designed to use little memory and processing speed because it uses an advanced cloud-based protection mechanism, best of all it's free (as in free beer. Ummm...beeeeer). If you haven't tried it yet, I really encourage you to. You

Emerging Threats Announces Call for Developers to Create New and Improved Rule Set

Emergingthreats - Mon, 06/21/2010 - 18:26

Emerging Threats today announces an open call for developers to assist with QA, load testing, backend management, and rule porting activities to support a professional-grade IDS ruleset for multiple IDS engines and platforms.

With this call for developers, Emerging Threats seeks to further engage and employ both existing and new members of the open-source security community.

The Suricata engine is a significant supported platform in addition to Snort and others. With advanced features such as a multi-threaded design and IP reputation, Suricata unlocks the potential for a more advanced ruleset than was previously possible.   

With the speed of malware creation rapidly advancing, Emerging Threats plans to create additional research and intelligence resources to advance rulesets and policies.  This will allow Emerging Threats to continue to provide individuals and companies with the advanced protection they have come to expect from the open community.

Emerging Threats is an open source community project that produces the fastest and most diverse IDS signature set available today, through the contributions and support of its community.

Successful candidates should be familiar with the Snort rule syntax, Suricata, malware trends and command and control methods, and vulnerability concepts, and have a deep understanding of network protocols.

If you are interested in participating in this initiative, please contact Matt Jonkman at jonkman@emergingthreats.net or threats@emergingthreats.net


Complete announcement here:

http://www.emergingthreats.net/6.21.10_ET_CallforDevelopers.pdf

Defenders of the Faith

vrt rules - Mon, 06/21/2010 - 17:01
Quite recently, Tavis Ormandy released a 0-day vulnerability in a prominent piece of software. For this transgression, both he and his employer received a good deal of bad press. Sadly, very few in the professional security researcher crowd made enough noise about this, and to the contrary, one man in particular came down squarely against him. Thankfully however we still have Brad Spengler.

Snorby 1.4 Available!

Emergingthreats - Fri, 06/18/2010 - 14:25

From the Snorby guys:


I'm pleased to announce the new release of (SPSA) Snorby Preconfigured Security Applications, version 1.4.

Snorby Preconfigured Security Applications make it effortless for anyone to use Snorby, the new and modern Snort IDS front-end. With (SPSA) Snorby Preconfigured Security Applications, it is possible to get Snorby and Snort up and running out of the box within a few minutes.

(SPSA) Snorby Preconfigured Security Applications web page

http://www.cryptolife.org/index.php/Spsa


[*] Improvements and fixes

* Snort 2.8.6 added

* Apache2-ssl support added ( https://ipaddress:8080 )

* Crontab issue fixed

* Webmin removed

* Shellinabox removed

* Turnkey linux configuration console modified

* Snorby installation moved to /var/Snorby


Enjoy, Phillip


-- (SPSA) Snorby Preconfigured Security Applications http://www.cryptolife.org/index.php/Spsa


Rule Release for Today - June 17th, 2010

vrt rules - Thu, 06/17/2010 - 21:27
As a result of ongoing research, the Sourcefire VRT has added multiple rules in the dos, exploit, ftp, mysql, policy, rpc, specific-threats, spyware-put, web-activex, web-client, web-misc and web-php rule sets to provide coverage for emerging threats from these technologies. For a complete list of new and modified rules please see: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06

National Cyber-Security Emergency and Phenomenal Cosmic Power or Lieberman -- EARN IT

vrt rules - Tue, 06/15/2010 - 15:23
So…you’re at the bar and across the room you see this incredible [insert whatever floats your boat here]. You spend an inappropriate amount of your time watching this person and your mind starts to fill in the details that the dark environment masks. Then they turn around, walk towards the bar and (finally!) walk into enough light that you can see what they look like. Your first thought…”KILL IT

Rule Release for Today - June 14th, 2010

vrt rules - Mon, 06/14/2010 - 20:20
Apple Safari RCE (CVE-2010-1939), Google Chrome GLUG bypass (CVE-2010-1663). Details available here: http://www.snort.org/vrt/advisories/2010/06/14/vrt-rules-2010-06-14.html/

Sourcefire VRT Expansion Plans (We are Hiring)

vrt rules - Mon, 06/14/2010 - 13:46
One of the hardest things in life is finding the right place to work, where you can spend eight to ten hours a day doing something you enjoy and also pay your bills. I’ve been lucky enough in my life to find this type of place three times: HiverWorld, Farm9, and Sourcefire. Each one of these places had a number of attributes that made it appealing to me, and made it where I wanted to spend the

Rule Release for Today, June 10th, 2010

vrt rules - Thu, 06/10/2010 - 22:53
Microsoft Help and Support Center Bypass Vulnerability: Microsoft Help and Support Center contains a programming error that may allow a remote attacker to bypass security restrictions on an affected system. The error occurs when invalid hex-encoded characters are used as a parameter to a search query using the hcp:// URI schema. Changelogs here: http://www.snort.org/vrt/advisories/2010/06/10/

Rule Release for today - June 8th, 2010

vrt rules - Tue, 06/08/2010 - 18:30
Here we are again, Microsoft Tuesday for June 2010. A number of issues this month and rules to provide coverage for attack detection. Main advisory numbers for IDS/IPS coverage are MS10-033, MS10-034, MS10-035, MS10-038, MS10-039 and MS10-041. Check out the advisory and changelog here: http://www.snort.org/vrt/advisories/2010/06/08/vrt-rules-2010-06-08.html/

Single Threaded Data Processing Pipelines and the Intel Architecture

vrt rules - Mon, 06/07/2010 - 20:59
Or, No Performance for you, go home now. Today's blog post is a guest appearance by our Benevolent Dictator and Glorious Leader, Marty Roesch. We asked Marty for his thoughts on threading, performance and processing network data. Here's what we got: Executive Summary: Performance of processes on current- and next-generation Intel CPUs is closely tied to proper cache utilization. Claims being made

Suricata 0.9.1 RC2 Available!

Emergingthreats - Wed, 05/26/2010 - 17:18
The OISF development team is proud to introduce the second release candidate of Suricata, the Open Source Intrusion Detection and Prevention engine. We're working towards our first stable release, currently scheduled for July 1st 2010.

Get the new release here: http://www.openinfosecfoundation.org/download/suricata-0.9.1.tar.gz

New features

- support for the asn1 keyword added
- support for reading of ERF files added
- basic rule profiling functionality added
- ssl2/ssl3 app layer support added
- detection engine was made partly stateful

Improvements

- multiple regressions in the detection engine causing false negatives were fixed
- many accuracy and stability improvements were made
- icmp handling in the flow engine was improved

Known issues & missing features

We have made significant progress towards reaching our first full (non-beta) release of Suricata. Your feedback is always important to us and we appreciate your time and effort. As always, we are doing our best to make you aware of continuing development and items within the engine that are not yet complete. With this in mind, please see the list we have included of known items we are working on.

- Currently we don't support the dce option for byte_test and byte_jump.
- Stream reassembly is currently only performed for app-layer code.
- Inconsistent time stamps in http log file due to handling & updating of the http state.
- DCE/RPC over udp is not currently supported.
- dce_stub_data does not respect relative modifiers.
- Engine does not work properly on big endian platforms.
- Time based stats are not calculated correctly.
- Signatures using the uricontent keyword might generate multiple alerts for the same event.

See https://redmine.openinfosecfoundation.org/projects/suricata/issues for an up to date list and to report new issues.

Rule release for today, Tuesday May 25th, 2010

vrt rules - Tue, 05/25/2010 - 21:04
A maintenance release, new rules in web-client, web-misc, backdoor, oracle, policy and specific-threats rule sets and an extensive set of rule updates. Check it out: http://www.snort.org/vrt/advisories/2010/05/25/vrt-rules-2010-05-25.html/