Feed aggregator
Introduction to ClamAV's Low Level Virtual Machine (LLVM)
Users of prior versions of ClamAV may have noticed a drastic increase in the size of the tarball with the introduction of 0.96. This is due to the addition of a bytecode interpreter, and a JIT Low Level Virtual Machine (LLVM). It greatly extends ClamAV detection capabilities by being able to interpret/execute bytecode. Not a lot of documentation exists as yet about how to write bytecode for
NVIDIA Partners with the OISF
The OISF is proud to announce that NVIDIA has joined the foundation as a technology partner to help develop and enhance CUDA GPU based acceleration within Suricata. This exciting development gives the foundation access and assistance from NVIDIA engineers and designers to bring you Suricata IDS/IPS GPU acceleration on standard hardware.
Watch for new developments with GPU acceleration to hit the streets very soon!
ClamAV Release Announcements
ClamAV for Windows 2.0 has officially launched. This version contains a new GUI, numerous new detection features, a new prevention engine, and a ton of other features. Check out ClamAV for Windows 2.0 (here)
New Features Include:
New GUI - Completely new UI for a better user experience.
Community Visualization – Graphical representation of your community and an understanding of the threat
Malware on Android? Big deal!
Malware and Google's Android OS are two of my favorite things to play with. You would think that when I heard that there was a Trojan in the wild targeting Android devices, I'd be all over it. Indeed, I was. But I was not happy because I just don't like the sound of "malware" and "Android" in the same sentence. I got a copy of the Trojan (MD5: fdb84ff8125b3790011b83cc85adce16) and proceeded to
Snort 2.9 Essentials: The DAQ
The recently released Snort 2.9 Beta introduces the Data AcQuisition library (DAQ) for packet I/O. The DAQ replaces direct calls into packet capture libraries like PCAP with an abstraction layer that makes it easy to add additional software or hardware packet capture implementations. DAQ 0.1 supports PCAP, AFPACKET, NFQ, IPQ, IPFW, and DUMP, which is used for testing.
So why the change? The DAQ
Quick analysis of a webpage leveraging CVE-2010-1885 (aka the help and support center vulnerability)
In a previous blog post I was writing about an increase in attacks against an at-the-time unpatched vulnerability. Microsoft patched it on July 13, which doesn't mean that people aren't still trying to own unpatched machines. goodgirlsbadguys.com (213.155.12.144) is a domain registered on July 19 2010 with a registrant address listed in Cambodia. Visiting a particular webpage for that domain (
Rule Release for Today, Tuesday August 10th, 2010
Microsoft Security Advisory MS10-046: Microsoft Windows Shell contains a vulnerability that may allow a remote attacker to execute code on an affected system. Previously released rules to detect attacks targeting these vulnerabilities have been updated with the appropriate reference and are included in this release. These are identified with GID 1, SIDs 17042 and 17043. Microsoft Security Advisory
Sourcefire VRT DI is Hiring
Here's your chance to become part of the Intelligence unit that powers the Vulnerability Research Team. We know all, we see all and we say almost nothing to anyone about anything. Kinda. Alright, not really. We get the data, we manage the data, we mine the data, we give out information and actionable intelligence. In short, we separate the intel from the noise.
You may have seen our previous
Rule Release for Today, Thursday July 22nd, 2010
Two main vulnerabilities are covered in this release: the Microsoft Windows Shell shortcut vulnerability (CVE-2010-2568) and the Siemens Simatic WinCC and PCS 7 SCADA vulnerability (CVE-2010-2772). Both of these are being actively used by the Stuxnet worm. More details are available here: http://www.snort.org/vrt/advisories/2010/07/22/vrt-rules-2010-07-22.html
Innovation -- You Keep Using That Word...
So, this week, the OISF has been on a media blitz about Suricata, their open-source Intrusion Detection System. As always, my preference is for you to review the information yourself, so before I give you my thoughts about the state of Suricata, here are some links:
http://www.computerworld.com/s/article/9179436/DHS_vendors_unveil_open_source_intrusion_detection_engine?taxonomyId=82
http://
The Power of Scapy
There is a special place in my heart for someone who accidentally causes all the Macs in the office to repeatably crash at the Grey Screen of Death. If you too like fun "accidents" or need to craft up some packets check out Judy Novak's SANS class on Scapy. This is an in-depth start to finish class on the Scapy API, and will take you from just knowing about Scapy to building complex packet
New Rule Categories
Three new rule categories were introduced yesterday (Tuesday, 13th July 2010) in SEU 348 and into the VRT Certified Rule packages. I'd like to take a moment to explain what's in these categories, where the data behind them is coming from, and what you should do if you turn them on and they start firing.
The initial set of rules for these categories was pulled from the specific-threats and
Rule Release for Today, Tuesday July 13th, 2010
Microsoft Security Advisory MS10-042: Microsoft Help and Support Center contains a programming error that may allow a remote attacker to bypass security restrictions on an affected system. The error occurs when invalid hex-encoded characters are used as a parameter to a search query using the hcp:// URI scheme. Microsoft Security Advisory MS10-043: The Microsoft Canonical Display Driver (cdd.dll)