DigiNotar certificates

Following the DigiNotar breach, certificates for well-known domain names were issued to an untrusted party.

Mozilla: http://www.mozilla.org/security/announce/2011/mfsa2011-35.html
SANS: https://isc.sans.edu/diary/DigiNotar+breach+-+the+story+so+far/11500
Tor rogue certs list: https://svn.torproject.org/svn/projects/misc/diginotar/rogue-certs-2011-...
VASCO: http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar...

Emerging Threats rules:

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com 1"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; classtype:misc-activity; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; sid:2013500; rev:1; resp: reset_both,icmp_all;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com 2"; flow:established,from_server; content:"|0c 76 da 9c 91 0c 4e 2c 9e fe 15 d0 58 93 3c 4c|"; content:"google.com"; within:250; classtype:misc-activity; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; sid:2013501; rev:1; resp: reset_both,icmp_all;)
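What the two rules actually test is a pair of content matches tied together by within:250. The script below is an added example, not part of the original post or of the Emerging Threats rule set: it replays that content/within logic in Python so the rule body can be exercised on constructed data. It assumes the usual Snort semantics for a content with within and no distance modifier (the second content must lie entirely inside the 250 bytes that follow the end of the first match); the "server bytes" it builds are constructed test data, not a real TLS handshake, and it makes no claim about what the 16-byte pattern represents inside the certificate.

```python
# Added example (not from the original post or the ET rule set): replay the
# content / within matching of the two DigiNotar rules on constructed data.
# Assumed Snort semantics: with no distance modifier, the second content must
# lie entirely inside the `within` bytes that follow the end of the first match.

def parse_content(spec: str) -> bytes:
    """Convert a Snort content string (text with optional |hex| sections) to bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 0:                      # text outside the pipes
            out += part.encode("latin-1")
        else:                               # hex inside the pipes, spaces ignored
            out += bytes.fromhex(part)
    return bytes(out)


def content_within(payload: bytes, first: bytes, second: bytes, within: int) -> bool:
    """True if `second` occurs entirely within `within` bytes after some
    occurrence of `first` (later occurrences of `first` are tried if the
    first one fails)."""
    start = payload.find(first)
    while start != -1:
        end = start + len(first)
        if second in payload[end:end + within]:
            return True
        start = payload.find(first, start + 1)
    return False


# The two content strings from SID 2013500 / 2013501 (upper- and lower-case
# hex parse to the same 16 bytes, so both rules test the same thing).
CERT_PATTERN = parse_content("|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|")
NAME_PATTERN = parse_content("google.com")


def diginotar_rule_matches(server_bytes: bytes) -> bool:
    """Apply the rule body: both contents present, the name within 250 bytes."""
    return content_within(server_bytes, CERT_PATTERN, NAME_PATTERN, 250)


def sample_response(gap: int, with_pattern: bool = True) -> bytes:
    """Constructed server-to-client bytes: a fake record header, the 16-byte
    pattern (optional), `gap` filler bytes, then a subject-like name string."""
    data = bytearray(b"\x16\x03\x01\x00\x00")        # constructed, not real TLS
    if with_pattern:
        data += CERT_PATTERN
    data += b"A" * gap + b"CN=*.google.com" + b"B" * 40
    return bytes(data)


if __name__ == "__main__":
    for gap, present in ((100, True), (235, True), (245, True), (100, False)):
        print(gap, present, diginotar_rule_matches(sample_response(gap, present)))
```

Two practical caveats follow from this: the rule only fires when the sensor sees the server's certificate in the clear on port 443 (it cannot see inside an already-established TLS session or a different port), and the resp keyword only sends the resets when Snort is built and configured for active response; otherwise the rule just alerts. The durable fix was removing the DigiNotar roots from the trust stores, as the Mozilla advisory above describes; the IDS rule is a stopgap for the window before that update reaches clients.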

 

Two years of IT sensor based on Nepenthes

Hi,

Here are the results of two years of honeypot collection based on Nepenthes:

Top 10 IP rules:

http://www.snortattack.org/sensor/RULEZ_IP.rules

Top 10 file rules:

http://www.snortattack.org/sensor/RULEZ_FILE.rules

 

New preprocessor for SIP

Hi,

Snort 2.9.1 ships a new preprocessor for the SIP protocol.

Here are the snort.conf examples from the Snort manual (the preprocessor relies on stream5 session tracking for both TCP and UDP, so stream5 has to be configured before it):

preprocessor sip
preprocessor sip: max_sessions 500000
preprocessor sip: max_contact_len 512, max_sessions 300000, methods { invite \
cancel ack bye register options } , ignore_call_channel
preprocessor sip: ports { 5060 49848 36780 10270 }, max_call_id_len 200, \
max_from_len 100, max_to_len 200, max_via_len 1000, \
max_requestName_len 50, max_uri_len 100, ignore_call_channel,\
max_content_len 1000
preprocessor sip: disabled
preprocessor sip: ignore_call_channel
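Most of the options above are length and method limits, and it is easier to see what they mean by applying them to a real SIP request. The checker below is an added example and is not the preprocessor's own code or taken from the Snort manual: it parses one SIP request and reports violations of the same kinds of limits the options express (methods, max_requestName_len for the method token, max_uri_len, max_call_id_len, max_from_len, max_to_len, max_via_len, max_content_len). The limit values, the header-to-option mapping and the sample INVITE are constructed for this example; the preprocessor's alert numbering and its session handling (max_sessions, ports, ignore_call_channel) are not reproduced.

```python
# Added example (not the Snort SIP preprocessor's code): apply the kinds of
# limits the `preprocessor sip` options express to one SIP request.
# Limit values, header mapping and sample message are constructed for the demo.

DEFAULT_LIMITS = {
    "methods": {"invite", "cancel", "ack", "bye", "register", "options"},
    "max_requestName_len": 50,   # length of the method token on the request line
    "max_uri_len": 100,
    "max_call_id_len": 200,
    "max_from_len": 100,
    "max_to_len": 200,
    "max_via_len": 1000,
    "max_content_len": 1000,
}

# Which option bounds which header value (assumed mapping for this example).
HEADER_LIMITS = {
    "call-id": "max_call_id_len",
    "from": "max_from_len",
    "to": "max_to_len",
    "via": "max_via_len",
}


def parse_sip_request(raw: bytes):
    """Split a SIP request into (method, uri, headers, body). Header names are
    lower-cased; repeated headers such as Via are kept as a list of values."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        raise ValueError("malformed request line")
    method, uri, _version = request_line
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep != ":":
            raise ValueError(f"malformed header line: {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, uri, headers, body


def check_sip_request(raw: bytes, limits=DEFAULT_LIMITS):
    """Return the list of limit violations for one SIP request (empty = clean)."""
    findings = []
    try:
        method, uri, headers, body = parse_sip_request(raw)
    except (ValueError, UnicodeDecodeError) as exc:
        return [f"unparsable request: {exc}"]
    if len(method) > limits["max_requestName_len"]:
        findings.append("request method name too long")
    elif method.lower() not in limits["methods"]:
        findings.append(f"method {method} not in configured methods")
    if len(uri) > limits["max_uri_len"]:
        findings.append("request URI too long")
    for header, option in HEADER_LIMITS.items():
        for value in headers.get(header, []):
            if len(value) > limits[option]:
                findings.append(f"{header} header too long")
    if len(body) > limits["max_content_len"]:
        findings.append("body exceeds max_content_len")
    return findings


# Constructed sample INVITE (RFC 3261 style addresses, not a captured message).
GOOD_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def oversized_invite() -> bytes:
    """Same request with a Call-ID far beyond max_call_id_len (constructed)."""
    return GOOD_INVITE.replace(b"a84b4c76e66710@192.0.2.10", b"x" * 250 + b"@192.0.2.10")


def unknown_method() -> bytes:
    """Same request with a method that is not in the configured list (constructed)."""
    return GOOD_INVITE.replace(b"INVITE sip:", b"FOOBAR sip:", 1)


if __name__ == "__main__":
    for name, msg in (("good", GOOD_INVITE), ("oversized", oversized_invite()),
                      ("unknown", unknown_method())):
        print(name, check_sip_request(msg))
```

The methods option only lists what the preprocessor tracks; a request with a method outside the list is reported, so if the PBX legitimately uses SUBSCRIBE, NOTIFY or UPDATE those have to be added or the alerts will be noise. ignore_call_channel is the other tuning knob worth knowing: it tells the preprocessor not to inspect the RTP media stream negotiated by the call, which saves a lot of CPU on a busy voice network.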

 

killapache.pl

Hi,

On 25 August a new/old denial-of-service vulnerability in Apache was disclosed.
The VRT rule SID 19825 covers the attack against Apache.

http://archives.neohapsis.com/archives/fulldisclosure/2011-08/att-0203/k...
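killapache.pl works by sending a single request whose Range header carries a very large number of byte ranges (the Apache Range-header DoS, CVE-2011-3192). The parser below is an added example and is not the fulldisclosure script, the VRT rule, or Apache's own code: it parses an HTTP Range header and classifies it the way a detection or a front-end filter would, rejecting more than five ranges (the limit Apache's published mitigation used), inverted ranges and overlapping ranges. The threshold, the verdict names and the sample headers are constructed for this example; the header builder is modelled on the shape of the request the script sent ("bytes=0-,5-0,5-1,...") and is not the script itself.

```python
# Added example (not killapache.pl, SID 19825 or Apache code): parse an HTTP
# Range header and classify the multi-range pattern the Apache DoS relied on.
# Threshold (5 ranges) and verdict names are constructed for this example.
import re

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def parse_range_header(value: str):
    """Parse 'bytes=a-b,c-,-d' into a list of (start, end) tuples; None means
    the side is open.  Raises ValueError on a syntactically invalid header."""
    unit, sep, spec = value.strip().partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        raise ValueError("not a bytes range")
    ranges = []
    for item in spec.split(","):
        m = RANGE_SPEC.match(item.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            raise ValueError(f"bad range spec: {item!r}")
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def classify_range_header(value: str, max_ranges: int = 5) -> str:
    """Return 'ok', 'malformed', 'too_many_ranges', 'inverted_range' or
    'overlapping_ranges'.  Legitimate clients ask for a handful of ascending,
    disjoint ranges; the DoS request asks for hundreds that overlap."""
    try:
        ranges = parse_range_header(value)
    except ValueError:
        return "malformed"
    if len(ranges) > max_ranges:
        return "too_many_ranges"
    if any(s is not None and e is not None and e < s for s, e in ranges):
        return "inverted_range"
    concrete = sorted((s, e) for s, e in ranges if s is not None and e is not None)
    for (_, prev_end), (start, _) in zip(concrete, concrete[1:]):
        if start <= prev_end:
            return "overlapping_ranges"
    return "ok"


def killapache_style_header(n: int = 1300) -> str:
    """Constructed header in the shape the script sent: one open range followed
    by n ranges that all start at byte 5."""
    return "bytes=0-," + ",".join(f"5-{i}" for i in range(n))


if __name__ == "__main__":
    samples = [
        "bytes=0-499",                 # normal resume / partial download
        "bytes=0-99,200-299,500-",     # a few disjoint ranges: fine
        "bytes=0-99,50-150",           # overlapping
        "items=1-2",                   # wrong unit
        killapache_style_header(),     # the DoS shape
    ]
    for s in samples:
        print(classify_range_header(s), s[:40])
```

Counting ranges is the cheap check and is what a network rule can realistically do; the overlap and inversion checks are what a reverse proxy or WAF in front of an unpatched server should add, since a small number of heavily overlapping ranges still costs the server far more memory than it should. Patching Apache remains the real fix; filtering the header only buys time.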