Feed aggregator

Sourcefire VRT DI is Hiring

vrt rules - Thu, 07/22/2010 - 23:05
Here's your chance to become part of the Intelligence unit that powers the Vulnerability Research Team. We know all, we see all and we say almost nothing to anyone about anything. Kinda. Alright, not really. We get the data, we manage the data, we mine the data, we give out information and actionable intelligence. In short, we separate the intel from the noise. You may have seen our previous

Rule Release for Today, Thursday July 22nd, 2010

vrt rules - Thu, 07/22/2010 - 20:20
Two main vulnerabilities covered in this release. Microsoft Windows Shell shortcut vulnerability (CVE-2010-2568) and the Siemens Simatic WinCC and PCS 7 SCADA vuln (CVE-2010-2772). Both of these are being actively used by the Stuxnet worm. More details are available here: http://www.snort.org/vrt/advisories/2010/07/22/vrt-rules-2010-07-22.html

Innovation -- You Keep Using That Word...

vrt rules - Wed, 07/21/2010 - 14:10
So, this week, the OISF has been on a media blitz about Suricata, their open-source Intrusion Detection System.  As always, my preference is for you to review the information yourself, so before I give you my thoughts about the state of Suricata, here are some links: http://www.computerworld.com/s/article/9179436/DHS_vendors_unveil_open_source_intrusion_detection_engine?taxonomyId=82 http://

The Power of Scapy

vrt rules - Mon, 07/19/2010 - 18:22
There is a special place in my heart for someone who accidentally causes all the Macs in the office to repeatably crash at the Grey Screen of Death. If you too like fun "accidents" or need to craft up some packets check out Judy Novak's SANS class on Scapy. This is an in-depth start to finish class on the Scapy API, and will take you from just knowing about Scapy to building complex packet

Vulnerability Report - July 2010

vrt rules - Thu, 07/15/2010 - 22:11
Sourcefire VRT Vulnerability Report July 2010 from Sourcefire VRT on Vimeo.

New Rule Categories

vrt rules - Wed, 07/14/2010 - 17:41
Three new rule categories were introduced yesterday (Tuesday, 13th July 2010) in SEU 348 and into the VRT Certified Rule packages. I'd like to take a moment to explain what's in these categories, where the data behind them is coming from, and what you should do if you turn them on and they start firing. The initial set of rules for these categories was pulled from the specific-threats and

Rule Release for Today, Tuesday July 13th, 2010

vrt rules - Tue, 07/13/2010 - 22:33
Microsoft Security Advisory MS10-042: Microsoft Help and Support Center contains a programming error that may allow a remote attacker to bypass security restrictions on an affected system. The error occurs when invalid hex-encoded characters are used as a parameter to a search query using the hcp:// URI schema. Microsoft Security Advisory MS10-043: The Microsoft Canonical Display Driver (cdd.dll)

Fundamentals of Exploit Development Class in VEGAS!

vrt rules - Thu, 07/08/2010 - 16:14
Need some more exploit fun? Want to stay in Vegas a little longer? Need some face time with the VRT? We are holding the fundamentals of exploit development class right after DefCon this year. August 2nd, 3rd and 4th in Las Vegas, NV. For more details and to book your place, take a look at http://www.sourcefire.com/services/education/schedule/

Increase in attacks on CVE-2010-1885

vrt rules - Thu, 07/08/2010 - 15:12
Microsoft is warning that there has been an increase of attacks against a zero-day vulnerability in Microsoft Help and Support Center. The vulnerability is due to an error when using invalid hexadecimal characters in the search topic parameter of a URI. It can be used to bypass restrictions normally imposed by a command-line argument to load arbitrary help documents. Proof-of-concept code has

Yes, Virginia, There is Cyberwar

vrt rules - Wed, 07/07/2010 - 19:40
DEAR EDITOR: I have been in security for 8 years. Some of my friends say there is no such thing as cyberwar. My manager says, "If you see it on the VRT Blog then it's so." Please tell me the truth; is there cyberwar?
Virginia O'Hanlon.
115 West Ninety-Fifth Street.

Virginia, Your friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except

Rule Release for Today, Thursday July 1st, 2010

vrt rules - Thu, 07/01/2010 - 21:51
Remote code execution in Adobe Acrobat and Reader. Some folks are claiming it's a denial of service, heh, right. RCE is possible, get your rules here: http://www.snort.org/vrt/advisories/2010/07/01/vrt-rules-2010-07-01.html/

IMPORTANT Rule Download Change

vrt rules - Wed, 06/30/2010 - 21:07
Today the Snort Web Team made a change to the way that Snort rules are downloaded from snort.org. Hopefully this will result in faster downloads for most people. The changes are highlighted below: We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be

Rule Release for Today, Tuesday June 29th, 2010

vrt rules - Tue, 06/29/2010 - 21:47
We added and modified multiple rules in the backdoor, dos, exploit, misc, multimedia, netbios, oracle, pop3, rpc, specific-threats, web-activex, web-client and web-misc rule sets. Information is here: http://www.snort.org/vrt/advisories/2010/06/29/vrt-rules-2010-06-29.html/

Smart Grids and the Importance of Smart Security Choices

vrt rules - Mon, 06/28/2010 - 15:43
I got a flyer in my mail a couple of days ago, telling me that my local utility company would be coming out soon to install a smart meter on my house. Like most customers, I didn't think too much about it, until the new meter was installed today. That's when my curiosity got the better of me - even though I arrived home after dark, I had to go take a look at the shiny new toy on the side of my

ClamAV for Windows

vrt rules - Tue, 06/22/2010 - 21:23
Recently, we released the only official Windows-specific version of ClamAV, appropriately called ClamAV for Windows (http://www.clamav.net/lang/en/about/win32/). It is designed to use little memory and processing speed because it uses an advanced cloud-based protection mechanism, best of all it's free (as in free beer. Ummm...beeeeer). If you haven't tried it yet, I really encourage you to. You

Emerging Threats Announces Call for Developers to Create New and Improved Rule Set

Emergingthreats - Mon, 06/21/2010 - 18:26

Emerging Threats today announces an open call for developers to assist in creating QA, load testing, backend management, and execute rule porting activities to support a professional-grade IDS ruleset for multiple IDS engines and platforms.

With this call for developers, Emerging Threats seeks to further engage and employ both existing and new members of the open-source security community.

The Suricata engine is a significant supported platform in addition to Snort and others. With advanced features such as a multi-threaded design and IP reputation, Suricata unlocks the potential for a more advanced ruleset than was previously possible.

With the speed of malware creation rapidly advancing, Emerging Threats plans to create additional research and intelligence resources to advance rulesets and policies.  This will allow Emerging Threats to continue to provide individuals and companies with the advanced protection they have come to expect from the open community.

Emerging Threats is an open source community project that produces the fastest and most diverse IDS signature set available today, through the contributions and support of its community.

Successful candidates should be familiar with the snort rule syntax, Suricata, malware trends and command and control methods, vulnerability concepts, and a deep understanding of network protocols.

If you are interested in participating in this initiative, please contact Matt Jonkman at jonkman@emergingthreats.net or threats@emergingthreats.net

Complete announcement here:

http://www.emergingthreats.net/6.21.10_ET_CallforDevelopers.pdf

Defenders of the Faith

vrt rules - Mon, 06/21/2010 - 17:01
Quite recently, Tavis Ormandy released a 0-day vulnerability in a prominent piece of software. For this transgression, both he and his employer received a good deal of bad press. Sadly, very few in the professional security researcher crowd made enough noise about this, and to the contrary, one man in particular came down squarely against him. Thankfully however we still have Brad Spengler.

Snorby 1.4 Available!

Emergingthreats - Fri, 06/18/2010 - 14:25

From the Snorby guys:

I'm pleased to announce the new release of the new (SPSA) Snorby Preconfigured Security Applications version 1.4.

Snorby preconfigured security applications make it effortless for anyone to use Snorby, the new and modern Snort IDS front-end. With (SPSA) Snorby Preconfigured Security Applications, it is possible to get Snorby and Snort up and running out of the box within a few minutes.

(SPSA) Snorby Preconfigured Security Applications web page

http://www.cryptolife.org/index.php/Spsa

[*] Improvements and fixes

* Snort 2.8.6 added

* Apache2-ssl support added ( https://ipaddress:8080 )

* Crontab issue fixed

* Webmin removed

* Shellinabox removed

* Turnkey linux configuration console modified

* Snorby installation moved to /var/Snorby

Enjoy, Phillip

-- (SPSA) Snorby Preconfigured Security Applications http://www.cryptolife.org/index.php/Spsa

Rule Release for Today - June 17th, 2010

vrt rules - Thu, 06/17/2010 - 21:27
As a result of ongoing research, the Sourcefire VRT has added multiple rules in the dos, exploit, ftp, mysql, policy, rpc, specific-threats, spyware-put, web-activex, web-client, web-misc and web-php rule sets to provide coverage for emerging threats from these technologies. For a complete list of new and modified rules please see: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06

National Cyber-Security Emergency and Phenomenal Cosmic Power or Lieberman -- EARN IT

vrt rules - Tue, 06/15/2010 - 15:23
So…you’re at the bar and across the room you see this incredible [insert whatever floats your boat here]. You spend an inappropriate amount of your time watching this person and your mind starts to fill in the details that the dark environment masks. Then they turn around, walk towards the bar and (finally!) walk into enough light that you can see what they look like. Your first thought…”KILL IT