vrt rules
We are the Sourcefire Vulnerability Research Team. We are legion. Resistance is futile.
The Sudden Reappearance of MS03-039
Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were seeing constituted false positives. Opening up the supplied packet captures, the DCERPC payload in question looked odd at
Rule release for today - February 26th 2010
Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute commands on a vulnerable system. The attacker needs to supply VBScript to invoke winhlp32.exe, which can then be used to execute commands via a specially crafted .HLP file.
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-02-26.html
CyberShockWave
There has been a lot of talk about CNN’s special presentation called “Cyber Shockwave” in the past couple of days. The program was an edited presentation of the 4-hour war games exercise that took place at the Mandarin Oriental Hotel in Washington D.C. Designed by Michael Hayden, a former CIA director, sponsored by the Bipartisan Policy Center and billed as a “simulated cyber attack on our nation
Microsoft Tuesday Coverage for February 2010
Well, Microsoft really made up for a light patch in January with a hefty dose of vulnerabilities this month. We had our hands full dealing with this avalanche. We have coverage for all of the non-local vulnerabilities; only a couple of the issues were already covered by previously released rules, and the rest are all new.
Check out the rule release details here: http://www.snort.org/vrt/advisories/2010/02/09/vrt-rules
Introduction to the Shared Object Rules Generator
This is the first of a series of blog posts about writing Shared Object (SO) rules for Snort. Not a lot of documentation exists as yet about how SO rules work or how to write them, and honestly this particular post isn't going to cover a lot of that information directly. Instead, we're going to go with an approach more akin to throwing everyone into the deep end of the pool but with a nice, big
Coming Soon To A Snort User's Group Near You
I was in Chicago last Friday for a meeting of the local Snort Users' Group (Powerpoint presentation available here). While the weather was as crummy as you'd expect out of Chicago in January, overall it was an excellent visit, thanks to the group of people who turned out for the meeting. The ChiSUG people are friendly, know their stuff, and had plenty of intelligent questions after my
Using byte_jump as a Detection Mechanism
This is just a quick tidbit about writing effective Snort rules that I thought I would share. I was writing a Snort shared object (SO) rule for demonstration purposes. I was going to use a "vulnerability" where the DATA section, which is the last part of the packet, specifies a size that is smaller than the actual amount of data left in the payload.
The idea is based on a fairly standard
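To make the detection pattern concrete, here is an added Python sketch. It is not code from the original post and it is not Snort rule syntax; it emulates what a byte_jump-based check does: read the declared DATA length, jump past that many bytes, and alert if any payload remains. The message layout (a 2-byte type followed by a 2-byte big-endian DATA length and then DATA as the final field) is an assumption for the example, not the protocol the post was targeting, and the sample messages are constructed inline.

```python
import struct
from typing import Optional, Tuple

# Assumed (hypothetical) message layout for this example:
#   2 bytes  message type
#   2 bytes  declared length of DATA, big-endian
#   N bytes  DATA, which is the last field in the message
HEADER_LEN = 4


def build_message(msg_type: int, data: bytes,
                  declared_len: Optional[int] = None) -> bytes:
    """Build a constructed test message.

    declared_len lets the caller lie about the DATA size, which is
    exactly the condition the detection below is looking for.
    """
    if declared_len is None:
        declared_len = len(data)
    return struct.pack(">HH", msg_type, declared_len) + data


def inspect_message(payload: bytes) -> Tuple[str, int]:
    """Emulate byte_jump + isdataat over one message.

    Returns (verdict, leftover) where leftover is the number of bytes
    found after the declared end of DATA:
      "short-header"  payload too small to hold the length field
      "truncated"     declared length runs past the end of the payload
      "ok"            DATA ends exactly where the payload ends
      "alert"         bytes remain after the declared end of DATA
    """
    if len(payload) < HEADER_LEN:
        return ("short-header", 0)

    # Read the 2-byte length field at offset 2 (this is the byte_jump source).
    _msg_type, declared_len = struct.unpack_from(">HH", payload, 0)

    # Jump to the position just past the declared DATA section.
    end_of_data = HEADER_LEN + declared_len
    if end_of_data > len(payload):
        # A length larger than what is on the wire is a different problem
        # (truncation or a bogus length), so report it separately.
        return ("truncated", 0)

    # The isdataat part: is there anything left after the jump?
    leftover = len(payload) - end_of_data
    return ("alert" if leftover else "ok", leftover)


if __name__ == "__main__":
    # Constructed samples: one honest message, one that understates its
    # DATA length, one that overstates it, and one with no length field.
    samples = {
        "honest": build_message(1, b"ABCD"),
        "understated": build_message(1, b"ABCDEF", declared_len=4),
        "overstated": build_message(1, b"ABCD", declared_len=8),
        "tiny": b"\x00\x01",
    }
    for name, pkt in samples.items():
        print(f"{name:12s} {inspect_message(pkt)}")
```

The Snort equivalent of inspect_message's core is a content match that lands just before the length field, a byte_jump of 2 bytes relative to it, and then isdataat:1,relative, so the rule fires only when bytes remain after the declared end of DATA.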
The Acrobat JavaScript Blacklist Framework
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blacklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts.
First of all, I am very pleased with this new blacklisting feature. Until now, when we knew about 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in
January 2010 Vulnerability Report
Sourcefire VRT Vulnerability Report January 2010 (video from Sourcefire VRT on Vimeo). This month Alain Zidouemba talks about Microsoft Tuesday, Adobe patches, Snort and ClamAV releases. From the beach. Where it's warm. While the rest of us freeze. Just saying. Putting it out there.
VRT Guide To IDS Ruleset Tuning
Everyone who's ever used Snort, or any other IDS for that matter, for any length of time knows that in order to get the most of out of their system, they need to tune it. Most people have at least a basic idea of what that means - choosing the right rules to run, placing the system at the right spot in the network, etc. - but judging from some of the questions that routinely come in to the VRT,
Adobe Responds to Vendor Response Blog Post
Hey folks, Brad Arkin, Director, Product Security & Privacy for Adobe Systems, left a note in the comments section of my blog entry on vendor response (http://vrt-sourcefire.blogspot.com/2009/12/matts-guide-to-vendor-response.html). In that post, I expressed my concern on a number of issues related to Adobe Systems' response capability. Since most people who read that entry would not see the
The Last List of 2009 - Predicting Security in 2010
As the guy in charge I've been too busy with the day-to-day operations of the Sourcefire VRT to create the cliched, annual "Top 10 List" of things that have come and gone, or things that will happen in the future. However I've procrastinated long enough on this topic, so without further ado, here are my predictions for 2010. I only managed to come up with five, but I hope you will enjoy them.