vrt rules

We are the Sourcefire Vulnerability Research Team. We are legion. Resistance is futile.
Sourcefire VRT DI is Hiring

Thu, 07/22/2010 - 23:05
Here's your chance to become part of the Intelligence unit that powers the Vulnerability Research Team. We know all, we see all and we say almost nothing to anyone about anything. Kinda. Alright, not really. We get the data, we manage the data, we mine the data, we give out information and actionable intelligence. In short, we separate the intel from the noise. You may have seen our previous

Rule Release for Today, Thursday July 22nd, 2010

Thu, 07/22/2010 - 20:20
Two main vulnerabilities covered in this release: the Microsoft Windows Shell shortcut vulnerability (CVE-2010-2568) and the Siemens Simatic WinCC and PCS 7 SCADA vuln (CVE-2010-2772). Both of these are being actively used by the Stuxnet worm. More details are available here: http://www.snort.org/vrt/advisories/2010/07/22/vrt-rules-2010-07-22.html

Innovation -- You Keep Using That Word...

Wed, 07/21/2010 - 14:10
So, this week, the OISF has been on a media blitz about Suricata, their open-source Intrusion Detection System. As always, my preference is for you to review the information yourself, so before I give you my thoughts about the state of Suricata, here are some links: http://www.computerworld.com/s/article/9179436/DHS_vendors_unveil_open_source_intrusion_detection_engine?taxonomyId=82 http://

The Power of Scapy

Mon, 07/19/2010 - 18:22
There is a special place in my heart for someone who accidentally causes all the Macs in the office to repeatably crash at the Grey Screen of Death. If you too like fun "accidents" or need to craft up some packets check out Judy Novak's SANS class on Scapy. This is an in-depth start to finish class on the Scapy API, and will take you from just knowing about Scapy to building complex packet

Vulnerability Report - July 2010

Thu, 07/15/2010 - 22:11
Sourcefire VRT Vulnerability Report July 2010 from Sourcefire VRT on Vimeo.

New Rule Categories

Wed, 07/14/2010 - 17:41
Three new rule categories were introduced yesterday (Tuesday, 13th July 2010) in SEU 348 and into the VRT Certified Rule packages. I'd like to take a moment to explain what's in these categories, where the data behind them is coming from, and what you should do if you turn them on and they start firing. The initial set of rules for these categories was pulled from the specific-threats and

Rule Release for Today, Tuesday July 13th, 2010

Tue, 07/13/2010 - 22:33
Microsoft Security Advisory MS10-042: Microsoft Help and Support Center contains a programming error that may allow a remote attacker to bypass security restrictions on an affected system. The error occurs when invalid hex-encoded characters are used as a parameter to a search query using the hcp:// URI schema. Microsoft Security Advisory MS10-043: The Microsoft Canonical Display Driver (cdd.dll)

Fundamentals of Exploit Development Class in VEGAS!

Thu, 07/08/2010 - 16:14
Need some more exploit fun? Want to stay in Vegas a little longer? Need some face time with the VRT? We are holding the fundamentals of exploit development class right after DefCon this year. August 2nd, 3rd and 4th in Las Vegas, NV. For more details and to book your place, take a look at http://www.sourcefire.com/services/education/schedule/

Increase in attacks on CVE-2010-1885

Thu, 07/08/2010 - 15:12
Microsoft is warning that there has been an increase of attacks against a zero-day vulnerability in Microsoft Help and Support Center. The vulnerability is due to an error when using invalid hexadecimal characters in the search topic parameter of a URI. It can be used to bypass restrictions normally imposed by a command-line argument to load arbitrary help documents. Proof-of-concept code has

Yes, Virginia, There is Cyberwar

Wed, 07/07/2010 - 19:40
DEAR EDITOR: I have been in security for 8 years. Some of my friends say there is no such thing as cyberwar. My manager says, "If you see it on the VRT Blog then it's so." Please tell me the truth; is there cyberwar? Virginia O'Hanlon. 115 West Ninety-Fifth Street. Virginia, your friends are wrong. They have been affected by the skepticism of a skeptical age. They do not believe except

Rule Release for Today, Thursday July 1st, 2010

Thu, 07/01/2010 - 21:51
Remote code execution in Adobe Acrobat and Reader. Some folks are claiming it's a denial of service, heh, right. RCE is possible, get your rules here: http://www.snort.org/vrt/advisories/2010/07/01/vrt-rules-2010-07-01.html/

IMPORTANT Rule Download Change

Wed, 06/30/2010 - 21:07
Today the Snort Web Team made a change to the way that Snort rules are downloaded from snort.org. Hopefully this will result in faster downloads for most people. The changes are highlighted below: We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be

Rule Release for Today, Tuesday June 29th, 2010

Tue, 06/29/2010 - 21:47
We added and modified multiple rules in the backdoor, dos, exploit, misc, multimedia, netbios, oracle, pop3, rpc, specific-threats, web-activex, web-client and web-misc rule sets. Information is here: http://www.snort.org/vrt/advisories/2010/06/29/vrt-rules-2010-06-29.html/

Smart Grids and the Importance of Smart Security Choices

Mon, 06/28/2010 - 15:43
I got a flyer in my mail a couple of days ago, telling me that my local utility company would be coming out soon to install a smart meter on my house. Like most customers, I didn't think too much about it, until the new meter was installed today. That's when my curiosity got the better of me - even though I arrived home after dark, I had to go take a look at the shiny new toy on the side of my

ClamAV for Windows

Tue, 06/22/2010 - 21:23
Recently, we released the only official Windows-specific version of ClamAV, appropriately called ClamAV for Windows (http://www.clamav.net/lang/en/about/win32/). It is designed to use little memory and processing speed because it uses an advanced cloud-based protection mechanism; best of all, it's free (as in free beer. Ummm...beeeeer). If you haven't tried it yet, I really encourage you to. You

Defenders of the Faith

Mon, 06/21/2010 - 17:01
Quite recently, Tavis Ormandy released a 0-day vulnerability in a prominent piece of software. For this transgression, both he and his employer received a good deal of bad press. Sadly, very few in the professional security researcher crowd made enough noise about this, and to the contrary, one man in particular came down squarely against him. Thankfully however we still have Brad Spengler.

Rule Release for Today - June 17th, 2010

Thu, 06/17/2010 - 21:27
As a result of ongoing research, the Sourcefire VRT has added multiple rules in the dos, exploit, ftp, mysql, policy, rpc, specific-threats, spyware-put, web-activex, web-client, web-misc and web-php rule sets to provide coverage for emerging threats from these technologies. For a complete list of new and modified rules please see: http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-06

National Cyber-Security Emergency and Phenomenal Cosmic Power or Lieberman -- EARN IT

Tue, 06/15/2010 - 15:23
So…you’re at the bar and across the room you see this incredible [insert whatever floats your boat here]. You spend an inappropriate amount of your time watching this person and your mind starts to fill in the details that the dark environment masks. Then they turn around, walk towards the bar and (finally!) walk into enough light that you can see what they look like. Your first thought…”KILL IT

Rule Release for Today - June 14th, 2010

Mon, 06/14/2010 - 20:20
Apple Safari RCE (CVE-2010-1939), Google Chrome GLUG bypass (CVE-2010-1663). Details available here: http://www.snort.org/vrt/advisories/2010/06/14/vrt-rules-2010-06-14.html/

Sourcefire VRT Expansion Plans (We are Hiring)

Mon, 06/14/2010 - 13:46
One of the hardest things in life is finding the right place to work, where you can spend eight to ten hours a day doing something you enjoy and also pay your bills. I’ve been lucky enough in my life to find this type of place three times: HiverWorld, Farm9, and Sourcefire. Each one of these places had a number of attributes that made it appealing to me, and made it where I wanted to spend the