Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Snort 2.8.6 is released!

Published: 2010-04-26
Last Updated: 2010-04-27 12:11:28 UTC
by Joel Esler (Version: 2)
0 comment(s)

Snort 2.8.6 is finally out.  It's been in beta and RC for awhile now, but here it is!  Sourcefire (the company I work for), the makers of Snort have been working on several of the features you see below for awhile, and we have plenty more in store.  So go update now!

[*] New Additions
* HTTP Inspect now splits requests into 5 components -
Method, URI, Header (non-cookie), Cookies, Body.
Content and PCRE rule options can now search one or more of these buffers.

HTTP server-specific configurations to normalize the HTTP header and/or cookies have been added.

Support gzip decompression across multiple packets.

* Added a Sensitive Data preprocessor, which performs detection of Personally Identifiable Information (PII).  A new rule option is available to define new PII.  See README.sensitive_data and the Snort Manual for configuration details.

* Added a new pattern matcher and related configurations.  The new pattern matcher is optimized to use less memory and perform at AC speed.

[*] Improvements
* Addressed problem to resolve output obfuscation affecting packets when Snort is inline.

* Preprocessors with memcap settings can now be configured in a "disabled" state.  This allows you to configure that memcap globally, but only enable the preprocessor in targeted configurations.

Go to http://www.snort.org to download the latest release!  I have two more posts that will be coming out later today with further updates, so make sure you read those as well. One of the posts, about rule updates, is huge and will affect everyone who uses Snort, so make sure you stay tuned!  Also, make sure you read the VRT blog for further information: http://vrt-sourcefire.blogspot.com

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
0 comment(s)

New VRT Rulepack Changes (all Snort Users should read)

Published: 2010-04-26
Last Updated: 2010-04-27 12:10:36 UTC
by Joel Esler (Version: 2)
1 comment(s)

There has been a lot of confusion between the rule update packs.  Some people would see the word "snortrules-snapshot-CURRENT_s.tar.gz" in the rulepack name, or the "snortrules-snapshot-2.8_s.tar.gz" name, and not know which ones to use, or which version of rulepack to use with which version of Snort, so hopefully with this change we've eliminated that confusion.  Now the Snort RulePacks are specific to "Version released".  

What does that mean for you?

If you are using 2.8.5.3 and are updating to 2.8.6 (recommended)

You need to go into your oinkmaster / pulledpork / wget / any updater that you are using, and change the name of the rulepack you are grabbing to the version that is specific to your environment, so if you are changing to 2.8.6, you will not only need to update to 2.8.6, but you will also need to change your rulepack name to:

snortrules-snapshot-2860.tar.gz

If you are using 2.8.5.3, and are NOT planning to update to 2.8.6 at this time

You STILL need to go into your oinkmaster / pulledpork / wget / any updater that you are using and change the name of the rulepack you are pulling to the version that is specific to your environment.

In short, everyone that uses Snort will need to make this change.  For the next 30-days, the "snortrules-snapshot-CURRENT.tar.gz" and "snortrules-snapshot-2.8.tar.gz" links will symlink to the "snortrules-snapshot-2853.tar.gz". So if you update to 2.8.6 you will need to change to the appropriate rulepack.

These symlinks will exist for the next 30-days.

If you are a Snort VRT rules subscriber (aka, you pay for it), the symlinks will be of use to you for 30-days, however, you are strongly encouraged to make the change now so that after the symlinks are removed, you won't get 404 errors.

If you are NOT a Snort VRT rules subscriber (aka, registered user, you don't pay for it, and you get the rulepack after the "30-day free window" is lifted) you need to make the change.  So for example, if snortrules-snapshot-CURRENT.tar.gz is in your rule download URL, you need to update it to snortrules-snapshot-2853.tar.gz (or snortrules-snapshot-2860.tar.gz if you update).  The Symlinks will NEVER apply to you, as the new packages won't be available to registered users for 30 days.

If you are running a version of Snort that is < 2.8.5.3.  

You will need to modify oinkmaster / pulledpork / wget / whatever update system you are using to remove 2.8.5.3 version specific rule keywords or Snort will fail to load.

Be sure and read my post in order to make sure you are fully up to date with everything going on. Also be sure and read the VRT blog for further information: http://vrt-sourcefire.blogspot.com

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

 

Keywords:
1 comment(s)

PulledPork v0.4.1 is released!

Published: 2010-04-26
Last Updated: 2010-04-27 12:06:02 UTC
by Joel Esler (Version: 2)
2 comment(s)

PulledPork is the 'newest' Snort rule updater.  Written by JJ Cummings, a Sourcefire guy like myself, and maintainer of https://www.openpacket.org, is a great way to keep your Snort rules up to date.  In addition to all the wonderful things that PulledPork does already (namely, it updates and auto-maintains Snort's SO rules!), the new version has these features: 

New Features/changes:

- Flowbit tracking! - This means that all flowbits are not enabled when a specific base ruleset is specified (security etc...) but rather all flowbits are now tracked, allowing for only those that are required to be enabled.

- Adjusted pulledpork.conf to account for new snort rules tarball naming and packing scheme, post Snort 2.8.6 release.

- Added option to specify all rule modification files in the master pulledpork.conf file - feature request 19.

- Added capability to specify base ruleset (see README.RULESETS) in master pulledpork.conf file.

- Handle preprocessor and sensitive-information rulesets

Bug Fixes:

- 18 - non-rule lines containing the string sid:xxxx were being populated into the rule data structure, added an extra check to ensure that this does not occur

- Cleaned up href pointers, syntatical purposes only...

- Modified master config to allow for better readability on smaller console based systems

- Error output was not always returning full error

Be sure and go here to download the newest update!

http://code.google.com/p/pulledpork/

Be sure and read my other two posts in order to make sure you are fully up to date with everything going on.

 

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

Keywords:
2 comment(s)

Vulnerable Sites Database

Published: 2010-04-26
Last Updated: 2010-04-26 16:50:26 UTC
by Raul Siles (Version: 1)
4 comment(s)

Besides other common sources of real security vulnerabilities made public, such as the full-disclosure mailing-list, zone-h.org (well known for the publication of web defacement and vulnerabilities), or the xssed.com (that publishes websites that are vulnerable to Cross-Site Scripting, XSS), a new website saw the light this month: the Vulnerable Sites Database (http://www.vs-db.info).

This disclosure repository publishes web server and web application vulnerabilities, such as Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL Injection (SQL), Cross-Site Scripting (XSS), Cross-Site REquest Forgery (CSRF), Directory Traversal, etc. The site says they practice "Responsible disclosure no details are made public (details of vulnerabilities are privately reported to developer or web site owners).", with limited details about the vulnerability, but definitely becoming a new wall of shame. A new place to keep an eye on and try not to show up in the picture.

Although similar initiatives existed in the past and then disappear, and although it is too soon to confirm, for now, the site remains very active with multiple daily entries.

----
Raul Siles
Founder and Senior Security Analyst with Taddong
www.taddong.com

4 comment(s)
Diary Archives