Snort
The Open Source Network Intrusion Detection System
Hosted by Sourcefire
News

Paper: Increasing Performance in High Speed NIDS Posted by brian : 2002-03-07 17:11:33-05
Neil Desai has written a very good paper discussing a number of methods to increase the performance of Snort and of NIDS in general. Neil discusses a number of bottlenecks that Snort has, a brief history of snort's pattern matching, the work that Silicon Defense did with Aho-Corasick_Boyer-Moore, and the differences between network grep and protocol analysis.

This paper is a very good read for developers, users, and newbies alike. Kudos to Neil on the well-written paper. Read it here.

snort-1.8.4 beta4 released Posted by brian : 2002-03-02 16:00:29-05
This should be the last release before 1.8.4. Changes since beta3:
  • fix for stream4 crashes
  • massive rule merges

If all goes well, this will be final before 1.8.4. (we've said it before, but we really mean it this time :P)

Article: Snort, the guard pig Posted by brian : 2002-03-01 08:24:49-05
Wes Simonds of searchNetworking published an article about your favorite IDS and mine, Snort. Wes gives a brief (non IDS geek) look at snort and SourceFire. Wes also points out that many people were complaining about the lack of an associated drinking game for snort, but thanks to Erek's hard work that's been taken care of.

Read the article here.

Help is still needed Posted by brian : 2002-02-28 18:22:26-05
We are trying very hard to have a great snort.org rules database full of information to help us all spend less time researching events that our sensors pick up. Just pick 1 signature from here, queue it up and submit the template to snort-sigs.

Our full request for help is here.

Chris and I would also like to extend thanks to everyone that has been contributing to the database. Putting in a few definitions really helps out.

Snort 1.8.4 Beta 3! Posted by cmg : 2002-02-28 18:02:50-05
Hopefully, this will be the last release before snort 1.8.4. Changes since Beta2:
  • Oracle Schema update (Chad Kreimendahl)
  • spo_database updates (Roman Danyliw)
  • spp_stream4 on SPARC fixes
  • small memory problems (pointed out by Magnus Almgren)
  • spo_xml uses classification id now (Roman Danyliw)
  • --with-mysql=/blah should now work against the /blah installation

For snortdb users, there is no need to update your schema if you are using 104.

The only change that I am anticipating between 1.8.4-beta3 and 1.8.4 proper is the movement of several additional rules from the HEAD branch into 1.8.4 and moving proven experimental rules into their final resting place.

If you keep track of the current snapshot rules at snortrules.tar.gz, ...

Read More
Article: IDSs Perspective Posted by brian : 2002-02-26 07:45:04-05
Gartner has put together a Market Analysis of the IDSs out there. This paper includes information as to who, what, how and why. This is a fairly good analysis of the IDSs available and what good they do for you. Gartner goes into managed services, log correlators, and other in-depth technologies. Oh, and yes. Snort is mentioned :)

Read it here.

Snort 1.8.4 Beta2 available Posted by cmg : 2002-02-25 09:28:17-05
The Snort development team is pleased to announce that 1.8.4-beta2 is out. Barring critical bugs, this should be the last beta before 1.8.4 proper and, in testing, is remarkably stable.

If you are using stream4, it is highly recommended that you upgrade to this version as it fixes crash bugs that have manifested themselves in several unpredictable ways.

Changes since 1.8.4-beta1:
  • SNMP Output updates
  • FlexResp headers fix
  • sp_pattern_match multiple content false match
  • ID tags in spp_defrag
  • Duplicate frag return code
  • ICMP decoder ASCII output improvements
  • frag2/stream4 argument parsing handles simple mistakes
  • stream4 memory management fixes
  • stream4 initialization fixes

Get it from: downloads

Read More
Article: Does TV make pigs look 10 LBS fatter? Posted by brian : 2002-02-18 08:36:45-05
Nir Zuk was recently on TechTV's The SCREENSAVERS, a show about "geeky stuff". Nir talked about IDSs and how they work. While I have not seen it, I have been told this episode aired sometime last week.

You can read Nir Zuk's article on TechTV here.

Article: Commercial Snort, it's a go Posted by brian : 2002-02-15 01:48:59-05
SecurityFocus has published an article about SourceFire (Marty's company that is building "commercial-grade" IDS appliances with snort as the core), which has recently been funded $2 million in venture capital. Way to go Marty and gang.

Read the article here.

Getting drunk with snort Posted by brian : 2002-02-08 09:55:59-05
Erek Adams has put up instructions for the Snort-Users Drinking Game. Make sure you have a dedicated operator to watch your IDS, because if you play this game you will probably have alcohol poisoning within the hour.

Snort does not recommend drinking, smoking, having adult relationships, eating red meat, or any other pleasurable activity. Use with caution, talk to your doctor before trying this, and don't try this at home. Professional driver on a closed track. Some assembly required. No purchase necessary. Void where prohibited by law.

Enterasys's Woes not as bad as they seem Posted by brian : 2002-02-06 10:24:21-05
Yahoo has upgraded their outlook for Enterasys from Sell to Stable after their slide earlier this week. According to this article from The Street, the North American, European, and Latin American portions of Enterasys will probably not be affected by the investigation.

That, combined with a calming email from Ron Gula to the Dragon IDS users' mailing list stating that FreeBSD won't be dropped until after 5.1 at the earliest, has got to make Dragon's users much less worried.

UPDATE: A number of Enterasys Employ ...

Read More
Stock: Enterasys's stock plummets thanks to SEC investigation Posted by brian : 2002-02-04 12:55:21-05
Yahoo is reporting that Enterasys, makers of Dragon IDS, is currently under investigation by the SEC. Read this for a more in-depth look into Enterasys's woes.

UPDATE: Just wanted to add that Enterasys makes decent products (much of my wireless gear has the Enterasys logo). As a number of people have pointed out, if you use their stuff, you should not be worried by this investigation. Sorry for the scare.

Movie: An attack in the garden of good and evil Posted by brian : 2002-01-31 14:56:59-05
Are you an evil hacker that wants to know how us good guys find out what you did? Are you a good guy wanting to know how the hax0rs got your porn?

The guys at MSNBC have put up a spiffy movie thingie done in Flash that walks you through an attack through the eyes of the good and the evil. Lance Spitzner provided the data, and of course ... used snort. (Go Lance go :P)

If you are Flash enabled, play with the movie here.

Article: Sensor's Quarrel - You would think they were married Posted by brian : 2002-01-30 19:35:35-05
James Middleton of VNUNet.com has posted yet another article about the "spat" between Snort and ISS. In the article James quotes Marty stating that the bug isn't as bad as ISS made it out to be. Of course, the article states that "Snort Blew Away commercial vendor IDS offerings", which always makes us smile.

Read the article here.

Article: More FUD than you can shake a stick at Posted by brian : 2002-01-30 08:52:29-05
Brian McWilliams of Newsbytes published an article about the latest round of FUD regarding the ISS Alert about the ICMP ASCII printing bug in snort. One has to wonder why all the fuss from ISS.

UPDATE FROM MARTY: The article states that all versions below 1.8.3 are vulnerable to this bug; that is incorrect. This bug is a result of a change to the ICMPHdr struct in decode.h that I made in 1.8.3 ONLY, no other versions are affected.

Read the article here.

Snort 1.8.4-beta1 ready Posted by marty : 2002-01-30 00:17:49-05
Snort 1.8.4-beta1 is ready for testing. Note that this is a beta release only, it could have some problems, so if you find a bug follow the BUGS file instead of posting directly to Bugtraq.

Here's a list of changes:

  • ICMP header size calculation fix
  • Stream4 aggregate stream size calculations fixed
  • Stream4 retransmission resolution code handles retransmissions more properly
  • Stream4 puts proper Ethernet headers on traffic that have the proper DLT
  • Frag2 now favors old data over new
  • Frag2 has enhanced teardrop detection and event code
  • Nessus URLs added to cross reference list
  • Updated config.guess, Mac OS X should be properly detected by ./configure now
  • InitializeInterfaces() call added after GoDaemon() as a heinous kludge fo ...

Read More
Snort ICMP DoS is no big deal Posted by marty : 2002-01-29 15:52:12-05
Well, now that the news media have gotten into the act, I feel that it's necessary to pour a little cold water on this "ICMP DOS" that is going from molehill to mountain right now.

Here's the deal:

  • The ICMP problem only manifests itself on ICMP ping packets with payloads smaller than 4 bytes, which is non-standard. Regular ICMP ECHO traffic won't set it off.
  • The crash condition only occurs if you're running the -d switch at the command line and logging in ASCII mode. This is not a default mode, you have to explicitly activate it, and it's recommended specifically that you don't in production environments due to performance impact.
  • The recommended run-time output mode has been anything but ASCII mode for over two years, nobody should be running production sensors with ASCII logging active on an u ...

Read More
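The failure mode Marty describes, a header-size calculation that assumes more bytes than a short ICMP packet actually carries, as an added C illustration that is not Snort's decoder (the ICMP layout, function names and sample packet are assumptions for this example): the unchecked subtraction wraps around for a short ping, while the checked version clamps the header length to what is actually present before anything is dumped.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed minimal ICMP layout for this example (not Snort's ICMPHdr):
 * type(1) code(1) checksum(2), then id(2) seq(2) for ECHO / ECHO REPLY. */
#define ICMP_ECHOREPLY    0
#define ICMP_ECHO         8
#define ICMP_MIN_HDR_LEN  4
#define ICMP_ECHO_HDR_LEN 8

/* Constructed sample: ECHO header (id 0x1234, seq 1) + payload "hi", 0x01. */
static const uint8_t SAMPLE_ECHO[] = { 8, 0, 0, 0, 0x12, 0x34, 0, 1, 'h', 'i', 0x01 };

/* Unsafe pattern: subtract the full ECHO header without checking the packet
 * is that long. For len == 6 the size_t result wraps to a huge value, and a
 * byte-by-byte ASCII dump loop would read far past the buffer. */
size_t icmp_payload_len_unchecked(size_t len)
{
    return len - ICMP_ECHO_HDR_LEN;
}

/* Checked version: -1 if even the 4-byte minimum header is missing, 0 if the
 * type-specific header is truncated, otherwise the payload byte count. */
int icmp_payload_len(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < ICMP_MIN_HDR_LEN) return -1;
    size_t hdr_len = ICMP_MIN_HDR_LEN;
    if (pkt[0] == ICMP_ECHO || pkt[0] == ICMP_ECHOREPLY)
        hdr_len = ICMP_ECHO_HDR_LEN;
    if (len < hdr_len)
        return 0;                   /* short ping: nothing past the header */
    return (int)(len - hdr_len);
}

/* ASCII dump (what a -d style text logger prints), driven only by the checked
 * length; non-printable bytes become '.'. Returns chars written, -1 on error. */
int icmp_dump_ascii(const uint8_t *pkt, size_t len, char *out, size_t out_sz)
{
    int n = icmp_payload_len(pkt, len);
    if (n < 0 || out_sz == 0) return -1;
    size_t hdr = len - (size_t)n, i;
    for (i = 0; i < (size_t)n && i + 1 < out_sz; i++) {
        uint8_t c = pkt[hdr + i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[i] = '\0';
    return (int)i;
}
```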
Stable Snort : Keeping those pigs in the barn Posted by brian : 2002-01-29 10:52:37-05
In order to get bug fixes out to the masses faster, we are now providing an hourly snapshot of the stable branch of the Snort CVS tree. This snapshot includes various bug fixes and other updates that have not been rolled into a new release yet.

If you are building snort for a production environment, you should think about using this snapshot.

(NOTE: This includes fixes for the ICMP DOS that only affects verbose text output on linux)

Paper: Polymorphicisms be gone Posted by brian : 2002-01-24 14:06:19-05
Fermin J. Serna of Next Generation Security Technologies has published a paper (and source code) for catching polymorphic shellcode. His ideas revolve around counting multiple NOP-type operations in a row and alerting when a threshold is reached. The idea has been kicked around for a while, but this is the first one that I have seen in actual implementation.

Read the paper here and download the source code for a basic NIDS that has this functionality here.
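The counting idea the paper describes, as an added C illustration that is neither Serna's code nor Snort's (the NOP-equivalent byte set, function names and sample payloads are assumptions for this example): find the longest run of consecutive NOP-like bytes in a payload and alert once it reaches a threshold, with the threshold absorbing the short runs that ordinary ASCII text produces.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Illustrative set of single-byte x86 instructions a sled can use instead of
 * 0x90 (an assumption for this example; a real detector carries a much larger
 * architecture-specific table). Note 0x40-0x4f are also ASCII 'A'..'O', so
 * plain text produces short runs; the threshold is what keeps those quiet. */
static bool is_nop_equivalent(uint8_t b)
{
    if (b == 0x90)                  return true;   /* nop */
    if (b >= 0x40 && b <= 0x4f)     return true;   /* inc/dec r32 */
    switch (b) {
    case 0xf8: case 0xf9:                          /* clc, stc */
    case 0xfc: case 0xfd:                          /* cld, std */
        return true;
    default:
        return false;
    }
}

/* Longest run of consecutive NOP-equivalent bytes anywhere in the payload. */
size_t longest_nop_run(const uint8_t *payload, size_t len)
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = is_nop_equivalent(payload[i]) ? cur + 1 : 0;
        if (cur > best)
            best = cur;
    }
    return best;
}

/* Alert when the longest run reaches the threshold (the paper's idea). */
bool nop_sled_alert(const uint8_t *payload, size_t len, size_t threshold)
{
    return threshold > 0 && longest_nop_run(payload, len) >= threshold;
}

/* Constructed samples: a benign HTTP request line, and a 20-byte mixed run of
 * NOP-equivalents followed by four arbitrary non-matching bytes. */
static const uint8_t SAMPLE_BENIGN[] = "GET /index.html HTTP/1.0\r\n";
static const uint8_t SAMPLE_SLED[] = {
    0x90, 0x41, 0x4f, 0xf8, 0x90, 0x42, 0xfc, 0x90, 0x4e, 0xf9,
    0x90, 0x43, 0x4d, 0xfd, 0x90, 0x44, 0x4c, 0x90, 0x45, 0x4b,
    0x00, 0x0a, 0x0d, 0x20
};
```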

Article: Network Intrusion Detection Signatures, part 2 Posted by brian : 2002-01-23 19:51:01-05
Karen Kent Frederick of NFR has published her second article in the series, discussing the background of signatures.

If you've been to events such as SANS '01, she's the geek wearing the NFR police jacket at the NFR booth. If you enjoy her articles, stop by and say hi. Ok, stop by and say hi anyway and let her know that the snort guys said hi. :)
