
News

Have any news about Snort, related projects or the industry in general? Send them to Jennifer Steffens.

Zotob Infiltrated CNN - VRT Rules Detect All Variants Jennifer @ Wed August 17 04:01:35 2005 GMT

The Zotob worm variants are continuing to gain momentum and popularity, even being covered by CNN after an attack hit their own network. The Sourcefire VRT has continued to stay on top of this activity and verified that all variants are currently detected by the original rules released on August 12, 2005. These rules have now been released to Registered Snort Users at http://www.snort.org/pub-bin/downloads.cgi#VRT.

Red Herring: Zotob Virus Strikes Windows Jennifer @ Tue August 16 17:45:18 2005 GMT

The Zotob worm is making the news and Matt Watchinski, director of the Sourcefire Vulnerability Research Team, was quoted as an expert in an article featured in Red Herring’s online magazine posted on August 15th. The article discusses the most recent Internet worm to strike Microsoft Windows, Zotob, and the impact it is having on global networks.

In the article, Watchinski highlights an existing trend of reduced time from vulnerability to exploitation. “The really interesting thing here is how quickly an exploit to take advantage of the hole was created and released,” Watchinski is quoted as saying.

The article goes on to discuss the spread of Zotob and variations that are already in the wild. For the full article, please visit http://www.redherring.com/Article.aspx?a=13175&hed=Zotob+Virus+Strikes+Windows.

Honeynet Security Console (HSC) version 2.5 Jennifer @ Tue August 16 17:20:51 2005 GMT

Activeworx is pleased to announce the release of Honeynet Security Console (HSC) version 2.5 for Windows 2000/XP. HSC is a free analysis tool to view events on your personal network or honeynet. It gives you the power to view events from Snort, TCPDump, firewall, syslog and Sebek logs.

This tool is not only for honeynets, it is also a great interface to view Snort events. With both HSC and IDS Policy Manager (also at activeworx.org) you have a free complete solution to manage your Snort rules and view the events.

The release of HSC v2.5 adds many new features, including new graphs, printing, copying events and overall look and feel.

To download this free software or get more details about this product, visit http://www.activeworx.org.

VRT Certified Rules Update - Zotob Detection VRT @ Mon August 15 13:55:23 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has received reports of a new worm variant, known as Zotob, that makes use of the Plug-and-Play (PnP) vulnerability (MS05-039) to propagate. The worm uses exploit code that targets the PnP issue via port 445 and upon successful exploitation, it then uses ftp to transfer data from the infecting machine. The newly infected machine then becomes an ftp server itself and begins scanning for other vulnerable hosts to infect.

The VRT released rules on August 12th, 2005 that detect all attempts to exploit this vulnerability. These rules are identified as SIDs 3828 through 4125. The Zotob worm will alert on SID 3999. Inline users may wish to set this rule to 'drop' for added protection.

To ensure detection/prevention of all variants of the worm and additional potential attack vectors, the VRT recommends using Snort v2.3.x or higher. This will ensure the latest detection capabilities are being utilized. In addition, Snort v2.3.x users are advised to make the following configuration change to snort.conf. Read the full advisory for complete details.
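The previous paragraphs say inline users may want to switch the Zotob rule (SID 3999) from 'alert' to 'drop'. The following is an added example, not Sourcefire's or the Snort project's code, of doing that rewrite safely over a rules file: it changes only the leading action keyword of rules whose sid matches, and leaves commented-out rules and all other rules alone. The rule lines in it are constructed samples (only the SID and port 445 come from the announcement), and it assumes Snort 2.x rule syntax, where a rule starts with an action keyword and carries a `sid:<n>;` option.

```python
"""Rewrite the action of selected Snort rules (e.g. alert -> drop) so an
inline sensor blocks the matching traffic instead of only alerting.

Added example, not part of Snort or the VRT rules. Assumes Snort 2.x rule
syntax: an action keyword at the start of the line and a ``sid:<n>;`` option.
"""
import re
from typing import Iterable, List, Optional, Set

# Rule actions understood by Snort 2.x (inline mode adds drop/reject/sdrop).
RULE_ACTIONS = ("alert", "log", "pass", "drop", "reject", "sdrop")

_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_ACTION_RE = re.compile(r"^(\s*)(" + "|".join(RULE_ACTIONS) + r")\b")


def rule_sid(line: str) -> Optional[int]:
    """Return the SID carried by a rule line, or None if it has none."""
    m = _SID_RE.search(line)
    return int(m.group(1)) if m else None


def set_rule_action(line: str, new_action: str) -> str:
    """Replace the leading action keyword of one rule line, keeping indentation."""
    if new_action not in RULE_ACTIONS:
        raise ValueError(f"unknown rule action: {new_action}")
    m = _ACTION_RE.match(line)
    if not m:
        return line  # not a rule header we recognise; leave it untouched
    return f"{m.group(1)}{new_action}{line[m.end():]}"


def rewrite_actions(lines: Iterable[str], sids: Set[int], new_action: str = "drop") -> List[str]:
    """Return a copy of the rules file with the matching SIDs' action changed.

    Commented-out rules (lines starting with '#') are never modified, so a
    disabled rule is not silently re-enabled or altered.
    """
    out = []
    for line in lines:
        if line.lstrip().startswith("#") or rule_sid(line) not in sids:
            out.append(line)
            continue
        out.append(set_rule_action(line, new_action))
    return out


# Constructed sample rules file (NOT the real VRT rules); the SID numbers
# and port 445 are taken from the announcement, everything else is made up.
SAMPLE_RULES = [
    "# constructed sample rules file",
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE rule A"; flow:to_server,established; sid:3999; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SAMPLE rule B"; sid:4000; rev:1;)',
    '# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:3999; rev:1;)',
]


if __name__ == "__main__":
    for line in rewrite_actions(SAMPLE_RULES, {3999}):
        print(line)
```

Run it on a copy of the rules file and diff the result before deploying; the function never touches a line whose sid is not in the set, so the diff should show exactly one changed line per targeted rule.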

In addition, a patch for this vulnerability is available at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx.

Download Rules:
These rules will be available to subscribers only until August 17th, 2005. Subscribers can download the rules at http://www.snort.org/pub-bin/downloads.cgi.

If you would like to purchase a subscription, please visit http://www.snort.org/rules/why_subscribe.html or contact Dale Reynolds at 703.462.2639 or snort-sub@sourcefire.com.

OSSEC Host-based IDS v0.2 Available Jennifer @ Sun August 14 22:45:13 2005 GMT

OSSEC HIDS is a self-contained system for host-based intrusion detection. It performs log extraction, integrity checking and health monitoring. All this information is correlated and analyzed by a single engine, creating a very powerful and scalable detection tool.

Daniel Cid [danielcid@yahoo.com.br] has announced that v0.2 is now available. The new version includes a number of fixes, new features and additional detection rules.

For more information: http://www.ossec.net/hids/

LinuxWorld.org Pavilion Review Jennifer @ Sun August 14 22:35:46 2005 GMT

Mark Sobell, president of Sobell Associates Inc., provides a great write up of some of the projects featured in the LinuxWorld.org pavilion. He includes updates on what is happening with EFF (www.eff.org), KDE (plasma.kde.org), LinuxPrinting.org and of course Snort.

Check out the review, including a classic picture of Mark riding the mechanical bull on the main show floor at http://www.bookpool.com/ct/98048.

Mark G. Sobell is president of Sobell Associates Inc., a consulting firm that specializes in UNIX/Linux training, support, and custom software development.

VRT Certified Rules Update for Latest Vulnerabilities Nathan @ Fri August 12 16:16:47 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of a serious vulnerability affecting Microsoft Windows systems; additionally, exploit code that targets the vulnerability is in distribution.

These rules are available to subscribers only until Wednesday, August 17, 2005.

Download rules | view advisory | view changelog.

BASE v1.1.4 Release and Good-bye to Joel Esler Jennifer @ Thu Aug 11 14:07:50 2005 GMT

The BASE Project has released BASE 1.1.4 (cheryl). Compared to some of their other releases, this is a pretty small one. They have added Polish and updated some of the other languages. They have also fixed some minor bugs in the system. The biggest fix is to the SQL files for new users.

From Kevin Johnson of BASE:
"The main reason this release is being put out is to thank Joel Esler. Today is his first day with Sourcefire and he is out at LinuxWorld representing the BASE project. After this release he will no longer be an active part of the BASE project and we wanted to take this moment to thank him for everything that he has done for BASE and the Snort community.

So all together now.... Thanks Joel!<g>"

Check out BASE at http://secureideas.sourceforge.net/.

InformationWeek Looking for Open Source Users to Interview Jennifer @ Wed Aug 10 16:10:34 2005 GMT

InformationWeek Magazine is writing an Open Source Feature that focuses on how companies are using open source in their IT environments and are looking for companies to profile. If you are interested in having your company featured, please contact me directly at jennifer.steffens@sourcefire.com so I can coordinate the interview.

Second Meeting and Elections for the OSSRC Jennifer @ Wed Aug 10 14:12:12 2005 GMT

The second meeting of the OSSRC will be held on Thursday, August 18th at 12:00pm EDT on IRC in the #ossrc room. This will be the last truly open meeting of the consortium. Moving forward, attendance will require membership. If you have not yet registered you can do so here.

The agenda for the meeting is as follows:

  • Introductions from nominated parties
  • Details on how to participate in the election
  • Feedback on the new ossrc.snort.org site
  • New projects

I hope everyone can attend. For those who can't, we will make logs available. If you have any questions or concerns, feel free to contact me directly at jennifer.steffens@sourcefire.com.

WinPcap 3.1 Released! Jennifer @ Tue Aug 09 17:10:43 2005 GMT

Gianluca Varenni announced that after more than two years of hard work, the final version of WinPcap 3.1 is available from today in the download section of the WinPcap website, http://www.winpcap.org/install/.

This new release represents an important milestone for the project: major improvements and bug fixes have been carried out during this long period of time, and the result is the most stable and reliable version of WinPcap in its history. Gianluca sends out a big thanks to all the users that contributed to this result by submitting bug reports and thoroughly testing the several betas that were made available.

Learn more at http://www.winpcap.org/.

Snort and Sguil Meeting at LinuxWorld Jennifer @ Wed Aug 03 17:29:51 2005 GMT

Birds-of-a-Feather Snort/Sguil Meeting at the upcoming LinuxWorld Expo

What:
Nigel Houghton, Sourcefire VRT will discuss "Target-based IDS/IPS"
David Bianco, Vorant Network Security will discuss "Network Security Monitoring with Sguil"
When:
Tuesday, August 9th - 5:30pm-6:30pm
Where:
The Moscone Center West
Room 2007
800 Howard Street
San Francisco, CA 94103

Sourcefire is also sponsoring Snort and Sguil in the .org pavilion of the expo. Come meet members of the Sourcefire Snort Team as well as David Bianco of the Sguil project. Snort schwag will be available!

Registration for the expo and meeting are FREE. Details are available at http://www.linuxworldexpo.com/live/12/events/12SFO05A/exposition. If you have any questions, contact snort_groups@sourcefire.com

Hope to see folks there!

Passive Network Discovery Paper Available Marty @ Mon Aug 01 17:30:11 2005 GMT

Hi all,

This is a good overview of the concepts embodied in Sourcefire's RNA technology (which I invented) and should give you a pretty good idea as to why I'm so passionate about it these days.  If you want to understand how IDS is going to work (much) better in the future, start learning about PNDS today.

Here is an excerpt from the abstract: “Network security analysts are confronted with numerous ambiguities when interpreting alerts produced by security devices. Even with the increased accuracy of these tools, analysts still have to sort through a tremendous number of potential security events in order to maintain the desired level of assurance. This paper describes how passive network discovery and persistent monitoring can provide significant contextual information valuable to network security professionals responsible for protecting the network. Techniques discussed include the capability to discover active nodes, their operating systems, the role they carry out, their system uptime, the services they offer, the protocols they support, and their IP network configuration.”

The full report is posted here: http://www.snort.org/docs/.

If anyone has any questions or comments please send mail to me or snort-feedback@sourcefire.com and we'll get back to you.

Thanks,
Marty

Snort IDMEF Plugin 2.0alpha2 for Snort 2.4 Available Jennifer @ Mon Aug 01 15:45:36 2005 GMT

Sandro Poppi has announced a new release of the GPL'ed Snort IDMEF plugin 2.0.0alpha2 for Snort as a patch against v2.4.0. This version is mainly a patch for the new Snort v2.4.0. See ChangeLog for details.

IDMEF is the Intrusion Detection Message Exchange Format, which is XML-based and developed by the IETF working group IDWG. Its current status is "Draft". Snort IDMEF enables Snort to generate IDMEF-based messages and store them either in a flat file or distribute them via TCP sockets.

On the project's homepage you'll find some mailing lists for issues related to the snort-idmef-plugin.

Thanks Sandro!

Open Source Community: How to win friends and influence developers Jennifer @ Mon Aug 01 14:13:23 2005 GMT

Release 1.0’s Dave Rosenberg investigates the idea of cultivating a strong community around an open-source product in a series of articles in the online magazine’s latest update. In part one of the three-part saga, Rosenberg refers to open-source as “the new punk rock,” relating to the way an open-source community can help to further the development and endorsement of a product. He then profiles seven companies built from that mold. The Snort community is highlighted during the Sourcefire discussion, when Snort creator Marty Roesch states that the Snort community “continues to be vital to the success of Snort.” (Keep up all the great work guys!)

The second piece of the series will focus on a “Built from Scratch” model.

Definitely an interesting read. Check it out at http://release1-0.com/freshproduce/article.cfm?serialnum=FRP200507220000

Two Additional Snort Books Added to Site Jennifer @ Mon Aug 01 13:16:44 2005 GMT

We have added two new books to the site: Snort Cookbook by Angela D. Orebaugh, Simon Biles and Jacob Babbin, as well as Managing Security with Snort & IDS Tools by Kerry J. Cox and Christopher Gerg.

Read more at http://www.snort.org/docs/#ids_books

Big thanks to Andrew Simmons for pointing these out to us!

NSS IPS Group Test Edition 3 Available Jennifer @ Mon Aug 01 12:42:53 2005 GMT

Bob Walder of The NSS Group announced that their latest IPS report has been released and includes products from Cisco, Intoto, Juniper, NFR, Radware, Symantec and Westline. The NSS IPS Group Test evaluates the performance, reliability, security effectiveness, and usability of Network IPS products. The test consists of seven sections within three primary areas: performance and reliability, security accuracy, and usability. The entire report is available for free viewing, however, the detailed benchmark results require registration.

The report is available at www.nss.co.uk/ips.

Snort 2.4 Officially Released Jennifer @ Thu July 28 14:15:21 2005 GMT

Snort v2.4 is now officially available. This release includes a number of new features, fixes and performance enhancements, including the Frag3 preprocessor, a target-based IP defragmentation module and an "ftpbounce" rule detection plugin.

With this release, rules are no longer distributed as part of the Snort releases; they are available as a separate download from snort.org. This was done for three reasons:

  1. To better manage the new rules licensing
  2. To reduce the size of the engine download
  3. To move the thousands of documentation files for the rules into the rules tarballs. If you've ever checked Snort out of CVS you'll know why this is a Good Thing

Snort tarballs and RPMs, as well as a detailed set of release notes, are available at http://www.snort.org/dl

If you have any feedback, let us know - snort-team@sourcefire.com.

Happy Snorting!

OSSRC Web Site Live Jennifer @ Mon July 25 21:31:34 2005 GMT

We have created a web site dedicated to the Open Source Snort Rules Consortium (http://ossrc.snort.org). This is just the start of the site but includes:

  • Overview of the consortium
  • A web form for joining
  • Highlights of potential projects
  • Logs from the first meeting

We will be updating the site with additional content in the upcoming weeks. The site is dedicated to the consortium so the features and functionality will be fleshed out with the members moving forward. In the meantime, if you have any feedback, contact snort-site@sourcefire.com.

VRT Certified Rules Update for Latest Vulnerabilities VRT @ Fri July 22 19:02:24 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Microsoft Windows, RealPlayer, MailEnable, the PHP XML-RPC module and FutureSoft TFTP server.

These rules are available to subscribers only until Wednesday, July 27, 2005.

Download rules | view advisory | view changelog.

Snort Lunch at DefCon Jennifer @ Fri July 22 18:36:45 2005 GMT

Back by popular demand, Sourcefire will be sponsoring another meeting at DefCon. We decided to do it as a lunch this time to give folks time to sleep off the hangovers. Brian Caswell, Principal Research Engineer with the Sourcefire VRT, will be hosting the meeting along with a few other folks from the Sourcefire Snort Team.

So come hang out with some fellow Snorters. There will be free food and free Snort schwag. What more could you ask for?

Date: Saturday, July 30th
Time: 12:00-2:30pm

Space is limited so we need folks to register here. Complete details on the location will be sent to registrants prior to the event.

Questions? Let me know.

Certified Snort Integrator Program Announced Jennifer @ Wed July 20 14:10:21 2005 GMT

Sourcefire today announced its new Certified Snort Integrator Program, which allows third-party solution providers to deliver Sourcefire® VRT Certified Snort Rule updates directly to their end users. The Certified Snort Integrator Program also enables partners to increase the value of their offerings, simplify the way their products are updated and provide detection in advance of actual threats.

Charter members of the program include: Astaro, BRConnection, Catbird Networks, Counterpane Internet Security, e-Cop, Netreo, NTT DATA CORPORATION (Japan), ProtectPoint, SecurePipe, StillSecure, VarioSecure Networks, VeriSign, Voyant Strategies and WatchGuard.

Read the full release at http://www.sourcefire.com/news/press_releases/pr072005.html. Questions about the program? Contact Jennifer Steffens at jennifer.steffens@sourcefire.com.

PacSec/core05 Call for Papers Jennifer @ Wed July 13 19:51:35 2005 GMT

For those who are interested, Dragos Ruiu has announced the opportunity to submit papers for the third annual PacSec/core05 network security training conference in Tokyo. The conference focuses on emerging information security tutorials - it will be a bridge between the international and Japanese information security technology communities. Paper proposal submissions are due before Aug 1 2005. Slides for the papers must be submitted by October 1st 2005. The conference is November 15th and 16th 2005, presenters need to be available in the days before to meet with interpreters.

The conference is responsible for travel and accommodations for the speakers. If you have a proposal for a tutorial session then please email a synopsis of the material and your biography, papers and speaking background to core05@pacsec.jp. Tutorials are one hour in length, but with simultaneous translation should be approximately 45 minutes in English or Japanese. Only slides will be needed for the October paper deadline; full text does not have to be submitted.

English url: http://pacsec.jp/speakers.html?LANG=ENGLISH
Japanese url: http://pacsec.jp/speakers.html?LANG=JAPANESE

WaldoGPS Management Script Available Jennifer @ Mon July 11 21:26:42 2005 GMT

Richard Harman wrote a small management script called WaldoGPS. This script monitors the .waldo file of multiple barnyard processes (that write to different databases), and deletes the unified log file only after all the barnyard processes have finished reading events from that log file. He made waldogps available here: http://www.xabean.com/code/waldogps. The script has built-in Plain Old Documentation (perl POD), which you can see by running 'perldoc waldogps', or running 'waldogps -?'.

This is also available at http://www.snort.org/dl/contrib/other_stuff/

Hope folks find it useful! Comments and questions can be sent to snort at richardharman dot com but keep in mind he works full time so be nice if you don't get an answer right away.

Possible Evasion in Snort Multi Pattern Algorithm Brian @ Fri July 08 22:15:13 2005 GMT

The Sourcefire Vulnerability Research Team has discovered a bug in the default wu-manber multi-pattern algorithm in Snort. This vulnerability could allow an attacker to potentially evade Snort. The Snort Team is currently working on the Snort 2.4 release, in which the default multi-pattern match algorithm will be Aho-Corasick.

Until the next release of Snort is available, users can update their Snort configuration to use a different algorithm. To update your Snort configuration, add the following line to snort.conf:

    config detection: search-method ac

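Appending that line blindly can leave a snort.conf with two `config detection:` lines, or one that still names the old wu-manber method further down. The following is an added example, not part of Snort or Sourcefire's tooling, of applying the change so that an existing `config detection:` line keeps its other options but has its search-method replaced, and a file with no such line gets one appended. It assumes the Snort 2.x `config detection: <option>[, <option> ...]` syntax; the snort.conf fragment is constructed for the example.

```python
"""Set the multi-pattern search method in a snort.conf without creating a
duplicate or contradictory ``config detection:`` line.

Added example, not from the Snort project. Assumes the Snort 2.x syntax
``config detection: <option>[, <option> ...]``.
"""
import re
from typing import List, Optional

_DETECTION_RE = re.compile(r"^\s*config\s+detection\s*:\s*(.*?)\s*$")


def _options(m: "re.Match") -> List[str]:
    """Split the option list of a matched config detection line."""
    return [o.strip() for o in m.group(1).split(",") if o.strip()]


def search_method(lines: List[str]) -> Optional[str]:
    """Return the configured search method, or None if Snort's default applies."""
    for line in lines:
        m = _DETECTION_RE.match(line)
        if not m:
            continue
        for opt in _options(m):
            parts = opt.split()
            if len(parts) == 2 and parts[0] == "search-method":
                return parts[1]
    return None


def set_search_method(lines: List[str], method: str = "ac") -> List[str]:
    """Return a copy of snort.conf that selects ``method`` as the search method.

    Every existing ``config detection:`` line has any old search-method option
    removed; the first such line gets the new one added (other options on that
    line, e.g. max_queue_events, are preserved). If the file has no
    ``config detection:`` line at all, one is appended.
    """
    out: List[str] = []
    placed = False
    for line in lines:
        m = _DETECTION_RE.match(line)
        if not m:
            out.append(line)
            continue
        opts = [o for o in _options(m) if not o.startswith("search-method")]
        if not placed:
            opts.insert(0, f"search-method {method}")
            placed = True
        # Drop a line left empty once its only option was the old search method.
        if opts:
            out.append("config detection: " + ", ".join(opts))
    if not placed:
        out.append(f"config detection: search-method {method}")
    return out


# Constructed snort.conf fragment for the example (not a real deployment file).
SAMPLE_CONF = [
    "# constructed snort.conf fragment",
    "var HOME_NET 192.168.0.0/24",
    "config detection: max_queue_events 5",
    "preprocessor frag3_global",
]


if __name__ == "__main__":
    print("before:", search_method(SAMPLE_CONF))
    for line in set_search_method(SAMPLE_CONF):
        print(line)
```

After rewriting, restart Snort and confirm from its startup output which search method it reports; `search_method()` only tells you what the file asks for, not what the running process loaded.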
VRT Certified Rules Update - MS IE Vulnerability VRT @ Fri July 08 15:46:04 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of a serious vulnerability affecting Internet Explorer.

These rules are available to subscribers only until Wednesday, July 13, 2005.

Download rules | view advisory | view changelog.

OSSRC Meeting Logs and Membership Invitation Jennifer @ Thu July 7 21:58:20 2005 GMT

Well folks, we finally kicked off the OSSRC today with a fairly successful meeting. There were some great new items discussed for the OSSRC to consider, including central documentation, performance monitoring and integrity validation. Thanks to all who attended. And for those who couldn't make it, you can read the logs.

We have opened up membership to all interested parties. Simply fill in this form and return it to me at jennifer.steffens@sourcefire.com or fax it to my attention at 410.290.0024. In addition, nominations for the board are open until Monday, July 25, 2005. The Board of Directors will be made up of 2 co-chairs, Sourcefire and BleedingSnort. In addition, we will elect 3 board members. Anyone is eligible but they must be nominated by 2 members. At the end of the nomination period we will provide a list of candidates and hold an election.

We have the Charter and Operating Plan for review as well. The Charter has been updated to reflect that we will revisit it in 6 months to ensure that it is still serving the OSSRC appropriately.

Network Security Training at USENIX Jennifer @ Fri July 1 19:13:53 2005 GMT

Richard Bejtlich, founder of TaoSecurity (a company that helps clients detect, contain, and remediate intrusions using network security monitoring (NSM) principles) and author of our beloved TaoSecurity blog, will be teaching two training courses at the upcoming USENIX show, July 31st-August 5, 2005 in Baltimore, MD: Network Security Monitoring with Open Source Tools (including Snort) and Network Incident Response.

Both sound like great courses. You can get further details or register at http://www.usenix.org/events/sec05/.

OSSRC Update - First Meeting Jennifer @ Thu June 30 23:35:15 2005 GMT

After much preparation (ok ok so I have been on the road a ton and am finally getting back to reality) we are finally kicking off the Open Source Snort Rules Consortium (OSSRC). As a reminder, the goals of this group are to:

  • Establish metrics and standards for Open Source Snort rule development and documentation
  • Provide a forum for the sharing of research and information for the development of effective Snort Rules
  • Ensure continuous support for a Snort Ruleset licensed under the GPL

The first meeting will be held on Thursday, July 7th at 12:00pm EDT on IRC, freenode.net in the #ossrc room.

Agenda items will include:

  • An overview of how the OSSRC will run
  • Nominations for officers
  • Discussion of SID allocation for the various rulesets
  • Discussion of sharing rulesets on the various web sites

All are welcome to attend. If your organization is interested in being formally represented in the OSSRC, please contact me directly at jennifer.steffens@sourcefire.com.

VRT Certified Rules Update - Veritas Vulnerabilities VRT @ Thu June 30 23:18:37 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of multiple serious vulnerabilities affecting Veritas Backup Exec Server and Agent software.

These rules are available to subscribers only until Tuesday, July 5, 2005.

Download rules | view advisory | view changelog.

VRT Certified Rules Update - IBM Websphere/Squid HTTP Vulnerabilities VRT @ Wed June 29 15:11:59 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting IBM Websphere and Squid HTTP proxy server.

These rules are available to subscribers only until Monday, July 4, 2005.

Download rules | view advisory | view changelog.

Moving on... Jeremy @ Mon June 27 22:55:09 2005 GMT

Heyas, Snorters -

Just wanted to let everyone know that I'm leaving Sourcefire (on good terms) to pursue another opportunity. I've enjoyed working with the community; you all have made Snort into a great open source project.

Those of you who have been working with me on bugs, features, etc, you can continue this conversation at snort-team@sourcefire.com. I'll be working with Sourcefire to make this transition as easy as possible. You can still reach me at this address, as well, should you need to do so.

*Wave*

Sourcefire Support for Snort Related Projects Jennifer @ Mon June 27 15:10:32 2005 GMT

Sourcefire is interested in increasing our support for the various Snort related open source projects. We have a few upcoming projects that we are soliciting interest in.

1. We have arranged for a booth in the .org pavilion at the LinuxWorld San Francisco, CA. We will handle all show logistics, signage and promotion. If you are interested in having your project participate, please let me know.

2. We are trying to put together a Snort track for upcoming security conferences. To accomplish this, we will need speakers for various topics relating to Snort. Please forward any topic ideas directly to me.

3. We will be expanding the “downloads” section of the snort.org web site to better serve the community’s needs. If you have any ideas for ways we can improve this section, send them my way.

Any other ideas for how we can support your project are more than welcome as well. You can send all feedback and ideas directly to Jennifer Steffens.

IDS Policy Manager 1.7.0 for Windows 2000/XP Now Available Jennifer @ Mon June 27 13:26:51 2005 GMT

The folks at Activeworx have released IDS Policy Manager 1.7.0 for Windows 2000/XP. This new release of IDS Policy Manager adds a few nice new features. Now, when uploading, it will upload the rules into multiple directories, e.g. if you have the snort.conf in one directory and the rules files in another. Also, Bleeding Snort rules are now automatically checked when you open a policy. To enable this, edit the policy options and check the box to enable Bleeding Snort checking. Enjoy the new features!

This free software can be downloaded at http://www.activeworx.org.

Invitation to SANS WhatWorks in Intrusion Detection and Prevention Systems Webinar Jennifer @ Thu June 23 21:32:12 2005 GMT

Sourcefire invites you to join SANS on June 28th at 1:00 pm EST for a WhatWorks interview with Sourcefire's customer, Jon Postiglione, a network engineer who handles the intrusion detection and prevention system at Sisters of Charity Providence Hospitals. Jon discusses how his company dealt with the SQL worm and provides solid proof of the value of intrusion detection and prevention systems in identifying the source of attacks on their systems.

To register for this event, please visit: https://www.sans.org/webcasts/show.php?webcastid=90591

VRT Certified Rules Update for Latest Vulnerabilities VRT @ Wed June 15 23:07:02 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting various vendor Telnet client software and Microsoft Internet Explorer.

These rules are available to subscribers only until Monday, June 20, 2005.

Download rules | view advisory | view changelog.

BASE v1.1.3 and Brainstorming Meeting Transcripts Available Jennifer @ Tue June 14 14:04:14 2005 GMT

The BASE project team announced the immediate availability of the 1.1.3(lynn) release. This release includes a number of performance increases along with a number of bug fixes. They have also included support for Oracle and increased their translations to include Simplified Chinese and Czech! The download is available at http://sourceforge.net/projects/secureideas

They also had a wonderful IRC session, where a number of users met with the developers to discuss the future of BASE and what 2.x means. The transcript of this meeting is available on their website at
http://secureideas.sourceforge.net.

Questions, comments and feedback can be sent to them at base@secureideas.net.

Thanks guys!!

Computerworld Journal of a Snort Newbie Jennifer @ Wed June 1 17:21:21 2005 GMT

Protecting Consumer Data on the Cheap - A mandate to protect individuals' personal data in the agency's databases isn't accompanied by any extra funds.

Computerworld Security Manager's Journal is following "C.J. Kelly" as she tries to comply with a privacy bill that is expected to pass and become a law. When that happens, state agencies like the one she works in, as well as private businesses, will be held accountable for any disclosures of individuals' personal information. To protect all the personal information that resides in their databases and servers and traverses their network, she will rely on open-source tools and existing hardware to configure and install an intrusion-detection system (more specifically Red Hat Inc.'s Fedora Core 3, Snort, MySQL and BASE, as well as Apache, SSL and PHP with Patrick Harper's how-to guide close in hand).

The story will continue in the upcoming weeks. Read the story and her challenge to "any interested security managers to do this with her -- all by yourselves. Don't let the engineers have all the fun."

Read about the privacy act at
http://www.computerworld.com/securitytopics/security/story/0,10801,101408,00.html

Read about her project at
http://www.computerworld.com/printthis/2005/0,4814,101885,00.html

VRT Certified Rules Update for Latest Vulnerabilities VRT @ Tue May 31 17:25:59 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting MySQL and Ethereal. The VRT has also completed work to normalize older rules to improve the detection capabilities of the Snort engine.

These rules are available to subscribers only until Sunday, June 5, 2005.

Download rules | view advisory | view changelog.

Snort and BASE Article in VARBusiness Jennifer @ Mon May 31 16:10:31 2005 GMT

Kevin Carlson of Watchfire has written an article titled "IDS: Security At Its Finest" in the May 30, 2005 issue of VARBusiness. In it he highlights the combination of Snort and BASE as his preferred Intrusion Detection System.

Read the full article here | Snort sidebar item.

IDS Policy Manager 1.6.2 for Windows Available Jennifer @ Thu May 26 14:37:16 2005 GMT

The folks at Activeworx have released IDS Policy Manager 1.6.2 for Windows. This new release adds a few minor changes, including:

Added - Support for external syslog server
Added - Flow Bits Size custom option
Fixed - Threshold Directory now saving properly

This new release is available at http://www.activeworx.org

Note from Activeworx: If you are running a version older than 1.6, you will not get rule updates. We still see a lot of people trying to update their rules from activeworx.org. Sourcefire has changed the licensing for the rules and you must have IDS Policy Manager version 1.6+ to download the rules directly from snort.org. If you don't, you will not get updates. Enjoy the new release!

BASE Project Brainstorming Meeting Jennifer @ Wed May 25 23:48:33 2005 GMT

Joel Esler and Kevin Johnson have planned a brainstorming meeting for the BASE project for June 1st 2005 at approximately 1900 EST (7 PM). The meeting will take place on IRC, freenode.net in the #secureideas room. They plan to iron out what the goals are for the project and see if they can't get some more people interested in working on development.

They are even hoping to have Marty and Matt Watchinski there, if they can coax them out of their traveling schedules!! (I'll see what I can do to help there)

If you don't know how to sign onto IRC, which, some people don't, it's okay... take a look into XChat (many platforms, including mac os x... this is what I use) or for you Windows people, mIRC.

BASE is a great project so I hope everyone can join in. If you have any questions, contact base@secureideas.net.

LinuxWorld NYC SUG Meeting Room Change & Free Training Jennifer @ Mon May 23 20:30:25 2005 GMT

Reminder of the upcoming Snort User Group meeting at the LinuxWorldExpo in NYC. The topic remains the same - we discuss all things Snort and demonstrate Sourcefire's latest Target-based Snort prototype.

In addition, Sourcefire's Education Team has donated a free training that will be raffled off as a door prize. All attendees will also receive a 10% discount on any upcoming Snort training.

NOTE: The location has changed:
Where: Room Marquis B (9th Floor)
When: Wednesday, May 25th, 5pm-7pm

Hope to see everyone there!

VRT Certified Rules Update for Latest Vulnerabilities Nigel @ Tue May 17 20:20:51 2005 GMT

After continuing research into vulnerabilities affecting BrightStor ARCserve Backup Universal Agent and the CVS daemon, the Sourcefire Vulnerability Research Team (VRT) has released a number of rules to detect attacks against vulnerabilities in these products.

These rules are available to subscribers only until 2005-05-23.

Download rules | view advisory | view changelog.

Snort User Group Meeting at LinuxWorld NY Jennifer @ Tue May 17 23:50:22 2005 GMT

Sourcefire has arranged to have a Snort User Group meeting at the upcoming LinuxWorld show in NYC. Join us for drinks and a discussion of all things Snort. In addition, Jason Brvenik, Director of Security Engineering at Sourcefire, will discuss the future of Snort. We will even show off some of Sourcefire's work with a demonstration of the latest Target-based Snort prototype.

Where:
LinuxWorldExpo - NYC
Marriott Marquis Hotel - 7th Floor
1535 Broadway
New York, NY 10036

When:
Wednesday, May 25th from 5:00-7:00pm.

Space is limited so please RSVP to jennifer.steffens@sourcefire.com.

Hope to see everyone there.

Marty Presents "Harnessing the Power of Snort" Jennifer @ Tue May 17 22:00:16 2005 GMT

Sourcefire invites you to join Marty Roesch for a SANS webinar on "Harnessing the Power of Snort."

Details:
In 1998, Martin Roesch wrote Snort, which he termed a "lightweight" intrusion detection technology in comparison to commercially available systems. Today that moniker doesn't even begin to describe the capabilities that Snort brings to the table as the most widely deployed intrusion detection and prevention technology worldwide. Over the years Snort has evolved into a mature, feature rich technology that has become the de facto standard in intrusion detection and prevention. Recent advances in both the rules language and detection capabilities offer the most flexible and accurate threat detection available. Today, Snort goes beyond basic exploit detection to discover any threat targeted against an underlying vulnerability. This revolutionary approach provides "zero day" threat detection while significantly reducing the risk of evasion.

Join Marty as he highlights these advances as well as some of the exciting new features in store for Snort.

When:
Thursday, May 19 at 1:00 PM EDT (1700 UTC)

Register:
https://www.sans.org/webcasts/show.php?webcastid=90565

New Snort Install Manual for CentOS 4 Available Jennifer @ Tue May 17 18:35:26 2005 GMT

Patrick Harper has provided a new Install Guide for Snort, Apache, SSL, PHP, MySQL, and BASE on CentOS 4 (or RHEL 4). He has switched to CentOS for this version because if you follow it you can use Fedora, RHEL, or CentOS. (CentOS is RHEL, or Redhat Enterprise Linux, without the cost: basically all they did was build it from the SRPM's and change the logos. Pretty cool, and it stays up to date. It also has the 2 year lifespan of Redhat Enterprise, so you will not have to be updating all the time.)

Both Patrick (Patrick@internetsecurityguru.com) and Nick Oliver (nwoliver@internetsecurityguru.com) are available for feedback. Thanks guys!

So You Think You're an Expert Snort User? Well, Get Certified! Chris @ Mon May 16 22:20:48 2005 GMT

Sourcefire will soon be offering a comprehensive online training and certification program to support the demand from the growing Snort community, and its worldwide customer base. This comprehensive program provides the open source Snort community, Sourcefire customers, resellers, technology partners, and security professionals with courses to optimize Sourcefire products and Snort technology to their fullest capabilities and three certification tracks to fully recognize the skills gained through testing and training.

You can find additional info here.

Snort IDMEF Plugin 2.0.0alpha for Snort Available Jennifer @ Mon May 16 16:25:12 2005 GMT

Sandro Poppi has announced a new release of the GPL'ed Snort IDMEF plugin 2.0.0alpha for Snort as a patch against v2.3.3.

IDMEF is the Intrusion Detection Exchange Message Format, which is XML based and developed by the IETF working group IDWG. Snort IDMEF enables Snort to generate IDMEF based messages and store them either in a flat file or distribute them via TCP sockets.

This new version is a complete rewrite of the output plugin. The major changes include:

  • conforms to current IDMEF Draft 14
  • requires the new libidmef 1.0.2+
  • added general message generation for not yet supported generators
  • added sfportscan message generation
  • added a patch for sfportscan preprocessor to show port/ip lists instead of ranges as the original one
  • added validate_log.c to validate idmef messages even if more than one XML document is in a single file, like the message file created by snort-idmef (it has to be compiled separately; see the file for instructions)

Complete details as well as mailing lists for feedback can be found at http://sourceforge.net/projects/snort-idmef.

2005 Snort Scholarship Winners Announced Chris @ Fri May 13 21:55:38 2005 GMT

Congratulations to the two Snort $5,000 Scholarship winners!

Hector Jaime Barraza from Santa Catarina, Mexico IT Administration Major, working towards a LATI degree at ITESM in Monterrey, Mexico, and Venu Madhav Bolisetty from Lincoln Park, New Jersey, Computer Science Major, working towards a M.S. at New York University.

A big thanks to the hundreds of applicants that submitted applications for this program. Look out for the next scholarship program that will be running spring of 2006!

Snort User Group Chicago Meeting Date Change Jennifer @ Wed May 11 23:35:41 2005 GMT

Based on feedback from Chi-town Snorters, we have moved the kick off meeting of the Chicago Snort User Group to June 9th. The rest of the details are the same:

Nigel Houghton, Research Engineer on the Sourcefire Vulnerability Research Team, will discuss some of the great things you can do with Snort rules.

Sponsored by IDC Global Networks and Sourcefire.

When: Thursday, June 9th 5:00-6:30PM
Where: 111 North Canal; Lobby conference room, Chicago, IL 60606
(Catty Corner from Ogilvie Train Station/Metra)

Reception: Just to make sure we do things right the first time, there will be drinks and networking sponsored by IDC Global Networks and Sourcefire to follow at: Coogans Riverside Saloon, 180 N Wacker, Chicago IL 60606 312-444-1134

Space is limited, so please RSVP to snort_groups@sourcefire.com.

French Snort Installation Guide Jennifer @ Wed May 11 15:25:23 2005 GMT

The latest addition to the International Snort documentation collection has arrived. Fathi Ben Nasr has written a French step by step installation guide for Snort. This guide is available in the docs section.

Thanks Fathi!

Windows Binaries for 2.3.3 Released Jeremy @ Tue May 10 23:53:16 2005 GMT

The Win32 release of Snort v2.3.3 is now available. We realize this has been an issue for many users, but unfortunately there were some unavoidable delays for this release. We're sorry for the delay.

Below is a recap of the changes for 2.3.3:

  • Fixed sfPortscan Open Ports not getting suppressed.
  • Added new mini-preprocessor to catch the X-Link2State vulnerability. See Snort manual for details.

Cheers,
The Snort Team

Webcast Featuring Marty and True North Solutions Jennifer @ Mon May 9 21:10:24 2005 GMT

Marty and Bill Sieglein, VP of Corporate Strategy at True North Solutions, have teamed up for a complimentary webcast entitled "Building a Self-Securing Network." Hear Marty explore recent innovations in network discovery and how security systems are gaining the intelligence required to automate threat management. He will discuss why a policy-based security approach is important, as well as the role that a Network Defense System (NDS), which includes IDS, IPS, real-time discovery and vulnerability management, will play in this next generation "self-securing network."

When: May 17, 2005 at 12:00pm EST

Details and registration here.

Marty Dukes It Out with Tipping Point in the 'The Great IPS Debate' Jennifer @ Mon May 9 15:42:36 2005 GMT

InfoWorld pitted Martin Roesch, CTO and founder of Sourcefire (and the creator of Snort) against Marc Willebeek-LeMair, CTO and Chief Strategy Officer of 3Com’s security division for the Great IPS Debate. TippingPoint’s Willebeek-LeMair is bullish on the supreme effectiveness of his IPS approach; while Roesch positions IPSes (which Sourcefire offers) as just one component of an integrated network defense system. The clash of these two partisans reveals much about the state of network protection and the rivalry between hardware and software security vendors.

This one is definitely worth a read.

http://www.infoworld.com/article/05/05/09/19FEipsids_1.html

Snort Technical Guide Available Jennifer @ Fri May 6 20:32:58 2005 GMT

JP Vossen, Senior Security Engineer for Counterpane Internet Security, has written a Snort Technical Guide. "Arguably one of the best network intrusion-detection systems (NIDS) is the free and open source Snort package. It has a large and active community, and is backed by the commercial company Sourcefire, making Snort a strong contender in the NIDS market. The package itself is free. All that's required is some hardware to run it on and the time to install, configure and maintain it. Snort runs on any modern operating system (including Windows and Linux), but some consider it to be complicated to operate. The goal of this guide is to take some of the mystery out of Snort."

Topics include:

  • Why Snort makes IDS worth the time and effort
  • How to identify ports
  • How to deal with switches and segments
  • Where to place IDS sensors
  • What OS to use for Snort sensors
  • How to determine how many interfaces a sensor needs
  • How to modify and write custom Snort rules
  • How to define Snort's configuration variables
  • Where to find Snort rules
  • How to automatically update Snort rules
  • How to decipher the Oinkcode
  • How to verify that Snort is operating

This guide is available at http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1083823,00.html.
Thanks JP!

VRT Certified Rules Update for Latest Vulnerabilities Jennifer @ Wed May 4 21:02:12 2005 GMT

After continuing research into vulnerabilities in Oracle, Computer Associates License Application and the Mozilla web browser, the Sourcefire Vulnerability Research Team (VRT) has released a number of rules to detect attacks against vulnerabilities in these products. These rules are available to subscribers only until 05/09/05.

Download rules | view advisory | changelog.

Snort User Group Coming to Chicago Jennifer @ Tue May 3 18:38:41 2005 GMT

IDC Global Networks has graciously agreed to sponsor the first Snort User Group meeting in the Chicago area. This will hopefully be the first of many, so we invite you all to join us and provide feedback to make this group a success.

In addition, Nigel Houghton, Principal Research Engineer on the Sourcefire Vulnerability Research Team, will discuss some of the great things you can do with Snort rules.

Sponsored by IDC Global Networks and Sourcefire.

When: Thursday, June 2nd 5:00-6:30PM
Where: 111 North Canal; Lobby conference room, Chicago, IL 60606 (Catty Corner from Ogilvie Train Station/Metra)

Reception: And just to make sure we do things right the first time, there will be drinks and networking sponsored by IDC Global Networks and Sourcefire to follow at: Coogans Riverside Saloon, 180 N Wacker, Chicago IL 60606 312-444-1134

Space is limited, so please RSVP to snort_groups@sourcefire.com.

Hope to see everyone there!

Draft OSSRC Operating Plan Available Alex @ Tue May 3 14:35:34 2005 GMT

A new draft operating plan for the OSSRC is now available here. It is intended to define how the OSSRC will operate, and to help move the organization towards its official launch. As with the charter, this operating plan is open to debate, particularly on the new OSSRC-Intro mailing list (where much productive discussion is already occurring).

We look forward to hearing your comments on this document, and the OSSRC in general. See you on the list!

Frag3 Development Paper Available Judy @ Tue May 3 14:26:12 2005 GMT

Snort has begun to implement target-based analysis with the frag3 preprocessor. Frag3 is able to reassemble overlapping fragments using the same policy as the destination host. A user configures the IDS to apply specific fragmentation reassembly policies for individual hosts or networks. Then, when Snort sees overlapping fragments bound for any of these hosts, it knows the appropriate reassembly policy to apply—allowing both Snort and the destination host to reassemble the fragments identically. This successfully precludes evasion attacks that use overlapping fragments.
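Why the per-host policy matters is easiest to see by reassembling one set of overlapping fragments under several policies. The following is an added example, not frag3's code and not the test code from the paper: the per-byte rules are a simplified reading of the Paxson/Shankar policy classification, offsets are plain byte offsets rather than the IP header's 8-byte units, and the fragments are constructed sample data (all assumptions).

```python
"""Target-based fragment reassembly, as frag3 models it per host.

Added example, not frag3's own code. The same overlapping fragments
reassemble to different payloads under different host policies; the
per-byte rules below are a simplified reading of the Paxson/Shankar
classification (assumption), and offsets are plain byte offsets rather
than the 8-byte units used in the IP header (assumption).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this fragment's data within the datagram
    data: bytes


# Given the fragment that already owns a byte (old) and the fragment that
# newly overlaps it (new), return True if the old data is kept.
POLICIES = {
    "first": lambda old, new: True,                      # original data always wins
    "last":  lambda old, new: False,                     # subsequent data always wins
    "bsd":   lambda old, new: old.offset <= new.offset,  # original wins unless new starts earlier
    "linux": lambda old, new: old.offset < new.offset,   # like bsd, but ties go to the new fragment
}


def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Apply fragments in arrival order, resolving overlaps with `policy`."""
    keep_old = POLICIES[policy]
    owner: Dict[int, Fragment] = {}   # byte position -> fragment supplying it
    for frag in fragments:
        for i in range(len(frag.data)):
            pos = frag.offset + i
            if pos not in owner or not keep_old(owner[pos], frag):
                owner[pos] = frag
    if not owner:
        return b""
    end = max(owner) + 1
    # A hole means the datagram is incomplete; fill it with NUL so the caller
    # can still see where the received data landed.
    return bytes(
        owner[p].data[p - owner[p].offset] if p in owner else 0
        for p in range(end)
    )


def reassembly_mismatch(fragments: List[Fragment], ids_policy: str,
                        host_policy: str) -> Tuple[bytes, bytes, bool]:
    """Compare what an IDS reassembles with what the target host reassembles.

    Returns (ids_view, host_view, differs). A mismatch means the IDS inspects
    bytes the host never sees (or misses bytes it does), which is the gap
    frag3's per-host policy configuration closes.
    """
    ids_view = reassemble(fragments, ids_policy)
    host_view = reassemble(fragments, host_policy)
    return ids_view, host_view, ids_view != host_view


# Constructed sample: three overlapping fragments, listed in arrival order.
SAMPLE = [
    Fragment(4, b"BBBBBBBB"),   # bytes 4..11 arrive first
    Fragment(0, b"AAAAAAAA"),   # bytes 0..7, overlaps 4..7 from an earlier offset
    Fragment(4, b"CCCCCCCC"),   # bytes 4..11, same offset as the first fragment
]

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:6s} {reassemble(SAMPLE, name).decode()}")
    ids_view, host_view, differs = reassembly_mismatch(SAMPLE, "first", "linux")
    print("mismatch" if differs else "consistent", ids_view, host_view)
```

Each of the four policies yields a different 12-byte result for SAMPLE, so an IDS configured with the wrong policy for a host can disagree with that host on the payload it inspects.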

As I was writing code to test frag3, it seemed like a good idea to document what I was doing and what I learned. This evolved into a paper that discusses a sample fragmentation attack, talks about the fragment reassembly policies identified by Vern Paxson and Umesh Shankar, and shows how Snort frag3 can be used. I've included some of the poorly written code (not pretty, but it worked for these purposes) I wrote to assess the fragmentation reassembly policy used by a remote host and to test whether or not an IDS can be evaded by an attack that uses overlapping fragments.

Hope you all find it interesting. You can download the paper at http://www.snort.org/docs/#devel. Feel free to send any feedback to snort-feedback@sourcefire.com.

Updated Forums - Check 'em Out Nathan @ Fri Apr 29 16:26:22 2005 GMT

Based on feedback from you guys, we have updated the forums with some great new features. We have added things like:

  • Easier navigation
  • Reply counter
  • "Last post" column
  • Reputation items like # of posts per user and registration date
  • Emoticons, emoticons, emoticons

Hope everyone likes 'em. Send any additional feedback to snort-feedback@sourcefire.com

Happy Snorting!

OSSRC Discussion List Available Alex @ Mon Apr 25 19:26:22 2005 GMT

Sourcefire is pleased to announce a new mailing list, ossrc-intro@lists.snort.org. This list is open to the public, and will not be moderated; users may subscribe by sending a blank mail to ossrc-intro-subscribe@lists.snort.org or via a web interface at https://lists.snort.org/mailman/listinfo/ossrc-intro.

The purpose of this list is to promote discussion of the Open Source Snort Rules Consortium prior to its official launch, in order to make sure that input from all potentially interested members is heard. New lists will be created as appropriate once the OSSRC is up and operational.

Any questions, comments, or complaints concerning this list should be directed to Jennifer Steffens.

Hope to chat with you there.

Snort 2.3.3 is Now Available Jeremy @ Sat Apr 23 21:30:56 2005 GMT

Good evening, Snorters!

Snort v2.3.3 has been officially released.

This release covers two points, listed below:

  • Issues with suppressing sfPortscan Open Ports have been fixed.
  • Added a new mini-preprocessor to catch the X-Link2State vulnerability. This preprocessor can be configured to drop the offending connection when in Inline-mode. Please read snort.conf or the snort manual for more details. This preprocessor is enabled by default in snort.conf.

Snort tarballs and RPMS can be found at http://www.snort.org/dl/; Win32 distribution is not yet available, however we hope to have it up shortly.

Thanks, and do have a great weekend!

The Snort Team

Securimine for Snort (SFS 1.0.2.19) Available Jennifer @ Thur Apr 21 15:21:56 2005 GMT

The Securimine team has made a maintenance release of Securimine for Snort (SFS 1.0.2.19) available at http://www.securimine.com/download.html.

SFS is an analysis and reporting tool for Snort alerts. SFS is a complementary tool to existing Snort web interfaces (ACID, etc.) that offers a unique analysis based on data mining and behavioral modeling techniques. SFS reduces false positives and enhances the ability to identify significant threats.

SFS 1.0.2.19 includes:

  • Better and faster payload comparisons
  • Bug fixes
  • General performance improvements

They welcome your suggestions, comments and feedback as well. Please write to support@securimine.com.

For additional information please visit http://www.securimine.com.

VRT Certified Rules Update for Microsoft Exchange Server Vulnerability Jennifer @ Wed Apr 20 21:29:51 2005 GMT

The Sourcefire VRT has received reliable reports that a worm is being developed that propagates using a vulnerability announced in the Microsoft Security Bulletin (MS05-021) released on Tuesday April 12 2005.  The VRT has released a new rule to detect possible attempts to exploit this vulnerability, which is associated with an extended verb request in Microsoft Exchange servers.

Read full advisory | Download Ruleset

Summary: NST (Network Security Toolkit) Version 1.2.2 Released Marty @ Mon Apr 20 15:01:31 2005 GMT

Ron Henderson and the folks at NST have submitted the following regarding the recent release of NST V1.2.2. For complete details, visit http://www.networksecuritytoolkit.org. Thanks guys!

From NST:
"There have been many more enhancements and updates. The major highlights include:

  • Complete end-to-end management of the Snort IDS application. The Snort scripts and web based interface have been greatly enhanced. There have been many additions to allow for the full management/customization of your snort processes. The Snort binary was built with both the flex-response and inline features. It now supports Bleeding Snort flex-response rule sets. Snort rules may now be edited on the fly. We have made it easy to update your Snort rule sets with your registered "Oinkcode". BASE v1.1.2 is also included.
  • We also added the Metasploit Framework package. A web-based front end was added to make setting up the metasploit framework a snap.
  • There have been many additions and enhancements to the NST WUI (web-base user interface) such as auto-refresh file viewing for task completion.

As usual, there have been many package updates since 1.2.1. Please see the changelog for a complete list of updates: http://www.networksecuritytoolkit.org/nst/log/changelog.html"

Continuing Coverage Provided for New Microsoft Threats Jennifer @ Mon Apr 18 21:36:42 2005 GMT

After continuing research into the Microsoft Security Bulletin (MS05-017) released on Tuesday, April 12 2005, the Sourcefire Vulnerability Research Team (VRT) has released a number of new rules to detect possible attempts to exploit the vulnerability remotely. Additionally, a rule to detect attempts to cause a Denial of Service using spoofed ICMP messages is also included in this rule pack.

View advisory | change log.

To download this VRT Certified Ruleset, click here

Diagrams for Snort Developers Jennifer @ Mon Apr 18 21:18:32 2005 GMT

Charles Bedón and Andres Arboleda have released a set of diagrams for Snort developers. This is the very first release (v02_alpha) so any comments and corrections are welcome. Documentation is available at http://www.unicauca.edu.co/~cbedon/snort/snort.html.

Way to go guys!

Turkish Snort Installation Guide Available Jennifer @ Mon Apr 18 20:50:18 2005 GMT

We have yet another international doc to add to our growing collection. Big thanks to Ozmen Emre DEMIRKOL for providing a Snort Installation Guide in Turkish. This can be found in our setup guides section under docs.

Oinkmaster v1.2 Available Jennifer @ Mon Apr 18 14:30:21 2005 GMT

Oinkmaster v1.2 has been released. This release includes the following changes:

  • Slightly improved modifysid/template documentation and examples.
  • Suppress warnings about non-matching modifysid expressions when running in super quiet mode (-Q).
  • Permit .tgz suffix for rules archive.
  • Permit filename as argument to modifysid (and use_template) to apply a substitution expression on all rules in the specified files(s).
  • You can now download multiple rules archives from different URLs at the same time.
  • Many updates to the FAQ, especially regarding how to update rules from multiple sources. Also added info about how to use Oinkmaster after Sourcefire changed the license of the rules.

This update as well as a detailed change log is available at http://oinkmaster.sourceforge.net/

IDS Policy Manager 1.6.1 for Windows Available Jennifer @ Mon Apr 18 14:20:26 2005 GMT

The folks at ActiveWorx have released IDS Policy Manager 1.6.1 for Windows 2000/XP. IDS Policy Manager was designed to manage Snort IDS sensors in a distributed environment. This is done by having the ability to take the text configuration and rule files and allow you to modify them with an easy to use graphical interface. In addition, you can merge new rule sets, manage preprocessors, control output modules and scp rules to sensors.

This new release of IDS Policy Manager adds a few new items and cleans up lots of minor issues. For Snort users on Windows, they have also added the ability to upload via file copy.

Some of the new features include:

  • Added - File copy for upload to windows snort sensor
  • Added - Comments to threshold/suppression
  • Added - When start search, enable signatures tab
  • Added - Quick rule update check back into app
  • Fixed - lots of minor issues within the app

You can download this free software at http://www.activeworx.org

Existing Detection of Multiple Microsoft Vulnerabilities Nigel @ Thur Apr 14 18:20:15 2005 GMT

After continuing research into the Microsoft Security Bulletin (MS05-019) released on Tuesday April 12 2005, the Sourcefire Vulnerability Research Team (VRT) has determined that existing rules and pre-processors will generate events if attempts are made to exploit the vulnerabilities outlined in the bulletin.

View advisory.

Coverage Provided for New Microsoft Threats Jennifer @ Tue Apr 12 17:35:45 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Microsoft Internet Explorer and the Microsoft Windows operating system. In a partnership with iDEFENSE, the Sourcefire VRT received advance notice of these vulnerabilities and has coordinated the release of VRT Certified Rules in conjunction with Microsoft's public announcement, providing Snort users with coverage in advance of actual threats.

View advisory | change log.

To download this VRT Certified Ruleset, click here

BASE v1.1.2 Available Jennifer @ Mon Apr 11 17:11:18 2005 GMT

The BASE Team has announced that due to a series of serious bugs that affected certain installations of BASE, they have released the 1.1.2 (zora) version. This version is a minor release but is recommended to everyone as the bugs can cause issues that will be hard to track down.

Specifically, the errors were fatal calls to a non-object whenever you selected one of the query pages.

The BASE project team would like to thank everyone that assisted with figuring this out. The users of BASE have proven that OSS works, since the developers were not able to reproduce the error on any of our test systems.

http://secureideas.sourceforge.net/

IBM Lotus Domino Denial of Service Nigel @ Tue Apr 6 21:38:38 2005 GMT

The Sourcefire VRT has learned of a serious vulnerability affecting IBM Lotus Domino Server. Certain versions of IBM Lotus Domino Server are vulnerable to a Denial of Service condition as reported by iDefense[0]. During our research, we have verified that Snort will generate events from http_inspect based on the large URI request that is needed to trigger the DoS condition.

The event will appear in Snort logs as:

  [**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]

[0] http://www.idefense.com/application/poi/display?id=224&type=vulnerabilities

Honeynet Security Console v2.0 Available Jennifer @ Wed Apr 6 21:02:21 2005 GMT

The folks over at Activeworx have announced the release of Honeynet Security Console (HSC) version 2.0 For Windows 2000/XP. Honeynet Security Console is an analysis tool to view events on your personal network or honeynet. It gives you the power to view events from Snort, TCPDump, Firewall, Syslog and Sebek logs. It also allows you to correlate events between each of these data types to have a full view of the attackers' actions.

This tool is not only for honeynets, it is also a great interface to view snort events. With both Honeynet Security Console and IDS Policy Manager (also at activeworx.org) you have a complete solution to manage your snort rules and view the events.

Some of the new features of Honeynet Security Console are:

  • Additional search capabilities to IDS events
  • Additional graphs and updated existing graphs
  • Added Search capabilities to IDS event payload
  • all new look and feel for 2005!
  • plus a lot more...

To download this free software or get more details about this product, visit http://www.activeworx.org.

VRT Certified Rules Update for Telnet Vulnerability Chris @ Tue Apr 5 18:31:48 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting Telnet. Programming errors in the Telnet client code from various vendors may present an attacker with the opportunity to overflow a fixed length buffer.

View advisory | change log.

BASE (Basic Analysis and Security Engine) 1.1 Released Nigel @ Mon Apr 4 20:13:24 2005 GMT

The BASE project has released BASE version 1.1. The new feature list includes an in-built graphing engine, a stand-alone database cache updater, support for themes and colors as well as support for viewing archived data alongside the working data in the same BASE installation. For all the other feature details and bug fixes, visit the project web site at http://base.secureideas.net/

Snort adds SETI capabilities Marty @ Fri Apr 1 20:34:40 2005 GMT

As we improve Snort's detection capabilities we like to keep the community informed of new directions that we're going with the system. Today we'd like to announce a major new capability that we've added to Snort, the ability to detect intelligent extraterrestrial life. This new rules pack will enable Snort to detect a variety of alien intelligences both benign and hostile. In testing we were able to detect alien intelligences from up to 10 megaparsecs distance without incurring false positives, giving ample warning time to evacuate the planet, prepare appropriate solar system defenses and even travel back in time to kill the alien in question's grandparents. Please keep in mind that these rules may affect sensor performance somewhat, but we feel that the increased capabilities beyond the usual old buffer overflows, worms and viruses make any performance hit worth it.

Download new ruleset

Happy Snorting!

New Version of SnortCenter Available to Support Various Rulesets Jennifer @ Thur Mar 31 22:10:03 2005 GMT

Jason Alexander, the Keeper of SnortCenter, has released a new version of SnortCenter 2.x. This release provides the functionality to bring in rules from Sourcefire VRT, Sourcefire Community, and also Bleeding Snort. To accomplish this they have created a script that goes out and downloads all the archives from the various sources, combines them into one source, and makes them available to SnortCenter via the same webserver that hosts the console. This script is located in the scripts directory; after you configure it with your OinkCode and other information, they suggest that you put this file into a cron job. Once the rule_combine script has been configured, simply point the config.php file at the directory you created the rules in. This script can be easily extended to any new rule sets that come along, requiring no changes to the main SnortCenter 2.x code.

You can download the new version of the console from the sourceforge project site at: http://sourceforge.net/projects/snortcenter2/

VRT Certified Rules Update for MySQL Vulnerability Jennifer @ Mon Mar 28 21:31:48 2005 GMT

The Sourcefire Vulnerability Research Team (VRT) has learned of serious vulnerabilities affecting MySQL. A new VRT Certified Ruleset has been released which includes rules to detect attempts to exploit this vulnerability. In addition, the VRT has leveraged new detection engine capabilities to provide coverage for an FTP port bounce attack.

The VRT has also added rules and improved detection capabilities as a result of ongoing research into serious vulnerabilities affecting Computer Associates License Server, BrightStor ARCserver and Oracle database servers.

View advisory | change log.

NSS Gigabit IDS Test Available Jennifer @ Fri Mar 25 18:20:35 2005 GMT

Bob Walder and The NSS Group just published Edition 3 of their Gigabit IDS group test report. Only two products were able to make it through to the final report this time:

  • ISS Proventia A604 at 600Mbps
  • Sourcefire IS3000 at 1Gbps

In addition, the report highlights the Sourcefire RNA product.

The report can be viewed on-line at www.nss.co.uk/gigabitids. As usual, the entire report is up there barring only the benchmark results tables.

Big thanks to The NSS Group!

OSSRC Charter Available Jennifer @ Wed Mar 23 16:04:07 2005 GMT

The Open Source Snort Rules Consortium (OSSRC) is dedicated to the development and advancement of Snort Rules. The OSSRC was created to provide a means by which members of the Snort community can embrace the open source model and share resources for the greatest benefit of all members of the community.

The stated goals of the OSSRC are to:

  • Establish metrics and standards for Open Source Snort rule development and documentation
  • Provide a forum for the sharing of research and information for the development of effective Snort Rules
  • Ensure continuous support for a Snort Ruleset licensed under the GPL.

The OSSRC Charter is now available for review; you can download the document here. If you are interested in joining, please e-mail either Jennifer Steffens or Matt Jonkman at Bleeding Snort.

IDS Policy Manager 1.6.0 Now Available Jennifer @ Tue Mar 22 12:26:20 2005 GMT

The folks over at Activeworx have released IDS Policy Manager 1.6.0 for Windows 2000/XP which includes support for the changes that have recently been made with snort.org and the ruleset license. To upgrade your ruleset, you will now need an oinkcode. Registered users can generate an oink code for free at https://www.snort.org/reg-bin/userprefs.cgi.

IDS Policy Manager is designed to manage Snort IDS sensors in a distributed environment. This is done by having the ability to take the text configuration and rule files and allow you to modify them with an easy to use graphical interface. With the added ability to merge new rule sets, manage preprocessors, control output modules and scp rules to sensors, this tool makes managing snort easy for most security professionals.

Some of the additions include:

  • Support for threshold.conf file
  • Support for downloading rules with new format from snort.org
  • Support for new Snort.org reference website format
  • Bleeding Snort ruleset now downloads bleeding.rules.tar.gz from bleedingsnort.com

You can download this free software at http://www.activeworx.org

Sourcefire VRT Certified Rules Update Jennifer @ Wed Mar 16 16:35:43 2005 GMT

A Sourcefire VRT Certified Ruleset was released to subscribers tonight. This update includes rules to detect attempts to exploit serious vulnerabilities affecting Oracle database servers, Computer Associates License server and MySQL MaxDB WebSQL service.

Read the full advisory here. Download the rules here.

SnortSnarf updated to work with new Snort.org Marty @ Mon Mar 14 15:54:11 2005 GMT

We received numerous mentions of SnortSnarf's SID lookup function not working properly with the new SID DB script on the site. I did a little mini update to fix the problem, go get it at http://www.snort.org/dl/contrib/data_analysis/snortsnarf/. Please report any more snort.org related issues you have with unmaintained 3rd party software to snort-feedback@sourcefire.com.

Open Source Snort Rules Consortium Forming Marty @ Mon Mar 14 10:07:21 2005 GMT

Sourcefire and Bleeding Snort have been working together over the last week with input from other Snort community members. We're excited to announce that Sourcefire and Bleeding Snort will be forming a consortium called the Open Source Snort Rules Consortium (OSSRC).

The OSSRC will be a group that any company or organization will be welcome to join. The members will share research on new threats and rules to handle those threats, with the goal of creating a unified community-based ruleset. Each member may post these rules wherever they choose, distribute them to their clients or customers, or use them in their own subscription services according to the provisions in the GPL. The goals of the group are still forming, but initially will be to:

  1. Maintain a fast moving and GPL-licensed Snort ruleset
  2. Avoid rule duplication amongst community rulesets, both in terms of content and SIDs
  3. Improve and enforce quality standards for rules (documentation, etc.)
  4. Possibly move to a Stable and Unstable rule 'vetting' process

More details will come shortly, but the gist is that all of the companies and organizations that want to contribute resources and efforts to the open source community may do so in a single framework, but still bring that information back to their own projects. We will avoid duplication, SID conflicts, and gaps in rulesets.

All of the contributing members of the OSSRC will have an equal say in direction and operation. We are finalizing the draft of a formal charter, which will be available to all for review soon. This will outline a board of directors and officers that will be modeled after other open source projects. No one company or organization will have any controlling interest in the OSSRC, nor will there be any chance of the content channeled through the OSSRC becoming anything but free under the GPL.

This is something we have been considering for quite some time and are excited to finally have the opportunity to move forward and continue to increase our support of the Open Source Snort community. We welcome every interested organization to join the OSSRC. Please email either Jennifer Steffens or Matt Jonkman at Bleeding Snort if you're interested in being an initial member. There are no financial obligations: you are only being asked to contribute to the work of the group and share in the information being collected.

Sourcefire VRT Certified Rules Update Jennifer @ Thurs Mar 10 17:45:21 2005 GMT

The first official Sourcefire VRT Certified Ruleset was released to subscribers tonight. This update includes rules to detect attempts to exploit serious vulnerabilities affecting Computer Associates BrightStor ARCserver. In addition, the VRT has also added rules and improved detection capabilities of existing rules as a result of ongoing research into vulnerabilities with Microsoft applications using SSL.

Read the full advisory here. Download the rules here.

Snort 2.3.2 released Jeremy @ Thurs Mar 10 16:54:35 2005 GMT

Howdy all,

Based on feedback from the community and in support of the Bleeding Snort ruleset, we have removed the end-of-line parser fix. We will be completely reworking this for the next parser overhaul.

Thanks,
The Snort Team

You squealed, we listened! Marty @ Wed Mar 9 17:54:55 2005 GMT

Ok guys, based on feedback from the community we have made a few changes to the license and web site.

1. The feared audit provision has been replaced by the following:

License Compliance. You may be requested by Sourcefire to provide a certificate, signed by your authorized representative, that you are using the VRT Certified Rules consistent with a Permitted Use. In the event your use of the VRT Certified Rules is not in compliance with a Permitted Use, or if you otherwise violate the terms of this Agreement, Sourcefire may, since remedies at law may be inadequate, in addition to its other remedies: (a) demand return of the VRT Certified Rules; (b) forbid and enjoin your further use of the VRT Certified Rules; (c) assess you a use fee appropriate to your actual use of the VRT Certified Rules.

The revised license is now available at http://www.snort.org/about_snort/licenses/vrt_license.html. All Sourcefire VRT Certified Rulesets will be governed by this license unless otherwise communicated by Sourcefire.

2. Oink Codes for Oinkmaster are now generated based on your username and do not require an Internet IP address of the snort box. Previous Oink Codes generated with an IP address will still work as expected.

3. The Rule Search functionality is currently being revised and will be available this week.

I would like to thank everyone for being patient as we are rolling out these new changes. If you have any other questions or concerns about the licensing or web site, please let us know. As I have said before, we continue to have the interest of the Snort community at heart so we are always willing to listen and try to improve.

If anyone has any questions or comments please send mail to me or snort-feedback@sourcefire.com and we'll get back to you.

Snort 2.3.1 released Jeremy @ Wed Mar 9 15:54:40 2005 GMT

Hello Snorters!

Snort 2.3.1 has been released to address a few important issues some users have experienced since the release of 2.3.0. A big thanks to the community for your continued support and feedback, which is very much appreciated. Below is the list of resolved items for this release:

  • Fixed issue where the number of flowbits were too small. Thanks Marc Norton for the fix.
  • Fixed parsing of comments at end of line in config file. In snort.conf, anything that follows a # on a line is considered a comment. Thanks Steve Sturges for the fix.
  • Fixed alignment issue causing sfPortscan to crash on Solaris/HPUX. Thanks Andy Mullican for the fix. Thanks Senthil Prabu.S and Jonathan Miner for working with us on this.
Snort-2.3.1 can be found at the usual place, http://www.snort.org/dl. Please remember that updated rules are only included in major releases. For updated rules, visit http://www.snort.org/rules/.

New Snort.org Web Site Jennifer @ Mon Mar 7 18:54:40 2005 GMT

Sourcefire is pleased to provide a redesigned and enhanced snort.org web site for your use, including new features such as User Forums. We will be continuing to update the site with additional features and content over the next few weeks. In the meantime, your feedback is important to us, so please send your comments to snort-feedback@sourcefire.com.

Enhancing Snort Community Rule Management Jennifer @ Wed Mar 2 21:48:31 2005 GMT

As you have probably heard, on March 7th Sourcefire will be distributing new "Sourcefire VRT Certified" Rule updates under a new license that restricts commercial redistribution. In the same effort, we will also be investing additional resources in enhancing the development and management of Community Snort Rules. To help accomplish this, we have been working closely with folks over at Bleeding Snort. We are happy to announce that we will be working toward integrating their hard work more closely with the Snort.org project. We are confident that this joint effort will help foster a single community that will be the premier source for Snort rules, along with a more mature and still completely open rule and research group.

Details of this arrangement are still being finalized but be assured, the primary goals of everyone at Bleeding Snort and of Sourcefire are:

  1. Keeping a fast moving community ruleset
  2. Keeping community rules open sourced, community based, and community maintained
If you have any questions regarding this project or any upcoming changes, email snort-feedback@sourcefire.com.

Rules licensing changes Brian @ Wed Mar 2 21:22:27 2005 GMT

As you might have seen on the various snort mailing lists, Marty announced a new license for new rules released by Sourcefire. His announcement is available here. Marty makes a number of important comments, so please read his entire announcement before judging it.

AFTER you are done reading the entire message, if you have questions or suggestions, please contact snort-feedback@sourcefire.com or Marty directly.

Snort from Sourcefire wins Best Intrusion Solution by SC Magazine Jennifer @ Thurs Feb 24 18:48:46 2005 GMT

“Snort has become the de facto standard for intrusion detection and prevention because it delivers exactly the flexibility and precision that organizations need to protect their networks,” said Martin Roesch, Author of Snort and Founder/CTO of Sourcefire. “We are very proud of this recognition from SC Magazine and will continue the rapid pace of development that has put Snort on the leading edge of network security innovation.”

Read full press release | See a photo from the ceremony

Snort setup guide in Russian Brian @ Mon Feb 21 18:48:46 2005 GMT

zinfo@mail.ru sent us a Snort, Apache, PHP, MySQL, and BASE install guide for SuSe 9.2. While a guide is nothing new, this one is the first guide in Russian. NOTE: I don't speak Russian, so reader beware, we can't vouch for this document!

The guide is available in our doc section. Thanks zinfo@mail.ru!

Snort 2.3.0 released Jeremy @ Tue Jan 25 20:05:27 2005 GMT

Hello all,

The Snort Team is pleased to announce the availability of Snort v2.3.0 Final! There are only a few minor changes from RC2 to final. The following are the release notes for Final:

  • Fixed issue with sfPortscan reporting incorrect IP datagram length. Thanks Jon Hart for the test case and finding the bug, and Marc Norton for resolving the issue.
  • Threshold/Suppression now prints properly when logging to syslog. Thanks Sekure for pointing out the problem. Thanks Steve Sturges for working on the fix.
  • Threshold memcap argument now correctly handles non-integer input. Thanks nnposter for the patch.
  • Fixed issue reported by Allan Jensen, where on MacOS X, ppp links were not decoded properly. Thanks Dan Roelker for the fix.
  • Snort manual and FAQ are updated for 2.3. Thanks Jen Harvey for your work on putting it all together.

Please see the ChangeLog and RELEASE.NOTES for further details.

The Final version can be downloaded from the usual place. RPMs and Win32 binaries will be up shortly.

Also, a big thanks to the community for using and testing out the release candidates. Your support and contributions are appreciated!

Cheers,
The Snort Team

Want a Snort scholarship? Time to get in gear! Brian @ Mon Jan 24 15:44:54 2005 GMT

Time is starting to run out guys. Sourcefire is offering two $5,000 scholarships to college students attending a Snort-approved university (that means Snort is either covered in the Computer Science curriculum or helping to secure the university network) for the fall 2005 semester. For more information on how to apply click here.

Webcast: Open Source Application School, Security Administration Tools Brian @ Fri Jan 21 15:49:01 2005 GMT

Sourcefire is sponsoring a webcast on January 26th via SecureEnterpriseLinux.com that is relevant to Snort users. The official blurb that I was given is:

Do you Snort when you tackle securing your network? If Snort isn't on your security tool list, you're missing a free ride to a more secure enterprise. Find out about Snort and other enterprise-ready open source security applications in this Webcast. Expert speaker Bernard Golden offers a guide to choosing and using security management and administration applications.

You can register here.

Snort DOS Brian @ Thu Dec 23 21:03:43 2004 GMT

First off... If you are using 2.3.0 RC1 or RC2, you are not vulnerable. Get back to work!

Yes, Snort is vulnerable to a denial of service. The bug was reported by Marcin Zgorecki, and fixed by Dan on 2004-10-04. You are only vulnerable if you are running snort with "FAST" output (which isn't very fast) or in verbose mode. Neither of these methods are recommended for production, so this bug should not be a problem for most people.

Using barnyard? Using snortdb? You are not vulnerable.

Using FAST output? Use this as an opportunity to switch to a faster output plugin (unified, and barnyard) or upgrade to 2.3.0RC2.

0 day rules Brian @ Thu Dec 16 15:50:59 2004 GMT

There are a number of new rules available today that detect two 0 day vulnerabilities (Samba & Ethereal). These rules are made available for download in the usual place. The rules were written by the Sourcefire research team. Please make sure to say thanks for the hard work.

NOTE: you must use 2.3.0 RC2 in order for the new rules to work!

Snort 2.3.0 RC 2 released Jeremy @ Wed Dec 15 16:05:04 2004 GMT

Thanks to everyone who tested and commented on the Snort 2.3.0 RC1 release. Your support is, as always, very much appreciated.

Since Snort 2.3.0 RC1 was released, we've added some new functionality, and wanted to go ahead and do another Release Candidate once more before final. The main features of this release are some new rule option features to byte_jump that can be used for advanced SMB exploit detection. New rules that use this functionality will be available shortly.

So without further delay, we're pleased to announce the availability of Snort 2.3.0 RC2. The following bulleted items are the complete release notes for RC2:

  • Added from_beginning and multiplier options for byte_jump. from_beginning skips bytes from the beginning of the content, instead of from the location immediately following the number of bytes to skip. multiplier takes a numeric argument, and skips x times that number of bytes. Thanks Steve Sturges.
  • Updated documentation on flow_depth and HTTP headers per conversations with Joe Patterson. Thanks Joe!
  • Small performance improvement to arpspoof and also fixed a problem where the list of configured IP/MAC entries would contain only one entry and leaked memory. Thanks Jeff Nathan.
  • Fixed a problem affecting MacOS X where linking may fail with non-standard libraries when global symbols are encountered multiple times. Thanks Jeff Nathan.
  • Ignore RST|ACK midstream pickup case so we don't get evasive TCP alerts. Thanks for the report, Sekure. Thanks Dan Roelker for the fix.
  • Moved CheckLogDir() to after parsing snort.conf (for IDS mode) so the logdir config will work if the default or command-line logdir does not exist on the system. Thanks Dan Roelker.
  • Fixed bug when setting the doe_ptr on a successful pcre match. It is now set relative to base_ptr. Thanks Steve Sturges for the fix.
  • In "fast" output, now log only actual packet contents when UDP data length is greater than actual data length. Thanks Brian Caswell for spotting this, and Andrew Mullican for working on the fix.

Further details can be found in the ChangeLog. Thanks again for the support, and please let us know what you think of this release.

Cheers,
The Snort Team
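As an added illustration of the byte_jump options described in the RC2 notes above (this is example code, not Snort's own implementation), the following Python emulates the detection-cursor movement byte_jump performs and shows how multiplier and from_beginning change where the next relative content match starts. The two payloads and their SMB-style length-field layouts are constructed for the example.

```python
import struct

def byte_jump(payload, cursor, nbytes, offset, relative=False, multiplier=1,
              from_beginning=False, little_endian=False):
    """Emulate byte_jump: read a 1-, 2- or 4-byte integer from the payload
    and move the detection cursor by (value * multiplier) bytes.
    Returns the new cursor, or None when the option would fail to match
    (the read or the jump would leave the payload).  Big-endian is assumed
    unless little_endian is set."""
    start = cursor + offset if relative else offset
    end = start + nbytes
    if start < 0 or end > len(payload):
        return None
    fmt = ("<" if little_endian else ">") + {1: "B", 2: "H", 4: "I"}[nbytes]
    value = struct.unpack(fmt, payload[start:end])[0]
    # Default: the skip counts from the byte just after the field read.
    # from_beginning: the skip counts from the start of the payload instead.
    base = 0 if from_beginning else end
    new_cursor = base + value * multiplier
    return new_cursor if new_cursor <= len(payload) else None

def content_at(payload, cursor, needle):
    """Emulate a relative content match at the current cursor."""
    return cursor is not None and payload[cursor:cursor + len(needle)] == needle

# Constructed sample 1: a 2-byte count of 16-bit words follows the "HDR"
# marker, so the data after the count is count * 2 bytes long.
SAMPLE_WORDS = b"HDR" + struct.pack(">H", 3) + b"\x00" * 6 + b"EVIL"

# Constructed sample 2: the 2-byte field at offset 4 holds an absolute
# offset (measured from the start of the payload) of the trailing data.
SAMPLE_ABS = b"ABCD" + struct.pack(">H", 10) + b"\x00" * 4 + b"EVIL"

def demo_multiplier():
    # Cursor sits just after a content match on "HDR"; jump count * 2 bytes.
    cur = byte_jump(SAMPLE_WORDS, 3, 2, 0, relative=True, multiplier=2)
    return cur, content_at(SAMPLE_WORDS, cur, b"EVIL")

def demo_from_beginning():
    with_fb = byte_jump(SAMPLE_ABS, 0, 2, 4, from_beginning=True)
    without = byte_jump(SAMPLE_ABS, 0, 2, 4)  # 6 + 10 = 16 > len, so it fails
    return with_fb, content_at(SAMPLE_ABS, with_fb, b"EVIL"), without

if __name__ == "__main__":
    print(demo_multiplier())        # (11, True)
    print(demo_from_beginning())    # (10, True, None)
```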