Thursday, April 30, 2009

Some days you just can't walk away.....

I apologize ahead of time for the marketing fluff in this post, I promise the next several posts after this will be much heavier on the tech and the cool. However, I just couldn't let this one go and neither could any of the Sourcefire VRT.

Today we got an anonymous email with the following pictures in them.




Now I know that whenever a marketing department makes a slide for a competitive package, it always makes its own product out to be the best. But this one falls far from reality: these guys rank Cisco over Sourcefire. Nothing wrong with Cisco, they make good routers and switches, but other than awesome comic book flash movies (therealm) and cool phones on 24, that's about it. They definitely didn't beat the VRT for 2008 MS vulnerability coverage. (Side note: there were 143 CVEs from MS in 2008, not 140 - but who's counting?) (Side side note: there were 153 CVEs issued in total; 10 were locals, and since we are a Network IPS we dropped those from the count.)

Therefore I call these numbers into question, and I will now provide my own numbers, diligently researched by Alex Kirk (Sourcefire VRT, not a marketing guy). This uses the same rules as provided in the first image above: grep for CVE references and check them against the available coverage data. Note: we only had TippingPoint's numbers and our own available, so we didn't restate the other vendors' numbers.





Additionally, since the negative-day response time thing is statistically silly at best, we calculated this number on our side by utilizing prior coverage detection. This included MS08-067 and MS08-052, which are detected by rules released in early 2006 or prior. It would be more statistically correct to give all prior coverage dates a value of 0, as negative numbers skew this data significantly. If we used this metric our response time would be 0.23 days, or essentially day 0 detection.
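The coverage and response-time metric described above, as an added example (not Sourcefire or VRT code): CVE references are grepped out of Snort rule text, joined with a rule release date table and advisory dates, and the mean response time is computed both raw and with prior coverage clamped to day 0. All rules, SIDs, CVE ids and dates below are constructed for illustration; only the reference:cve,YYYY-NNNN format is the real rule syntax.

```python
"""Coverage count and response-time metric over constructed Snort rules."""
import re
from datetime import date

# Constructed rule text in Snort syntax (SIDs and CVE ids are made up).
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB example A"; sid:90001; reference:cve,2008-0001; classtype:attempted-admin;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CLIENT example B"; sid:90002; reference:cve,2008-0002; reference:cve,2008-0003;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC example C"; sid:90003; reference:cve,2008-0002;)
"""
# Constructed: the date each SID first shipped in a rule release.
RELEASE_DATE = {90001: date(2008, 10, 3), 90002: date(2008, 6, 14), 90003: date(2008, 6, 10)}
# Constructed: vendor advisory publication date for each CVE being scored.
ADVISORY_DATE = {
    "2008-0001": date(2008, 10, 23),  # covered 20 days before the advisory (prior coverage)
    "2008-0002": date(2008, 6, 10),   # covered the same day
    "2008-0003": date(2008, 6, 10),   # covered 4 days later
    "2008-0004": date(2008, 12, 9),   # no rule references it
}

SID_RE = re.compile(r"sid:(\d+);")
CVE_RE = re.compile(r"reference:cve,(\d{4}-\d{4,});")


def cve_index(rule_text):
    """Map CVE id -> set of SIDs referencing it (the 'grep' step of the post)."""
    idx = {}
    for line in rule_text.splitlines():
        m = SID_RE.search(line)
        if not m:
            continue
        sid = int(m.group(1))
        for cve in CVE_RE.findall(line):
            idx.setdefault(cve, set()).add(sid)
    return idx


def response_days(cve, idx, clamp):
    """Days from advisory to earliest covering rule; None if uncovered.

    With clamp=True, prior coverage (negative days) counts as day 0, as the
    post argues it should.
    """
    sids = idx.get(cve)
    if not sids:
        return None
    earliest = min(RELEASE_DATE[s] for s in sids)
    days = (earliest - ADVISORY_DATE[cve]).days
    return max(0, days) if clamp else days


def coverage_report(rule_text, clamp):
    """Return (covered, total, mean response days) over ADVISORY_DATE."""
    idx = cve_index(rule_text)
    days = [response_days(c, idx, clamp) for c in ADVISORY_DATE]
    covered = [d for d in days if d is not None]
    return len(covered), len(ADVISORY_DATE), round(sum(covered) / len(covered), 2)


if __name__ == "__main__":
    print("raw (negative days allowed):", coverage_report(RULES, clamp=False))
    print("clamped (prior coverage = day 0):", coverage_report(RULES, clamp=True))
```

The raw mean comes out negative because one early rule pulls the whole average below zero, which is exactly the skew the post objects to; clamping gives a small positive mean instead.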

I now return you to your regularly scheduled blog of cool, and I will now return to playing with Adobe Javascript.......

int static_key_1 = 0x82056842;

Wednesday, April 29, 2009

DoJoSec Meeting - May 7th

Here lie the details: http://www.dojosec.com/?p=109

A few of us are planning on attending the meeting, come and say hello.

Also, from last month's meeting, our fearless leader and Senior Director of Chaos and Mayhem gave a talk that had something to do with PDFs and Adobe :)

The video is now available online from here: http://www.dojosec.com/?p=92

Tuesday, April 21, 2009

Rule release for today - April 21st 2009

A small set of new rules in today's release and a couple of modifications. Here are the highlights:

Adobe Flash Player Buffer Overflow (CVE-2009-0520):
Adobe Flash Player contains a programming error that may allow a remote attacker to execute code on a vulnerable system via a specially crafted flash file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15478.

Oracle BEA WebLogic Buffer Overflow (CVE-2008-5457):
Oracle BEA WebLogic contains a programming error that may allow a remote attacker to execute code on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15477.

A previously released rule identified with GID 1, SID 15263 will also detect attacks targeting this vulnerability.

RealNetworks Helix Server Buffer Overflow (CVE-2008-5911):
RealNetworks Helix Server contains a programming error that may allow a remote attacker to execute code on a vulnerable system. The error occurs when the application fails to properly process RTSP header information.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15479.

The advisory is available here.

Monday, April 20, 2009

New Snort.org Website

As many of you know the Snort project recently reached its 10th Anniversary. In honor of this milestone we’re giving Snort a new website to call home. This site update is much more than just a new look and feel. We’re rebuilding the site from the ground up to better serve the needs of the Snort Community. Once the site is complete, some of the improvements you’ll see are:

  • Simplified navigation including a new persistent links panel at the bottom of every page allowing you to get the content you need from anywhere on the site
  • Improved user account management allowing you to edit all of your profile information including your email address
  • New Forums application with the ability to rate posts
  • Improved management of VRT Subscriptions including the ability to generate multiple Oinkcodes


The new Snort.org site is still in development, but we've reached a point where we'd like to ask you, the community, for feedback. We've released a beta site at http://beta.snort.org that we'd like you to review and provide feedback on. We'd primarily like your feedback on the new look and feel, updated navigation and content on the site. We'd also like you to submit enhancement requests for new features and content you'd like to see on Snort.org.

We’d particularly like to get specific feedback on additional content that you as a Snort user, rule writer or someone who is developing related projects would like to see on the site that would help you in your day to day life with Snort.

This is a live project and we’ll continue to add functionality and content based on your feedback. In this beta release some of the site functionality has been disabled. At this time you will not be able to register an account, log in, post to the forums, generate Oinkcodes, or buy a VRT subscription, but all other site features are open for your review. We’ll migrate all user account and subscription information prior to the site going live.

All feedback should be submitted via a very short survey at: https://www.surveymonkey.com/s.aspx?sm=WjBviOcPU5nPg5002A12pg_3d_3d.

Thanks for your help and feedback on this project.

Tuesday, April 14, 2009

Microsoft Tuesday Coverage for April MS09-009, MS09-010, MS09-011, MS09-012, MS09-013, MS09-014, MS09-015, MS09-016

Microsoft Security Advisory MS09-009:
A programming error in Microsoft Excel may allow a remote attacker to execute code on a vulnerable system via a specially crafted XLS file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15465.

A previously released rule identified with GID 3, SID 15365 will also detect attacks targeting this vulnerability.

Microsoft Security Advisory MS09-010:
Multiple vulnerabilities in Microsoft Wordpad may allow a remote attacker to execute code on a vulnerable system via a malformed file.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15466, 15467, 15469 and 15455.

Microsoft Security Advisory MS09-011:
A programming error in Microsoft DirectShow may allow a remote attacker to execute code on a vulnerable system via a specially crafted file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15457.

Microsoft Security Advisory MS09-012:
A programming error in the Microsoft network service may allow a remote attacker to escalate privileges on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15470.

Microsoft Security Advisory MS09-013:
A vulnerability in Microsoft WinHTTP may allow a remote attacker to execute code on a vulnerable system. Additionally, a remote attacker may be able to supply an invalid SSL/TLS certificate to the service and impersonate a legitimate web service.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15456 and 15462.

Additionally, a previously released rule identified with GID 3, SID 15124 will also detect attacks targeting these vulnerabilities.

Microsoft Security Advisory MS09-014:
Multiple vulnerabilities in Microsoft Internet Explorer may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15458, 15459, 15460 and 15461.

Additionally, a previously released rule identified with GID 3, SID 15124 will also detect attacks targeting these vulnerabilities.

Microsoft Security Advisory MS09-015:
A vulnerability in the Microsoft SearchPath function may be exploited by a remote attacker should the target system be using the Apple Safari browser.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15468.

Microsoft Security Advisory MS09-016:
Multiple vulnerabilities in Microsoft Internet Security and Acceleration (ISA) server may allow a remote attacker to cause a Denial of Service (DoS) or execute a cross site scripting attack.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15474 and 15475.

Details and rules available here: http://www.snort.org/vrt/advisories/vrt-rules-2009-04-14.html

Friday, April 10, 2009

Rule release for today - April 10th 2009

Rule for Powerpoint memory corruption bug, CVE-2009-0556, extra rule for MS08-068 and Conficker detection update.

More details here: http://www.snort.org/vrt/advisories/vrt-rules-2009-04-10.html

Updating Software

Things to remember when updating software:

  • Backup what you already have
  • Use checklists
  • Read the documentation for the new software (including the INSTALL file and README); you never know what might have changed since the last time you did it
  • When installing from source (and who doesn't with security software?), run ./configure --help first and check the options available (they may have changed, or new things might be available)
  • Document what you are doing (what config options you used and why, etc.)
  • Make sure the new version is actually installed after make install is done
  • Replace the old configuration file with the new one from your source tarball (no, really, this is important)
  • Edit your new configuration to suit, and document what you are doing and why (read your old config and notes; you did it last time, right?)
  • Test everything: make sure the software starts properly, logs properly and behaves how you expect it to
  • If the software is complex and puts a lot of files in different places on the system, it is also a good idea to start with a checklist of files that should be replaced; it might even be better to run make deinstall on the old version and make sure everything is gone before installing the new one
  • If the software interacts with other daemons etc. make sure everything works as expected
  • Keep a close eye on the system itself for a few days
  • Take notes, the kind of notes that someone else could pick up, read and know what you did and could repeat or reverse what you have done

Wednesday, April 8, 2009

Rule Release for today - April 8th 2009

This release updates the VRT Certified Snort Rules to utilize the new DCE/RPC v2 preprocessor. This change deletes more than 5000 rules in the netbios rule category and replaces them with a much smaller rule set. It also contains additional detection for hosts that are currently infected with the Conficker worm.

The DCE/RPC preprocessor now offers improved reassembly of fragmented DCE/RPC requests and improved desegmentation of SMB traffic containing DCE/RPC requests. The preprocessor now also alerts on anomalous behavior and evasion techniques in DCE/RPC data streams. Three new DCE/RPC rule keywords and new DCE/RPC arguments for the byte_test and byte_jump rule keywords add to the enhanced detection capabilities.

IMPORTANT: This release removes more than 5000 rules from the netbios rule category and replaces them with a much smaller number of rules. The Sourcefire VRT has taken care to ensure that your NetBIOS, SMB and DCE/RPC vulnerability coverage is not affected: vulnerabilities previously covered with hundreds of rules are now covered with one or two rules.

NOTE: These changes only affect plain text (GID 1) rules; the shared object (GID 3) rules remain unaffected by the change to the preprocessor.

The default configuration for the new preprocessor is as follows:

preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

NOTE: This configuration may generate a lot of events from the preprocessor in certain environments. If this is the case and these events need to be turned off completely, use the following configuration options:

preprocessor dcerpc2: memcap 102400, events none
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

Conficker Worm Update: Included in this release are four new rules that detect Conficker activity. They are identified with GID 3, SIDs 15449 through 15452.

SIDs 15449 and 15450 detect DNS traffic generated by Conficker infected hosts, while SIDs 15451 and 15452 detect other Conficker related traffic.

IMPORTANT: SIDs 15449 and 15450 may have an adverse effect on sensor performance. If this is the case, disable these two rules in favor of SIDs 15451 and 15452, which also detect Conficker traffic but are prone to false positive event generation.

When downloading rules it is important to note that the 2.8 subscription release is for Snort version 2.8.4, and these rules WILL NOT work with older versions of Snort. This includes 2.8.3 and earlier. In 30 days' time, these packages will be rolled over to registered users; when this happens the registered user rule tarballs will also contain the changes to the netbios rule set.

Each rule tarball contains an etc directory; in here you will find a snort.conf. This configuration file contains the latest configuration options available for that particular release of Snort. For the 2.8.4 rule set, the snort.conf contains the default configuration above.

Additionally, the Snort 2.8.4 release sees some other major enhancements:

  • Support for IPv6 with Frag3 and all application preprocessors (SMTP, FTP/Telnet, DCE/RPC, SSL, DNS, Portscan)
  • Improved target-based support within application preprocessors
  • Ability to automatically pre-filter traffic that is not explicitly configured for inspection, to improve performance
  • HttpInspect update to limit the number of HTTP header fields and alert if the limit is reached
  • Support for multiple IP Addresses and/or CIDRs in HTTP Inspect and FTP/Telnet Server/Client specific configurations

The Snort 2.8.4 release represents a major amount of work on the part of the Snort development team, who have done an outstanding job of improving the detection capabilities of Snort. It is important to stay current with your Snort installations, as future versions will see many more features improved and added; as always, the Sourcefire VRT Certified rule releases will take advantage of these features to the fullest extent. The Sourcefire VRT wishes to thank the Snort development team for their continued hard work in making Snort what it is today and what it is becoming in the future.

Ruleset changelogs are available here.

Monday, April 6, 2009

Snort 2.8.4 is nigh

Back in February, I wrote about having to upgrade Snort pretty soon. Well, the time is upon us. This week, we will be releasing Snort 2.8.4. When this happens, the only way to stay current with detection for anything DCERPC related will be to upgrade Snort. We will not be releasing detection that does not use the new dcerpc2 preprocessor.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

What this means is that the only version of Snort that will get new rules for anything DCERPC related will be 2.8.4. There will be nothing released that is backwards compatible; it is not possible to do so. On the upside though, the number of rules needed in the NetBIOS category will be reduced greatly, which will make rule management a lot easier. Previously, a lot of detection and decoding was being done with the rules themselves; with the new preprocessor this is no longer necessary. Thus the huge reduction in rules and increase in simplicity of the rules themselves.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

I also wrote a post about the new ruleset available for dcerpc2. We posted a new ruleset for dcerpc2, instructions for using the new preprocessor and the README file for it too.

Did I mention that you need to upgrade Snort as soon as it is released? Well, you do.

Keep an eye on the mailing lists, snort.org and this space. Release is imminent.

Friday, April 3, 2009

New SO Rules For Conficker.C P2P Detection

As part of our ongoing research surrounding everyone's favorite new worm, Conficker, several members of the VRT recently joined the Conficker Working Group, a group of security professionals from a wide range of networking and security-related companies. You may have heard of them as the guys who came up with the Conficker Eye Chart that hit Slashdot yesterday.

Yesterday afternoon, CWG member Phil Porras of SRI International informed members of the group about a Snort preprocessor he'd written to detect the P2P traffic being used by Conficker.C to securely distribute updates and the like (his analysis is here). After discussing it with him briefly, I decided to port his preprocessor to an SO rule, figuring that a lot more people would be willing and/or able to load an SO rule for this than install a custom preprocessor.

That conversion is now complete. Based on tests run with PCAPs obtained from the CWG, the two SO rules here (one for TCP and another for UDP) appear to be extremely effective: for a single PCAP that spans just under 25 hours, 47,450 alerts are generated by the UDP rule; another 37,541 are generated by the TCP rule.

Since no IDS analyst wants to be flooded with that many alerts, it's obvious that some sort of thresholding is necessary. The good news is that thresholding can be applied to SO rules via threshold.conf, in the same way you would threshold any other rule. My testing, using "threshold gen_id 3, sig_id 999999, type both, track by_src, count 10, seconds 300", brought the number of alerts down to a much more manageable 296 for both rules - one every five minutes. Anyone using these rules should tune the "seconds" parameter to a longer value if they want fewer alerts, and of course update the sig_id to reflect the SID they use to deploy these rules in their environment.
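The thresholding described above, as an added simulation (not Snort or VRT code) that parses a threshold.conf line like the one quoted and replays it over a constructed alert stream; it goes beyond the post by modelling all three Snort threshold types (limit, threshold, both). The window-expiry boundary (a window ends once "seconds" have elapsed) and the sample hosts are assumptions.

```python
"""Replay Snort threshold.conf semantics over a constructed alert stream."""
from dataclasses import dataclass, field


@dataclass
class Threshold:
    gen_id: int
    sig_id: int
    kind: str       # the 'type' keyword: limit, threshold or both
    track: str      # by_src or by_dst
    count: int
    seconds: int
    _state: dict = field(default_factory=dict)  # track key -> (window start, events seen)

    def allow(self, ts, src, dst):
        """Return True if this event should still produce an alert."""
        key = src if self.track == "by_src" else dst
        start, n = self._state.get(key, (ts, 0))
        if ts - start >= self.seconds:      # window expired: open a new one (assumed boundary)
            start, n = ts, 0
        n += 1
        self._state[key] = (start, n)
        if self.kind == "limit":            # the first `count` events per window alert
            return n <= self.count
        if self.kind == "threshold":        # every `count`-th event alerts
            return n % self.count == 0
        if self.kind == "both":             # one alert per window, on the count-th event only
            return n == self.count
        raise ValueError(f"unknown threshold type {self.kind}")


def parse_threshold(line):
    """Parse one threshold.conf line, e.g. the line quoted in the post."""
    body = line.strip().rstrip(";")
    keyword, _, rest = body.partition(" ")
    if keyword != "threshold":
        raise ValueError(line)
    kv = dict(tok.split() for tok in rest.split(","))
    return Threshold(int(kv["gen_id"]), int(kv["sig_id"]), kv["type"], kv["track"],
                     int(kv["count"]), int(kv["seconds"]))


def constructed_stream():
    """Constructed raw alerts: one chatty infected host (every 10 s for an hour)
    plus a second host that only shows up three times. Addresses are documentation ranges."""
    alerts = [{"ts": t, "gid": 3, "sid": 999999, "src": "192.0.2.10", "dst": "203.0.113.5"}
              for t in range(0, 3600, 10)]
    alerts += [{"ts": t, "gid": 3, "sid": 999999, "src": "198.51.100.7", "dst": "203.0.113.5"}
               for t in (40, 1000, 2000)]
    return sorted(alerts, key=lambda a: a["ts"])


def apply_threshold(alerts, thr):
    """Return the alerts that survive; other gid/sid pairs pass through untouched."""
    kept = []
    for a in alerts:
        if (a["gid"], a["sid"]) != (thr.gen_id, thr.sig_id) or thr.allow(a["ts"], a["src"], a["dst"]):
            kept.append(a)
    return kept


if __name__ == "__main__":
    raw = constructed_stream()
    thr = parse_threshold("threshold gen_id 3, sig_id 999999, type both, track by_src, count 10, seconds 300")
    kept = apply_threshold(raw, thr)
    print(f"{len(raw)} raw alerts -> {len(kept)} after thresholding")
    print("sources still visible:", sorted({a['src'] for a in kept}))
```

Note the trade-off the simulation makes visible: with type both the low-volume host never reaches the count and disappears from the output entirely, so a host that only rarely talks to the P2P network is hidden by the same setting that tames the chatty one.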

We're releasing these SO rules under the GPLv2 with Mr. Porras' consent, as an additional tool that can be used to investigate Conficker infections in the wild. That said, there are three things that anyone deploying this rule should keep in mind:

  • The existing VRT Certified Rules for MS08-067 are still valid for detecting attempts to infect a machine with Conficker, and should still be enabled to prevent hosts from being compromised.

  • These SO rules are considered experimental, and have not been run through the VRT test suite or in a production environment. There may be a performance impact when running them, and it is possible that false positives will be generated.

  • They are primarily useful for researchers, or as an additional layer of information for people who are already using other tools to detect and eradicate Conficker infections.


The SO rules can be downloaded from http://www.snort.org/vrt/tools/conficker-so-rules.tar.gz.