Exim Remote Root
We've heard from a number of Sourcefire customers and open-source Snort users lately, asking us whether we'll be releasing coverage for last week's Exim remote root (CVE-2010-4344 for those keeping score at home). Based on what hit the Exim-dev mailing list, we felt c
Detecting Obfuscated Malicious JavaScript with Snort and Razorback
Unlike most Americans, who were busy recovering from a turkey-induced coma, I spent this past weekend at the Hackers 2 Hackers Conference in Sao Paulo, Brazil. In addition to being a nice respite from the cold weather in DC, the event featured excellent speakers on topics as dive
Some Facts About Advanced Evasion Techniques
Chances are you've heard the recent "news" about Advanced Evasion Techniques (AETs) from Finnish IPS vendor Stonesoft. Originally announced in an October 4 press release, the good folks at Stonesoft reported the IDS/IPS evasion techniques mentioned in their release
New Rule Categories
Three new rule categories were introduced yesterday (Tuesday, 13th July 2010) in SEU 348 and into the VRT Certified Rule packages. I'd like to take a moment to explain what's in these categories, where the data behind them is coming from, and what you should do if you tur
Smart Grids and the Importance of Smart Security Choices
I got a flyer in my mail a couple of days ago, telling me that my local utility company would be coming out soon to install a smart meter on my house. Like most customers, I didn't think too much about it, until the new meter was installed today. That's when my curiosity
Known Unknowns: The "Don't Do That" Rules
I recently had a chance to speak with several Sourcefire customers on a trip to the Tennessee/Kentucky area. While it's always nice to talk to customers and get a better idea of how people use Snort in the wild, this trip was particularly interesting, since the customers I sp
Using Snort fast patterns wisely for fast rules
Anyone that's ever written their own Snort rule has wondered, at some point or another, about how to make their rule(s) faster. While some things are obvious - don't use a PCRE with a bunch of ".*" clauses, for example - others are less so. Today I'd like to
WTF, Ubuntu?
I just finished installing Ubuntu 9.10 server edition on a shiny new Dell PowerEdge R805 box, as part of expanding our malware analysis labs. No big deal - half an hour of babysitting an installer, right? Wrong. It took me 5 hours, thanks to some really stupid decisions made by
The Sudden Reappearance of MS03-039
Last Friday, I got into the office and pulled up my email. Among other things, there was an escalation from Sourcefire's support group, where the customer had alerts on SIDs 15512 and 3397, and they wanted an official opinion from Sourcefire as to whether the alerts they were