Coming Soon To A Snort User's Group Near You
I was in Chicago last Friday for a meeting of the local Snort Users' Group (Powerpoint presentation available here). While the weather was as crummy as you'd expect out of Chicago in January, overall it was an excellent visit, thanks to the group of people who turned out
VRT Guide To IDS Ruleset Tuning
Everyone who's ever used Snort, or any other IDS for that matter, for any length of time knows that in order to get the most out of their system, they need to tune it. Most people have at least a basic idea of what that means - choosing the right rules to run, placing the
Hacker2Hacker and the State of Computer Security in Brazil
I was lucky enough to attend the 6th Annual Hacker2Hacker Conference this weekend in Sao Paulo, Brazil as a speaker sent by Sourcefire. As it was my first time in South America, the trip was an enlightening one - not only did I learn all about the awesomeness that are caipirinhas
Paranoia and the rise of fake antivirus
This weekend I got a call from my father, who wanted my advice as the computer security guy in the family. It seems that my younger sister's laptop had become infected with a nasty little virus called Block Watcher, which had popped up a series of messages telling her that he
Gumblar and More On Javascript Obfuscation
A couple of months ago I put together a post on detection of obfuscated JavaScript. Not surprisingly, that topic has popped back up on the VRT radar screen this week, this time in the context of something much more interesting - Gumblar, the new worm that everyone is talking about
New SO Rules For Conficker.C P2P Detection
As part of our ongoing research surrounding everyone's favorite new worm, Conficker, several members of the VRT recently joined the Conficker Working Group, a group of security professionals from a wide range of networking and security-related companies. You may have heard of
Detecting Silly Javascript Obfuscation Techniques
Last week I got an e-mail from Edward Fjellskål, Senior Security Analyst at Sourcefire's new Norwegian partner Redpill Linpro. He'd run across a strange piece of obfuscated Javascript at hxxp://bizoplata.ru/pay.html (WARNING: CONTAINS LIVE MALWARE), and he wanted to know
MS08-067 In The Wild
While sifting through my e-mail this morning, I saw a note from one of Sourcefire's European employees, asking if the VRT could take a look at some PCAPs pulled from a customer sensor - they'd triggered the rules for MS08-067, and our guy didn't think that they were f