Known Unknowns: The "Don't Do That" Rules
I recently had a chance to speak with several Sourcefire customers on a trip to the Tennessee/Kentucky area. While it's always nice to talk to customers and get a better idea of how people use Snort in the wild, this trip was particularly interesting, since the customers I sp
Rule release for today, Thursday April 29th, 2010
Performance update release for 2.8.6 to utilize HTTP buffers and fast_pattern. Check here for details.
Using Snort fast patterns wisely for fast rules
Anyone that's ever written their own Snort rule has wondered, at some point or another, about how to make their rule(s) faster. While some things are obvious - don't use a PCRE with a bunch of ".*" clauses, for example - others are less so. Today I'd like to
Rule release for today - April 26th, 2010
This release contains support for Snort 2.8.6.0. Additionally, new packages have been added that contain 4-digit version numbers. New package names: 1. snortrules-snapshot-2853_s.tar.gz 2. snortrules-snapshot-2860_s.tar.gz Details: The packages have been updated with support fo
A New Detection Framework
We just completed a talk here in Dubai on some detection capability research the VRT has been doing. The subtitle of the presentation, "What would you do with a pointer and a size?" pretty much sums up the potential of the project. It all started last December at the
Rule release for today, Thursday April 15th, 2010
Maintenance release, a few new rules and modifications to existing ones. Check here for details.
April 2010 Vulnerability Report
Rule release for today, Tuesday April 13th, 2010
Microsoft Tuesday and Adobe Quarterly Patch. Details available here. Microsoft Security Advisory (MS10-019): The Microsoft CAB Subject Interface Package (SIP) implementation contains a programming error that may allow a remote attacker to bypass the authentication mechanism. Mi
Rule release for today, Thursday April 8th, 2010
Mostly some small fixes, a couple of reference changes and some new rules. Check it out here.