BEA WebLogic plug-in for Apache JSESSION Cookie overflow
Sometimes you forget you reported a vulnerability. Especially when the vendor keeps sending you lots of messages that contain the following: ____________________________________________________ Reporter: Matt Watchinski ("Matt Watchinski" <mwatchinski@sourcefire.co
Conficker.C Purchase tickets now for the April 1st event
Recap. Conficker.C, also known as W32/Conficker.C.worm, WORM_DOWNAD.AD, W32.Downadup, Net-Worm.Win32.Kido.cn. Still uses MS08-067 to spread itself just like the A and B variants, therefore the detection released on 2008-10-23 still generates events based on this spreading mechanism
Geographic Representation of Snort Events
One of the Sourcefire field engineers has whipped up a Perl script that will take events generated by Snort or a Sourcefire appliance and map them using Google Earth. You can find a write up here at Leon's blog where he has an interesting example relating to worm activity.
Creating new detection coverage : Using SCADA OMRON-FINS as an example
The What In 2008 a lot of reports and press centered around SCADA Networks and their protection, additionally Core Security and several other researchers released vulnerabilities in software related to SCADA networks. The most notorious was the vulnerability in CitectSCADA (http:
Rule release for today - March 17th 2009
We've been busy updating some rules and adding extras, lots of changes to a lot of rules. Mostly a maintenance release with some new SCADA rules. The SCADA rule set now includes support for OMRON FINS. Additionally, multiple rules in the specific-threats and content-replace
Behold the Glory of Mattland
Like many other groups, the VRT has a morning routine. Generally it involves comparing kill board stats or raiding tips on whatever game is hot, a quick run down on the work of the day (sometimes as broad as “go break something”, sometimes more specific), and then some time set a
Microsoft Tuesday Coverage for March MS09-006, MS09-008
Microsoft Security Bulletin MS09-006: A programming error in the Microsoft Windows kernel may allow a remote attacker to execute code with system level privileges. This may be exploited when specially crafted EMF files are viewed using Microsoft Internet Explorer. A rule to dete
Generating Virus Signatures - The Automated Way
A common characteristic of malware distributed as an executable is to use a PE packer, such as UPX or Petite, to compress and obfuscate the malicious content. Once a file has been determined to be malware by our analysts and is using a PE packer that ClamAV does not currently unp
Rule release for today - March 3rd 2009
Specific threats, ActiveX and web-client have new rules. Major rule updates to other, older rules. Details: http://www.snort.org/vrt/advisories/vrt-rules-2009-03-03.html