Dcerpc2 Ruleset Now Available
Now that the Snort 2.8.4 RC-1 has been released, we at the VRT have been busy putting together a special rules file for use with this version of Snort and the new dcerpc pre-processor. We would like your assistance in testing this ruleset, the new version of Snort and the dcerpc
Microsoft Tuesday Coverage for February MS09-002, MS09-003, MS09-004, MS09-005
Four Microsoft Advisories to cover this month; fortunately, one of them was released in December, so that left three... Microsoft Security Advisory MS09-002: Microsoft Internet Explorer contains programming errors that may allow a remote attacker to execute code on a vulnerable s
Important Snort rule changes and the new dcerpc preprocessor
In the very near future, the release of Snort 2.8.4 is going to bring about some major changes to the way that NetBIOS traffic is handled. This is because of the new dcerpc preprocessor. This preprocessor handles all the decoding functions that were previously taken care of usin
Rule release for today - February 3rd 2009
New rules in web-activex, chat and specific threats. Also, modifications to shared object rules for MS08-067, with a little bit of a performance enhancement. Details are available here: http://www.snort.org/vrt/advisories/vrt-rules-2009-02-03.html
Dial up security woes from East Africa
Two weeks ago, I upgraded my Internet connection at home. I went from a DSL (512 Kb/s download) to a fiber optics (20 Mb/s download) connection. A few days after getting this incredibly fast (and relatively affordable) connection I traveled from the East Coast of the United State
Rule release for today - January 27th 2009
Large batch of Oracle vulnerabilities today. We've had to work through these carefully as details were pretty scant. Here's what we released: Oracle Secure Backup Command Injection (CVE-2008-4006) Oracle BPEL Injection (CVE-2008-4014) Oracle Secure Backup Command Injecti
Rule release for today - January 20th 2009
Lots of rule modifications in this release as well as some fixes and new rules. Security Fix - This module pack resolves a potential recursive evaluation DoS condition in SO rules that utilize the built-in content match API function. Sourcefire recommends installing this release
Update to byakugan's identBuf and memDiff functionality
I've added the ability to import files into tracked buffers, and also added the ability to make use of them as a memDiff input type. This means a new format for the !jutsu identBuf command: !jutsu identBuf TYPE NAME [VALUE SIZE] Depending on the TYPE, the rest of the comman
!jutsu memDiff
On request, I've added a memory diffing function to byakugan, which will allow you to compare a segment of memory to any buffer that's tracked with identBuf. Shortly I'll be adding the ability to pull buffers in from files, and even directly from metasploit through a