Fun with SSDT Hooks and DEP
My favorite part of work here at the VRT is how much you can learn from a project that, in the end, doesn’t achieve what you set out to do. This past week, I was looking at the possibility of watching, in the Windows kernel, for attempts to bypass DEP protection. Briefly, DEP is
OpenSSH Plaintext Recovery Attack - nothing to panic about
So, somebody pointed this out to me the other day: http://www.cpni.gov.uk/Docs/Vulnerability_Advisory_SSH.txt which talks about the probability of recovering some plain text from an ssh session. Having seen nothing at all from OpenSSH about this, my first reaction was "OH NO
New rule groups and new rules for SCADA
Today's VRT Certified Rule release sees the introduction of two new rule groupings, scada.rules and web-activex.rules. SCADA Rules: This group contains rules that pertain to the Supervisory Control and Data Acquisition (SCADA) protocol used for computer controlled system mon
VRT Rule Release Feed
We have added a news feed for our rule release advisories; you can get it here: http://www.snort.org/vrt/advisoryfeed.xml It is very basic, but it will help keep track of new snort rule releases.
Microsoft Tuesday Coverage for November
Not a huge month for Microsoft problems this time around. There are two interesting sets of vulnerabilities though, one in XML Core Services (MS08-069) and the other in SMB (MS08-068). We have released rules for attack coverage and you can find details at vrt-rules-2008-11-11.html
Advanced Windows Buffer Overflow 5
Time for more pain. I like this one. It'll be different than the last few, and might involve a bit of a brain stretch for those not familiar with exploit techniques that differ from the norm. It'll hurt. There's a bit of basic reversing, but that's not the proble
White Paper on the MS08-067 vulnerability and the associated malware
Matt Olney, Alain Zidouemba and Lurene Grenier of the Sourcefire VRT have collated their analysis of the DCE/RPC vulnerability announced in Microsoft Security Bulletin MS08-067. A white paper that discusses this issue is now available on snort.org at the following address: http:
Update on Snort and ClamAV for ms08-067
There's been a lot of action on the MS08-067 front over the weekend, so we thought we'd bring you up to date on the bug in general, and how Snort and ClamAV are providing specific detection. Interestingly, things are rolling out about the way we expected them to. We happe
Why 114 rules for MS08-067?
With the release of Sourcefire's coverage for MS08-067, I've heard the same question repeatedly. "Why 114 rules? They were able to do it with just one." Since I wrote these rules, I'm the best to explain my solution. I will not be going over the explicit na