National Cyber-Security Emergency and Phenomenal Cosmic Power
June 15th, 2010 under Notes, Articles by jonbaer [ Comments: none ]

Matt Olney (of Sourcefire VRT) has read through and analyzed the “Protecting Cyberspace as a National Asset Act of 2010” (pdf), a 199 page piece of legislation introduced by Senator Lieberman (I-CT) along with Senator Susan Collins (R-ME) and Senator Thomas Carper (D-DE). It is an excellent review of the bill.
Click here to read his entire post

Project Razorback™ (formerly known as Near Real-Time Detection)
June 14th, 2010 under Articles, Sourcefire, Tools, White papers by jonbaer [ Comments: none ]

Near Real-Time Detection (Razorback) is the result of extensive research into detecting attacks hidden inside numerous layers of compression, obfuscation, and evasion techniques across multiple file formats. In its current form Razorback is a plugin to the Snort detection engine. It addresses the problem of file format parsing by separating selected file types from the transmitted data and passing them to additional detection engines, either on the local system or on distributed remote systems. The intention is for the system to be extensible and not necessarily remain a Snort plugin.

Future development plans include providing Snort with automatic detection rule updates that an IPS deployment of Snort can use to protect the private network along with further enhancements aimed at data leak prevention. The system will also use templates to describe file types and a simple rule language to detect attacks.
Click here for code and presentation

Rule Performance Part I : Content Matches
July 12th, 2009 under Articles by jonbaer [ Comments: 1 ]

One of the many things that occupy the time of the VRT is reviewing rule performance data, whether that data is generated internally from one of our test environments or received from customer reports. In the “Rule Performance” series of blog posts, we’ll look at the problematic rule constructs that we’ve found most significantly impact the performance of Snort sensors. Hopefully you can use this information to add detection capability customized to your environment without adding undue processing load.
Read more @ http://vrt-sourcefire.blogspot.com

Snort User Group April 26th recap
April 27th, 2007 under Articles by mo [ Comments: none ]

Thank you to all the people who made it to the NYC Snort User Group last night for the great conversations and topics we covered. Special thanks to Phil Jew from Sourcefire for the excellent presentation on Snort 3.0 alpha development.
On another note, we talked about deploying Snort + BASE on a VMware virtual appliance. Here’s the link to VMware’s directory for the virtual appliance, even though the Snort version it ships (2.4) is fairly outdated:
http://www.vmware.com/vmtn/appliances/directory/185
A Google search will turn up other virtual appliances as well.
We also talked about topics for the next NYC Snort User Group and wanted to put some ideas out there:
- Best practices on Snort deployment in the enterprise;
- Snort graphical front-ends and network forensic consoles;
- Introduction to Snort rules’ syntax and rule writing;
- Snort.conf configuration 101 and settings for attacks that use evasion techniques;
- Other open source tools and projects that use Snort
The best way to vote on these or suggest another future topic is to email the New York Snort mailing list. If you have not subscribed yet, do so at:
https://lists.snort.org/mailman/listinfo/ny-sug

Daemonlogger 0.9 Released
April 7th, 2007 under Articles, Sourcefire, Tools by jonbaer [ Comments: none ]

DaemonLogger 0.9 has been released. The newest version has several new features including:
1) Support for dropping privileges at startup has been added.
2) DaemonLogger can now read packets from pcap files instead of the network. Those pcap files can be filtered with BPF filters for output back to disk, or retransmitted on the wire using the soft tap mode.
3) Support for chrooting at startup has been added.
daemonlogger-0.9.tar.gz
Articles on using daemonlogger:
TaoSecurity
Geek00l
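The privilege-dropping and chroot support listed above is worth a closer look, because the order of operations decides whether the drop actually sticks. The C program below is an added example, not Daemonlogger's own code: it shows the startup sequence a capture daemon would use (chroot while still root, clear supplementary groups, set the gid before the uid, then verify that root cannot be regained). The target uid/gid and the chroot directory in main() are placeholder values; when run without root it exercises the no-op path as the current user.

```c
/*
 * Added example (not Daemonlogger's own code): the startup sequence a
 * packet-capture daemon uses to chroot and drop privileges, in the order
 * that actually works. Open privileged resources (the capture socket,
 * the output directory) BEFORE calling this; afterwards root is gone.
 *
 * drop_privileges() returns 0 on success, -1 on failure (errno is set).
 * Assumptions: POSIX/Linux with glibc; the chroot directory and target
 * uid/gid are supplied by the caller (placeholder values in main()).
 */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

int drop_privileges(const char *chroot_dir, uid_t uid, gid_t gid)
{
    /* 1. chroot first, while still root: chroot() itself is privileged,
     *    and the chdir("/") afterwards is what prevents a cwd-based escape. */
    if (chroot_dir != NULL) {
        if (chroot(chroot_dir) != 0 || chdir("/") != 0)
            return -1;
    }

    /* 2. Drop supplementary groups, otherwise the process keeps every group
     *    root belonged to. Only root may call setgroups(), so skip it when
     *    there were never any privileges to drop (e.g. unprivileged runs). */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;

    /* 3. gid before uid: once the uid is non-root, setgid() to a different
     *    group would be refused. */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;

    /* 4. Verify the drop is irreversible. If setuid(0) still succeeds, only
     *    the effective uid changed and the saved-set uid still holds root. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Returns 1 when the process holds no root identity at all. */
int privileges_dropped(void)
{
    return getuid() != 0 && geteuid() != 0;
}

int main(void)
{
    /* Placeholder target: an unprivileged account and an empty chroot. */
    uid_t uid = 65534;               /* "nobody" on many systems */
    gid_t gid = 65534;
    const char *jail = "/var/empty"; /* placeholder path, must exist */

    /* Only root can switch identities; otherwise stay as the current user
     * and skip the chroot so the program still runs end to end. */
    if (geteuid() != 0) {
        uid = getuid();
        gid = getgid();
        jail = NULL;
    }
    if (drop_privileges(jail, uid, gid) != 0) {
        fprintf(stderr, "drop_privileges failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%d gid=%d, root reachable: %s\n",
           (int)getuid(), (int)getgid(), privileges_dropped() ? "no" : "yes");
    return 0;
}
```

Open the capture interface and the output directory before calling drop_privileges(); after it returns the process cannot reacquire root, which is the whole point. Step 4 is the check most hand-rolled implementations skip, and it is what distinguishes a real drop from a temporary one.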

Snort 3.0 Alpha 1
April 5th, 2007 under Articles, Sourcefire by jonbaer [ Comments: none ]

Report from Marty Roesch @ Sourcefire:
The first alpha test for the Snort 3.0 code base is up and available in my user area on snort.org. For you intrepid souls who would like to have a look and test it out, please feel free to download the code and get going.
http://www.snort.org/users/roesch/Site/Snort 3.0.html
You can download the code directly from
http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz
Snort 3.0 is a new code base with a new architecture. This first alpha release is intended to test out the new Data Source subsystem which includes the data acquisition mechanism, the decoder (and protocol printers) and the flow manager. The first alpha also includes the new command interface for Snort which is a CLI backed by the Lua embeddable programming language.
*Please* read the README, it only takes a few minutes and it’ll get you up and running quickly.
The code is nowhere near feature complete. It doesn’t have a detection engine yet, it doesn’t have an output system, it doesn’t do a whole lot but sniff packets and display them in its various output modes. All that other functionality will be following in other releases but for now what I’m really looking for people to do is start exercising the protocol decoders in real-world environments. There are a lot of new and rewritten decoders in this code base so in addition to the classic protocols like IPv4, Ethernet and TCP I’m particularly interested in getting people to attack the IPv6, MPLS, GRE and PPPoE decoders as well as the TCP and IP options decoders. If you cause the program to crash while it’s sniffing packets I’d really like to know about it.
Please have a look and let me know what bugs you find, big and small. Remember to look at the BUGS file for information on filing complete bug reports. Please send bug reports directly to me as opposed to the bugs address at snort.org, I’m the point person on this alpha series for now.
I’ll be putting up architectural diagrams and discussions as I move the code forward in my user area on snort.org, stay tuned.
Thanks and happy snorting!

Snort Report #5
April 5th, 2007 under Articles by jonbaer [ Comments: none ]

The fifth Snort Report — Snort Rules — has been posted. In this article Richard talks about what Snort rules really mean. He discusses how to get rules from Sourcefire and Bleeding Edge.

Preparing for Jikto traffic
March 22nd, 2007 under Articles by jonbaer [ Comments: none ]

A security researcher has found a way hackers can make the PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.
That’s possible with a new vulnerability scanner called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites. It will be presented at ShmooCon by Billy Hoffman (lead researcher at SPI Dynamics).
News.com report
SearchSecurity report

Ayoi’s Adventure in NSM
March 22nd, 2007 under Articles by jonbaer [ Comments: none ]

In a three-part blog series, “Not Only Alert Data”, Ayoi details how he tracked down an incident using SANCP (Security Analyst Network Connection Profiler) in Sguil …
(Detection) http://blog.hazrulnz.net/171/monitoring-issues-part-i.html
(Analysis) http://blog.hazrulnz.net/175/monitoring-issues-part-ii.html
(Conclusion) http://blog.hazrulnz.net/185/not-only-alert-data-part-iii.html

NetworkWorld - Open Source Security tools overview
March 19th, 2007 under Articles by jonbaer [ Comments: none ]

A balanced and useful overview of open source security tools that a very large enterprise or data center could use, giving both the pluses and minuses. It mentions Snort, Nessus, SpamAssassin, and OpenVPN as prime examples.
Click here to read.