Meetings
The next meeting of the NYC Snort User Group is under development. If you are interested in presenting or speaking, please contact mo@ciphertechs.com
Twitter
You can now follow this group on Twitter at twitter.com/nycsnort
Solera Networks partner with Sourcefire
June 22nd, 2010 under Sourcefire by jonbaer [ Comments: none ]

Solera Networks, a leading network forensics products and services company today announced its partnership with Sourcefire, Inc. (Nasdaq:FIRE), the creators of SNORT® and a leader in intelligent Cybersecurity solutions. Solera Networks can now integrate its award-winning network forensics technology directly into Sourcefire’s event analysis. The integration enhances Sourcefire’s packet analysis functionality to include full session capture, which provides detailed forensics for any security event. The partnership enables swift incident response to any security event and provides full detail in the interest of understanding “what happened before and after a security event?”

http://www.soleranetworks.com/news/solera-networks-and-sourcefire-announce-partnership/

http://taosecurity.blogspot.com/2010/06/all-aboard-nsm-train.html


Project Razorback™ (formerly known as Near Real-Time Detection)
June 14th, 2010 under Articles, Sourcefire, Tools, White papers by jonbaer [ Comments: none ]

Near Real-Time Detection (Razorback) is the result of extensive research into detection of attacks hidden inside numerous layers of compression, obfuscation, and evasion techniques across multiple file formats. Razorback in its current form is a plugin to the Snort detection engine. Razorback addresses the issues with file format parsing by separating selected file types from transmitted data, which are then passed to additional detection engines either on local or distributed remote system(s). The intention is for the system to be extensible and not necessarily be a plugin for Snort.


Future development plans include providing Snort with automatic detection rule updates that an IPS deployment of Snort can use to protect the private network along with further enhancements aimed at data leak prevention. The system will also use templates to describe file types and a simple rule language to detect attacks.
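
The extraction-and-dispatch idea described above, as an added illustration in Python (not Razorback's or Sourcefire's code): objects are carved from a captured byte stream by file signature, compressed containers are unwrapped with a depth cap and a member-size cap, and each object is handed to a per-type detector. The signature table, the PDF detector and the sample capture are all constructed for this example.

```python
import io
import zipfile

# Constructed signature table; a real system would pull objects out of parsed
# protocols (HTTP bodies, MIME parts) rather than scanning raw bytes for magic.
SIGNATURES = [(b"%PDF-", "pdf"), (b"PK\x03\x04", "zip")]
MAX_DEPTH = 4                  # cap on nested containers (zip in zip in zip ...)
MAX_MEMBER = 8 * 1024 * 1024   # refuse to inflate archive members larger than this

def identify(data):
    return next((n for m, n in SIGNATURES if data.startswith(m)), "unknown")

def carve(stream):
    """Split a stream into (offset, type, bytes) at each signature hit; an object
    runs to the next hit.  Compression hides members' magic, so unwrap() recurses."""
    hits = sorted((i, n) for m, n in SIGNATURES
                  for i in range(len(stream)) if stream.startswith(m, i))
    ends = [off for off, _ in hits[1:]] + [len(stream)]
    return [(off, n, stream[off:end]) for (off, n), end in zip(hits, ends)]

def unwrap(kind, data, depth=0):
    if kind != "zip" or depth > MAX_DEPTH:        # leaf object, or recursion cap hit
        yield ("too-deep" if kind == "zip" else kind, data)
        return
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER:   # decompression-bomb guard
                    yield ("oversized-member", info.filename.encode())
                    continue
                member = zf.read(info)
                yield from unwrap(identify(member), member, depth + 1)
    except zipfile.BadZipFile:
        yield ("corrupt-zip", data)

def detect_pdf(data):   # constructed detector: PDF features used for auto-execution
    return [k.decode() for k in (b"/JavaScript", b"/OpenAction", b"/Launch") if k in data]
DETECTORS = {"pdf": detect_pdf}   # type name -> detection engine

def analyze(stream):    # carve, unwrap, dispatch -> (offset, type, finding) triples
    return [(off, kind, hit) for off, top, blob in carve(stream)
            for kind, payload in unwrap(top, blob)
            for hit in DETECTORS.get(kind, lambda _d: [])(payload)]

def sample_stream():    # constructed capture: benign PDF, then zip holding a JS PDF
    benign = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    nasty = b"%PDF-1.4\n1 0 obj << /OpenAction 2 0 R /JavaScript 2 0 R >> endobj\n%%EOF\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf", nasty)
    return b"HTTP/1.1 200 OK\r\n\r\n" + benign + b"\r\n--sep\r\n" + buf.getvalue()
```

Carving by magic alone is approximate: a stored (uncompressed) archive would expose its members' signatures to the scanner and split the object, which is why a production system extracts objects from parsed protocols instead.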

Click here for code and presentation


Snort Performance Tuning Webcast - Nov 9th @ 10AM EST
November 3rd, 2009 under Presentations, Sourcefire, Webinars by jonbaer [ Comments: 2 ]

Hi Snort® User,

On behalf of the Snort Team at Sourcefire, I’d like to invite you to attend the next session of the Snort Users Webinar Series.

In this webinar, Steve Sturges, Snort development team manager, will discuss Snort Performance Tuning – Rules and Preprocessors.

This discussion will focus on guidelines for tuning Snort based on performance statistics from rule and preprocessor profiling and the perfmon preprocessor. It is intended to help Snort administrators when tuning and troubleshooting performance issues. The discussion may also be useful to Snort rule writers for measuring the potential performance impact of their rules.

Webinar details:

Date: November 9, 2009
Time: 10:00 AM US Eastern Standard Time (GMT -5:00)

To register for this webinar visit: https://sourcefire.webex.com/sourcefire/onstage/g.php?t=a&d=792341054

As always this session will be recorded and posted on Snort.org for future use.

I hope you can join us.

Regards,
Mike

Mike Guiterman
Snort Community Manager
Sourcefire, Inc.
mguiterman@sourcefire.com


Vulnerability Report August 2009
August 18th, 2009 under Presentations, Sourcefire, Webcasts by jonbaer [ Comments: none ]


Intro to ClamAV (Screencast)
June 11th, 2009 under Presentations, Sourcefire, Webcasts by jonbaer [ Comments: 1 ]

Clam AntiVirus (ClamAV) is a free, cross-platform antivirus software toolkit capable of detecting many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner. The application was developed for Unix and has third-party versions available for AIX, BSD, HP-UX, Linux, Mac OS X, OpenVMS, OSF and Solaris. At one time it had a native version available for Windows, but that project has been ended.

Both ClamAV and its updates are made available free of charge.

Sourcefire, a maker of intrusion detection products and the owner of Snort, announced on 17 August 2007 that it had acquired the trademarks and copyrights to ClamAV from five key developers.

Below are 6 screencasts by Tomasz Kojm discussing an overview of ClamAV, its architecture, deployment and installation, its detection mechanism, and troubleshooting.

Part I - http://www.youtube.com/watch?v=hqitIW_XgGI

Part II - http://www.youtube.com/watch?v=YWowwh_32cA

Part III - http://www.youtube.com/watch?v=jElBFo07y5I

Part IV - http://www.youtube.com/watch?v=wMjMoMcu_4c

Part V - http://www.youtube.com/watch?v=tJvn9AquL6g

Part VI - http://www.youtube.com/watch?v=WX2Xdh3KghU


beta.snort.org
April 21st, 2009 under Notes, Sourcefire, Releases by jonbaer [ Comments: 1 ]

Hi all,

As many of you know the Snort project recently reached its 10th Anniversary.  In honor of this milestone we’re giving Snort a new website to call home.  This site update is much more than just a new look and feel.  We’re rebuilding the site from the ground up to better serve the needs of the Snort Community.  Once the site is complete, some of the improvements you’ll see are:

•    Simplified navigation including a new persistent links panel at the bottom of every page allowing you to get the content you need from anywhere on the site
•    Improved user account management allowing you to edit all of your profile information including your email address
•    New Forums application with the ability to rate posts
•    Improved management of VRT Subscriptions including the ability to generate multiple Oinkcodes

The new Snort.org site is still in development but we’ve reached a point where we’d like to ask you, the community, for feedback.  We’ve released a beta site at: http://beta.snort.org that we’d like you to review and provide feedback on.  We’d primarily like your feedback on the new look and feel, updated navigation and content on the site. We’d also like you to submit enhancement requests for new features and content you’d like to see on Snort.org.

We’d particularly like to get specific feedback on additional content that you as a Snort user, rule writer or someone who is developing related projects would like to see on the site that would help you in your day to day life with Snort.

This is a live project and we’ll continue to add functionality and content based on your feedback.  In this beta release some of the site functionality has been disabled.  At this time you will not be able to register an account, log in, post to the forums, generate Oinkcodes, or buy a VRT subscription, but all other site features are open for your review.  We’ll migrate all user account and subscription information prior to the site going live.

All feedback should be submitted via a very short survey at: https://www.surveymonkey.com/s.aspx?sm=WjBviOcPU5nPg5002A12pg_3d_3d.

Thanks for your help and feedback on this project.

Mike Guiterman (Sourcefire)


Snort 2.6.1.5 Now Available
May 15th, 2007 under Sourcefire by jonbaer [ Comments: none ]

Hi everybody,

Snort v2.6.1.5 has been released. The software and source code is available at: http://snort.org/dl/

Snort v2.6.1.5 includes:

* A new http_post rule keyword used to search for content in normalized HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events

NOTE: In the default configuration, the http_inspect preprocessor will generate informational events on normalized HTTP POST data. To disable these events, refer to the Snort Manual.

Happy Snorting!

The Snort Release Team
Sourcefire, Inc.


Daemonlogger 0.9 Released
April 7th, 2007 under Articles, Sourcefire, Tools by jonbaer [ Comments: none ]

DaemonLogger 0.9 has been released. The newest version has several new features, including:
1) Support for dropping privileges at startup has been added.
2) DaemonLogger now supports reading packets from pcap files instead of from the network. Those pcap files can be filtered with BPF filters and written back to disk, or they can be retransmitted on the wire using the soft tap mode.
3) Support for chrooting at startup has been added.

daemonlogger-0.9.tar.gz

Articles on using daemonlogger:

TaoSecurity

Geek00l


Snort 3.0 Alpha 1
April 5th, 2007 under Articles, Sourcefire by jonbaer [ Comments: none ]

Report from Marty Roesch @ Sourcefire:

The first alpha test for the Snort 3.0 code base is up and available in my user area on snort.org. For you intrepid souls who would like to have a look and test it out, please feel free to download the code and get going.

http://www.snort.org/users/roesch/Site/Snort 3.0.html

You can download the code directly from

http://www.snort.org/users/roesch/code/snort-03.0.0.a1.4.tar.gz

Snort 3.0 is a new code base with a new architecture. This first alpha release is intended to test out the new Data Source subsystem which includes the data acquisition mechanism, the decoder (and protocol printers) and the flow manager. The first alpha also includes the new command interface for Snort which is a CLI backed by the Lua embeddable programming language.

*Please* read the README, it only takes a few minutes and it'll get you up and running quickly.

The code is nowhere near feature complete. It doesn't have a detection engine yet, it doesn't have an output system, it doesn't do a whole lot but sniff packets and display them in its various output modes. All that other functionality will be following in other releases but for now what I'm really looking for people to do is start exercising the protocol decoders in real-world environments. There are a lot of new and rewritten decoders in this code base so in addition to the classic protocols like IPv4, Ethernet and TCP I'm particularly interested in getting people to attack the IPv6, MPLS, GRE and PPPoE decoders as well as the TCP and IP options decoders. If you cause the program to crash while it's sniffing packets I'd really like to know about it.

Please have a look and let me know what bugs you find, big and small. Remember to look at the BUGS file for information on filing complete bug reports. Please send bug reports directly to me as opposed to the bugs address at snort.org, I'm the point person on this alpha series for now.

I'll be putting up architectural diagrams and discussions as I move the code forward in my user area on snort.org, stay tuned.

Thanks and happy snorting!


Sourcefire releases Daemonlogger open source tool
April 4th, 2007 under Sourcefire, Tools by michelangelo [ Comments: none ]

Sourcefire, the security firm that oversees the open source intrusion-detection system software, Snort, is making available another open source tool for network traffic logging.

The tool, called Daemonlogger, is a packet sniffer that can passively capture network traffic logs and write them to disk in PCAP format. Sourcefire said Daemonlogger is being licensed under the GNU General Public License Version 2, under which anyone may access, modify and redistribute the Daemonlogger source code so that users can share enhancements and new features with other network professionals. Martin Roesch, CTO of Sourcefire and the originator of Snort IDS, said open source Daemonlogger is intended to be a “handy and easy-to-use tool.” Sourcefire indicated Daemonlogger is offered as an alternative to proprietary products for logging and storing network traffic that are needed to meet a growing number of regulatory requirements.


About NY-SUG
The New York Snort User Group currently meets on a monthly basis at CipherTechs in downtown New York City to openly discuss network security with a focus on the open source IDS Snort. If you are interested in joining us, please sign up to the mailing list.