New York Snort Users Group

IMPORTANT Rule Download Change

jonbaer — Tue, 29 Jun 2010 16:52:39 +0000

According to VRT blog …

Today the Snort Web Team made a change to the way that Snort rules are downloaded from snort.org. Hopefully this will result in faster downloads for most people. The main thing to note though is that the actual file download links have changed.

First, there is no longer any need to add an “_s” to the rule file in order to get the subscriber pack. Second, the link to the file itself has changed:

Old Link:

http://dl.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz?oink_code=

New Link:

http://www.snort.org/reg-rules/snortrules-snapshot-2860.tar.gz/

You should update your PulledPork and Oinkmaster installations to reflect these changes.

Solera Networks partner with Sourcefire

jonbaer — Tue, 22 Jun 2010 13:21:03 +0000

Solera Networks, a leading network forensics products and services company today announced its partnership with Sourcefire, Inc. (Nasdaq:FIRE), the creators of SNORT® and a leader in intelligent Cybersecurity solutions. Solera Networks can now integrate its award-winning network forensics technology directly into Sourcefire’s event analysis. The integration enhances Sourcefire’s packet analysis functionality to include full session capture, which provides detailed forensics for any security event. The partnership enables swift incident response to any security event and provides full detail in the interest of understanding “what happened before and after a security event?”

http://www.soleranetworks.com/news/solera-networks-and-sourcefire-announce-partnership/

http://taosecurity.blogspot.com/2010/06/all-aboard-nsm-train.html

National Cyber-Security Emergency and Phenomenal Cosmic Power

jonbaer — Tue, 15 Jun 2010 15:22:03 +0000

Matt Olney (of Sourcefire VRT) has read through and analyzed the “Protecting Cyberspace as a National Asset Act of 2010” (pdf), a 199 page piece of legislation introduced by Senator Lieberman (I-CT) along with Senator Susan Collins (R-ME) and Senator Thomas Carper (D-DE). It is an excellent review of the bill.

Click here to read his entire post

Snorby VMware Appliance (Cryptolife)

jonbaer — Mon, 14 Jun 2010 17:35:31 +0000

The Snorby virtual appliance provides a preconfigured out of the box Snorby front-end for snort, the popular intrusion detection system . The Snorby interface is developed by Dustin Webber. This appliance is indicated for security professionals with a depth knowledge of intrusion detection and security monitoring. Nevertheless beginners can use the appliance to to understand and learn about intrusion detection and network security.

Click here for notes and download

Project Razorback™ (formerly known as Near Real-Time Detection)

jonbaer — Mon, 14 Jun 2010 17:30:31 +0000

Near Real-Time Detection (Razorback) is the result of extensive research into detection of attacks hidden inside numerous layers of compression, obfuscation, and evasion techniques across multiple file formats. Razorback in its current form is a plugin to the Snort detection engine. Razorback addresses the issues with file format parsing by separating selected file types from transmitted data, which are then passed to additional detection engines either on local or distributed remote system(s). The intention is for the system to be extensible and not necessarily be a plugin for Snort.

Future development plans include providing Snort with automatic detection rule updates that an IPS deployment of Snort can use to protect the private network along with further enhancements aimed at data leak prevention. The system will also use templates to describe file types and a simple rule language to detect attacks.

Click here for code and presentation

Snort Performance Tuning Webcast - Nov 9th @ 10AM EST

jonbaer — Tue, 03 Nov 2009 01:44:50 +0000

Hi Snort® User,

On behalf of the Snort Team at Sourcefire, I’d like to invite you to attend the next session of the Snort Users Webinar Series.

In this webinar Steve Sturges Snort development team manager will discuss Snort Performance Tuning – Rules and Preprocessors

This discussion will focus on guidelines for tuning Snort based on performance statistics from rule and preprocessor profiling and the perfmon preprocessor. It is intended to help Snort administrators when tuning and troubleshooting performance issues. The discussion may also be useful to Snort rule writers for measuring the potential performance impact of their rules

Webinar details:

Date: November 9, 2009
Time: 10:00 AM US Eastern Standard Time (GMT -5:00))

To register for this webinar visit: https://sourcefire.webex.com/sourcefire/onstage/g.php?t=a&d=792341054

As always this session will be recorded and posted on Snort.org for future use.

I hope you can join us.

Regards,
Mike

Mike Guiterman
Snort Community Manager
Sourcefire, Inc.
mguiterman@sourcefire.com

NYC Snort User Group Meeting

mo — Mon, 19 Oct 2009 13:14:01 +0000

I’ve had some calls about holding another Snort User Group meeting soon. If you are interested shoot me an email at mo@ciphertechs.com

Vulnerability Report August 2009

jonbaer — Tue, 18 Aug 2009 03:52:38 +0000

Rule Performance Part I : Content Matches

jonbaer — Sun, 12 Jul 2009 02:56:50 +0000

One of the many things that occupy the time of the VRT is reviewing rule performance data, whether that data is internally generated from one of our test environments or received from customer reports. In the “Rule Performance�? series of blog posts, we’ll look at the set of issues that encompass the problematic rule constructs that we’ve found most significantly impact the performance of Snort sensors. Hopefully you can use this information to add additional detection capability customized to your environment without adding undue processing load.

Intro to ClamAV (Screencast)

jonbaer — Thu, 11 Jun 2009 02:40:09 +0000

Clam AntiVirus (ClamAV) is a free, cross-platform antivirus software tool-kit capable of detecting many types of malicious software, including viruses. One of its main uses is on mail servers as a server-side email virus scanner. The application was developed for Unix and has third party versions available for AIX, BSD, HP-UX, Linux, Mac OS X, OpenVMS, OSF and Solaris. At one time it had a native version available for Windows, but that project has been ended.

Both ClamAV and its updates are made available free of charge.

Sourcefire, a maker of intrusion detection products and the owner of Snort, announced on 17 August 2007 that it had acquired the trademarks and copyrights to ClamAV from five key developers.

Below are 6 screencasts by by Tomasz Kojm discussing: an overview of ClamAV, architecture, deployment and installation, detection mechanism, and troubleshooting.

Part I - http://www.youtube.com/watch?v=hqitIW_XgGI

Part II - http://www.youtube.com/watch?v=YWowwh_32cA

Part III - http://www.youtube.com/watch?v=jElBFo07y5I

Part IV - http://www.youtube.com/watch?v=wMjMoMcu_4c

Part V - http://www.youtube.com/watch?v=tJvn9AquL6g

Part VI - http://www.youtube.com/watch?v=WX2Xdh3KghU