Written by Matt Jonkman
Monday, 21 April 2008
Now that everything is stable from the move to Emerging Threats, it's time to change the file names of the rulesets. On Wednesday 4/23/08 we will be renaming files named bleeding-* to emerging-*. This is a cosmetic change only; all the rules have already been renamed. In the tarballs and in the web directories we will keep links from the new names to the old, so any rule managers should not break. But please change to the new names soon, as we'll eventually drop the links.

You can change now to the new tarball URL: http://www.emergingthreats.net/rules/emerging.rules.tar.gz or http://www.emergingthreats.net/rules/emerging.rules.zip

And as always all the rules are available to browse in that directory: http://www.emergingthreats.net/rules/

Matt
Last Updated ( Monday, 21 April 2008 )
Written by Matt Jonkman
Monday, 14 April 2008
Enhanced has put up a very good how-to for installing and configuring SnortSam, Snort and Squid on FreeBSD. It'll help you out with any other OS as well, but FreeBSD has a few extra steps (and many advantages). You can read it here: http://global-security.blogspot.com/2008/04/block-bad-oss-ips-with-content.html

Great blog to keep up with, highly recommended!

Matt
Written by Matt Jonkman
Thursday, 10 April 2008
As you may know, Cyber-TA (http://www.cyber-ta.org) is one of the projects we're working very closely with to bring some new tools and research to the Emerging Threats and Snort community. They've just released a new information source called MTC, the Malware Threat Center. There's a press release here with much more detail: http://www.marketwire.com/mw/release.do?id=842518

And of course the actual MTC is available here: http://mtc.sri.com

The project has only begun, so if you see new ideas or data that could benefit the community please let them know, or let us know and we can pass on the information.

Matt
Last Updated ( Thursday, 10 April 2008 )
Written by Matt Jonkman
Wednesday, 09 April 2008

Some great intelligence from Joe Stewart at SecureWorks. It seems that Bobax spam has some very unique and sig'able Message-Id fields.
If you block on these you ought to reduce the load on your spam filtering systems significantly. Load ought to be manageable even though it's pcre, because the content match on the literal "Message-Id: <" prefix runs first and only matching packets reach the regex.
In the first one Bobax uses a consistently long and structured Message-Id. It also uses a lowercase d in "Id", where the norm is an uppercase "ID".
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>/"; classtype:misc-activity; sid:2008121; rev:1;)
Here we have a predictable string in the message id, and the same lowercase d. The trailing info is usually a domain name.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET CURRENT_EVENTS Bobax Spam Inbound (Unique Faked Message-Id)"; flow:established,to_server; content:"Message-Id\: <"; pcre:"/Message-Id\: <[A-Z0-9]{6}EJXVWDA\d\d\d@/"; classtype:misc-activity; sid:2008122; rev:1;)
These will change over time of course, but they'll be good for a while. Please let me know how these fare! Be sure to pull sigs from the repository and not here, changes may not be reflected here in the future.
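As an added example (my own code, not part of the post or the Emerging Threats ruleset), the following Python lifts the two pcre bodies above into Python's re module and runs them over constructed SMTP header fragments. It also reproduces the ordering Snort uses: the case-sensitive content match on "Message-Id: <" must hit before the pcre is evaluated, which is why a normal MTA's "Message-ID:" header never reaches the regex. The sample headers are constructed for illustration, not captured spam.

```python
import re

# The pcre bodies from the two ET rules above (sid 2008121 and 2008122),
# copied into Python's re module; the constructs used are identical in PCRE and re.
BOBAX_MSGID_PATTERNS = {
    2008121: re.compile(r"Message-Id: <[0-9A-Z]{8}\.\d{6}\.\d{5}@[A-Z]{4}>"),
    2008122: re.compile(r"Message-Id: <[A-Z0-9]{6}EJXVWDA\d\d\d@"),
}

# Constructed SMTP header fragments (not real captures) to exercise the patterns.
SAMPLES = {
    "bobax_style_1": "From: a@example.test\r\nMessage-Id: <ABCD1234.123456.12345@WXYZ>\r\n",
    "bobax_style_2": "Message-Id: <Q1W2E3EJXVWDA042@example.test>\r\n",
    "normal_mta": "Message-ID: <20080409123456.GA1234@mail.example.test>\r\n",
    "lowercase_d_short": "Message-Id: <abc@example.test>\r\n",
}


def has_content_anchor(payload: str) -> bool:
    """Snort's content:"Message-Id\\: <" is case-sensitive without 'nocase', so the
    literal 'Message-Id: <' (lowercase d) must appear before the pcre is even tried."""
    return "Message-Id: <" in payload


def match_sids(payload: str) -> list:
    """Return the SIDs whose rule would fire on this payload: the content anchor
    must be present and the pcre must find a match anywhere (search, like Snort)."""
    if not has_content_anchor(payload):
        return []
    return [sid for sid, rx in BOBAX_MSGID_PATTERNS.items() if rx.search(payload)]


def scan(samples: dict) -> dict:
    """Run every sample through both rules; an empty list means no alert."""
    return {name: match_sids(text) for name, text in samples.items()}


if __name__ == "__main__":
    for name, sids in scan(SAMPLES).items():
        print(f"{name:20s} -> {sids or 'no alert'}")
```

Running it shows the two Bobax-shaped headers each firing exactly one SID and both ordinary headers producing no alert; when the sigs change in the repository, updating the two regex strings is enough to re-check a local sample set.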
Written by Matt Jonkman
Wednesday, 09 April 2008
The guys at Openpacket.org are finally out of development and have released a working project. This has been in the works for a while, and is a VERY much needed service for the security and networking community. The basic idea is that we in the community submit pcaps to OpenPacket, and they archive and index them.

Why would this be useful? I'll tell ya. How many times have you gone to write a signature for some protocol but weren't sure what "normal" traffic on that port looks like? Normally we'd then go somewhere to find that protocol in use, get pcaps, wait, grab the wrong stream, try again, and finally get a sample pcap. Well, now you can just go there, search for stuff, download and go. If you have a pcap that was useful to you, you can add it to the archive.

From the Emerging Threats perspective, we're going to try hard to put pcaps of exploits up on openpacket.org and use those as references from documentation about rules. That'll help us go back in time and figure out what the heck we were thinking when we wrote a rule.

Anyway, congratulations to Richard and the guys at OpenPacket. They've been working hard to get this online. Here's a reference to the announcement: http://taosecurity.blogspot.com/2008/04/openpacketorg-10-is-live.html

And the site itself is http://www.openpacket.org
Written by Matt Jonkman
Wednesday, 09 April 2008
Had a really cool set of sigs from Nathaniel Richmond. These detect TFTP to an external host. As you know, a lot of the win32 worms out there still use TFTP to move binaries after infection, so these are of particular interest. If you're using TFTP over the internet (you shouldn't be) don't use these, or set suppression rules for known hosts.

# by Nathaniel Richmond
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Write Request"; content:"|00 02|"; depth:2; classtype:bad-unknown; sid:2008116; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Data Transfer"; content:"|00 03|"; depth:2; classtype:bad-unknown; sid:2008117; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP ACK"; content:"|00 04|"; depth:2; classtype:bad-unknown; sid:2008118; rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET POLICY Outbound TFTP Error Message"; content:"|00 05|"; depth:2; classtype:bad-unknown; sid:2008119; rev:1;)
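As an added example (my own code, not from the post or Nathaniel's rules), here is Python that decodes the two-byte TFTP opcode the five rules key on with content/depth:2, applies the same $HOME_NET -> $EXTERNAL_NET port 69 direction check, and maps the result to the SID that would fire. The HOME_NET range (10.0.0.0/8), the known-peer allow-list standing in for a Snort suppression entry, and the sample datagrams are all constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

# TFTP opcodes from RFC 1350: the two-byte big-endian field each rule matches with depth:2.
TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}

# Opcode -> SID of the corresponding ET POLICY rule in the post.
OPCODE_TO_SID = {1: 2008120, 2: 2008116, 3: 2008117, 4: 2008118, 5: 2008119}

# Assumed values: an internal range standing in for $HOME_NET, and a known external
# TFTP peer that would otherwise be handled with a Snort suppress entry.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
KNOWN_TFTP_PEERS = {"192.0.2.10"}


def parse_tftp(payload: bytes) -> dict:
    """Decode a TFTP datagram header. Returns {} when the opcode is not one TFTP defines."""
    if len(payload) < 2:
        return {}
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in TFTP_OPCODES:
        return {}
    info = {"opcode": opcode, "type": TFTP_OPCODES[opcode]}
    if opcode in (1, 2):
        # RRQ/WRQ carry NUL-terminated filename and mode strings after the opcode.
        fields = payload[2:].split(b"\x00")
        if len(fields) >= 2:
            info["filename"] = fields[0].decode("ascii", "replace")
            info["mode"] = fields[1].decode("ascii", "replace")
    elif len(payload) >= 4:
        # DATA and ACK carry a block number; ERROR carries an error code.
        (value,) = struct.unpack("!H", payload[2:4])
        info["block" if opcode != 5 else "error_code"] = value
    return info


def alert_for(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> Optional[int]:
    """Return the SID that would fire for this UDP datagram, or None.
    Mirrors the rule header ($HOME_NET any -> $EXTERNAL_NET 69) and the opcode match,
    and skips destinations on the known-peer list the way a suppression rule would."""
    if dst_port != 69:
        return None
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src not in HOME_NET or dst in HOME_NET:
        return None  # not outbound from the monitored network
    if dst_ip in KNOWN_TFTP_PEERS:
        return None  # legitimate, documented TFTP use; suppressed
    return OPCODE_TO_SID.get(parse_tftp(payload).get("opcode"))


# Constructed sample datagrams: (src, dst, dst_port, UDP payload).
SAMPLE_DATAGRAMS = [
    ("10.1.2.3", "198.51.100.7", 69, b"\x00\x01file.bin\x00octet\x00"),  # outbound read request
    ("10.1.2.3", "198.51.100.7", 69, b"\x00\x04\x00\x01"),                # outbound ACK, block 1
    ("10.1.2.3", "192.0.2.10", 69, b"\x00\x01boot.cfg\x00octet\x00"),    # known peer: suppressed
    ("10.1.2.3", "10.9.9.9", 69, b"\x00\x02firmware.bin\x00octet\x00"),  # internal: not outbound
    ("10.1.2.3", "198.51.100.7", 69, b"\x00\x09junk"),                    # undefined opcode
]


def scan(datagrams: list) -> list:
    """Evaluate each datagram; None means no rule would fire."""
    return [alert_for(*d) for d in datagrams]


if __name__ == "__main__":
    for d, sid in zip(SAMPLE_DATAGRAMS, scan(SAMPLE_DATAGRAMS)):
        print(f"{d[0]} -> {d[1]}:{d[2]} {parse_tftp(d[3]).get('type', '?'):5s} sid={sid}")
```

The direction check matters as much as the opcode: the rules only fire on traffic leaving $HOME_NET toward $EXTERNAL_NET, so internal TFTP for network gear never alerts, and a short allow-list of documented external peers is the Python equivalent of the suppression the post recommends.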
Last Updated ( Wednesday, 09 April 2008 )