News

VRT Certified Rules Update Available Sourcefire VRT (Sourcefire) @ August 26, 2008 16:11:32

The Sourcefire VRT has added multiple rules in the web-client and exploit categories to provide coverage for emerging ActiveX control and exploit threats.

These rules are available to subscribers only until Thursday, September 25, 2008.

Download rules | view advisory | view changelog | subscribe now.

Snort Users Group Melbourne - Sept. 10, 2008 Mike Guiterman (Sourcefire) @ August 26, 2008 15:50:32

Hi Everyone,

Here are the details for a Snort Users Group meeting in Melbourne, Australia.

Date: Wednesday the 10th of September
Location: Misty Place, 3 - 5 Hosier Lane, Melbourne
Time: 5:00 PM (for 5:30 PM presentation) - 6:30 PM

The Snort Users Group Meeting gives you a chance to meet and greet fellow Snort Users, give your input for future user group presentations, and find out more about Snort 3.0.

Bar snacks and refreshments will be provided by Sourcefire®, the creators of Snort.

Please RSVP by email to kelvin.rundle@sourcefire.com by 5:00 PM on the 8th of September.

Defcon, testing and exploiting Lurene Grenier VRT (Sourcefire) @ August 22, 2008 17:03:13
This year at Defcon Immunity trotted out the first iteration of their NOP cert test, and I had the pleasure of giving it a test run. I still think it's a great indicator of ability, despite the Immunity-tools focus; I'm not a user of any of their tools generally, but I managed to pull off the hardest level test in a modest time. It got us thinking on the way home: where does one go from the bar set by the NOP to get to the next level in terms of exploit development skill? In this vein I've thrown together a few Windows executables, and in a nod to Gera of Core, they're called Advanced Windows Buffer Overflows (AWBOs).

We've set up a few ground rules and a basic set up to keep things moving along:

1) All exploits are performed in Windows 2000 SP4 unless otherwise specified.  Sometimes, otherwise will be specified.
2) Exploits will use the provided shellcode, or ret2lib.
3) You may not return to hard coded stack addresses.
4) No source code will be provided - just like the NOP cert.

Standard tools used are Cygwin with Perl, and WinDbg; installation in VMware is a plus. The shellcode provided is the amazing Windows exec shellcode from Metasploit, set up to run calc.exe.

I can say that all of these are exploitable, and they run through a progression, so try to do each of them in the most straightforward way possible. We'll be skipping awbo1.exe as it's very similar to one of Immunity's tests (as far as my memory serves). They'll be released slowly over the next few months. Feel free to send in your solutions, or ask for tips. All of the examples have been play-tested by the VRT analyst team, and are assured to be exploitable.

"This next test could take a very,  very long time. If you become lightheaded from thirst, feel free to pass out. An intubation associate will be dispatched to revive you with peptic salve and adrenaline."

Awbo2.exe download and shellcode download

VRT Certified Rules Update Available Sourcefire VRT (Sourcefire) @ August 19, 2008 17:10:56

The Sourcefire VRT has added multiple rules in the spyware-put, web-client and sql categories to provide coverage for emerging spyware, ActiveX control and SQL injection threats.

These rules are available to subscribers only until Thursday, September 18, 2008.

Download rules | view advisory | view changelog | subscribe now.

VRT Certified Rules Update Available Sourcefire VRT (Sourcefire) @ August 12, 2008 18:22:33

The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.

These rules are available to subscribers only until Thursday, September 11, 2008.

Download rules | view advisory | view changelog | subscribe now.

OfficeCat Update Available Sourcefire VRT (Sourcefire) @ August 12, 2008 17:13:59

The OfficeCat tool has been updated to include detection for a vulnerability in Microsoft PowerPoint.

Download zip archive | Download Linux-wine archive | view advisory.

DNS Vulnerability Paper VRT (Sourcefire) @ August 11, 2008 15:38:33

Now that Defcon is over and the Kaminsky DNS Vulnerability is completely out in the open, the Sourcefire VRT has a new whitepaper that discusses the issue and suggests detection methods using Snort rules. Download it here.

Daemonlogger v1.1 Released Mike Guiterman (Sourcefire) @ August 07, 2008 11:16:24

Marty released Daemonlogger 1.1 yesterday. In this release:

  • -M switch added to perform disk utilization-based rollovers and pruning
  • Bug fix related to file pruning reported by Wesley Shields

Daemonlogger v1.1 can be downloaded at:  http://www.snort.org/users/roesch/Site/Daemonlogger/Daemonlogger.html

Enjoy!

Register for the next Snort Users Webcast - Aug. 20, 2008 Mike Guiterman (Sourcefire) @ August 07, 2008 10:50:43

The next installment of the Snort Users Webcast Series will be broadcast live on Aug. 20 at 4:00 PM EDT.  Details are below:

This month's presenter is Joel Esler, a Sourcefire security consultant and frequent contributor to the Snort community. Joel will be discussing some of the most common mistakes made when configuring and using Snort and how to fix them.  Topics covered in this session will include:

o Snort.conf file
o Variables
o Preprocessors
o Rules
o Barnyard and SnortUnified


Date: Wednesday, August 20, 2008
Time: 4:00 PM US Eastern Daylight Time (GMT -4:00)

To register for this webcast visit:

https://sourcefireevents.webex.com/mw0305l/mywebex/default.do?siteurl=sourcefireevents

As always this session will be recorded with links posted on Snort.org and Sourcefire.com for future use.

IPS Challenge at MOCA2008 Mike Guiterman (Sourcefire) @ July 29, 2008 16:51:14

Hi Everyone,

The Italy Snort Users Group has issued another IPS challenge. This year the challenge will be held August 21-24 at MOCA2008 in Pescara Italy.

Challenge Details:

Two virtual UML machines will be running old, unpatched versions of Apache, MySQL, Joomla and PHP-Nuke. One of these virtual servers will be defended by an IPS in inline mode and the other will not. Challengers will have the option of attacking a server with or without an IPS; the greater rewards will go to those able to gain root on the server defended by the IPS.

More information on the challenge is available at www.snortattack.org, or you can email Matteo and Pierpaolo at admin@snortattack.org.

More information on MOCA 2008 is available at: http://camp.olografix.org/home.php
