VRT Advisories


VRT Rules 2010-04-26

Sourcefire VRT Rules Update

Date: 2010-04-26

Synopsis:

This release contains support for Snort 2.8.6.0. Additionally, new packages have been added that contain 4-digit versioning.

New package names:
1. snortrules-snapshot-2853_s.tar.gz
2. snortrules-snapshot-2860_s.tar.gz

Details:

The packages have been updated with support for Snort 2.8.6.0. Additionally, a number of improvements have been made to the packages to help clarify which packages to use with your specific Snort version.

New package names:
1. snortrules-snapshot-2853_s.tar.gz
2. snortrules-snapshot-2860_s.tar.gz

The old package names are still available, but they are now symlinked to the new package names. The symlinks will exist for the next 30 days.

Symlinks:

Subscriber:
1. snortrules-snapshot-2853_s.tar.gz -> snortrules-snapshot-CURRENT_s.tar.gz
2. snortrules-snapshot-2853_s.tar.gz -> snortrules-snapshot-2.8_s.tar.gz

* IMPORTANT * The above is not a typo. The 2853 package is symlinked to both the CURRENT and 2.8 packages. This is intentional, so as not to break auto downloaders that define CURRENT incorrectly.

Registered Users: There are no new symlinks for registered users as the new packages won't be available to registered users for 30 days.

Additional Package Updates:

1. Packages are now locked to the version of Snort they support. This includes subdirectories in the packages. For example, the 2853 packages now only contain SO rules for 2.8.5.3.

2. The snort.conf file in the etc/ directory has been updated to support additional features in 2.8.5.3 and 2.8.6.0.

3. Preprocessor Rules are now contained in the package.

4. For 2.8.6.0, sensitive data rules are contained in the package.

Not running 2.8.5.3 and downloading CURRENT / 2.8 / 2853 packages?

1. You will need to modify Oinkmaster, PulledPork, or whatever update system you are using to remove 2.8.5.3 version-specific rule keywords, or Snort will fail to load.
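A pre-flight check an update script can run before unpacking a rule package, shown as an added example that is not part of the original advisory or of any Sourcefire tool. The function names are hypothetical, and treating a three-part version such as 2.8.6 as 2.8.6.0 is an assumption.

```shell
#!/bin/sh
# Added example: does a subscriber rule package match the sensor's Snort version?
# Package names come from the advisory; function names are hypothetical.

# Dotted Snort version -> 4-digit package tag (2.8.6.0 -> 2860).
# Assumption: a 3-part version such as 2.8.6 means 2.8.6.0.
snort_version_tag() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # digits and single dots only
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                                # split on dots
    IFS=$old_ifs
    [ $# -eq 3 ] && set -- "$@" 0
    [ $# -eq 4 ] || return 1
    for part in "$@"; do
        # a multi-digit component would make the 4-digit tag ambiguous
        [ ${#part} -eq 1 ] || return 1
    done
    printf '%s%s%s%s\n' "$1" "$2" "$3" "$4"
}

# Package file name -> the version tag its contents are locked to.
# Per the advisory, the CURRENT and 2.8 names are aliases of the 2853 package.
package_tag() {
    name=${1##*/}
    case $name in
        snortrules-snapshot-CURRENT_s.tar.gz|snortrules-snapshot-2.8_s.tar.gz)
            echo 2853 ;;
        snortrules-snapshot-[0-9][0-9][0-9][0-9]_s.tar.gz)
            tag=${name#snortrules-snapshot-}
            echo "${tag%_s.tar.gz}" ;;
        *) return 1 ;;                         # not a name listed in the advisory
    esac
}

# Exit 0 on a match, 1 on a mismatch, 2 if either argument cannot be parsed.
package_matches_snort() {
    want=$(snort_version_tag "$2") || return 2
    have=$(package_tag "$1") || return 2
    [ "$want" = "$have" ]
}
```

A mismatch (exit status 1) is the case described above, where the package carries rule keywords specific to a different Snort version.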

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.