Joel Esler, Sourcefire, Snort, Immunet, ClamAV, Apple, and Network Security. This is my blog.
Wednesday, December 7
I moved this post over to the Snort.org blog:
http://blog.snort.org/2011/12/if-you-are-having-problems-with-your.html
Saturday, November 5
FILE_DATA_PORTS error in Snort, SOLVED
I'm basically putting this post up for Google to index it and maybe it'll help some people solve the problem in the future.
PortVar Lookup failed on '$FILE_DATA_PORTS'
If you came to this blog post by searching for the above error, or if you have the above error in Snort, you should read this post on the VRT blog that we wrote. It'll help solve your problem:
http://vrt-blog.snort.org/2011/11/say-hello-to-file-identify-category.html
There. Check that out.
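In practice that error means a rule file references the port variable $FILE_DATA_PORTS while snort.conf never defines it with a portvar line. As an added example (not from this post, and not Sourcefire's code), the Python below scans rule headers for port variables that a given snort.conf does not define, which is the check to run before Snort refuses to start. The snort.conf fragment and the rule lines are constructed for the example, and the FILE_DATA_PORTS definition shown in the fixed config is my assumption about the 2.9.1-era default, so compare it against your own snort.conf.

```python
import re

# Constructed sample snort.conf fragment (not from the page): defines the usual
# variables but omits FILE_DATA_PORTS, which is the situation behind
# "PortVar Lookup failed on '$FILE_DATA_PORTS'".
SAMPLE_SNORT_CONF = """\
ipvar HOME_NET any
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
portvar SMTP_PORTS 25
var RULE_PATH ../rules
include $RULE_PATH/file-identify.rules
"""

# Same config with the missing variable added. The value is an assumption about
# the default shipped with 2.9.1-era snort.conf; check your own file.
FIXED_SNORT_CONF = SAMPLE_SNORT_CONF + "portvar FILE_DATA_PORTS [$HTTP_PORTS,110,143]\n"

# Constructed rule lines (sids in the local range) in the style of a
# file-identify rule and an ordinary HTTP rule.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXAMPLE file type"; flow:to_client,established; content:"MZ"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXAMPLE http"; flow:to_client,established; content:"foo"; sid:1000002; rev:1;)
"""

DEFINE_RE = re.compile(r"^\s*(ipvar|portvar|var)\s+(\w+)\s+(.+?)\s*$")
REF_RE = re.compile(r"\$(\w+)")


def parse_definitions(conf_text):
    """Return {name: (kind, value)} for every ipvar/portvar/var line in snort.conf."""
    defs = {}
    for line in conf_text.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            kind, name, value = m.groups()
            defs[name] = (kind, value)
    return defs


def rule_header_port_refs(rules_text):
    """Return the set of $NAMEs used in the source/destination port fields of rule headers."""
    refs = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Header is everything before the option block: action proto src sport dir dst dport
        header = line.split("(", 1)[0].split()
        if len(header) < 7:
            continue
        for field in (header[3], header[6]):
            refs.update(REF_RE.findall(field))
    return refs


def find_undefined_portvars(conf_text, rules_text):
    """Names referenced as ports in rules but not defined as portvar (or legacy var)."""
    defs = parse_definitions(conf_text)
    missing = set()
    for name in rule_header_port_refs(rules_text):
        kind = defs.get(name, (None, None))[0]
        if kind not in ("portvar", "var"):
            missing.add(name)
    return missing


if __name__ == "__main__":
    print("undefined in sample conf:", find_undefined_portvars(SAMPLE_SNORT_CONF, SAMPLE_RULES))
    print("undefined in fixed conf: ", find_undefined_portvars(FIXED_SNORT_CONF, SAMPLE_RULES))
```

Run it against your real snort.conf and the rules directory it includes; any name it reports is one Snort will fail on at startup, and the fix is a portvar line in snort.conf rather than editing the VRT rules.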
Labels:
errors,
Snort,
Sourcefire,
VRT
Tuesday, October 4
Let's just assume this pcap is bad...mkay?
Alerts (2.9.1.1, 4924362.pcap)
1:18347:3 BLACKLIST USER-AGENT known malicious user-agent string AutoIt Alerts: 4
1:19734:1 BLACKLIST DNS request for known malware domain 770304123.cn Alerts: 2
1:16816:5 BOTNET-CNC known command and control channel traffic Alerts: 1
1:18762:1 BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW Alerts: 1
1:17834:3 BLACKLIST DNS request for known malware domain 343.boolans.com Alerts: 1
120:3:1 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Alerts: 3
1:16815:4 BOTNET-CNC known command and control channel traffic Alerts: 1
Please leave comments below.
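The summary above is the kind of output an analyst triages by hand. As an added example that is not part of the post, the Python below parses lines in that GID:SID:rev / message / count format, separates rule hits (GID 1) from preprocessor events such as the http_inspect 120:3 line, totals alerts per rule category, and pulls the malware domains out of the BLACKLIST DNS messages so they can go straight to a blocklist or a hunt query. The summary lines are copied from the post; the category grouping and the "malicious" verdict logic are my choices, not something Snort produces.

```python
import re
from collections import Counter

# The per-signature summary from the post, verbatim (GID:SID:rev  message  Alerts: N).
SAMPLE_SUMMARY = """\
1:18347:3 BLACKLIST USER-AGENT known malicious user-agent string AutoIt Alerts: 4
1:19734:1 BLACKLIST DNS request for known malware domain 770304123.cn Alerts: 2
1:16816:5 BOTNET-CNC known command and control channel traffic Alerts: 1
1:18762:1 BLACKLIST URI request for known malicious URI /blog.updata?v= - Win32-Agent-GRW Alerts: 1
1:17834:3 BLACKLIST DNS request for known malware domain 343.boolans.com Alerts: 1
120:3:1 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Alerts: 3
1:16815:4 BOTNET-CNC known command and control channel traffic Alerts: 1
"""

LINE_RE = re.compile(r"^(\d+):(\d+):(\d+)\s+(.*?)\s+Alerts:\s*(\d+)\s*$")
DOMAIN_RE = re.compile(r"known malware domain (\S+)")

# Rule categories (first word of the message for GID 1 rules) that mean
# "known bad" rather than "protocol oddity". My grouping, not Snort's.
MALICIOUS_CATEGORIES = {"BLACKLIST", "BOTNET-CNC"}


def parse_summary(text):
    """Parse summary lines into dicts; GID 1 events get their rule category, others are PREPROCESSOR."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or non-summary lines
        gid, sid, rev, msg, count = m.groups()
        category = msg.split()[0] if gid == "1" else "PREPROCESSOR"
        events.append({
            "gid": int(gid), "sid": int(sid), "rev": int(rev),
            "msg": msg, "count": int(count), "category": category,
        })
    return events


def triage(events):
    """Return (verdict, Counter of alert totals per category)."""
    totals = Counter()
    for ev in events:
        totals[ev["category"]] += ev["count"]
    bad_hits = sum(totals[c] for c in MALICIOUS_CATEGORIES)
    verdict = "malicious" if bad_hits > 0 else "benign-or-unknown"
    return verdict, totals


def malware_domains(events):
    """Domains named in BLACKLIST DNS messages, for blocklisting or log hunting."""
    found = set()
    for ev in events:
        m = DOMAIN_RE.search(ev["msg"])
        if m:
            found.add(m.group(1))
    return found


if __name__ == "__main__":
    evs = parse_summary(SAMPLE_SUMMARY)
    verdict, totals = triage(evs)
    print(verdict, dict(totals))
    print("domains to block/hunt:", sorted(malware_domains(evs)))
```

The split between GID 1 and preprocessor GIDs matters for the verdict: the three http_inspect events say the server omitted framing headers, which is sloppy but not malicious on its own, while even a single BLACKLIST or BOTNET-CNC hit is a signature for known-bad infrastructure.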
Friday, July 29
What have I been up to?
Well, as promised, I haven't written a post in a while. I've been really really busy, so I'll give you a crash course on what I've been doing that's kept me, and thoughts about things that have come to market in the past month or so.
1) My Mother passed away. As anyone who has had this happen knows, it's a pretty hard time, emotionally, as well as just, all the stuff you have to do. Writing your own mother's obituary isn't necessarily a good time. Selecting what she's going to wear, the casket, ... just a lot. The people that have written me and talked to me face to face have been great and I thank you all very much.
2) VRT. April 1st I moved to the Vulnerability Research Team at Sourcefire. I'm one of the many other analysts responsible for writing Snort (and now recently ClamAV!) rules to detect the known, and the unknown. It's a difficult job, it's challenging, it's fun, and it's busy. I currently have over 100 bugs in my queue. Lots of bugs and research to do. My current focus is Malware and some redesign efforts. We're trying to make the Snort rules easier to manage and provide more intelligence to the end user as well as increase our coverage in a lot of areas. Making our rules harder to bypass and more and more adaptable to today's client-based landscape. Over the rest of 2011, the VRT ruleset is going to change, for the better, and significantly. There's essentially going to be three steps to this, and I'll post about the changes soon over on the Snort Blog.
3) Snort Community. It's growing. When I took over the job in October of last year, I thought the Snort community had reached critical mass. Most open source projects that I've seen plateau after a while. When I was running the BASE project we got up to about 15k downloads a day, and that was our plateau. But since I took over, I've started to keep a lot of metrics. Metrics about email postings, forum postings, users, downloads, etc. Lots of metrics. They are all going up. We're doing well.
4) Snort. It's changing and evolving. We're rolling out 2.9.1 soon with some very significant changes (read about PAF!) in detection and the IP reputation preprocessor. The changes we have planned for post 2.9.1 make Snort even faster (we are already hitting WAY over 20 G/sec in detection, and the next number we are aiming for is unheard of in our industry), and easier to deploy. Changes in its detection will make it more accurate and significantly increase the effectiveness of our rules and keywords.
5) ClamAV. Also growing. Now built into Immunet 3.0 (the company we acquired in December of last year) providing not only cloud based detection (so awesome), and offline detection. Immunet is growing very fast by the looks of our daily metrics which means ClamAV use is increasing as well. OEM solutions that are building ClamAV are also growing, and now recently we are going to start accepting community virus detection as well. This will grow our detection rate exponentially.
6) OSX Lion. It's out. I'm using it (have been for about a month and a half). It works great. The only thing I don't like about it is the deletion of the scroll bar. I don't mind it as much as my wife will (I haven't converted her yet).
7) Defcon. We'll (VRT) be there. Look for us in pink. For those of you that were able to get an invite to TheBarCon, we'll see you there.
I can't think of anything more right now, and am being summoned for dinner. I'll write more when I have a chance. If you have any questions, leave a comment below.
Please leave comments below.
Labels:
awesome,
clamav,
Snort,
Sourcefire,
VRT
Friday, May 27
Resolving Flowbit dependencies
I put this blog entry up over on the Snort.org blog this morning. Figured it might help people answer some questions. Check it out.
http://blog.snort.org/2011/05/resolving-flowbit-dependancies.html
Please leave comments below.
Labels:
Blogging,
Snort,
Sourcefire,
websites
Sunday, May 15
Speaking Engagements
This past week I was invited to come speak at ISOI9 in Sterling, VA. The talk seemed to go over rather well, and while I didn't get a lot of questions in the presentation, I got a ton of questions afterwards out in the hall.
This coming week I'll be down at the Richmond Area Virginia Linux User Group. The coordinators of the group were kind enough to invite me down to talk about Sourcefire and the OpenSource company that we are.
If you are in the Richmond, VA area, be sure and come out!
I have another speaking engagement in August as well, but I'll blog about that when it gets a bit closer to the time.
If you are interested in coming to the meeting this week, it's on Tuesday, May 17th at 6pm.
Register here: http://rvalug.org/content/may-guest-speaker-joel-esler-opensource-community-director-sourcefire-cybersecurity
Please leave comments below.
Labels:
clamav,
Snort,
Sourcefire,
speaking
Wednesday, April 6
First 2011 Snort Webcast Registration is Open!
Just wanted to announce that Registration for the first 2011 Snort Webcast is now open at the following link:
https://sourcefire.webex.com/sourcefire/onstage/g.php?t=a&d=793571014
Our Presenter is Nick Moore of Sourcefire and he'll be presenting the first of a two part series on simply getting started with Snort. How to set it up, running, and working with traffic.
When you click on the above link, you will see a "Register" link on the left-hand side of the page. Click that for pre-registration.
What does pre-registration get you? Reminders. You'll receive a reminder on the 11th (Monday) and an hour before we begin so you'll be sure to remember to attend.
The registration form only asks for a couple things so we can remind you about the event. Registering for the event does not mean that you will start to receive sales information; we're simply using the information for numbers (how many registered, how many attended).
Topic: Snort Webinar Training
Date and Time:
April 13, 2011 11:00 am, Eastern Daylight Time (New York, GMT-04:00)
Event number: 793 571 014
Thanks!
Friday, April 1
Time to move on to a new job.
For the past almost 6 years, my employment at Sourcefire has been great. I've worked in Professional Services, going around to over 150 customers, educating them on Sourcefire, the product, the GUI, detection, and all the awesome that is, but..... it's time for me to move on.
I accepted a position last October with Sourcefire, being in charge of OpenSource Community Management, in charge of coordinating the communities themselves and being the liaison between the communities and the company (Sourcefire) for all OpenSource products. This has been great.
Well, I'm pleased to announce that, I am retaining this new role as I go, so I will still be the OpenSource Community Manager for Sourcefire.
Where am I moving to? A company you may have heard of:
Sourcefire.
That's right, I'm staying right here. Effective today, I'm moving out of Sourcefire's Professional Services team and moving to the Vulnerability Research Team (VRT), the team at Sourcefire that is responsible for publishing detection for Snort, ClamAV, and Razorback.
My new role has me writing detection for Snort primarily, moving into writing detection for ClamAV and even vulnerability research down the road.
I'm pretty excited about this move, as you can probably tell, and look forward to working with my new team.
P.S. I know I write this on April 1, but it's not an April Fools joke ;)
Tuesday, January 11
Seven Cool Open Source Projects for Defenders
TaoSecurity: Seven Cool Open Source Projects for Defenders.
Richard Bejtlich wrote this good post over on his blog, a few good OpenSource tools to defend your networks with. He talks about the newest updates with:
- Rumainte IDS
- Security Onion
- Bro IDS
- Suricata IDS
- Snorby
- OpenFPC
- Polman
- Snort
- ClamAV
- Razorback
Richard does pay me a kind compliment, so thank you Richard. Take a look at his post and try some of the tools out.
Tuesday, December 14
Whew, what a whirlwind
Talk about a busy end of the year. On top of doing my actual consulting gigs for customers, I am also doing the other full time job I have as the Snort Community Manager. If you read my blog, you've known this.
So, what have I worked on so far.
- Snort Twitter account. Not really a lot of work here, other than getting Twitter to remove it from the parker's clutches and give it to us.
- Snort Blog. Getting this set up, with the DNS entries, blog posts, editing, writing, design, and even the banner image (thanks CC for that!) was about 3 weeks worth of work. Check it out http://blog.snort.org
- Snort Mailing list/Forum Consolidation. I thought it best to let the Community decide, so I made a non-scientific poll to choose between the forums, the mailing lists, or the penultimate solution, to merge the two. Thought of Google Groups for this. Google Groups allows you to post like a forum, and post like a mailing lists, and Google Groups takes care of the arrangement, merging, and threading. Very nice. I had this all set up, and was preparing for everyone to start making the move over to Google Groups, and we came up with another idea. So we're working that angle right now (stay tuned).
- Snort Subscriptions. Been doing a bit of backend work on Snort subscriptions, trying to figure out how to work this out to be a more streamlined process and eliminate a lot of the headache and purchasing obstacles for our users. Concept work mostly. Also talking about VRT Subscriptions with various members of the legal team and VRT.
- ClamAV subscriptions. Working on what we are doing and going to do for certified ClamAV code.
- Code licensing. Meetings with our legal team!
- Writing articles for magazines and getting ready for speaking engagements in 2011. Pretty much what it says.
- Laying the groundwork for webcasts and Snort User Group Meetings. Going to fire these up in 2011 again. Several Snort User Group meetings are wanting to start back up. Great to see that there is a lot of interest for our community.
- Bug filing and progress. What I've started doing is, if bug reports come in via various methods of bug reports, I take them in, triage them, put them into bugzilla, and provide feedback to the people that filed the bugs. This seems to be working quite well right now.
- Working with our Web-team on any Snort.org issues. Pretty much what it sounds like.
- Fixing Snort.org. For instance, I rearranged the http://www.snort.org/docs link to bring the content that people are looking for the most to the front page. Also it was brought to my attention that we had a bunch of W3C html coding errors. I went through and fixed about 40+ of these. Along with about 100 other barely seen or noticed changes to Snort.org in order to bring the good content to the front, and the content that is barely used to the back (or done away with).
- Internal VRT Subscriptions. It was brought to my attention that several people that work at Sourcefire apparently didn't have access to the VRT rules (like they should have). Had to fix that!
Had an email today that asked me about all these new "news" dissemination methods that we are standing up and whether it is going to create confusion. That's probably a blog post left for the Snort.org blog.
Labels:
blogs,
security,
Snort,
software,
Sourcefire
Wednesday, December 8
Snort has a Twitter account
Another post for my Snort/IDS audience that read my blog.
We managed to get a hold of the "Snort" account on Twitter. Someone was simply squatting on the name, not using it, so Twitter has a way of petitioning to get a hold of a name for a bunch of different reasons. So we got with Twitter and they freed up the @Snort Twitter name for us.
Using the @Snort Twitter account we'll post new news, upcoming items, blog posts, news about Snort and interesting other tidbits that may or may not be found anywhere else on Snort.org
Check it out, follow us: http://twitter.com/Snort. Thanks!
Labels:
security,
Snort,
software,
Sourcefire
Wednesday, December 1
Snort 2.9.0.2 Released!
To let my Snort audience know, if you don't know already by the mailing list, we just released Snort v2.9.0.2, a bug fix release. Enjoy!
Snort :: Snort 2.9.0.2 Released!.
Labels:
Snort,
software,
Sourcefire
Tuesday, November 30
Sorry for the lack of posts, I've been particularly busy.
Been pretty busy lately with my two full-time day jobs at Sourcefire. The good news is, if you are a Snort user, that I am working on a lot of things that will not only make our community better, but improve how Sourcefire interacts with that community and allow us to move forward in a more progressive manner.
Aside from Sourcefire/Snort stuff, the shop that is restoring my Mustang is almost done (should get it back this week, and when I do, I'll post pics), and I'm working on the shop's website too (as the old one needed some TLC). I got with the owner and we decided to redo the whole thing, so I am doing that in my spare time as well.
Thank you Squarespace!
Also working on another website that I'm tightening up a bit (aside from tightening up Snort.org a bit as well) for another company (car alarm company) that I do a bit of consulting/marketing for. So, it feels like I am buried in html lately.
On top of all of that, my son is doing well, my daughter is awesome and my wife's Grandmother died this past week, so we are all dealing with that as well.
Busy Busy Busy. Stay tuned. I've got a few posts lined up for the pipeline for not only this blog but for another blog I am starting, so when that all comes together, stay tuned!
Labels:
blogs,
car,
fatherhood,
Mustang,
news,
picture,
Snort,
Sourcefire,
websites
Tuesday, November 23
"So I have this IDS now what?" presentation at BSidesDE
Joel Esler, so I have this IDS now what BSidesDE1 on USTREAM. Conference.
Above is a link to my presentation from BSidesDelaware a couple weeks ago. For some reason the audio and video are like 5 minutes off, but the presentation (for the most part) is intact.
Labels:
security,
Snort,
software,
Sourcefire,
speeches
Monday, November 22
Snort Pig Roast was a success!
Snort :: Snort Pig Roast was a success!.
Just wanted to put up a couple pictures from the Pig Roast we had at corporate headquarters recently. Enjoy!
Labels:
security,
Snort,
Sourcefire,
speeches
Monday, November 15
New Role at Sourcefire
This is just an announcement to let the users of our OpenSource products know that we have a new community manager here at Sourcefire.
Over the past year or so, Mike Guiterman, our former Community Manager has taken on a different role within Sourcefire. In the meantime, I've been filling some of the void.
For those of you that weren't able to make the Snort Rally/Pig Roast this past Friday at Sourcefire HQ, I have been officially assigned the role of Sourcefire's OpenSource Community Manager.
I know many of you, but for those who I don't, I came from the OpenSource community, working for the government using Snort in actual deployments. I submit rules to VRT, and was one of the original submitters to BleedingSnort (now Emerging Threats). I've worked with both the OpenSource community and with our Corporate customers since I came to Sourcefire, giving me first-hand knowledge of how the community plays a vital role in the direction, development, and QA of our products.
I'll be focusing on product innovation in our OpenSource projects, as well as:
- Communicating with the communities.
- Being available to answer questions and receive comments.
- Coordinating the release of OpenSource project software.
- Providing whitepapers and instructional materials on our software.
- Providing the go-between for the OpenSource communities and Sourcefire software developers, including receiving OSS feature requests and bugs. Entering these into our internal bug tracking system, and following up with the submitters.
- Snort-Groups. Standing these back up, both virtually and in person.
- Speaking about our software at events and shows.
I have several projects in mind already, but the first thing is I want to hear from you. Suggestions, ideas, complaints, and compliments.
- How we can make things better.
- Problems with Snort, ClamAV, DaemonLogger, or Razorback
- Features you'd like to see with these projects
- What isn't working now?
- What is working now!
- How can we make bug tracking more efficient?
- How can we make False positive submissions better?
- What can we put out (in terms of training and whitepapers) for better understanding and results?
- ???
Let me hear it. Email me directly at jesler@sourcefire.com. I want to be able to track your ideas so I can write you back when we make movement.
I'll summarize your submissions in a blog post in the future and let everyone know where we are at with the progress of these great ideas.
I'd like to thank people both internally at Sourcefire and the community for building the community into what it is today, and I look forward to a great future! Also thanks to Mike Guiterman for his years of hard service working with our OpenSource communities.
For Razorback(tm) please continue to submit feature requests and any other Razorback items to the Razorback Trac at:
http://sourceforge.net/apps/trac/razorbacktm/
And for Nugget related items please use:
http://sourceforge.net/apps/trac/nuggetfarm/
You can of course, also use the mailing lists for Razorback and the Nugget Farm.
Labels:
security,
Snort,
software,
Sourcefire
Tuesday, October 26
Snort Community Pig Roast
(If you read this on Twitter, please RT!)
Sourcefire is going to throw a community pig roast at our World Wide Headquarters on November 12, 2010. We'll have some talks by Marty Roesch (our fearless leader) and Matt Watchinski (our VRT fearless leader).
Date: Friday, November 12, 2010
Time: 12:00PM
Where: Sourcefire HQ
9770 Patuxent Woods Dr.
Columbia, MD 21046
The event is open to our community, and we'd like you to come on over and hang out!
Please RSVP at: http://now.sourcefire.com/?elqPURLPage=2?elqformname=101112_snort_bbq&URL=
Labels:
Snort,
software,
Sourcefire
Monday, October 11
I'm speaking at Security B-Sides Delaware
We have a lot going on in Delaware. Tax-free shopping, we elect crazy people, and we have the Security B-sides Delaware event happening in November.
I was asked if I would submit a talk to the conference, and lo and behold, it was accepted. (Along with a bunch of other great presenters; check out the first round of CFP accepts here.) Hopefully lots of people will come. I actually have a confession to make: I've never actually been to a Security B-sides, although, from watching the Twitter, they are very popular.
Abstract of my talk:
Shining light into the "now what" arena of IDS and IPS tuning, I'll talk about what the next steps should be with the alerts, tuning, and maintenance of the ruleset and configuration deployed into an IDS or an IPS. General guidelines will be provided, however, all guidelines must be adapted to your specific environment.
I look forward to seeing many of you there, thanks for supporting B-sides. Okay, back to making slides.
Security B-Sides / BSidesDelaware.
Labels:
security,
Snort,
software,
Sourcefire,
speeches
Monday, October 4
Snort 2.9.0 has been released
Now available from Snort.org, Snort 2.9.0 and DAQ 0.2. I'll be writing some articles at some point to expand upon some of the functionality of Snort 2.9, but for now, know that there are some very nice new keywords in 2.9 and also an improved Stream model, as well as lots of improvements all over the place in the engine.
...and now some cut and paste from the release notes! Download it now!
http://www.snort.org/snort-downloads
[*] New Additions
* Feature rich IPS mode including improvements to Stream for
inline deployments. Additionally a common active response API is
used for all packet responses, including those from Stream,
Respond, or React. A new response module, respond3, supports the
syntax of both resp & resp2, including strafing for passive
deployments. When Snort is deployed inline, a new preprocessor
has been added to handle packet normalization to allow Snort
to interpret a packet the same way as the receiving host.
* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links to.
* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.
* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule
options.
* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit http://www.intel.com to find out more about
Intel Quick Assist.
[*] Improvements
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.
Labels:
security,
Snort,
software,
Sourcefire
Monday, September 27
Let me tell you about my past two weeks
The past couple weeks I've had the opportunity to do some really amazing work, something that most people, if they could do, would understand a lot more of what goes on behind the veiled curtain.
The last two weeks I worked for Sourcefire's Vulnerability Research Team (VRT).
First I'd like to say that I've never worked with a more professional organization. Period. I came in to do some technical work with them, which consisted of analyzing hundreds of pcaps, tons of analysis, and as a result writing rules for those threats. We did kind of a tech exchange type of thing.
Now, we weren't shooting in the dark (even though there is no overhead lighting in the VRT offices, and you have to watch for getting hit in the head with a Nerf dart). The VRT doesn't take the random vulnerability or exploit found on exploit-db.com or milw0rm or whatever, and just bang out a rule for it. They do labor intensive work.
For instance, I had to write a rule for a vulnerability in a piece of software that had to do with email. In order to test this vulnerability, I could have taken a piece of a malicious attachment, or looked for a malicious attachment and written a "signature" to check for the exploit. Sourcefire's standard is higher than that. We try to not do that kind of thing. We try to write a rule to look for the vulnerability itself. For example: if the vulnerability is actually the fact that a certain field, if it's over 512 bytes, can be used to overflow a buffer in the software, looking for a series of "A"s isn't going to work. Looking to see if the field is bigger than 512 bytes is the correct way to do it.
But I digress….
The easiest way to emulate this problem is to send an email with an attachment on it, and capture the pcap, then pick it apart from there. The problem with that is, most email (well at least Sourcefire's) is encrypted. So, I got with one of the other VRT guys and we came up with a solution.
Write an email delivery system.
So he did. It's in Ruby, and it allows you to send an email, just like any other email client would, unencrypted, and much faster and more reliably than a regular email client would, if we were trying to trick the client into doing something.
We took the ruby script that he wrote, made it attach a file in base64, and captured the pcap. Now, you may ask me a question, "Heck, why didn't you just make a new email with Outlook Express and make an attachment and send it?" Because Outlook Express uses a different attachment system, it's crackheaded, and it's non-standard. Don't believe me? Send an email with Outlook and then send an email with Outlook Express and compare the two pcaps.
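The delivery script's message and the "check the field length, not the padding" point from a few paragraphs up, as an added Ruby example that is not the VRT script from the post: it builds a minimal MIME message with a base64 attachment and runs a signature-style check and a vulnerability-style check over it. The attachment filename as the vulnerable field, and 512 bytes as its limit, are assumptions for illustration.

```ruby
MAX_FIELD = 512  # assumed limit of the vulnerable field, as in the post's example

# Build the raw message a simple delivery script would hand to SMTP, with the
# attachment base64-encoded ("m0" = base64 without line breaks). Constructed values.
def build_message(filename, payload)
  boundary = "----=_Part_example"
  [
    "From: sender@example.test",
    "To: rcpt@example.test",
    "Subject: attachment test",
    "MIME-Version: 1.0",
    "Content-Type: multipart/mixed; boundary=\"#{boundary}\"",
    "",
    "--#{boundary}",
    "Content-Type: text/plain",
    "",
    "see attached",
    "--#{boundary}",
    "Content-Type: application/octet-stream",
    "Content-Transfer-Encoding: base64",
    "Content-Disposition: attachment; filename=\"#{filename}\"",
    "",
    [payload].pack("m0"),
    "--#{boundary}--",
    ""
  ].join("\r\n")
end

# Pull the filename parameter out of every Content-Disposition header.
def attachment_filenames(msg)
  msg.scan(/^Content-Disposition:[^\r\n]*?filename="([^"\r\n]*)"/i).flatten
end

# "Signature": keys on the padding seen in one exploit sample (a run of "A"s),
# so a sample padded with anything else is missed.
def signature_alert?(msg)
  attachment_filenames(msg).any? { |name| name.include?("A" * 64) }
end

# "Rule": keys on the vulnerability condition itself, the field being longer
# than the software can handle, regardless of what it is padded with.
# Rough Snort equivalent (assumed, not from the post): content:"filename=|22|";
# isdataat:512,relative; content:!"|22|"; within:512;
def vulnerability_alert?(msg)
  attachment_filenames(msg).any? { |name| name.bytesize > MAX_FIELD }
end
```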
So I captured the pcap -- that's all well and good, except that I noticed that the checksums in the pcap were wrong. Sometimes when you capture traffic on an interface, on certain OSes, it will capture the traffic before the checksum is computed, so it will be written to disk incorrectly. So that has to be corrected before you can write a rule to look for the vulnerability.
So, I used tcprewrite to correct the checksums on the packet, and off I went from there.
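Checksum repair as an added Ruby example (not tcprewrite's code): the RFC 1071 Internet checksum over a constructed IPv4 header, showing why a header captured with the checksum field still zero fails verification and how rewriting the field fixes it. The TCP checksum over the pseudo-header uses the same sum and is left out here.

```ruby
# One's-complement 16-bit sum of a byte string (RFC 1071), returned as the
# checksum value; over a header whose checksum field is already correct it is 0.
def internet_checksum(bytes)
  padded = bytes.bytesize.odd? ? bytes + "\x00".b : bytes
  sum = padded.unpack("n*").sum
  sum = (sum & 0xFFFF) + (sum >> 16) while sum > 0xFFFF  # fold the carries back in
  (~sum) & 0xFFFF
end

# Dotted quad to 32-bit integer.
def ip_to_int(str)
  str.split(".").map(&:to_i).pack("C4").unpack1("N")
end

# A 20-byte IPv4 header (no options) carrying TCP. Constructed values.
def ipv4_header(src, dst, total_len, checksum)
  [0x45, 0, total_len, 0x1234, 0x4000, 64, 6, checksum,
   ip_to_int(src), ip_to_int(dst)].pack("CCnnnCCnNN")
end

def ipv4_checksum_ok?(hdr)
  internet_checksum(hdr) == 0
end

# What a checksum fix does for the IP header: zero the field (bytes 10-11),
# recompute over the header, and write the result back.
def fix_ipv4_checksum(hdr)
  fixed = hdr.b
  fixed[10, 2] = "\x00\x00".b
  fixed[10, 2] = [internet_checksum(fixed)].pack("n")
  fixed
end

# A header as a capture with checksum offload can record it: the field is still 0
# because the NIC had not filled it in when the packet was copied to the capture.
OFFLOADED = ipv4_header("10.0.0.1", "10.0.0.2", 40, 0)
REPAIRED  = fix_ipv4_checksum(OFFLOADED)
```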
Now, you come up with the realization that this happens, sometimes 10-20x a day for the VRT, and you come to realize that the rules that are written by these guys are very professional and come with a higher degree of accuracy and purpose.
I'd like to thank the VRT for allowing me to come in and learn and share with them. I hope I helped them out as much as they helped me.
Final thought -- Take your time when writing your rules. The time spent writing them makes for a much more reliable rule than just banging out a rule…. and I have seen a lot of "just banging out a quick rule" lately. A quick rule usually isn't a rule. It's a signature. There is a difference.
Oh, and whoever wrote the Microsoft Word and Excel standard is a crazy crack smoker.
Long live Razorback.