[Snort-sigs] Sourcefire VRT Certified Snort Rules Update

research at ...435... research at ...435...
Wed Apr 8 17:41:37 EDT 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Snort Rules Update

Synopsis:
This release updates the VRT Certified Snort Rules to utilize the new
DCE/RPC v2 preprocessor.  This change deletes more than 5000 rules in
the netbios rule category and replaces them with a much smaller rule
set.  It also contains additional detection for hosts that are
currently infected with the Conficker worm.

Details:
The DCE/RPC preprocessor now offers improved reassembly of fragmented
DCE/RPC requests and improved desegmentation of SMB traffic containing
DCE/RPC requests. The preprocessor now also alerts on anomalous
behavior and evasion techniques in DCE/RPC data streams. Three new
DCE/RPC rule keywords and new DCE/RPC arguments for the byte_test and
byte_jump rule keywords add to the enhanced detection capabilities.
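As an added illustration (not a rule from the VRT ruleset or the original announcement), the rule below shows the three new keywords (dce_iface, dce_opnum, dce_stub_data) together with the dce argument to byte_test. The interface UUID is the srvsvc interface identifier used in the Snort DCE/RPC documentation; the opnum range, the stub-data threshold and the SID are hypothetical choices made for the example.

```snort
# Added example rule; not part of the VRT Certified ruleset.
# Matches a request bound to the srvsvc interface, restricted to a
# HYPOTHETICAL opnum range, and tests the first 4 bytes of the
# reassembled stub data as a length field using the byte order taken
# from the DCE/RPC header ("dce").  Because dcerpc2 reassembles
# fragments and desegments SMB, the same rule covers the request whether
# it arrives over SMB named pipes (139/445), TCP 135, RPC over HTTP, or
# a dynamic endpoint, in either byte order and at any fragmentation.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1025:] ( \
    msg:"NETBIOS DCERPC example srvsvc request with oversized length field"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:10-12; \
    dce_stub_data; \
    byte_test:4,>,1024,0,relative,dce; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; \
)
```

dce_stub_data moves the detection cursor to the start of the reassembled stub, so the relative byte_test reads the field at stub offset 0 rather than at a wire offset that would shift with every fragmentation or transport variant; that is what lets one rule replace the hundreds of per-variant rules in the old netbios set. Rules that key on a dynamic-port service still depend on the autodetect range in the preprocessor configuration covering the ports the service actually uses.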

IMPORTANT: This release removes more than 5000 rules from the netbios
rule category and replaces them with a much smaller number of rules.
The Sourcefire VRT has taken care to ensure that your NetBIOS, SMB and
DCE/RPC vulnerability coverage is not affected. This means that the
vulnerabilities previously covered with hundreds of rules are now
covered with one or two rules.

NOTE: These changes only affect plain text (GID 1) rules, the shared
object (GID 3) rules remain unaffected by the change to the
preprocessor.

The default configuration for the new preprocessor is as follows:

  preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
  preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

NOTE: This configuration may generate a lot of events from the
preprocessor in certain environments. If this is the case and these
events need to be turned off completely, use the following
configuration options:

  preprocessor dcerpc2: memcap 102400, events none
  preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3
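As an added example of a middle ground between the two configurations above (this is not from the announcement or the shipped snort.conf), the stanza below keeps the connection-oriented and connectionless DCE/RPC anomaly events while silencing the SMB event class, which is usually the noisy one, and adds a target-based server block for a Samba subnet. The 10.4.10.0/24 network and the share list are hypothetical values chosen for the example.

```snort
# Added example configuration; not the VRT default shown above.
# memcap is in kilobytes (102400 KB = 100 MB).  "events" accepts none,
# all, or a list drawn from smb, co, cl: here SMB events are dropped
# and the DCE/RPC (co = connection-oriented, cl = connectionless)
# evasion and anomaly events are kept.
preprocessor dcerpc2: memcap 102400, events [co, cl]

# Default server block: applies to every host not matched by a "net"
# block below.  Same detect/autodetect ports as the VRT default.
preprocessor dcerpc2_server: default, policy WinXP, \
    detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
    autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
    smb_max_chain 3

# Target-based block for a HYPOTHETICAL Samba file-server subnet.
# Samba reassembles SMB and DCE/RPC differently from Windows, so the
# policy must match the real server or the preprocessor's view of the
# stub data (and therefore rule matching) can diverge from the host's.
# Samba does not chain AndX commands the way Windows does, so the chain
# limit is lowered; smb_invalid_shares raises an event on access to the
# listed administrative shares.
preprocessor dcerpc2_server: net [10.4.10.0/24], policy Samba, \
    detect [smb [139,445], tcp 135], \
    smb_invalid_shares ["C$", "ADMIN$"], \
    smb_max_chain 1
```

The point of the per-network policy is the same target-based principle that drove the netbios rule collapse: detection is only as good as the preprocessor's model of how the end host reassembles the traffic, so a sensor in front of mixed Windows and Samba hosts should carry one dcerpc2_server block per host type rather than leaving everything under the WinXP default.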

Conficker Worm Update:
Included in this release are four new rules that detect Conficker
activity. They are identified with GID 3, SIDs 15449 through 15452.

SIDs 15449 and 15450 detect DNS traffic generated by Conficker infected
hosts, while SIDs 15451 and 15452 detect other Conficker related
traffic.

IMPORTANT: SIDs 15449 and 15450 may have an adverse effect on sensor
performance. If this is the case, disable these two rules in favor of
SIDs 15451 and 15452, which also detect Conficker traffic but are prone
to false positive event generation.

When downloading rules it is important to note that the 2.8
subscription release is for Snort version 2.8.4 and these rules WILL
NOT work with older versions of Snort. This includes 2.8.3 and earlier.
In 30 days' time, these packages will be rolled over to registered
users; when this happens the registered user rule tarballs will also
contain the changes to the netbios rule set.

Each rule tarball contains an etc directory, in which you will find a
snort.conf. This configuration file contains the latest configuration
options available for that particular release of Snort. For the 2.8.4
rule set, the snort.conf contains the default configuration above.

Additionally, the Snort 2.8.4 release sees some other major
enhancements:

  * Support for IPv6 with Frag3 and all application preprocessors
    (SMTP, FTP/Telnet, DCE/RPC, SSL, DNS, Portscan)
  * Improved target-based support within application preprocessors
  * Addition to automatically pre-filter traffic that is not
    explicitly configured for inspection to improve performance.
  * HttpInspect update to limit number of HTTP Header fields and alert
    if limit is reached.
  * Support for multiple IP Addresses and/or CIDRs in HTTP Inspect and
    FTP/Telnet Server/Client specific configurations

The Snort 2.8.4 release represents a major amount of work on the part
of the Snort development team, who have done an outstanding job of
improving the detection capabilities of Snort. It is important to stay
current with your Snort installations, as future versions will see many
more features improved and added; as always, the Sourcefire VRT
Certified rule releases will take advantage of these features to the
fullest extent. The Sourcefire VRT wishes to thank the Snort
development team for their continued hard work in making Snort what it
is today and what it is becoming in the future.

For a complete list of new and modified rules please see:

http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2009-04-08.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJ3RgO8GAEVQeoGrMRAu5TAKDAri/TjXGguJs30HEkzDD9NcYDWACgk6fj
D3Mxk1NcUSd+Qgah/+j3EVA=
=g3TV
-----END PGP SIGNATURE-----
