[Snort-sigs] Sourcefire VRT Certified Snort Rules Update 2010-11-18

Research research at ...435...
Thu Nov 18 16:43:06 EST 2010

Sourcefire VRT Certified Snort Rules Update

The Sourcefire VRT is aware of a vulnerability affecting Adobe Reader
and Acrobat.

Additionally, this release contains an updated detection engine which
provides a new inline normalization preprocessor, multiple web
interface improvements, several new intrusion rule keywords, and new
options for the HTTP Inspect, SMTP, and TCP stream preprocessors and
the packet decoder.

Adobe Security Bulletin APSB10-28:
Adobe Reader and Acrobat contain a programming error that may allow a
remote attacker to execute code on an affected system. The problem lies
within the usage of the printSeps function.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 3, SID 18102.

Note: You must be using SEU 216 or later to import the SEU on an
appliance using Version 4.8.x software. (80478)

When you import the SEU on an appliance using Version 4.9.x or later:
  * A new Advanced Settings intrusion policy page isolates access to
preprocessor and other configurations that require specific expertise
to configure, typically require little or no modification, and are not
common to every deployment.
  * A link on configuration pages for the packet decoder and
preprocessors displays all associated decoder and preprocessor rules.
  * A new intrusion policy option allows you to specify whether drop
rules will drop offending packets in an inline deployment.
  * You can now edit saved settings on the intrusion policy Rate-Based
Attack Prevention page.
  * The intrusion policy web interface now associates detection engine
names with sensor names.
  * The intrusion policy Policy Layers page now displays the name of an
advanced setting in italics in a layer where its configuration is
overridden by a configuration for the advanced setting in a higher
  * A new Preprocessors grouping on the intrusion policy Rules page
displays associated rules for the packet decoder and each preprocessor.

When you import the SEU on an appliance using Version 4.8.x, 4.9.x, or
  * A new inline normalization preprocessor normalizes any combination
of IPv4, IPv6, ICMPv4, ICMPv6, and TCP traffic to minimize the chances
of attackers evading detection in inline deployments.
  * A new option on the Version 4.8.x Rules page and the Version 4.9.x
Rule Editor page allows you to simultaneously delete all rules in the
local rule category.
  * Two new TCP stream preprocessor options allow you to initiate
active responses that close a TCP or UDP session when an offending
packet triggers a TCP or UDP drop rule.
  * The HTTP Inspect preprocessor now processes different UTF encodings
and allows you to specify HTTP request methods for the preprocessor to
inspect in addition to GET and POST.
  * A new packet decoder option allows inspection of Teredo tunneling
of IPv6 traffic on a UDP port other than port 3544.
  * Two new SMTP preprocessor options control Base64 decoding of MIME
email attachments, and a new MIME argument for the file_data keyword
points the rules engine to the decoded data. In addition, new
base64_decode and base64_data intrusion rule keywords can be used
together to instruct the rules engine to decode and inspect the decoded
Base64 data.
  * A new react intrusion rule keyword, the config response command,
and modified behavior of the resp keyword provide several new options
for using intrusion rules to initiate active responses.
  * A new stream_reassemble intrusion rule keyword allows you to enable
or disable TCP stream reassembly for a single connection when inspected
traffic matches rule conditions.
  * A new byte_extract intrusion rule keyword can be used to create a
variable from a specified number of packet bytes. You can then use the
variable later in the same rule as the value for specific arguments in
certain other detection keywords.
  * You can now negate any ssl_state intrusion rule keyword argument.
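To make the byte_extract behaviour described above concrete, the following is an added Python model, not code from the Sourcefire VRT or the Snort project, of how a value extracted from packet bytes feeds a later relative content match. The rule it evaluates, the "FRAM"/"CMD:EXEC" framing and the sample payloads are all constructed for illustration; the keyword semantics it mirrors (bytes to extract, offset, relative, big/little endian, multiplier, and then offset <name> on a following content) follow the Snort rule language.

```python
"""Model of Snort's byte_extract keyword feeding a later content match.

Added example, not code from the Snort project or the Sourcefire VRT.
The rule evaluated below, the "FRAM" framing and the payloads are all
constructed for illustration.
"""
import struct


def byte_extract(payload, nbytes, offset, cursor=0, relative=False,
                 endian="big", multiplier=1):
    """Mirror byte_extract:<nbytes>,<offset>,<name>[,relative][,big|little][,multiplier <n>].

    Returns (value, new_cursor), or None when the requested bytes fall
    outside the payload (the rule then simply fails to match).
    """
    start = cursor + offset if relative else offset
    end = start + nbytes
    if nbytes not in (1, 2, 4) or start < 0 or end > len(payload):
        return None
    fmt = {"big": ">", "little": "<"}[endian] + {1: "B", 2: "H", 4: "I"}[nbytes]
    (value,) = struct.unpack(fmt, payload[start:end])
    return value * multiplier, end


def content_match(payload, pattern, offset=0, cursor=0, relative=False, depth=None):
    """Mirror content:"<pattern>"; offset <n>; [relative;] [depth <n>;].

    Returns the cursor just past the match, or None if there is no match.
    A start position beyond the payload (e.g. from a bogus length field)
    is a clean non-match, never an exception.
    """
    start = cursor + offset if relative else offset
    if start < 0 or start > len(payload):
        return None
    window = payload[start:] if depth is None else payload[start:start + depth]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)


def rule_matches(payload):
    """Evaluate the constructed rule body:
        content:"FRAM"; byte_extract:2,0,hdr_len,relative;
        content:"CMD:EXEC"; offset hdr_len; relative; depth 8;
    i.e. a 2-byte big-endian header length directly after the magic
    selects where the command field is expected to start.
    """
    cur = content_match(payload, b"FRAM")
    if cur is None:
        return False
    extracted = byte_extract(payload, 2, 0, cursor=cur, relative=True)
    if extracted is None:
        return False
    hdr_len, cur = extracted
    return content_match(payload, b"CMD:EXEC", offset=hdr_len, cursor=cur,
                         relative=True, depth=8) is not None


# Constructed sample payloads.
HEADER = b"HDR001"
MATCHING = b"FRAM" + struct.pack(">H", len(HEADER)) + HEADER + b"CMD:EXEC"
# Same command, but the length field no longer points at where it starts.
MISALIGNED = b"FRAM" + struct.pack(">H", len(HEADER) + 1) + HEADER + b"CMD:EXEC"
# Length field points far past the end of the packet.
BOGUS_LENGTH = b"FRAM" + struct.pack(">H", 0xFFFF) + b"x"

if __name__ == "__main__":
    for name, pkt in (("MATCHING", MATCHING), ("MISALIGNED", MISALIGNED),
                      ("BOGUS_LENGTH", BOGUS_LENGTH)):
        print(name, "alert" if rule_matches(pkt) else "no alert")
```

The BOGUS_LENGTH case is the one worth noting: an attacker-controlled length field that runs past the packet must turn into a non-match, not an out-of-range read, which is why both helpers bounds-check before touching the buffer.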
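The SMTP Base64 decoding and base64_data / file_data MIME items above describe why a rule must inspect decoded attachment bytes rather than the encoded stream. The following added Python example, not code from the Sourcefire VRT or the Snort project, shows that difference on a constructed message: the same byte pattern is invisible in the raw SMTP data and visible once the Base64 attachment is decoded. The message, attachment bytes and needle are constructed, and the parsing uses Python's standard email package rather than Snort's preprocessor.

```python
"""Model of inspecting a Base64 MIME attachment after decoding.

Added example, not code from the Snort project or the Sourcefire VRT.
The e-mail, the attachment bytes and the needle searched for are all
constructed for illustration; parsing uses Python's standard email
package rather than Snort's SMTP preprocessor.
"""
import base64
import email
from email import policy

# Constructed attachment content and the byte pattern a rule would look for.
NEEDLE = b"marker-needle-42"
ATTACHMENT = b"%TESTFILE\x00" + NEEDLE + b"\x00" * 8

# encodebytes() wraps at 76 columns, the way a MIME Base64 body is laid out.
ENCODED_BODY = base64.encodebytes(ATTACHMENT).replace(b"\n", b"\r\n")

RAW_MESSAGE = (
    b"From: sender@example.test\r\n"
    b"To: recipient@example.test\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"--XYZ\r\n"
    b'Content-Type: application/octet-stream; name="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"\r\n"
    + ENCODED_BODY +
    b"--XYZ--\r\n"
)


def needle_in_raw_stream(raw, needle):
    """What a plain content match sees: the still-encoded SMTP data."""
    return needle in raw


def needle_in_decoded_attachments(raw, needle):
    """What a rule using base64_data / file_data mime sees.

    Walks every non-multipart part, Base64-decodes those marked with
    Content-Transfer-Encoding: base64, and returns the filenames whose
    decoded bytes contain the needle.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        cte = str(part.get("Content-Transfer-Encoding", "")).lower()
        if cte != "base64":
            continue
        decoded = part.get_payload(decode=True)  # bytes after Base64 decoding
        if decoded and needle in decoded:
            hits.append(part.get_filename() or "<unnamed>")
    return hits


if __name__ == "__main__":
    print("raw stream match:", needle_in_raw_stream(RAW_MESSAGE, NEEDLE))
    print("decoded attachment match:",
          needle_in_decoded_attachments(RAW_MESSAGE, NEEDLE))
```

The needle deliberately contains a "-", which is outside the standard Base64 alphabet, so it can never appear in the encoded body; that is the general reason a content match on the raw stream misses patterns that only exist in the decoded attachment.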

Resolved Issues:
  * The global threshold for intrusion rules no longer overrides
individual rule thresholds or triggered rule keywords such as resp.
  * You can configure which active response interface to use in a
passive policy and the number of TCP resets to attempt. (30952)
  * Resolved an issue where TCP stream reassembly could result in
delayed alerts. (48868)
  * Resolved several issues where the intrusion policy web interface
did not show the correct number of filtered rules. (65730, 70810,
75649, 78103)
  * You can now automatically reapply intrusion policies from a 4.9 or
later Defense Center to a managed 4.8 sensor when importing an SEU.
  * Resolved an issue where the intrusion policy report did not include
configuration details for the sensitive data preprocessor. (75966)
  * You can now search for rules by intrusion policy from the Version
4.8 Rules page and the Version 4.9 Rule Editor page. (76015)
  * Resolved an issue where you could not edit an imported intrusion
policy when adaptive profiles were not configured in the exported
policy. (76304, 76305)
  * An intrusion policy now displays the number of hosts used to make
RNA rule-state recommendations. (76308)
  * Improved the handling of several content keyword arguments. (76697)
  * You can now delete intrusion policy rule settings in multiple
layers from the policy-level Rule view. (76751, 79779)
  * Improved the performance of intrusion rules. (77148)
  * Resolved an issue where you could not expand the local rules
category on the Version 4.8.x RNA Recommended Rules Blacklist page.
  * Resolved an issue where an intrusion policy status message
sometimes indicated that an intrusion policy was up to date on a
detection engine where the policy had not been reapplied following an
SEU import. (77315)
  * Resolved an issue where email alerting did not reflect time zone
updates. (77379)
  * Improved validation that IP addresses do not overlap in filtered
policies. (77674)
  * You can now import local rules that use the open source http_uri
keyword, which the web interface implements as a content keyword
  * Improved performance of the sensitive data preprocessor. (77841)
  * Resolved an intrusion policy issue where the base policy did not
accept rule states from an imported SEU when you used a custom policy
as your base policy. (78006)
  * Resolved an issue where the HTTP Inspect preprocessor did not
de-chunk and decompress client-side HTTP data in some cases. (78011)
  * Resolved an issue with the timing of email alerts. (78138)
  * Improved audit log reporting of intrusion policy edits. (78174)
  * User documentation now specifies the number of filtered intrusion
policies you can apply to Crossbeam-based sensors. (78261)
  * Resolved an issue where the Rules page in an intrusion policy
displayed some packet decoder rules as local rules. (78701)
  * Resolved issues with an intrusion policy exported from a 4.8.x
appliance so that drop rules are now set to alert when the policy mode
is passive and remain as drop rules when the policy mode is inline.
(79086, 79090)
  * Resolved an issue where the rules engine ignored a custom intrusion
rule based on a shared object rule. (79334)
  * Resolved an issue where a particular version of an RNA service
could halt detection when you applied an intrusion policy with adaptive
profiles enabled. (79448)
  * Resolved an issue where an extremely large number of services on a
single host could cause adaptive profiles to halt detection. (79825)
  * Resolved an issue with configuring OPSEC alerting on appliances
using Version 4.9.x. (80554)

For a complete list of new and modified rules please see:
