Snort mailing list archives
Sourcefire VRT Certified Snort Rules Update 2010-11-18
From: Research <research () sourcefire com>
Date: Thu, 18 Nov 2010 16:43:06 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sourcefire VRT Certified Snort Rules Update

Synopsis:

The Sourcefire VRT is aware of a vulnerability affecting Adobe Reader and Acrobat. Additionally, this release contains an updated detection engine which provides a new inline normalization preprocessor, multiple web interface improvements, several new intrusion rule keywords, and new options for the HTTP Inspect, SMTP, and TCP stream preprocessors and the packet decoder.

Details:

Adobe Security Bulletin APSB10-28:
Adobe Reader and Acrobat contain a programming error that may allow a remote attacker to execute code on an affected system. The problem lies within the usage of the printSeps function. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 18102.

Note: You must be using SEU 216 or later to import the SEU on an appliance using Version 4.8.x software. (80478)

When you import the SEU on an appliance using Version 4.9.x or later:

* A new Advanced Settings intrusion policy page isolates access to preprocessor and other configurations that require specific expertise to configure, typically require little or no modification, and are not common to every deployment.
* A link on configuration pages for the packet decoder and preprocessors displays all associated decoder and preprocessor rules.
* A new intrusion policy option allows you to specify whether drop rules will drop offending packets in an inline deployment.
* You can now edit saved settings on the intrusion policy Rate-Based Attack Prevention page.
* The intrusion policy web interface now associates detection engine names with sensor names.
* The intrusion policy Policy Layers page now displays the name of an advanced setting in italics in a layer where its configuration is overridden by a configuration for the advanced setting in a higher layer.
* A new Preprocessors grouping on the intrusion policy Rules page displays associated rules for the packet decoder and each preprocessor.

When you import the SEU on an appliance using Version 4.8.x, 4.9.x, or later:

* A new inline normalization preprocessor normalizes any combination of IPv4, IPv6, ICMPv4, ICMPv6, and TCP traffic to minimize the chances of attackers evading detection in inline deployments.
* A new option on the Version 4.8.x Rules page and the Version 4.9.x Rule Editor page allows you to simultaneously delete all rules in the local rule category.
* Two new TCP stream preprocessor options allow you to initiate active responses that close a TCP or UDP session when an offending packet triggers a TCP or UDP drop rule.
* The HTTP Inspect preprocessor now processes different UTF encodings and allows you to specify HTTP request methods for the preprocessor to inspect in addition to GET and POST.
* A new packet decoder option allows inspection of Teredo tunneling of IPv6 traffic on a UDP port other than port 3544.
* Two new SMTP preprocessor options control Base64 decoding of MIME email attachments, and a new MIME argument for the file_data keyword points the rules engine to the decoded data. In addition, new base64_decode and base64_data intrusion rule keywords can be used together to instruct the rules engine to decode and inspect the decoded Base64 data.
* A new react intrusion rule keyword, the config response command, and modified behavior of the resp keyword provide several new options for using intrusion rules to initiate active responses.
* A new stream_reassemble intrusion rule keyword allows you to enable or disable TCP stream reassembly for a single connection when inspected traffic matches rule conditions.
* A new byte_extract intrusion rule keyword can be used to create a variable from a specified number of packet bytes. You can then use the variable later in the same rule as the value for specific arguments in certain other detection keywords.
* You can now negate any ssl_state intrusion rule keyword argument.

Resolved Issues:

* The global threshold for intrusion rules no longer overrides individual rule thresholds or triggered rule keywords such as resp. (11782)
* You can configure which active response interface to use in a passive policy and the number of TCP resets to attempt. (30952)
* Resolved an issue where TCP stream reassembly could result in delayed alerts. (48868)
* Resolved several issues where the intrusion policy web interface did not show the correct number of filtered rules. (65730, 70810, 75649, 78103)
* You can now automatically reapply intrusion policies from a 4.9 or later Defense Center to a managed 4.8 sensor when importing an SEU. (75743)
* Resolved an issue where the intrusion policy report did not include configuration details for the sensitive data preprocessor. (75966)
* You can now search for rules by intrusion policy from the Version 4.8 Rules page and the Version 4.9 Rule Editor page. (76015)
* Resolved an issue where you could not edit an imported intrusion policy when adaptive profiles were not configured in the exported policy. (76304, 76305)
* An intrusion policy now displays the number of hosts used to make RNA rule-state recommendations. (76308)
* Improved the handling of several content keyword arguments. (76697)
* You can now delete intrusion policy rule settings in multiple layers from the policy-level Rule view. (76751, 79779)
* Improved the performance of intrusion rules. (77148)
* Resolved an issue where you could not expand the local rules category on the Version 4.8.x RNA Recommended Rules Blacklist page. (77254)
* Resolved an issue where an intrusion policy status message sometimes indicated that an intrusion policy was up to date on a detection engine where the policy had not been reapplied following an SEU import. (77315)
* Resolved an issue where email alerting did not reflect time zone updates. (77379)
* Improved validation that IP addresses do not overlap in filtered policies. (77674)
* You can now import local rules that use the open source http_uri keyword, which the web interface implements as a content keyword option. (77768)
* Improved performance of the sensitive data preprocessor. (77841)
* Resolved an intrusion policy issue where the base policy did not accept rule states from an imported SEU when you used a custom policy as your base policy. (78006)
* Resolved an issue where the HTTP Inspect preprocessor did not de-chunk and decompress client-side HTTP data in some cases. (78011)
* Resolved an issue with the timing of email alerts. (78138)
* Improved audit log reporting of intrusion policy edits. (78174)
* User documentation now specifies the number of filtered intrusion policies you can apply to Crossbeam-based sensors. (78261)
* Resolved an issue where the Rules page in an intrusion policy displayed some packet decoder rules as local rules. (78701)
* Resolved issues with an intrusion policy exported from a 4.8.x appliance so that drop rules are now set to alert when the policy mode is passive and remain as drop rules when the policy mode is inline. (79086, 79090)
* Resolved an issue where the rules engine ignored a custom intrusion rule based on a shared object rule. (79334)
* Resolved an issue where a particular version of an RNA service could halt detection when you applied an intrusion policy with adaptive profiles enabled. (79448)
* Resolved an issue where an extremely large number of services on a single host could cause adaptive profiles to halt detection. (79825)
* Resolved an issue with configuring OPSEC alerting on appliances using Version 4.9.x. (80554)

For a complete list of new and modified rules please see:
http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2010-11-18.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFM5ZpNQcQOxItLLaMRAglRAKCbbU1K9aWi8/0Z08XfbDYUQevpsACgnsAT
0mUxrWFtTP71J05Ft9GG7bs=
=XWrs
-----END PGP SIGNATURE-----
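The three rules below are a constructed illustration, added to this archive page, of how the new rule keywords announced above (byte_extract, base64_decode with base64_data, and the mime argument to file_data) are used inside a rule. They are not VRT rules, not the SID 18102 detection, and not taken from the release; the port 9999 service, the |AB CD| record marker, the X-Example-Token header, the EXAMPLE-MARKER string, and the SIDs in the 1000000+ local range are all assumptions chosen for the example, and the syntax follows the Snort 2.9 rule-option documentation for these keywords.

```snort
# Rule 1 (constructed): byte_extract reads the 2-byte big-endian length field
# that follows a constructed 2-byte record marker and stores it in rec_len.
# depth:2 leaves the cursor just after the marker, byte_extract reads relative
# to that cursor, and the negated isdataat then fires only when fewer than
# rec_len bytes remain, i.e. the announced length is larger than the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"EXAMPLE record length exceeds available payload"; flow:to_server,established; content:"|AB CD|"; depth:2; byte_extract:2,0,rec_len,relative,big; isdataat:!rec_len,relative; sid:1000001; rev:1;)

# Rule 2 (constructed): base64_decode decodes the Base64 text that follows the
# matched header name, base64_data moves the detection cursor into the decoded
# buffer, and the final content match therefore inspects decoded bytes rather
# than their encoded wire form.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE marker inside Base64-encoded header value"; flow:to_server,established; content:"X-Example-Token: "; nocase; base64_decode:relative; base64_data; content:"EXAMPLE-MARKER"; sid:1000002; rev:1;)

# Rule 3 (constructed): with the SMTP preprocessor's MIME Base64 decoding
# enabled, file_data:mime points the rules engine at the decoded attachment,
# so the content match sees attachment bytes, not the Base64 transport form.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE marker in decoded MIME attachment"; flow:to_server,established; file_data:mime; content:"EXAMPLE-MARKER"; sid:1000003; rev:1;)
```

Put the rules in a local rules file included from snort.conf and run snort -T -c snort.conf to confirm they parse; rule 3 only has decoded data to inspect when the SMTP preprocessor's Base64 decoding described above is turned on, and rule 1 never matches a record whose announced length fits inside the packet, which is the point of checking the extracted value with isdataat rather than hard-coding a size.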