Marty Roesch and company have just announced the release of Snort 3.0 beta.
From Snort.org:
We’re pleased to introduce our first beta release built on the new Snort 3.0 architecture. The Snort 3.0 architecture consists of two primary components: a software platform called the Snort Security Platform (SnortSP) 3.0, which is shipping in beta form in this release, and traffic analysis engine modules that plug into SnortSP. This beta test release contains one engine module which contains the Snort 2.8.2 detection engine implemented as a SnortSP engine module. SnortSP is an open-source platform for running packet-based network security applications. It provides many of the common functions required by programs that deal with packet processing such as configuration loading, event generation and traffic logging, data acquisition, protocol decoding and validation, flow management, and more.
They also invite feedback on the beta release at “sspneta SHIFT 2 sourcefire D0T com”.
Downloading my copy now.
For a networking company, that’s gotta hurt.
From Cisco:
Cisco Intrusion Prevention System (IPS) platforms that have gigabit network interfaces installed and are deployed in inline mode contain a denial of service vulnerability in the handling of jumbo Ethernet frames. This vulnerability may lead to a kernel panic that requires a power cycle to recover platform operation. Platforms deployed in promiscuous mode only or that do not contain gigabit network interfaces are not vulnerable.
Cisco has released free software updates that address this vulnerability. There is a workaround for this vulnerability.
Update or workaround? Which is it then? At the very least get your patch on.
Ok everyone, here’s your chance to comment, make yourself heard, voice an opinion, tell me I don’t know what the heck I’m talking about.
The question:
Using as little money as possible, assemble a list of tools (software, hardware, wetware or other) which would serve the needs of a CSIRT in time of crisis.
Let’s call the time limit for responses Thursday, November 29th 2007 at 19:00 EST. At that point, I’ll summarize and wrap up.
For my picks, please see comments below.
Tags: open loops, challenge, CSIRT, toolkit, hardware, software, wetware
In Check Point’s never-ending quest to rule the security world, they announced today their IPS solution. Check Point is a world leader in firewall technology. They have recently made a great number of purchases, such as encryption provider PointSec, which I think were brilliant moves on their part.
Today’s announcement heralds the “what-could-have-been” for the failed Sourcefire purchase. I firmly believe that the blocking of this purchase by the Committee on Foreign Investments was political payback for their refusal to open their source code. A sad result.
With this addition to the Check Point arsenal we will see a greater push to the “one vendor to rule them all” approach that was talked about at the RSA Conference 2007 in San Francisco. The solution, a rebranded NFR, extends Check Point into yet another aspect of the security market that they had not really been in prior. I see Check Point as a provider that can deliver a lot of great products. Their firewall is rock solid. Mind you, the SMTP queue on the firewall is for shit. But, by and large this company has itself on a positive path.
Now, if they could just get their licensing models unf*cked.
Tags: Check Point, IPS-1, Intrusion Prevention, IDS, NFR
From ISS X-Force:
Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.
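The advisory above hinges on two conditions: the preprocessor reassembles SMB traffic without first confirming it belongs to a valid TCP session, and several Write AndX requests can be chained inside a single TCP segment. The following is an added example, not code from the advisory, from Snort or from Sourcefire, that shows how a defender can walk the SMB1 AndX chain in a captured segment to count chained Write AndX requests and to reject chains whose AndXOffset does not advance. The NBSS and SMB1 layouts and command codes are taken from the SMB1 protocol; the sample segments are constructed here purely to exercise the walker, and the threshold of one Write AndX per segment is an assumption chosen for the demonstration, not a value the advisory gives.

```python
"""Walk the SMB1 AndX command chain carried in one TCP segment and flag
segments with several chained Write AndX requests. Added example; the
sample segments are constructed below and are not captured traffic."""
import struct

NBSS_HEADER_LEN = 4          # NetBIOS session service: type (1) + length (3)
SMB_HEADER_LEN = 32          # fixed SMB1 header, starting at the 0xFF 'SMB' signature
SMB_COM_WRITE_ANDX = 0x2F
SMB_COM_NONE = 0xFF          # AndXCommand value that terminates a chain
# SMB1 commands whose parameter block starts with an AndX header:
# LockingX, OpenX, ReadX, WriteX, SessionSetupX, LogoffX, TreeConnectX
ANDX_COMMANDS = {0x24, 0x2D, 0x2E, 0x2F, 0x73, 0x74, 0x75}
MAX_CHAIN = 16               # assumed sanity bound on chain length


def walk_andx_chain(segment: bytes) -> list:
    """Return the SMB command codes chained in one NBSS+SMB1 segment.
    Raises ValueError when the chain is truncated or does not advance."""
    if len(segment) < NBSS_HEADER_LEN + SMB_HEADER_LEN:
        raise ValueError("segment too short for NBSS + SMB header")
    smb = segment[NBSS_HEADER_LEN:]          # AndXOffset values are relative to here
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing SMB1 signature")
    command = smb[4]                         # Command field of the SMB header
    offset = SMB_HEADER_LEN                  # WordCount of the first command block
    chain = []
    while True:
        chain.append(command)
        if command not in ANDX_COMMANDS:     # non-AndX command: chain ends here
            break
        if offset + 4 > len(smb):
            raise ValueError("AndX parameter block truncated")
        if smb[offset] < 2:                  # WordCount must cover the AndX header
            raise ValueError("AndX command without AndX header")
        # AndXCommand (1), AndXReserved (1), AndXOffset (2, little-endian)
        next_cmd, next_off = struct.unpack_from("<BxH", smb, offset + 1)
        if next_cmd == SMB_COM_NONE:
            break
        if next_off <= offset or next_off >= len(smb):
            raise ValueError("AndXOffset does not advance within the segment")
        if len(chain) >= MAX_CHAIN:
            raise ValueError("AndX chain too long")
        command, offset = next_cmd, next_off
    return chain


def flag_chained_write_andx(segment: bytes, limit: int = 1):
    """Return a finding string when more than `limit` Write AndX requests share
    one segment, or when the chain is malformed; None for an ordinary segment."""
    try:
        chain = walk_andx_chain(segment)
    except ValueError as exc:
        return f"malformed AndX chain: {exc}"
    writes = chain.count(SMB_COM_WRITE_ANDX)
    if writes > limit:
        return f"{writes} Write AndX requests chained in one TCP segment"
    return None


def build_smb_segment(payloads) -> bytes:
    """Constructed sample: one NBSS+SMB1 message carrying len(payloads)
    Write AndX requests chained via AndXOffset. Exists only to test the walker."""
    header = b"\xffSMB" + bytes([SMB_COM_WRITE_ANDX]) + b"\x00" * 27   # 32 bytes, other fields zeroed
    body = b""
    offset = SMB_HEADER_LEN
    for i, data in enumerate(payloads):
        block_len = 1 + 24 + 2 + len(data)   # WordCount + 12 words + ByteCount + data
        last = i == len(payloads) - 1
        andx_cmd = SMB_COM_NONE if last else SMB_COM_WRITE_ANDX
        andx_off = 0 if last else offset + block_len
        # AndXCommand, AndXReserved, AndXOffset, FID, Offset, Timeout, WriteMode,
        # Remaining, Reserved, DataLength, DataOffset (relative to SMB header)
        words = struct.pack("<BBHHIIHHHHH", andx_cmd, 0, andx_off, 0x4000 + i,
                            0, 0, 0, 0, 0, len(data), offset + 27)
        body += bytes([12]) + words + struct.pack("<H", len(data)) + data
        offset += block_len
    smb = header + body
    return struct.pack(">I", len(smb)) + smb   # NBSS: type 0x00 + 24-bit length


if __name__ == "__main__":
    print(flag_chained_write_andx(build_smb_segment([b"single"])))
    print(flag_chained_write_andx(build_smb_segment([b"aaaa", b"bb", b"c"])))
```

The walker deliberately refuses chains whose AndXOffset points backwards or past the segment, since a reassembler that follows such offsets blindly is exactly the kind of code path the advisory warns about. In a real deployment the finding would be raised alongside the session-tracking check the advisory says is missing, so that SMB segments outside an established TCP session are not reassembled at all.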
Tags: Snort, IDS, Buffer Overflow
We recently heard rumblings that open source security provider Sourcefire might be going public. Today we here at Security Digest heard confirmation from their Canadian rep that the company will in fact be going public in 2007. This is some good news for the company after the US government blocked the attempted purchase by Check Point Software Technologies. This is an interesting IPO. Sourcefire is the first open source company to go public since 1998 and the first security vendor to go public since 2001.
“The SNORT® open source intrusion prevention and detection technology was created in 1998 by Martin Roesch, the founder of Sourcefire. With its dramatic speed, power and performance, Snort® quickly gained momentum to become the single most widely deployed intrusion prevention and detection technology in the world.”
Here is the link to their SEC filing. Here is a less than motivational quote from the “certain risk” section: “As we have had operating losses since our inception and we expect operating expenses to increase in the foreseeable future, we may never reach or maintain profitability.”
Now, where’s my broker’s number?
UPDATE: Wow, I really missed the boat on this one. People have been talking about this one for over a month now…sigh.
Tags: Sourcefire, Checkpoint, IPO, Snort
The Snort Team is pleased to announce the availability of Snort v2.6.1. The software and source code are available at:
http://www.snort.org/dl/
2.6.1 provides new functionality including the following:
* New pattern matcher with a significantly reduced memory footprint
* Introduction of stream5 for experimental use
* Improvements to stream4, including UDP session tracking and optimizations for the reassembly buffer
* Handling for reassembly of SMB fragmented data in DCE/RPC
* An ssh preprocessor for experimental use
* Updated Snort decoder that can decode GRE encapsulated packets
* Output plugin to allow Snort to configure Aruba access control
And:
* Bug fixes and performance improvements
Tags: Snort, Intrusion Detection, IDS, Open Source IDS
I have been a great fan of Nokia based appliances for a long time now. I myself have had great luck with these systems. Only once in the last five years have I had an issue and that was when a hard drive failed. Today Nokia has announced the release of a security appliance based on Sourcefire’s SNORT software.
The product uses three methods for blocking threats. Sourcefire Intrusion Sensor for Nokia uses the Snort detection engine to inspect incoming traffic for problems, generate alerts and block traffic. The software examines packets using signature, protocol and anomaly-based inspection methods. The appliance also uses Sourcefire Real-Time Network Awareness for Nokia to do intelligent network monitoring. Information gathered by the monitoring software can be used to remediate an attack.
The price tag on the new appliance is a little painful at $14,995 US.
Tags: Nokia, Sourcefire, SNORT, Intrusion Detection
If you are in the security space and haven’t heard about this…hold on. IBM, big blue, has bought up Internet Security Systems. This is something that I should have, in retrospect, seen coming. But, this one managed to catch me off guard when I read it this morning.
I had a couple of conversations with folks at ISS and IBM and they are all extremely excited about this purchase. In all likelihood this will go forward. I have a hard time believing that this will suffer the fate of the Checkpoint/Sourcefire screw job. This is bigger than RSA being scooped by EMC or @stake by Symantec. This will be a springboard that will allow IBM to take a serious run at taking a huge chunk of the MSSP market.
Great choice IBM!
Tags: IBM Acquisition, ISS Purchased, RSA, Checkpoint
The folks over at Bleeding Snort have issued an alert on domain issues. It turns out that one of the URLs that they owned the rights to appears to have lapsed and was scooped up by a group that might potentially be using it to distribute malware. Here is the passage from their site on the domain issue.
We’ve never used bleedingsnort.org as a distributed link, but some people in the past had assumed that was the domain (org vs com), so we had owned the domain. Somehow I let that domain expire and someone picked it up on the 27th, it’s now got the standard crap trying to distribute malware and search crud.
So a reminder: If you hit that, it’s not us. Our primary domain is and always has been bleedingsnort.com.
Tags: Bleeding Snort, Snort, Domain Hijack, Malware