VRT Advisories


April 2009 Archive

VRT Rules 2009-04-21

Sourcefire VRT Rules Update

Date: 2009-04-21

Synopsis:

The Sourcefire VRT is aware of vulnerabilities affecting products from Adobe, Oracle and RealNetworks.

Details:

Adobe Flash Player Buffer Overflow (CVE-2009-0520):
Adobe Flash Player contains a buffer overflow that may allow a remote attacker to execute code on a vulnerable system via a specially crafted Flash (SWF) file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15478.

Oracle BEA WebLogic Buffer Overflow (CVE-2008-5457):
Oracle BEA WebLogic contains a buffer overflow that may allow a remote attacker to execute code on a vulnerable system.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15477.

A previously released rule identified with GID 1, SID 15263 will also detect attacks targeting this vulnerability.

RealNetworks Helix Server Buffer Overflow (CVE-2008-5911):
RealNetworks Helix Server contains a buffer overflow that may allow a remote attacker to execute code on a vulnerable system. The error occurs when the server fails to properly process RTSP header information.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15479.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often use enhancements made to Snort. Operators should upgrade to the latest revision or patch level of Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.

Posted on Apr 21, 2009



VRT Rules 2009-04-14

Sourcefire VRT Rules Update

Date: 2009-04-14

Synopsis:

The Sourcefire VRT is aware of multiple vulnerabilities affecting Microsoft products.

Details:

Microsoft Security Bulletin MS09-009:
A programming error in Microsoft Excel may allow a remote attacker to execute code on a vulnerable system via a specially crafted XLS file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15465.

A previously released rule identified with GID 3, SID 15365 will also detect attacks targeting this vulnerability.

Microsoft Security Bulletin MS09-010:
Multiple vulnerabilities in Microsoft WordPad and the Office text converters may allow a remote attacker to execute code on a vulnerable system via a malformed file.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15466, 15467, 15469 and 15455.

Microsoft Security Bulletin MS09-011:
A programming error in Microsoft DirectShow may allow a remote attacker to execute code on a vulnerable system via a specially crafted file.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15457.

Microsoft Security Bulletin MS09-012:
Programming errors in several Microsoft Windows services may allow an attacker who can already run code on a vulnerable system, for example under a low-privileged service account, to escalate privileges.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15470.

Microsoft Security Bulletin MS09-013:
A vulnerability in Microsoft WinHTTP may allow a remote attacker to execute code on a vulnerable system. Additionally, a remote attacker may be able to present an invalid SSL/TLS certificate to the WinHTTP client and impersonate a legitimate web service.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15456 and 15462.

Additionally, a previously released rule identified with GID 3, SID 15124 will also detect attacks targeting these vulnerabilities.

Microsoft Security Bulletin MS09-014:
Multiple vulnerabilities in Microsoft Internet Explorer may allow a remote attacker to execute code on a vulnerable system.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15458,15459,15460 and 15461.

Additionally, a previously released rule identified with GID 3, SID 15124 will also detect attacks targeting these vulnerabilities.

Microsoft Security Bulletin MS09-015:
A vulnerability in the Microsoft SearchPath function may be exploited by a remote attacker when the target system also runs the Apple Safari browser, which can be made to save an attacker-supplied file to a location where SearchPath will find it (a blended threat).

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15468.

Microsoft Security Bulletin MS09-016:
Multiple vulnerabilities in Microsoft Internet Security and Acceleration (ISA) Server may allow a remote attacker to cause a Denial of Service (DoS) or execute a cross-site scripting attack.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 3, SIDs 15474 and 15475.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Posted on Apr 14, 2009



VRT Rules 2009-04-10

Sourcefire VRT Rules Update

Date: 2009-04-10

Synopsis:

The Sourcefire VRT is aware of a vulnerability in Microsoft PowerPoint. This release also contains a fix for a known issue that affects Conficker detection.

Details:

Microsoft PowerPoint Code Execution (CVE-2009-0556):
Microsoft PowerPoint contains a programming error that may allow a remote attacker to execute code on a vulnerable system. An attacker would need to supply a specially crafted PowerPoint file to trigger the fault and execute code.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15454.

Microsoft Security Bulletin MS08-068:
A vulnerability in the Microsoft Server Message Block (SMB) protocol may allow a remote attacker to execute code on an affected system. The problem lies in the way SMB handles NTLM credentials during authentication, which allows an attacker to reflect a connecting user's credentials back to that user's own system.

An additional rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 15453.

Conficker Worm Update: SIDs 15449 and 15450 detect DNS traffic generated by Conficker-infected hosts, while SIDs 15451 and 15452 detect other Conficker-related traffic. The rules that detect variants C and D are more prone to false positives than the rules for variants A and B.

IMPORTANT: SIDs 15449 and 15450 may have an adverse effect on sensor performance. If this is the case, disable these two rules in favor of SIDs 15451 and 15452, which also detect Conficker traffic but are more prone to false positive events.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Posted on Apr 10, 2009



VRT Rules 2009-04-08

Sourcefire VRT Rules Update

Date: 2009-04-08

Synopsis:

This release updates the VRT Certified Snort Rules to utilize the new DCE/RPC v2 preprocessor. This change deletes more than 5000 rules in the netbios rule category and replaces them with a much smaller rule set. It also contains additional detection for hosts that are currently infected with the Conficker worm.

Details:

The DCE/RPC preprocessor now offers improved reassembly of fragmented DCE/RPC requests and improved desegmentation of SMB traffic carrying DCE/RPC requests. It also alerts on anomalous behavior and evasion techniques in DCE/RPC data streams. Three new rule keywords (dce_iface, dce_opnum and dce_stub_data) and a new dce argument for the byte_test and byte_jump keywords add to the enhanced detection capabilities.

IMPORTANT: This release removes more than 5000 rules from the netbios rule category and replaces them with a much smaller number of rules. The Sourcefire VRT has taken care to ensure that your NetBIOS, SMB and DCE/RPC vulnerability coverage is not affected: vulnerabilities previously covered by hundreds of rules are now covered by one or two rules each, because the preprocessor handles the fragmentation, segmentation and byte-order variants that those rules used to enumerate.

NOTE: These changes only affect plain text (GID 1) rules; the shared object (GID 3) rules are unaffected by the change to the preprocessor.

The default configuration for the new preprocessor is as follows:

   preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
   preprocessor dcerpc2_server: default, policy WinXP, \
     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
     smb_max_chain 3

NOTE: This configuration may generate a large number of preprocessor events in certain environments. If that happens and the events need to be turned off completely, use the following configuration options (note that this disables only the preprocessor's own alerts, not the DCE/RPC decoding that the rules depend on):

   preprocessor dcerpc2: memcap 102400, events none
   preprocessor dcerpc2_server: default, policy WinXP, \
     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
     smb_max_chain 3
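The following rule is an added illustration of the three new keywords and the dce modifier working together; it is not a rule from the VRT pack. It matches requests bound to the srvsvc interface (4b324fc8-1670-01d3-1278-5a47bf6ee188 is the well-known srvsvc interface UUID) whose first string argument declares an NDR max-count larger than 256. The opnum 31, the 256 threshold, the 4-byte offset (assuming a unique pointer whose referent ID precedes the max-count), the msg text and the local-range SID 1000001 are assumptions chosen for the example; a production rule is tuned to the stub layout of the specific call being protected.

```snort
# Added example rule, not part of the VRT rule pack. The dcerpc2
# preprocessor must be inspecting the destination port for any of the
# dce keywords to match.
#
# Assumptions for this example: opnum 31, the 256 threshold, the 4-byte
# offset (referent ID of a unique pointer, then the NDR max-count), the
# msg text and SID 1000001. The UUID is the well-known srvsvc interface.
#
# dce_iface   - match only requests bound to this interface; the
#               preprocessor tracks the bind, so the rule no longer has
#               to match the bind PDU itself.
# dce_opnum   - restrict to one operation number (ranges such as 0-11
#               and lists such as 15,18-20 are also accepted).
# dce_stub_data - move the detection cursor to the start of the
#               reassembled stub data, past the DCE/RPC and SMB headers.
# byte_test ... dce - read 4 bytes at offset 4 from the cursor using the
#               byte order declared in the DCE/RPC header, instead of
#               hard-coding big or little endian.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1025:] ( \
    msg:"NETBIOS DCERPC srvsvc oversized string argument (example)"; \
    flow:established,to_server; \
    dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; \
    dce_opnum:31; \
    dce_stub_data; \
    byte_test:4,>,256,4,relative,dce; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; )
```

By default dce_iface matches only the first fragment of a request; append any_frag (dce_iface:<uuid>,any_frag) to evaluate every fragment, and append an operator and version such as <2 to pin an interface version. Because these keywords only see traffic the preprocessor has decoded, a rule for a port that is in neither the detect nor the autodetect list of the configuration above will never fire.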

Conficker Worm Update:
Included in this release are four new rules that detect Conficker activity. They are identified with GID 3, SIDs 15449 through 15452.

SIDs 15449 and 15450 detect DNS traffic generated by Conficker infected hosts, while SIDs 15451 and 15452 detect other Conficker related traffic.

IMPORTANT: SIDs 15449 and 15450 may have an adverse effect on sensor performance. If this is the case, disable these two rules in favor of SIDs 15451 and 15452, which also detect Conficker traffic but are more prone to false positive events.

When downloading rules it is important to note that the 2.8 subscription release is for Snort version 2.8.4 and these rules WILL NOT work with older versions of Snort, including 2.8.3 and earlier. In 30 days' time these packages will be rolled over to registered users; when this happens the registered-user rule tarballs will also contain the changes to the netbios rule set.

Each rule tarball contains an etc directory holding a snort.conf with the latest configuration options available for that particular release of Snort. For the 2.8.4 rule set, the snort.conf contains the default dcerpc2 configuration shown above.

Additionally, the Snort 2.8.4 release sees some other major enhancements:

  • Support for IPv6 with Frag3 and all application preprocessors (SMTP, FTP/Telnet, DCE/RPC, SSL, DNS, Portscan)
  • Improved target-based support within application preprocessors
  • Automatic pre-filtering of traffic that is not explicitly configured for inspection, to improve performance
  • HttpInspect update to limit the number of HTTP header fields and alert if the limit is reached
  • Support for multiple IP Addresses and/or CIDRs in HTTP Inspect and FTP/Telnet Server/Client specific configurations

The Snort 2.8.4 release represents a major amount of work on the part of the Snort development team, who have done an outstanding job of improving the detection capabilities of Snort. It is important to stay current with your Snort installations, as future versions will see many more features improved and added; as always, the Sourcefire VRT Certified rule releases will take advantage of these features to the fullest extent. The Sourcefire VRT wishes to thank the Snort development team for their continued hard work in making Snort what it is today and what it is becoming in the future.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Posted on Apr 08, 2009