VRT Advisories


VRT Rules 2009-04-08

Sourcefire VRT Rules Update

Date: 2009-04-08

Synopsis:

This release updates the VRT Certified Snort Rules to utilize the new DCE/RPC v2 preprocessor. This change deletes more than 5000 rules in the netbios rule category and replaces them with a much smaller rule set. It also contains additional detection for hosts that are currently infected with the Conficker worm.

Details:

The DCE/RPC preprocessor now offers improved reassembly of fragmented DCE/RPC requests and improved desegmentation of SMB traffic containing DCE/RPC requests. The preprocessor now also alerts on anomalous behavior and evasion techniques in DCE/RPC data streams. Three new DCE/RPC rule keywords and new DCE/RPC arguments for the byte_test and byte_jump rule keywords add to the enhanced detection capabilities.

IMPORTANT: This release removes more than 5000 rules from the netbios rule category and replaces them with a much smaller number of rules, the Sourcefire VRT has taken care to ensure that your NetBIOS, SMB, DCE/RPC vulnerability coverage is not affected. This means that the vulnerabilities previously covered with hundreds of rules are now covered with one or two rules.

NOTE: These changes only affect plain text (GID 1) rules, the shared object (GID 3) rules remain unaffected by the change to the preprocessor.

The default configuration for the new preprocessor is as follows:

   preprocessor dcerpc2: memcap 102400, events [smb, co, cl]
   preprocessor dcerpc2_server: default, policy WinXP, \
     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
     smb_max_chain 3

NOTE: This configuration may generate a lot of events from the preprocessor in certain environments, if this is the case and these events need to be turned off completely, use the following configuration options:

   preprocessor dcerpc2: memcap 102400, events none
   preprocessor dcerpc2_server: default, policy WinXP, \
     detect [smb [139,445], tcp 135, udp 135, rpc-over-http-server 593], \
     autodetect [tcp 1025:, udp 1025:, rpc-over-http-server 1025:], \
     smb_max_chain 3

Conficker Worm Update:
Included in this release are four new rules that detect Conficker activity. They are identified with GID 3, SIDs 15449 through 15452.

SIDs 15449 and 15450 detect DNS traffic generated by Conficker infected hosts, while SIDs 15451 and 15452 detect other Conficker related traffic.

IMPORTANT: SIDs 15449 and 15450 may have an adverse affect on sensor performance. If this is the case, disable these two rules in favor of SIDs 15451 and 15452 which also detect Conficker traffic but are prone to false positive event generation.

When downloading rules it is important to note that the 2.8 subscription release is for Snort version 2.8.4 and these rules WILL NOT work with older versions of Snort. This includes 2.8.3 and earlier. In 30 days time, these packages will be rolled over to registered users, when this happens the registered user rule tarballs will also contain the changes to the netbios rule set.

Each rule tarball contains an etc directory, in here you will find a snort.conf. This configuration file contains the latest configuration options available for that particular release of Snort. For the 2.8.4 rule set, the snort.conf contains the default configuration above.

Additionally, the Snort 2.8.4 release sees some other major enhancements:

  • Support for IPv6 with Frag3 and all application preprocessors (SMTP, FTP/Telnet, DCE/RPC, SSL, DNS, Portscan)
  • Improved target-based support within application preprocessors
  • Addition to automatically pre-filter traffic that is not explicitly configured for inspection to improve performance.
  • HttpInspect update to limit number of HTTP Header fields and alert if limit is reached.
  • Support for multiple IP Addresses and/or CIDRs in HTTP Inspect and FTP/Telnet Server/Client specific configurations

The Snort 2.8.4 release represents a major amount of work on the part of the Snort development team who have done an outstanding job of improving the detection capabilities of Snort. It is important to stay current with your Snort installations as future versions will see many more features improved and added, as always the Sourcefire VRT Certified rule releases will take advantage of these features to the fullest extent. The Sourcefire VRT wishes to thank the Snort development team for their continued hard work in making Snort what it is today and what it is becoming in the future.

Rule Pack Summary:

For a complete list of new and modified rules, click here.

Warning:

Sourcefire VRT rule packs often utilize enhancements made to Snort. Operators should upgrade to the latest revision or patch level for Snort to ensure these enhancements are available before using these rules.

About the VRT:

The Sourcefire VRT is a group of leading edge intrusion detection and prevention experts working to proactively discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in the network security industry.