[SecurityRatty] tag: snort

Snort Security Platform 3.0 Beta Released

Mon, 30 Jun 2008 21:11:34 +0000

Marty Roesch and company have just announced the release of Snort 3.0 beta.

From Snort.org:

We’re pleased to introduce our first beta release built on the new Snort 3.0 architecture. The Snort 3.0 architecture consists of two primary components: a software platform called the Snort Security Platform (SnortSP) 3.0, which is shipping in beta form in this release, and traffic analysis engine modules that plug into SnortSP. This beta test release contains one engine module which contains the Snort 2.8.2 detection engine implemented as a SnortSP engine module. SnortSP is an open-source platform for running packet-based network security applications. It provides many of the common functions required by programs that deal with packet processing such as configuration loading, event generation and traffic logging, data acquisition, protocol decoding and validation, flow management, and more.

They provide you an opportunity to provide feedback on the beta release as well “sspneta SHIFT 2 sourcefire D0T com”.

Downloading my copy now.

Article Link

Antispam appliance vendor Barracuda wants to buy Sourcefire

Thu, 29 May 2008 20:00:00 +0000

Security appliance vendor Barracuda Networks is looking to buy Sourcefire, makers of the open-source Snort and ClamAV security software.

When Snort is not enough

Tue, 27 May 2008 10:28:08 +0000

Sometimes, Snort isn't enough to complete a detection and response operation. Learn when and how to support the Snort network intrusion detection system with complementary tools and techniques.

IPS - is it soup yet? Mike Chapple says yes and no

Tue, 13 May 2008 16:25:13 +0000

Mike Chapple over at SearchSecurity has a good article up on whether IPS are mature enough for enterprises to deploy. Some may say that Mike has been asleep at the wheel, because certainly there have been plenty of IPS appliances sold over the last 3 to 4 years. Mike comes to the same conclusion I did almost 2 years ago in this article. Namely that the selling and marketing of IPS has far outstripped the actual performance of these devices. As Chapple says, "While today's IPS devices can keep up with high-speed network connections and process rulebases more efficiently, I'm not sure that the technology itself has matured; in fact, it hasn't really changed much at all."

Just as I said back then. people today are still using IPS as IDS. In spite of what Richard Stiennon said back in 2003, it is still the fact. Those that have ventured beyond pure IDS do so on a limited basis. Mike lays out three best practices that most who are successful with IPS adopt:

Run the IPS in "monitor" mode until it's clear that the system is properly tuned. We have been recommending this with our Strata Guard IDS/IPS for years. In fact we have a tuning wizard which gives you a real leg up in getting started with your tuning. In essence though this means that you start off not blocking anything,and only after seeing what is really happening on your network do you selectively start enabling blocking of specific types of attacks. You don't just turn on every rule to block. This advice is similar to what our best practices in NAC recommends as well.
Keep the number of "block" mode rules to a small, finely tuned set. Again this is something that has been the reasonable route for a while now. Most IPS today runs in a hybrid IDS/IPS mode. Be selective in what you want to actually block verses what you just want to alert and/or log. Too many rules set to block will lead to failure. Being smart about which rules are set and grouping attacks to trigger a minimum amount of rules is key. I have seen rule sets where one kind of attack can trigger multiple signatures. This will fire more blocks than necessary and burden your system for no reason. Don't overlap your rule sets if you are using Snort!
Consider using a fail-open device. In line devices are a single point of failure. If your IPS does not offer some sort of bypass or other fail open device, you are asking for trouble. Also, don't settle for the sales guy telling you the software or appliance is designed to fail open. In a power failure that isn't going to help. Make sure it is a self-powered bypass to be sure.

All in all it was a good validation for me to read this article. I think IPS is at a critical mass of adoption today, I just don't think it has reached a critical mass of utilization yet. But progress is being made.

Justifying Snort

Mon, 12 May 2008 11:12:01 +0000

Intrusion detection systems like Snort can be invaluable to your customers and their networks. Learn how to justify Snort to your customers by highlighting its capabilities.

Detection Rates for Malware in the Wild

Wed, 30 Apr 2008 00:58:01 +0000

Yet another Early Warning Security Event System has been made available to the public, earlier this month. The Malware Threat Center is currently generating automated tracking reports in the following sections :

- Most Aggressive Malware Attack Source and Filters
- Most Effective Malware-Related Snort Signatures
- Most Prolific BotNet Command and Control Servers and Filters
- Most Observed Malware-Related DNS Names
- Most Effective Antivirus Tools Against New Malware Binaries
- Most Aggressively Spreading Malware Binaries

I was particularly interested in the rankings in the "Most Effective Antivirus Tools Against New Malware Binaries" section, especially its emphasis on malware that's currently in the wild. Furthermore, to prove my point, you can see the top 10 list of Anti virus vendors as it were on the 20th, and the top 10 list of anti virus vendors as it were yesterday? Can you find the differences? Grisoft, Avira, Secure Computing and Quick Heal remain on the same
positions, whereas the rest of the vendors are in a different rank, although on the 20th they were exposed to 1030 binaries only, and on the 29th to 1759.

So what? In respect to signatures based malware scanning, every vendor has its 15 minutes of fame, however, as I pointed out two years ago :

"Avoid the signatures hype and start rethinking the concept of malware on demand, open source malware, and the growing trend of malicious software to disable an anti virus scanner, or its ability to actually obtain the latest signatures available."

What has changed? The DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle. Moreover, with malware authors waging tactical warfare on the vendors infrastructure by supplying more malware variants than then can timely analyze, this tactical warfare on behalf of the malicious parties is only going to get more efficient.

The Four Horsemen

Thu, 17 Apr 2008 09:28:38 +0000

The Network Is the Compu...oh, crap. Never mind, it's broken. (Death) Nearly made me snort coffee from my nose when I read this line. That is brilliant. It is a long post, but worth the time to read. It will...

Milton Security Group takes over Vernier EdgeWall 7000 support - Who is Milton Security?

Fri, 11 Apr 2008 18:13:00 +0000

From this press release it looks like the newly named Autonomic Networks (formerly Vernier) has found ~~a sucker~~ an entity to take over ongoing support and perhaps development of the EdgeWall 7000 line of appliances (what about the other Edgewall models?). Before we go any further, one might say that unlike Lockdown, at least they are getting someone to support the customers. But before we go there, maybe we should ask, who or what is Milton Security Group? I am afraid when we peel the layers of this onion we find more of the same old, same old from the folks at Vernier.

I went to the Milton Security web site and it looks like the paint is still wet. They are in protection, compliance and reporting, but I am afraid the links are not yet working to dive in much beyond that. When you go to the company page you get this:

About Milton Security Group LLC

Success in the 21st century is defined by your agility in a changing time. This includes adapting to the needs of your employees, contractors, outsource providers on the workforce side and the changing landscape of how to provide the right access to each one of these groups. Your current infrastructure may be limited in its ability to change as well. Real time auditing and control is required in this age, The Age of Compliance(T).

Milton Security Group LLC is a security company with a consulting practice. The Principals and Staff at Milton Security are dedicated individuals with many years of experience with diverse organizations from small businesses to government agencies. Combined with this and our unique range of experience and knowledge, Milton Security serves only one purpose, helping our customer's succeed.

OK, not really too much there. They are a security company with a consulting practice. I did a little more digging. They have two job openings posted, one for a Sr Systems Engineer for the current and next generation of MSG NAC products. I guess this is the guy who will continue on the development of the Vernier line.

But you guys don't pay me what you do to stop there do you? I did some more digging. Seems that Milton Security is the brainchild of its founder and CEO, James McMurray. I did some more digging and it seems James is the former head of the SE group at Vernier, what a surprise! Looks like he was able to get them to let him take over the IP and run with it. I bet he and his friends paid little if anything for this.

People lets get real here. I applaud James for biting this off and wish he and his band of merry men the best of luck. But is this fair to the people who spent all that money on the Vernier boxes. At best Milton will be pressed to keep up with the snort and nessus signatures the Vernier boxes use. I guess being this small, without VC money behind them, they might be just better off using the Tenable and Sourcefire signatures and hope that those guys figure they are too small to sue.

If you are a Vernier customer you have to be checking your underwear. I mean do you want Milton-Bradley supporting your NAC system? This isn't board games we are talking about here. There are too many replacement and trade up offers from StillSecure and other NAC vendors for you to want to be a guinea pig in yet another experiment from the folks at Vernier. How many times do you have to get burned before you learn? You deserve better!

NSM-Console and HeX update

Thu, 10 Jan 2008 09:50:00 +0000

While researching the HeX System for the pending February toolsmith, I was extremely pleased to discover NSM-Console, from Matthew Lee Hinman. I've not yet seen such an efficient, useful, all encompassing framework for offline packet analysis. NSM-Console includes modules for:
# aimsnarf
# ngrep (gif/jpg/pdf/exe/pe/ne/elf/3pg/torrent)
# tcpxtract
# tcpflow
# chaosreader
# bro-IDS
# snort
# tcpdstat
# capinfos
# tshark
# argus
# ragator
# racount
# rahosts
# hash (md5 & sha256)
# ra
# honeysnap
# p0f
# pads
# fl0p
# iploc
Consider giving both HeX System and the included NSM-Console an immediate look.