Snort 2.8 Now Available
August 23rd, 2007 under Releases by jonbaer

The Snort 2.8 beta is now available on CVS for download and testing.
Binaries will be available within a few days.
Feature highlights:
* Port lists
* IPv6 support
* Packet performance monitoring
* Experimental support for target-based stream and IP frag reassembly
* Ability to take actions on preprocessor events
* Detection for TCP session hijacking based on MAC address
* Unified2 output plugin
* Improved performance and detection capabilities
Please submit bugs, questions, and feedback to snort-beta at sourcefire.com.

Sourcefire Acquires ClamAV Open Source Network Anti-Virus Project
August 20th, 2007 under Uncategorized by jonbaer

Acquisition Expands Company’s Open Source Portfolio and Commercial
COLUMBIA, Md.–(BUSINESS WIRE)–Aug. 17, 2007–Open source innovator and SNORT (R) creator, Sourcefire, Inc. (Nasdaq:FIRE), today announced that it has acquired ClamAV(TM), a leading open source gateway anti-virus and anti-malware project. Sourcefire’s first acquisition since its Initial Public Offering in March 2007, ClamAV will broaden the company’s open source footprint while providing the technology foundation for new products and services that will extend the company’s Enterprise Threat Management network security portfolio.
With nearly 1 million unique IP addresses downloading ClamAV malware updates daily across more than 120 mirrors in 38 countries, ClamAV is one of the most broadly adopted open source security projects worldwide. ClamAV has also been recognized as comparable in quality and coverage to leading commercial anti-virus solutions. Most recently, at LinuxWorld this year, ClamAV was one of only three anti-virus technologies to provide a 100% detection rate in their live ‘Fight Club’ test featuring live submissions from the show audience.
Read more here.

In memory of Patrick Harper
July 11th, 2007 under Uncategorized by jonbaer

Many of you may have heard that Patrick Harper passed away late last week. He was a strong supporter of the Snort community and will be greatly missed. Most of you know him from his many contributions to Snort.org and his helpful posts to Snort related mailing lists and forums. Just a few of Patrick’s contributions include his popular installation guides, the VMWare build of Snort, MySQL and BASE that’s hosted on the home page of Snort.org and his role as a founding member of the North Texas Snort Users Group. All of us in the Snort community and the information security community at large have benefited from Patrick’s hard work and dedication. I will post any additional information regarding services or other memorials as I receive it.
Mike Guiterman

Snort 2.6.1.5 Now Available
May 15th, 2007 under Sourcefire by jonbaer

Hi everybody,
Snort v2.6.1.5 has been released. The software and source code are available at: http://snort.org/dl/
Snort v2.6.1.5 includes:
* A new http_post rule keyword used to search for content in normalized HTTP posts
* A fix for a potential memory leak when generating HTTP Inspection events
NOTE: In the default configuration, the http_inspect preprocessor will generate informational events on normalized HTTP POST data. To disable these events, refer to the Snort Manual.
Happy Snorting!
The Snort Release Team
Sourcefire, Inc.

Snort Management Reports
May 9th, 2007 under Tools by michelangelo

Snort Management Reports is a configurable reporting application that can be run against any Snort™-compliant database to analyse the alert data and present the result as a Portable Document Format (PDF) report. Snort™, as an open source Intrusion Detection and Prevention System, now benefits from a high-quality management reporting tool. Alert Management Reports is a robust and configurable reporting solution that can provide a strategic view of your company's security performance.

Alert Management Reports can either draw a high-level statistical overview of your incident database or be configured to do a detailed analysis of your security traffic for each day of the report period. This flexibility allows the administrator to use the report to measure weekly performance and, by tracking the variance in the report data, to be alerted to any anomalous activity that needs deeper investigation. This lets you use Management Reports as a security dashboard to keep an eye on your security posture and to investigate in more detail if any anomaly is detected. The application can be configured to include any of a range of specific types of data, from graphs of events vs. time to summarised and/or detailed listings of the IP addresses and port numbers of alert packets.
Alert Management Reports can easily be extended to provide answers to questions that are of specific interest to your organisation. These queries can be anything ranging from custom views of data returned by existing queries to complex data mining operations on historical data.
Please download a sample report from our product documentation section.
You can download the product as a tar.gz file and install it or you can download our debianized packages. Click here to read the product installation readme.
You can download the product from here.

SeePurity.com
May 2nd, 2007 under Tools by michelangelo

Check out this great site that collects and shares open source security tools for the enterprise, tools howtos and experiences, articles, etc.
http://seepurity.com/

Criteria for evaluating IDS / IPS
May 2nd, 2007 under White papers by michelangelo

This paper provides readers with an excellent overview of the criteria that need to be followed to select and properly scale an IDS / IPS enterprise installation.
It ranks the criteria as Must Have, Should Have, and Good to Have so you can prioritize different vendors’ IDS features.
This paper is a MUST-HAVE prior to starting any IDS / IPS implementation project.
http://www.snort.org/docs/IDS_criteria.pdf

Snort User Group April 26th recap
April 27th, 2007 under Articles by mo

Thanks to all the people who made it to the NYC Snort User Group last night for the great conversations and topics we covered. Special thanks to Phil Jew from Sourcefire for the excellent presentation on Snort 3.0 alpha development.
On another note, we talked about deploying Snort + BASE as a VMware virtual appliance. Here’s the VMware link to get the appliance, even though its Snort version is fairly outdated (2.4):
http://www.vmware.com/vmtn/appliances/directory/185
A Google search will turn up other virtual appliances as well.
We also talked about topics for the next NYC Snort User Group and wanted to put some ideas out there:
- Best practices on Snort deployment in the enterprise;
- Snort Graphical front-ends and network forensic consoles;
- Introduction to Snort rules’ syntax and rule writing;
- Snort.conf configuration 101 and settings for attacks that use evasion techniques;
- Other open source tools and projects that use Snort
The best way to vote on these, or to propose another future topic, is to email the New York Snort mailing list. If you have not subscribed, do so at:
https://lists.snort.org/mailman/listinfo/ny-sug

Snort User Group to meet April 26th
April 20th, 2007 under Uncategorized by mo

The next meeting of the NYC SUG is scheduled for Thursday April 26, 6:00 PM at Ciphertechs, Inc. in Manhattan.
Philip Jew from Sourcefire’s security engineering team will be presenting on the future of Snort and will be available to answer questions. As many of you know Marty has been hard at work on Snort 3.0 and has posted the first sub-system code for alpha testing. This is a great opportunity to see what the future holds for everyone’s favorite pig.
Thanks to Ciphertechs for hosting the meeting. Details are below:
Time: 6:00 pm – 8:00 pm
Location: 55 Broadway
11th Floor
New York, New York
55 Broadway is a secure building so please RSVP at: http://snort.org/registrations/rsvp.html

Snort “unified” file api in ruby
April 16th, 2007 under Tools by jonbaer

Via Brian Caswell …
The fastest full detail output for Snort “unified logs”, which were meant to unify packet and event logs into a single binary file format. Along the way, someone (cough, Marty, cough) forgot the definition of “unified”. There are two separate file formats, unified logs and unified alerts. The great part about “unified” files is that they are host-byte-order dependent!
If you want to read unified files, you have a few options.
- Barnyard, an unmaintained unified file reader.
- Mudpit, an unmaintained unified file reader.
- Cerebus, an unmaintained, binary only text based event reader.
- SnortUnified.pm, a sort-of OOP perl API for unified files (Don’t attempt to read multiple files at once!)
Or… unified.rb, a tiny ruby API for reading unified files.
http://www.shmoo.com/~bmc/software/ruby/unified.rb
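As an added example for this page (it is neither Brian Caswell's unified.rb nor Snort's own code), here is a small Ruby reader that copes with the byte-order problem the post complains about: it tries the file magic in both orders and derives every unpack directive from the result, so one reader can consume a file written by either a big-endian or a little-endian sensor, and it refuses to yield a half-written trailing record. Assumptions not stated in the post: the ALERT_MAGIC and LOG_MAGIC constants, the four-field file header and the simplified UnifiedAlert record layout with 32-bit timeval members (what a 32-bit sensor writes) are recalled from Snort's unified output source and should be confirmed against the Snort version that wrote your files; the sample file is constructed inline.

```ruby
require 'stringio'

# Magic values at offset 0 of unified alert / log files. Assumed here from
# Snort's unified output source; confirm against your Snort tree.
ALERT_MAGIC = 0xDEAD4137
LOG_MAGIC   = 0xDEAD1080
MAGICS = { ALERT_MAGIC => :alert, LOG_MAGIC => :log }.freeze

# File header: magic, version_major, version_minor, timezone (four u32).
HEADER_FIELDS = %i[magic version_major version_minor timezone].freeze

# Simplified UnifiedAlert record (assumed layout): the Event block, then the
# event timestamp, addressing and protocol fields. timeval members are taken
# as 32-bit, which is what a 32-bit sensor writes. Entries are [name, width].
ALERT_FIELDS = [
  [:sig_generator, 4], [:sig_id, 4], [:sig_rev, 4],
  [:classification, 4], [:priority, 4],
  [:event_id, 4], [:event_reference, 4],
  [:ref_sec, 4], [:ref_usec, 4],
  [:ts_sec, 4], [:ts_usec, 4],
  [:sip, 4], [:dip, 4],
  [:sp, 2], [:dp, 2],
  [:protocol, 4], [:flags, 4]
].freeze
ALERT_SIZE = ALERT_FIELDS.sum { |_, width| width }

# pack/unpack directive for an unsigned int of this width in this byte order.
def directive(order, width)
  case [order, width]
  when [:big, 4]    then 'N'
  when [:big, 2]    then 'n'
  when [:little, 4] then 'V'
  when [:little, 2] then 'v'
  else raise ArgumentError, "unsupported width #{width}"
  end
end

class UnifiedAlertReader
  attr_reader :byte_order, :kind, :header

  def initialize(io)
    @io = io
    raw = read_exact(16, 'file header')
    # The magic is the only fixed-value field, so it is what reveals whether
    # the sensor that wrote the file was big- or little-endian.
    @byte_order, @kind = detect_order(raw[0, 4])
    @header = HEADER_FIELDS.zip(raw.unpack(directive(@byte_order, 4) * 4)).to_h
    raise "#{@kind} files carry packet data; this reader handles alert files" unless @kind == :alert
  end

  # Yields each alert record as a Hash. Stops at EOF; a short trailing record
  # (sensor still writing, or a truncated copy) raises instead of yielding garbage.
  def each_alert
    return enum_for(:each_alert) unless block_given?
    fmt = ALERT_FIELDS.map { |_, width| directive(@byte_order, width) }.join
    until @io.eof?
      raw = read_exact(ALERT_SIZE, 'alert record')
      yield ALERT_FIELDS.map(&:first).zip(raw.unpack(fmt)).to_h
    end
  end

  private

  def detect_order(magic_raw)
    big    = magic_raw.unpack1('N')
    little = magic_raw.unpack1('V')
    return [:big, MAGICS[big]]       if MAGICS.key?(big)
    return [:little, MAGICS[little]] if MAGICS.key?(little)
    raise format('not a unified file: magic %08x', big)
  end

  def read_exact(count, what)
    raw = @io.read(count)
    raise "truncated #{what}" unless raw && raw.bytesize == count
    raw
  end
end

# Constructed sample, not a real capture: one alert (gid 1, sid 2003) from
# 10.0.0.5:40000 to 10.0.0.9:80 over TCP, serialised in the requested order.
SAMPLE_ALERT = {
  sig_generator: 1, sig_id: 2003, sig_rev: 4, classification: 3, priority: 2,
  event_id: 1, event_reference: 1, ref_sec: 1_187_870_000, ref_usec: 0,
  ts_sec: 1_187_870_000, ts_usec: 123_456,
  sip: 0x0A000005, dip: 0x0A000009, sp: 40_000, dp: 80, protocol: 6, flags: 0
}.freeze

def build_sample_file(order)
  header = [ALERT_MAGIC, 1, 81, 0].pack(directive(order, 4) * 4)
  fmt = ALERT_FIELDS.map { |_, width| directive(order, width) }.join
  header + ALERT_FIELDS.map { |name, _| SAMPLE_ALERT[name] }.pack(fmt)
end

# Parse a sample written in the given order; returns [detected order, header, alerts].
def parse_sample(order)
  reader = UnifiedAlertReader.new(StringIO.new(build_sample_file(order)))
  [reader.byte_order, reader.header, reader.each_alert.to_a]
end

if $PROGRAM_NAME == __FILE__
  %i[big little].each do |order|
    detected, header, alerts = parse_sample(order)
    puts "#{order}-endian file: detected #{detected}, header v#{header[:version_major]}.#{header[:version_minor]}"
    alerts.each do |a|
      puts format('  %d:%d %08x:%d -> %08x:%d proto %d',
                  a[:sig_generator], a[:sig_id], a[:sip], a[:sp], a[:dip], a[:dp], a[:protocol])
    end
  end
end
```

Run it directly to parse the constructed sample in both byte orders and see the same record come back each time. Byte order is not the only portability trap in this format: a 64-bit sensor writes 8-byte timeval members, so the record size changes with the writer's architecture as well, and a reader has to know which it is dealing with.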