Jeremy Hewlett announced that Snort 2.3.1 is now available. According to the announcement, there are only supposed to be new rules in the major releases (e.g., 2.4.0, 3.0.0 -- not 2.3.1). However, a cursory inspection of the new rules in 2.3.1 revealed some additions. For example:
drury:/usr/local/src$ diff snort-2.3.0/rules/backdoor.rules
snort-2.3.1/rules/backdoor.rules
3c3
< # $Id: backdoor.rules,v 1.44.2.4 2005/01/17 23:52:48 bmc Exp $
---
> # $Id: backdoor.rules,v 1.44.2.5 2005/03/01 18:57:08 bmc Exp $
102a103,104
> alert tcp $EXTERNAL_NET any -> $HOME_NET 31337
(msg:"BACKDOOR BackOrifice 2000 Inbound Traffic";
flow:to_server,established; content:"|31 6a d0 d9|";
classtype:trojan-activity; sid:3155; rev:1;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198
(msg:"BACKDOOR mydoom.a backdoor upload/execute attempt";
flow:to_server,established; content:"|85 13 3c 9e a2|";
depth:5; classtype:trojan-activity; sid:3272; rev:1;)
Here's an example of a rule upgrade:
drury:/usr/local/src$ diff snort-2.3.0/rules/exploit.rules
snort-2.3.1/rules/exploit.rules
3c3
< # $Id: exploit.rules,v 1.63.2.3 2005/01/17 23:52:48 bmc Exp $
---
> # $Id: exploit.rules,v 1.63.2.5 2005/03/01 18:57:08 bmc Exp $
59c59
< alert udp any 4000 -> any any (msg:"EXPLOIT ICQ
SRV_MULTI/SRV_META_USER email overflow attempt";
content:"|05 00|"; depth:2; byte_jump:2,0,relative,little;
byte_test:2,>,128,0,relative,little; content:"|12 02|";
within:2; distance:5; byte_test:1,>,1,12,relative;
content:"|05 00|"; distance:0; content:"n|00|"; within:2;
distance:5; content:"|05 00|"; content:"|DE 03|"; within:2;
distance:5; byte_jump:2,18,relative,little;
byte_jump:2,0,relative,little;
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html;
classtype:misc-attack; sid:2446; rev:4;)
---
> alert udp any 4000 -> any any (msg:"EXPLOIT ICQ
SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|";
depth:2; content:"|12 02|"; distance:5; within:2;
byte_test:1,>,1,12,relative; content:"|05 00|"; content:"|6E 00|";
distance:5; within:2; content:"|05 00|"; content:"|DE 03|";
distance:5; within:2; byte_test:2,>,512,-11,relative,little;
reference:cve,2004-0362;
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html;
classtype:misc-attack; sid:2446; rev:5;)
84c84
Sourcefire has also responded to the complaints of its users by modifying the VRT Certified Rules License. The Audit clause has been replaced by the following:
"11. License Compliance.
You may be requested by Sourcefire to provide a certificate, signed by your authorized representative, that you are using the VRT Certified Rules consistent with a Permitted Use. In the event your use of the VRT Certified Rules is not in compliance with a Permitted Use, or if you otherwise violate the terms of this Agreement, Sourcefire may, since remedies at law may be inadequate, in addition to its other remedies:
(a) demand return of the VRT Certified Rules;
(b) forbid and enjoin your further use of the VRT Certified Rules;
(c) assess you a use fee appropriate to your actual use of the VRT Certified Rules."
I think this is much more reasonable. You may want to still run it by your corporate counsel before agreeing, if you want to use Snort in your environment as a registered user.
0 komentar:
Posting Komentar