Thursday, March 10, 2005

Snort 2.3.1 Released, Audit Clause Modified

Jeremy Hewlett announced that Snort 2.3.1 is now available. According to the announcement, there are only supposed to be new rules in the major releases (e.g., 2.4.0, 3.0.0 -- not 2.3.1). However, a cursory inspection of the new rules in 2.3.1 revealed some additions. For example:

drury:/usr/local/src$ diff snort-2.3.0/rules/backdoor.rules
snort-2.3.1/rules/backdoor.rules
3c3
< # $Id: backdoor.rules,v 1.44.2.4 2005/01/17 23:52:48 bmc Exp $
---
> # $Id: backdoor.rules,v 1.44.2.5 2005/03/01 18:57:08 bmc Exp $
102a103,104
> alert tcp $EXTERNAL_NET any -> $HOME_NET 31337
(msg:"BACKDOOR BackOrifice 2000 Inbound Traffic";
flow:to_server,established; content:"|31 6a d0 d9|";
classtype:trojan-activity; sid:3155; rev:1;)

> alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198
(msg:"BACKDOOR mydoom.a backdoor upload/execute attempt";
flow:to_server,established; content:"|85 13 3c 9e a2|";
depth:5; classtype:trojan-activity; sid:3272; rev:1;)

Here's an example of a rule upgrade:

drury:/usr/local/src$ diff snort-2.3.0/rules/exploit.rules
snort-2.3.1/rules/exploit.rules
3c3
< # $Id: exploit.rules,v 1.63.2.3 2005/01/17 23:52:48 bmc Exp $
---
> # $Id: exploit.rules,v 1.63.2.5 2005/03/01 18:57:08 bmc Exp $
59c59
< alert udp any 4000 -> any any (msg:"EXPLOIT ICQ
SRV_MULTI/SRV_META_USER email overflow attempt";
content:"|05 00|"; depth:2; byte_jump:2,0,relative,little;
byte_test:2,>,128,0,relative,little; content:"|12 02|";
within:2; distance:5; byte_test:1,>,1,12,relative;
content:"|05 00|"; distance:0; content:"n|00|"; within:2;
distance:5; content:"|05 00|"; content:"|DE 03|"; within:2;
distance:5; byte_jump:2,18,relative,little;
byte_jump:2,0,relative,little;
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html;
classtype:misc-attack; sid:2446; rev:4;)
---
> alert udp any 4000 -> any any (msg:"EXPLOIT ICQ
SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|";
depth:2; content:"|12 02|"; distance:5; within:2;
byte_test:1,>,1,12,relative; content:"|05 00|"; content:"|6E 00|";
distance:5; within:2; content:"|05 00|"; content:"|DE 03|";
distance:5; within:2; byte_test:2,>,512,-11,relative,little;
reference:cve,2004-0362;
reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html;
classtype:misc-attack; sid:2446; rev:5;)
84c84

Sourcefire has also responded to the complaints of its users by modifying the VRT Certified Rules License. The Audit clause has been replaced by the following:

"11. License Compliance.

You may be requested by Sourcefire to provide a certificate, signed by your authorized representative, that you are using the VRT Certified Rules consistent with a Permitted Use. In the event your use of the VRT Certified Rules is not in compliance with a Permitted Use, or if you otherwise violate the terms of this Agreement, Sourcefire may, since remedies at law may be inadequate, in addition to its other remedies:

(a) demand return of the VRT Certified Rules;

(b) forbid and enjoin your further use of the VRT Certified Rules;

(c) assess you a use fee appropriate to your actual use of the VRT Certified Rules."

I think this is much more reasonable. You may want to still run it by your corporate counsel before agreeing, if you want to use Snort in your environment as a registered user.

No comments: