RSA 2011 Brainstorming Session Agenda Available

You can get a PDF of the Agenda here:
Summary available below:
Free lunch will be available on a first come, first served basis.
To keep the meeting moving along, not all topics will be covered in detail unless there are questions.
Project Funding Status
Release Schedule
Current Stable Features
Phase 2 Dev Roadmap
Technical Topics/Proposed Features
CUDA GPU Acceleration
DNS Fast Flux/Anomaly Preprocessor
IP and DNS Reputation
IP and DNS Reputation Distribution Spec
File Extraction and Inspection
Alienvault’s Proposed Classification Schema
Unix Socket Output
GPLv3 Relicensing
Live Engine Status Page
Passive Fingerprinting
Regex Optimization
Host Attribute Scrubbing
Rotating Pcap Support
Mysql/Postgres/Sguil Output
Additional Protocol Recognitions
Netflow Output
IP Only Match Payload Capture
FTP-Data Stream Prediction / Exclusion
Run Mode Configurations
Live Ruleset Swap
Snortsam Output Plugin
Built-in Rule Testing
SCADA Preprocessors
Digital Bond SCADA Preprocessors
Replace Keyword
Max Inspection Time Cutoff
GeoIP Keyword
Stateful Pattern Matching
Performance Stats Addition
Global Shared Flowvars
DNS Name Var Support
Snort Syntax Support Status
Host/App/OS Table Import
Transaction Aware Detection

We hope to see you there!

Daily Update Summary 10/2/2011 Night Dragon Update

This is just an incremental update; we wanted to get the Night Dragon sigs out ASAP. We may have another tarball yet this afternoon, depending on how other research underway shapes up.

[+++]          Added rules:          [+++]

 2012303 – ET TROJAN Night Dragon CnC Beacon Outbound (trojan.rules)
 2012304 – ET TROJAN Night Dragon CnC Beacon Inbound (trojan.rules)
 2012305 – ET TROJAN Night Dragon CnC Traffic Inbound 2 (trojan.rules)
 2012306 – ET TROJAN Night Dragon CnC Traffic Outbound 2 (trojan.rules)

We also moved a number of chat rules from policy to the chat ruleset for organizational reasons. No changes to the rules themselves. 
Please report your experiences on the Night Dragon rules. They fared well in FP testing, but real world is always the true test!
More on the incident itself here:

Daily Update Summary 8/2/2011

Your Patch Tuesday update for the ET rulesets. Most of the major issues were previously disclosed, so there was already coverage in the rulesets. What was not yet disclosed is covered in this update. All ET Pro rules this time around.
Happy patching!

[+++]          Added rules:          [+++]

 2801324 – ETPRO WEB_CLIENT Microsoft Internet Explorer insertBefore Document Memory Corruption (web_client.rules)
 2801325 – ETPRO WEB_CLIENT Microsoft Internet Explorer getElementByID onCellChange Memory Corruption (web_client.rules)
 2801326 – ETPRO RPC Microsoft Kerberos Encryption Downgrade to DES TCP (rpc.rules)
 2801327 – ETPRO WEB_CLIENT IE Jscript Decoding Information Disclosure Attempt (web_client.rules)
 2801328 – ETPRO EXPLOIT Symantec Alert Management System Pin Number Stack Buffer Overflow (exploit.rules)
 2801329 – ETPRO TROJAN Trojan.Win32.Delf.MW Checkin 1 (trojan.rules)
 2801330 – ETPRO TROJAN Trojan.Win32.Delf.MW Checkin 2 (trojan.rules)
 2801331 – ETPRO TROJAN Worm.Win32.Autorun.ABB checkin (trojan.rules)
 2801332 – ETPRO WEB_SPECIFIC_APPS SAP Crystal Reports 2008 Directory Traversal 1 (web_specific_apps.rules)
 2801333 – ETPRO WEB_SPECIFIC_APPS SAP Crystal Reports 2008 Directory Traversal 2 (web_specific_apps.rules)
 2801334 – ETPRO WEB_CLIENT Adobe PDF Memory Corruption /Ff Dictionary Key Corruption (web_client.rules)

Daily Update Summary 7/2/2011

Not a huge update today. We are preparing the Patch Tuesday sigs and will have full coverage as soon as we can release them!
RBN update in this tarball as well.

[+++]          Added rules:          [+++]

 2012301 – ET TROJAN Potential Trojan dropper Wlock.A (AS1680) (trojan.rules)
 2012302 – ET CURRENT_EVENTS Potential Fake AV Scan (AS31252) (current_events.rules)

Pro rules:
 2801322 – ETPRO TROJAN Win32.Dogrobot activity on port 123 (trojan.rules)
 2801323 – ETPRO CURRENT_EVENTS Win32/Dogrobot Checkin on HTTP_PORTS (current_events.rules)

[///]     Modified active rules:     [///]

 2001652 – ET USER_AGENTS JoltID Agent New Code Download (user_agents.rules)
 2011967 – ET CURRENT_EVENTS Trojan Zbot (AS9121) (current_events.rules)

Pro rules:
 2800818 – ETPRO WORM Worm.Win32.Carrier.ih Checkin (hello) (worm.rules)
 2801178 – ETPRO EXPLOIT Microsoft IIS FTP Server Telnet IAC Buffer Overflow (exploit.rules)
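The daily update summaries above all use the same list layout: a section header (`[+++] Added rules:` or `[///] Modified active rules:`), then one line per SID with the ruleset (ET or ETPRO), category, message and rule file. As an added example, not Emerging Threats' own tooling, here is a small Python parser for that layout that also flags modified rules overlapping a locally tuned SID list; the sample text and the tuned SID set are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the ET daily update summaries
SAMPLE = """\
[+++]          Added rules:          [+++]
 2012301 – ET TROJAN Potential Trojan dropper Wlock.A (AS1680) (trojan.rules)
 2012302 – ET CURRENT_EVENTS Potential Fake AV Scan (AS31252) (current_events.rules)
Pro rules:
 2801322 – ETPRO TROJAN Win32.Dogrobot activity on port 123 (trojan.rules)
[///]     Modified active rules:     [///]
 2001652 – ET USER_AGENTS JoltID Agent New Code Download (user_agents.rules)
"""

# "[+++] Added rules:" / "[///] Modified active rules:" open a section
SECTION_RE = re.compile(r"^\[(\+\+\+|///)\]\s+(Added rules|Modified active rules):")
# " <sid> – <ET|ETPRO> <CATEGORY> <message> (<file>.rules)"; the dash may be an en dash
ENTRY_RE = re.compile(r"^\s*(\d+)\s+[–-]\s+(ET|ETPRO)\s+([A-Z_]+)\s+(.*?)\s+\(([\w.]+)\)\s*$")


@dataclass
class RuleChange:
    sid: int
    change: str      # "added" or "modified"
    ruleset: str     # "ET" (open) or "ETPRO"; the "Pro rules:" label is redundant with this
    category: str
    msg: str
    rule_file: str


def parse_update_summary(text):
    """Return one RuleChange per SID line, tagged with its enclosing section."""
    changes, change = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            change = "added" if m.group(1) == "+++" else "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and change:                      # ignore lines outside a known section
            sid, ruleset, cat, msg, rule_file = m.groups()
            changes.append(RuleChange(int(sid), change, ruleset, cat, msg, rule_file))
    return changes


def tuned_rules_touched(changes, tuned_sids):
    """SIDs modified upstream that are locally disabled or tuned: re-review these,
    since the local override may now apply to a rule whose logic has changed."""
    return sorted(c.sid for c in changes if c.change == "modified" and c.sid in tuned_sids)
```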
