Welcome to www.Snort.org
The Lightweight Network Intrusion Detection System


Snort.org Latest News


1 June, 2001
Interesting Statistics - by Jim Forster @ 15:53:50
   In searching for a replacement source for defacement info (as attrition.org recently shut down their defacement mirror), I came across http://www.alldas.de.
The information they provide is very interesting to say the least.
The following data was pulled from http://defaced.alldas.de/

(Statistical Data from 04/2000) OS Statistics for 16782 defaced Websites / 17 OS

OS             Defaced hosts   Share
Windows            10441       62.22%
Linux               3189       19%
Unknown             1907       11.36%
Solaris              554        3.3%
IRIX                 250        1.49%
FreeBSD              167        1%
BSDI                 140        0.83%
SCO                   66        0.39%
NetBSD                22        0.13%
AIX                    9        0.05%
HP-UX                  9        0.05%
Tru64 UNIX             8        0.05%
Digital Unix           7        0.04%
MacOS                  6        0.04%
OpenBSD                5        0.03%
Novell                 1        0.01%
Ultrix                 1        0.01%

Month     OSs   Attackers   Defaced sites archived
05/2001    12         472                     3431
04/2001    14         308                     3003
03/2001     9         261                     2168
02/2001    10         199                     1350
01/2001    10         207                     1279

12/2000    10         165                      839
11/2000    10         166                      707
10/2000    10         122                      614
09/2000    10          71                      300
08/2000    10         112                      388
07/2000    12          97                      264
06/2000     9          96                      251
05/2000     8          90                      277
04/2000     7          82                      178
03/2000     8          69                      165
02/2000     8          94                      218
01/2000    10          91                      192


29 May, 2001
Ueli Kistler Releases IDScenter 1.08c - by Jim Forster @ 13:18:15
   Version 1.08c includes:

+ Snort 1.7 and Snort 1.6 support
+ integration in the taskbar (tray icon)
+ immediate automatic restart of Snort if it was killed (Task Manager, Ctrl-Break, or other unusual exits)
+ IP/interface detection
+ audio alert (WAV) / beep alerts
+ execution of other programs on alerts (e.g. net send)
+ integrated log viewer
+ "Test configuration" button
+ e-mail alert
+ download link for new rulesets
+ support for external viewers/editors (alert log and ruleset file)
+ process priority option
You can download this new release Here

22 May, 2001
Service / Port Searches Online - by Jim Forster @ 14:57:10
   I've added to the 'port search' database with the ability to search by service name.
You can try it out using the link to the left, or just click here - http://www.snort.org/Database/portsearch2.asp
Note: There will be duplicates at this time; the cleanup is an ongoing process. :)
If you see anything I'm missing in there, please let me know.

Silicon Defense Releases SnortSnarf 052101.1 - by Jim Forster @ 09:14:23
   Here are the changes for version 052101.1:

+ fixed 'unmatched [] in regexp' problem under windows
+ actually included support for the variation on syslog formatting
that I announced last time but forgot to put in the released package
+ classification/priority lines in fast alerts now disregarded in parsing
[contrib by Chris Green]

You can download this and learn more at:
http://www.silicondefense.com/software/snortsnarf/


18 May, 2001
Installing Snort on a Win2k System - by Jim Forster @ 08:23:51
   Michael Steele from Silicon Defense has written up a guide on installing Snort on a Windows 2000 system.
The instructions start with installing Snort and end with using ACID to view the alert logs.
This document is available via the link to the left under 'documentation'.
Thanks Michael!

NOTE: Revision 1.2 has been posted this morning, May 21, 2001.
Document is available here

17 May, 2001
Silicon Defense releases SnortSnarf 051601.1 - by Jim Forster @ 08:32:10
   Silicon Defense is pleased to announce the release of SnortSnarf version 051601.1.
Changes in this release:

+ fixed the full qualification of input files under Windows
+ fixed a bug when using -rulesdir and -rulesfile with a path under Windows
+ fixed a couple warning messages often encountered when using -homenet
+ restored port lookup links (was not being generated due to a bug)
+ optimized additional accesses to HTMLMemStorage (should speed up run time especially for large inputs)
+ Xref lines in full alerts now scanned for links to include on signature pages
+ classification/priority lines in full alerts now disregarded in parsing [based on contrib by Craig Barraclough]
+ added support for another variation on syslog format
+ fixed generation of Silicon Defense logo on Windows
+ now ensures all chosen signature page names are unique
+ added note in README about installing the time modules under Windows

This has a few bug fixes, a few feature additions, and a speedup, so this is a recommended upgrade, especially if you have been having problems.

You can download this and learn more at: http://www.silicondefense.com/software/snortsnarf/


16 May, 2001
Port 10008 Scans - by Jim Forster @ 08:44:01
   In watching mailing lists the past week, I've seen a number of people asking about these odd SYN scans to port 10008. One recent post listed 1i0n 3 as the cause, and information from Whitehats.com matches this.
(From Whitehats.com)
Lion.v3 /bin/sh bound to tcp port 10008 (from bind exploit)
/sbin/asp bound to tcp port 27374 (webserver allowing download of Lion.v3 worm archive)

The full article by Max Vision is available here
------------------------------------------------------------------------
This just posted to incidents@securityfocus.com by HyunWoo Lee-

Cheese worm found around 14th May.

It scans port 10008, which is opened by the 1i0n worm, and removes root shells from inetd.conf.

removes rootshells running from /etc/inetd.conf after a l10n infection... (to stop pesky haqz0rs
messing up your box even worse than it is already)
This code was not written with malicious intent.
In fact, it was written to try and do some good.

It was found in the directory "/tmp/.cheese/", and the following files are found in this directory:

ADL
cheese
cheese.uue
psm

8 May, 2001
Using Snort to monitor ISA Vulnerabilities - by Jim Forster @ 13:46:13
   I received this paper in my E-mail today from Richard Howlett. In it he describes the procedures to configure the Windows port of Snort to monitor an ISA Server.
You can grab a copy of this paper here


4 May, 2001
The Port Database Returns - by Jim Forster @ 16:29:53
   I've updated the ports list, and placed it back online. I'll be adding more information to it over time, but it has enough to be a good 'start' at the moment.
You can access it from the link to the left, or directly using this address:
http://www.snort.org/Database/portsearch.asp

Would you like to be able to search by other criteria? Shoot me an E-mail with any suggestions.

3 May, 2001
IIS 5 ISAPI Hole Sigs - by Jim Forster @ 16:40:16
   I've had numerous requests on this one concerning the IIS5 printer ISAPI hole today, so I'm posting these directly from Max's arachNIDS database at www.whitehats.com.
NOTE: If you are using the snort.org rulesets, change $EXTERNAL to $EXTERNAL_NET and $INTERNAL to $HOME_NET.

-------------------
Rules for Snort 1.7
-------------------
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS533/http-iis5-printer-isapi"; flags: P+; content: ".printer"; nocase;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS534/http-iis5-printer-eeye"; flags: P+; content: "|8B C4 83 C0 11 33 C9 66 B9 20 01 80 30 03|";)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS535/http-iis5-printer-beavuh"; flags: P+; content: "|33 C0 B0 90 03 D8 8B 03 8B 40 60 33 DB B3 24 03 C3|";)

-------------------
Rules for Snort 1.8
-------------------
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS533/http-iis5-printer-isapi"; flags: P+; uricontent: ".printer"; nocase;classtype: attempted-admin; reference: arachnids,533;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS534/http-iis5-printer-eeye"; flags: P+; content: "|8B C4 83 C0 11 33 C9 66 B9 20 01 80 30 03|"; classtype: attempted-admin; reference: arachnids,534;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS535/http-iis5-printer-beavuh"; flags: P+; content: "|33 C0 B0 90 03 D8 8B 03 8B 40 60 33 DB B3 24 03 C3|"; classtype: attempted-admin; reference:arachnids,535;)

-------------------
Experimental Rules
-------------------
alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS533/http-iis5-printer-isapi"; flags: P+; uricontent: ".printer"; nocase;classtype: attempted-admin; osaffected: windows; reference: arachnids,533;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS534/http-iis5-printer-eeye"; flags: P+; content: "|8B C4 83 C0 11 33 C9 66 B9 20 01 80 30 03|"; classtype: attempted-admin; osaffected: windows; reference: arachnids,534;)

alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS535/http-iis5-printer-beavuh"; flags: P+; content: "|33 C0 B0 90 03 D8 8B 03 8B 40 60 33 DB B3 24 03 C3|"; classtype: attempted-admin; osaffected: windows; reference: arachnids,535;)
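As an added illustration (my own code, not from the post or the arachNIDS database), the following Python parses the two IDS533 rule versions quoted above and runs their payload options over constructed HTTP requests. It shows the practical difference between the Snort 1.7 rule (content: matches ".printer" anywhere in the payload, so a POST body mentioning a file called invoice.printer fires it) and the Snort 1.8 rule (uricontent: matches only in the request URI). Function and variable names are mine; the matcher is a simplification that ignores the rule header and the flags option.

```python
import re

# The IDS533 signatures quoted in the post: the Snort 1.7 rule matches ".printer"
# anywhere in the payload, the Snort 1.8 rule restricts the match to the request URI.
RULE_17 = 'alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS533/http-iis5-printer-isapi"; flags: P+; content: ".printer"; nocase;)'
RULE_18 = 'alert TCP $EXTERNAL any -> $INTERNAL 80 (msg:"IDS533/http-iis5-printer-isapi"; flags: P+; uricontent: ".printer"; nocase;classtype: attempted-admin; reference: arachnids,533;)'

# One rule option: name, optional ':' and a quoted or bare value, terminated by ';'
OPT_RE = re.compile(r'(\w+)\s*:?\s*("(?:[^"\\]|\\.)*"|[^;]*);')

def decode_content(text):
    """Turn a Snort content string into bytes, expanding |8B C4 ...| hex runs."""
    out = b""
    for i, chunk in enumerate(text.strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return out

def parse_rule(rule):
    """Split the header fields and collect the options evaluated by matches()."""
    header, _, body = rule.partition("(")
    f = header.split()
    parsed = {"proto": f[1], "src": f[2], "dst": f[5], "dport": f[6], "msg": "", "flags": "", "contents": []}
    for name, val in OPT_RE.findall(body.rsplit(")", 1)[0]):
        val = val.strip()
        if name in ("content", "uricontent"):
            parsed["contents"].append({"needle": decode_content(val),
                                       "uri_only": name == "uricontent", "nocase": False})
        elif name == "nocase":  # a modifier: applies to the content just before it
            parsed["contents"][-1]["nocase"] = True
        elif name in ("msg", "flags"):
            parsed[name] = val.strip('"')
    return parsed

def matches(rule, payload):
    """Apply the rule's content options to one TCP payload. Simplified: header and
    flags are not checked; uricontent is tested against the raw request-line URI."""
    parts = payload.split(b" ", 2)
    uri = parts[1] if len(parts) == 3 else b""
    for c in rule["contents"]:
        hay, needle = (uri if c["uri_only"] else payload), c["needle"]
        if c["nocase"]:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

# Constructed sample requests (not captured traffic)
REQ_URI = b"GET /NULL.PRINTER HTTP/1.0\r\nHost: www\r\n\r\n"        # .printer in the URI
REQ_BODY = b"POST /upload HTTP/1.0\r\n\r\nname=invoice.printer\r\n"  # .printer in the body only
REQ_OK = b"GET /index.html HTTP/1.0\r\n\r\n"
```

Real Snort evaluates uricontent against the URI normalised by the http_decode preprocessor, so encoded variants of the path are also caught there; this toy matcher only looks at the raw request line.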
