SNORT® Rules
Premium Fuel for Snort
Snort has long been recognized as the de facto standard for intrusion detection and prevention.
The power, precision and flexibility of the technology and the robust rules language enable the
industry’s most comprehensive threat coverage. Sourcefire enhances this coverage by combining the
accuracy of Snort with the expertise of the Sourcefire Vulnerability Research Team (VRT), network insight
provided by Sourcefire RNA™ and real world insights of the user community. Sourcefire
customers benefit from this combination by gaining the most effective network security available today.
The Sourcefire VRT is a group of leading edge intrusion prevention experts
working to proactively discover, assess and respond to the latest trends in attacks and security vulnerabilities. The VRT is also supported by the vast resources of the open source Snort
community, making it one of the largest groups dedicated to advances in network security.
A Revolutionary Approach Provides Superior Coverage
In addition to the Sourcefire VRT's own research, the early warnings provided by the open source community give
the Sourcefire VRT insight and access to vulnerability data well before exploits are available. This enables
the team to focus proactively on the underlying vulnerability, rather than reacting to known attacks. By
leveraging the flexibility of the Snort rules language, the Sourcefire VRT is able to provide Sourcefire
customers with detection capabilities well in advance of an actual threat. For example, when the team
learned of a new vulnerability in the Microsoft RPC DCOM interface (MS03-026), they immediately recognized the potential for it to be exploited. Within days they released new Snort rules to detect attempts to exploit this
vulnerability. When the Blaster worm, which uses this attack vector, was released weeks later,
Sourcefire customers were already protected. In addition, when a variant of Blaster known as
Nachi was released, customers were confident they already had detection capabilities in place.
Advanced Vulnerability Analysis Enables Zero-Day Protection
The Sourcefire VRT focuses its efforts on researching new vulnerabilities and ways to detect them. The team concentrates on
detecting potential attacks against the underlying vulnerabilities exploited by many worms and malicious scripts. This means that Sourcefire 3D Sensors are able to detect many zero-day attacks
against newly announced vulnerabilities. It also means that Sourcefire customers are equipped with the
necessary detection and prevention capabilities long before a worm or virus is released that takes advantage
of a vulnerability in an operating system or application. A recent example is the detection and
protection Sourcefire customers and the Snort® community had in place long before the infamous Sasser worm hit
networks around the world.
A New Layer of Insight – Beyond Intrusion Prevention
With the advent of Sourcefire's groundbreaking RNA technology, the Sourcefire VRT goes beyond basic intrusion prevention. The combination of attack detection, passive network discovery, behavioral profiling and vulnerability
analysis delivers the most comprehensive view of the security events occurring on your network and provides the
ideal basis for the most effective, efficient network defense.
Sourcefire VRT Provides Unparalleled Research
The Sourcefire VRT in Action – Zero-Day Protection Two Years Ahead of the Threat
Microsoft Animated Cursor Vulnerability (MS07-017)
- January 2005 - Sourcefire learns of animated cursor vulnerability in Microsoft Windows operating systems
- January 2005 - Sourcefire releases Snort rule SID 3079 to address this vulnerability
- November 2006 - Malware released to exploit this vulnerability
- March 2007 - Microsoft issues Security Advisory 935423 after completing investigation
- April 2007 - Microsoft releases patch to address this vulnerability
- Today - Sourcefire customers have been protected against malware exploiting the Microsoft Animated Cursor Vulnerability for more than two years
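The difference between a rule written for the vulnerability and a rule written for one exploit, which the "Revolutionary Approach" paragraph and the animated-cursor timeline above both turn on, can be shown concretely. The Python below is an added example, not code from this datasheet, from Sourcefire or from the Snort rule set. It assumes, as its detection condition, that a well-formed animated cursor carries an "anih" chunk of exactly 36 bytes (the size of the ANIHEADER structure) and that any other declared length is the malformed-header case the vulnerable parser mishandled; the sample files, the marker string `SAMPLE-A-SHELLCODE` and all function names are constructed for illustration. It walks the RIFF container of a .ani file and contrasts a byte-pattern signature for one known sample with a check on the vulnerability condition itself, including a second oversized "anih" chunk after a valid first one and a truncated file whose declared chunk length runs past its end.

```python
import struct

# Size of the ANIHEADER structure: the only legitimate length of an "anih"
# chunk in a well-formed animated cursor (assumption this example is built on).
ANIH_EXPECTED_LEN = 36


def iter_riff_chunks(data: bytes):
    """Yield (fourcc, declared_size, payload) for each chunk in a RIFF "ACON" file.

    Stops quietly at the first truncated chunk instead of raising, so a
    malformed file can still be inspected up to the point where it breaks.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return
    off = 12
    while off + 8 <= len(data):
        fourcc = data[off:off + 4]
        size = struct.unpack_from("<I", data, off + 4)[0]
        yield fourcc, size, data[off + 8:off + 8 + size]
        off += 8 + size + (size & 1)  # RIFF chunk bodies are padded to even length


def anih_length_alert(data: bytes) -> bool:
    """Vulnerability-focused check: alert on ANY "anih" chunk whose declared
    length is not 36 bytes, wherever it sits in the file and whatever it carries."""
    return any(fourcc == b"anih" and size != ANIH_EXPECTED_LEN
               for fourcc, size, _ in iter_riff_chunks(data))


# Exploit-focused check: a byte pattern lifted from one specific sample
# (constructed marker; not a real signature).
KNOWN_SAMPLE_MARKER = b"SAMPLE-A-SHELLCODE"


def signature_alert(data: bytes) -> bool:
    """Signature check: fires only if the bytes of the one known sample are present."""
    return KNOWN_SAMPLE_MARKER in data


def build_ani(chunks):
    """Assemble a RIFF ACON file from (fourcc, payload) pairs (constructed test data)."""
    body = b"ACON"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


VALID_HEADER = b"\x24\x00\x00\x00" + b"\x00" * 32  # cbSize = 36, rest zeroed

# Constructed samples: a benign cursor, a "known" malicious sample, and a
# variant that changes both the payload bytes and the oversized length.
BENIGN = build_ani([(b"anih", VALID_HEADER)])
KNOWN_SAMPLE = build_ani([
    (b"anih", VALID_HEADER),                        # valid first header
    (b"anih", b"A" * 60 + KNOWN_SAMPLE_MARKER),     # oversized second header
])
VARIANT = build_ani([
    (b"anih", VALID_HEADER),
    (b"anih", b"B" * 90 + b"DIFFERENT-PAYLOAD"),    # same bug, different bytes
])
# Declared length 0xFFFFFFFF with no body at all: still a malformed header.
TRUNCATED = b"RIFF" + struct.pack("<I", 12) + b"ACON" + b"anih" + b"\xff\xff\xff\xff"


def compare(samples):
    """Return {name: (signature_hit, vulnerability_check_hit)} for each sample."""
    return {name: (signature_alert(d), anih_length_alert(d))
            for name, d in samples.items()}


if __name__ == "__main__":
    results = compare({"benign": BENIGN, "known": KNOWN_SAMPLE,
                       "variant": VARIANT, "truncated": TRUNCATED})
    for name, (sig, vuln) in results.items():
        print(f"{name:10} signature={sig!s:5} vulnerability={vuln}")
```

The signature catches only the sample it was cut from; the length check catches the known sample, the variant and the truncated file alike because it tests the condition the parser gets wrong rather than the bytes one attacker happened to send. That is the property the timeline above is describing when a 2005 rule still fires on 2007 malware.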