Multiple Rule Additions and Modifications

September 15th, 2009

This release contains an updated detection engine that includes an SSH preprocessor, the ability to apply rate-based rule states to intrusion rules, and a new detection_filter rule keyword that replaces the threshold keyword, which is still supported for backward compatibility. Additionally, this release adds and modifies rules in several categories.

Details: 

The SSH preprocessor detects and alerts on the Challenge-Response Buffer Overflow exploit, the CRC-32 exploit, and the SecureCRT SSH Client Buffer Overflow exploit.

Rate-based rule states provide the ability to change the state of a rule once a specified number of triggering packets has been seen within a specified time, in response to attempts to overwhelm a network or host with excessive traffic.

The detection_filter rule keyword prevents a rule from generating events prematurely: it specifies the number of packets that must trigger the rule within a specified time before the rule generates events.

The Sourcefire VRT has also added multiple rules in the specific-threats, dns, web-client, dos, ftp and misc categories to provide coverage for threats in these categories.
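As an added example of the detection_filter behaviour described above (this is not code from the release or from Snort itself), the following Python models the keyword over constructed packets: a rule matches every TCP SYN to port 22, and a filter tracking by source address with count 30 and seconds 60 lets an event through only once a host has exceeded 30 matches inside one 60-second sampling period. The packet dicts, the rule predicate ssh_connect_rule, the addresses and the sid in the reference rule are all constructed for illustration, and the fixed-window bookkeeping (the period starts at the first match and is reset once it has expired) is an assumption about how the period is measured.

```python
"""Model of Snort's detection_filter rule option over constructed packets.

Added example (not Sourcefire/Snort code). Packets are plain dicts and the
rule's own tests are a Python predicate. Equivalent rule, for reference
(sid in the local 1000000+ range; illustrative, not a VRT rule):

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection rate
    exceeded"; flags:S; detection_filter: track by_src, count 30,
    seconds 60; sid:1000001; rev:1;)
"""


class DetectionFilter:
    """detection_filter: track <by_src|by_dst>, count <c>, seconds <s>;

    The rule may match many times; an event is generated only once the
    tracked address has produced more than `count` matches inside one
    `seconds`-long sampling period. Assumption for this model: the period
    starts at the first match and is reset when it has expired (a fixed
    window, not a sliding one).
    """

    def __init__(self, track, count, seconds):
        if track not in ("by_src", "by_dst"):
            raise ValueError("track must be by_src or by_dst")
        if count <= 0 or seconds <= 0:
            raise ValueError("count and seconds must be nonzero")
        self.track, self.count, self.seconds = track, count, seconds
        self._windows = {}  # tracked address -> [period start, matches seen]

    def check(self, pkt):
        """Record one rule match for pkt; return True if an event should fire."""
        key = pkt["src"] if self.track == "by_src" else pkt["dst"]
        window = self._windows.get(key)
        if window is None or pkt["ts"] - window[0] >= self.seconds:
            window = self._windows[key] = [pkt["ts"], 0]  # new sampling period
        window[1] += 1
        return window[1] > self.count


def ssh_connect_rule(pkt):
    """The rule's header/option tests: a TCP SYN to port 22."""
    return pkt["dport"] == 22 and pkt["flags"] == "S"


def generate_events(packets, rule_match, det_filter=None):
    """Run a rule over packets in timestamp order.

    Returns the (ts, src) of every generated event. Without a
    detection_filter every match is an event; with one, only the matches
    that exceed the configured rate are.
    """
    events = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        if not rule_match(pkt):
            continue
        if det_filter is None or det_filter.check(pkt):
            events.append((pkt["ts"], pkt["src"]))
    return events


def _syn(ts, src, dport=22):
    """Constructed packet: a SYN from src to a fixed destination host."""
    return {"ts": ts, "src": src, "dst": "192.0.2.10", "dport": dport, "flags": "S"}


# Constructed traffic: 36 SSH SYNs in 36 s from one host (a brute-force or
# scan pattern), 5 from a second host, one late retry from the first host
# after the 60 s period has expired, and one unrelated port-80 SYN.
SAMPLE_PACKETS = (
    [_syn(t, "198.51.100.7") for t in range(36)]
    + [_syn(10 + 3 * i, "203.0.113.9") for i in range(5)]
    + [_syn(100, "198.51.100.7")]
    + [_syn(12, "198.51.100.7", dport=80)]
)


if __name__ == "__main__":
    plain = generate_events(SAMPLE_PACKETS, ssh_connect_rule)
    filtered = generate_events(
        SAMPLE_PACKETS, ssh_connect_rule, DetectionFilter("by_src", count=30, seconds=60)
    )
    print(f"without detection_filter: {len(plain)} events")
    print(f"with count 30, seconds 60: {len(filtered)} events -> {filtered}")
```

On this traffic the bare rule produces 42 events, one per matching SYN, while the filtered rule produces 6, all from the first host and only from its 31st match onward; the second host never reaches the count, and the first host's retry at 100 s starts a fresh period and stays silent. Because every match past the count still fires, the Snort manual pairs detection_filter with an event_filter in practice to cap how many of those events are logged.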

For Assistance