  • Archive for the 'Documentation' Category


    New Ruleset: Compromised Hosts

    Friday, August 24th, 2007

    One last new ruleset to add this week. I promise no more for a bit.

    http://docs.bleedingthreats.net/bin/view/Main/CompromisedHost

    This is a compilation of several very reliable sources of hosts that are compromised. Not your everyday compromised-and-spewing-a-little-spam kind of hosts. These are significantly hostile.

    These are updated daily or better, so be sure you’re updating as well.

    If you have an intelligence source to add to the list please let me know.

    http://www.bleedingthreats.net/rules/bleeding-compromised.rules
    http://www.bleedingthreats.net/rules/bleeding-compromised-BLOCK.rules

    Matt

    Posted in Documentation, General, New Rules | 1 Comment »

    Storm Worm DNS and C&C Sigs; Updated Daily!

    Sunday, August 19th, 2007

    As we all know Storm has created an ongoing serious issue. To that end we’ve got a list of name servers in use by the Storm nets, and will be publishing storm signatures based on them. Updated daily at the least, likely more often as our information sources improve.

    This first list has over 800 servers that are confirmed hostile, and were active in the last 24 hours.

    http://www.bleedingthreats.net/rules/bleeding-storm.rules

    And a version prebuilt with a 30 day Snortsam block:

    http://www.bleedingthreats.net/rules/bleeding-storm-BLOCK.rules

    We’ll be collating Storm related links and data sources on the following page which is referenced in these sigs:

    http://doc.bleedingthreats.net/bin/view/Main/StormWorm

    If you have valuable links to contribute please feel free to throw them up on the page or send to me. Hopefully we can create a good list of material to help control this.

    Matt

    Posted in Documentation, General, New Rules | 3 Comments »
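    The two rulesets announced above, the Storm name server list and the compromised host list, are each published plain and as a Snortsam BLOCK variant built with a 30 day block. The following is an added example, not Bleeding Edge Threats' own generator or rule text, of how rules of that shape can be produced from a daily address feed: the message strings, the starting SIDs (2007700 and 2007800) and the `fwsam: who, duration` option syntax are assumptions, and the address lists are constructed from RFC 5737 documentation ranges rather than taken from bleeding-storm.rules or bleeding-compromised.rules. The loader also shows the check a practitioner wants before auto-blocking from a feed: reserved space, junk lines and your own resolvers are dropped before any BLOCK rule is written.

```python
"""Generate Snort rules for a Storm name server feed and a compromised host
feed, optionally with a Snortsam fwsam option for the BLOCK variant.
Added example code; message text, SIDs and fwsam syntax are assumptions."""
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample feeds (not the real lists): one address per line, '#' comments.
STORM_NAMESERVERS = """
# name servers seen serving Storm domains in the last 24 hours (constructed)
192.0.2.10
198.51.100.7
198.51.100.7        # duplicate: must be emitted once
10.0.0.53           # RFC 1918 address in the feed is a list error: drop it
not-an-ip           # junk line: drop it
"""
COMPROMISED_HOSTS = """
203.0.113.5
203.0.113.200
"""
STORM_REF = "doc.bleedingthreats.net/bin/view/Main/StormWorm"              # from the post
COMPROMISED_REF = "docs.bleedingthreats.net/bin/view/Main/CompromisedHost"  # from the post

# Space that must never end up in a BLOCK rule: a bad feed line fed straight
# to Snortsam would otherwise cut off your own network for the block duration.
# (RFC 5737 documentation ranges are deliberately not excluded so the sample runs.)
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]


def load_addresses(text: str, local_safe: Iterable[str] = ()) -> List[str]:
    """Parse a feed: skip comments, junk and reserved space, drop anything in
    local_safe (e.g. your own recursive resolvers), dedupe and sort."""
    safe = {ipaddress.ip_address(s) for s in local_safe}
    keep = set()
    for raw in text.splitlines():
        token = raw.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:
            continue  # junk line
        if ip in safe or any(ip in net for net in NEVER_BLOCK):
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep)]


def _rule(proto: str, src: str, sport: str, dst: str, dport: str,
          msg: str, ref: str, sid: int, fwsam: Optional[str] = None) -> str:
    """Assemble one Snort rule line; fwsam (assumed Snortsam syntax) is optional."""
    opts = [f'msg:"{msg}"', f"reference:url,{ref}", "classtype:trojan-activity"]
    if fwsam:
        opts.append(f"fwsam: {fwsam}")
    opts += [f"sid:{sid}", "rev:1"]
    return f"alert {proto} {src} {sport} -> {dst} {dport} ({'; '.join(opts)};)"


def storm_dns_rules(servers: List[str], first_sid: int,
                    block_days: Optional[int] = None) -> List[str]:
    """One rule per Storm name server: any DNS query from $HOME_NET to it."""
    fw = f"dst, {block_days} days" if block_days else None
    return [_rule("udp", "$HOME_NET", "any", ns, "53",
                  f"BLEEDING-EDGE Storm Worm DNS query to known Storm nameserver {ns}",
                  STORM_REF, first_sid + i, fw)
            for i, ns in enumerate(servers)]


def compromised_host_rules(hosts: List[str], first_sid: int,
                           block_days: Optional[int] = None) -> List[str]:
    """Two rules per host, outbound and inbound, so the BLOCK variant always
    blocks the remote side whichever end started the conversation."""
    rules, sid = [], first_sid
    for host in hosts:
        rules.append(_rule("ip", "$HOME_NET", "any", host, "any",
                           f"BLEEDING-EDGE Traffic to known compromised host {host}",
                           COMPROMISED_REF, sid,
                           f"dst, {block_days} days" if block_days else None))
        rules.append(_rule("ip", host, "any", "$HOME_NET", "any",
                           f"BLEEDING-EDGE Traffic from known compromised host {host}",
                           COMPROMISED_REF, sid + 1,
                           f"src, {block_days} days" if block_days else None))
        sid += 2
    return rules


RULE_RE = re.compile(r"^alert (udp|ip) (\S+) (\S+) -> (\S+) (\S+) \((.+;)\)$")


def check_ruleset(rules: List[str]) -> int:
    """Pre-load sanity check: every line parses and SIDs are unique.
    Returns the number of rules checked."""
    sids = set()
    for r in rules:
        m = RULE_RE.match(r)
        if not m:
            raise ValueError(f"unparseable rule: {r}")
        sid = int(re.search(r"sid:(\d+)", m.group(6)).group(1))
        if sid in sids:
            raise ValueError(f"duplicate sid {sid}")
        sids.add(sid)
    return len(sids)


if __name__ == "__main__":
    storm = load_addresses(STORM_NAMESERVERS)
    hosts = load_addresses(COMPROMISED_HOSTS)
    for block in (None, 30):
        rules = storm_dns_rules(storm, 2007700, block) + compromised_host_rules(hosts, 2007800, block)
        check_ruleset(rules)
        print(f"# {'BLOCK' if block else 'alert'} variant, {len(rules)} rules")
        print("\n".join(rules))
```

    Running it prints the alert-only and the BLOCK variant back to back; the sample feed's duplicate, junk line and RFC 1918 entry are all dropped by the loader, so the 30 day block only ever lands on the remote addresses the feed was meant to carry.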

    STILL no word from Sourcefire about their License Changes

    Tuesday, July 17th, 2007

    Victor Julien (co-author of the inline portions of Snort) posted in his blog a while ago about the license changes to Snort that Sourcefire is trying to slip by. They have made a mass change to the Snort code, even the parts they do NOT hold the copyright on.

    Victor and I have asked and blogged about the issue and after weeks have no response from Sourcefire. Victor doesn’t want the license on his code changed, and hasn’t been able to get a response from Sourcefire.

    I personally don’t have code in there, but I am concerned at the motivation of this change, as well as the lack of respect for the contributors rights. Victor has put up a new post which puts things very well:

    http://www.inliniac.net/blog/2007/07/16/snort-license-changes-revisited.html

    I echo that sentiment, and add my concerns here:

    What is the issue in GPLv3 that Sourcefire is concerned about?

    What are Sourcefire’s intentions for the future of Snort then?

    Why is CVS no longer accessible?

    Is it possible to get any response from Sourcefire about this? A lot of us rely on this code, and it’s not all owned by Sourcefire. If we can’t trust Sourcefire to even communicate with us, then I think we need to start thinking about a new home for Snort.

    If you want the community’s trust, you have to communicate!

    Matt

    Posted in Documentation, General | 2 Comments »

    Sourcefire Changing the License on Snort…

    Saturday, June 30th, 2007

    Snort announced yet another license change. See below:

    http://www.snort.org/pub-bin/snortnews.cgi#664

    In essence they are rejecting the inherent condition of the GPL that future versions apply at the user’s discretion, even though their source code says it does apply.

    They are also taking the liberty of applying this to all contributed code, Snort_Inline for example:

    http://www.inliniac.net/blog/?p=90

    I can’t say it any better than Victor does in his blog in the link above. Sourcefire has of course written the majority of the snort code, but certainly not all. What is their concern with GPLv3, and what plans do they have for this code that would be in jeopardy from the license change?

    And why do they keep announcing these things on Fridays? Expecting it to get missed on the way out the door? :)

    What are your thoughts? Anyone have an insight into the licensing issues that might be of concern to Sourcefire?

    Matt

    Posted in About Bleeding Edge Threats, Documentation, General, Other Projects, Vulnerabilities | No Comments »

    Managing Badware and Policy Violations with Aanval and Bleeding Edge Threats

    Friday, May 18th, 2007

    Great article by Russ McRee. Worth a read if you’re considering how to deploy, or what extra uses Snort can have on your network.

    http://holisticinfosec.org/toolsmith/docs/march2007.pdf

    Very well written Russ!

    Matt

    Posted in Documentation, General | No Comments »

    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.