[ISN] Security UPDATE -- Supercharging Snort -- June 15, 2005

InfoSec News isn at c4i.org
Thu Jun 16 03:16:49 EDT 2005


This email newsletter comes to you free and is supported by the 
following advertisers, which offer products and services in which 
you might be interested. Please take a moment to visit these 
advertisers' Web sites and show your support for Security UPDATE. 

Exchange & Outlook Administrator

Cost Control Through Remote Control: A practical approach to reducing 
the cost of supporting PCs in a multi-platform environment


1. In Focus: Supercharging Snort

2. Security News and Features
   - Recent Security Vulnerabilities
   - WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way
   - Cisco's New DDoS Protection Solution
   - IIS 6.0 Enhancements in Windows 2003 SP1

3. Security Toolkit
   - Security Matters Blog
   - FAQ

4. New and Improved
   - Manage Compliance and Vulnerability Remediation


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!
   If you haven't seen Exchange & Outlook Administrator, you're missing 
out on key information that will go a long way towards preventing 
serious messaging problems and downtime. Request a sample issue today, 
and discover tools and solutions you won't find anywhere else to help 
you migrate, optimize, administer, backup, recover, and secure Exchange 
and Outlook. Order now!


==== 1. In Focus: Supercharging Snort ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Certainly you've heard of the open-source Intrusion Detection 
System/Intrusion Prevention System (IDS/IPS) Snort. Maybe you're one of 
the countless people who use it. If so, you know it's a great tool with 
a huge amount of support from the user community. You might also know 
that Sourcefire, the company behind Snort, offers a commercial version 
of Snort and other network-protection tools. When I recently visited 
the Snort.org Web site, I learned that you can now subscribe to the 
Sourcefire Vulnerability Research Team's certified rulesets, which 
means that you can receive the latest rulesets five days sooner than 
those rulesets are released to the general public. 

Maybe you write your own rules in addition to using the rulesets 
available at the Snort Web site. As with the source code of any 
application, the way a rule is written affects Snort's performance. 
Poorly written rules take more time to process. A few extra 
microseconds of processing time here and there might not seem like a 
big deal, but multiplied across your overall traffic load, those 
microseconds quickly add up to full seconds, and those seconds add up 
to minutes. The more efficient your rules, the more efficiently your 
IDS runs and the less likely it is that Snort starts dropping packets 
under load.

So how can you determine how efficient your rules are? An easy way is 
to use the new TurboSnortRules online benchmarking tool, sponsored by 
VigilantMinds. TurboSnortRules is a Web-based service that lets you 
enter a rule and test its performance on various versions of Snort 
against a set of control data. The test output shows you how fast your 
rule operates on those selected versions. 

As an example of how effective the service can be, take a look at the 
two sets of test results listed at the URLs below. Both tested rules 
are designed to detect Yahoo! Messenger logons. As you'll see in the 
results, one rule operates much faster than the other. 

For another example, look at the two sets of test results for rules 
designed to detect the Mytob Trojan horse (at the first two URLs 
below). One rule operates faster than the other, but in this case, the 
difference in speed isn't as dramatic as in the comparison of the 
Yahoo! Messenger rules. Even so, every little bit of speed improvement 
helps. One slow rule could cause Snort to begin dropping packets, which 
could jeopardize your overall security. See the third URL below too, 
which graphically illustrates the damage one poorly written rule can 

Also at the TurboSnortRules site, you'll find a searchable database for 
looking up rules that are either part of the Snort distribution or that 
have been submitted to the site by administrators for testing. The 
database is a good way to find rules you might need but don't want to 
write yourself, and the related performance data shows you how well 
those rules perform. Another excellent resource at the site is the 
Snort Performance Wiki, which has a lot of useful suggestions about how 
to make Snort run as fast as possible. 
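A constructed slow/fast pair, added here to illustrate the rule-writing 
points above (these are not the rules benchmarked on TurboSnortRules or 
rules from the Snort distribution): both look for the "YMSG" header that 
begins every Yahoo! Messenger packet, but the second one restricts how 
much of each packet Snort must inspect. Yahoo! Messenger's default port 
5050 and the local sids 1000001/1000002 are assumptions.

```snort
# Constructed example, not a rule from TurboSnortRules or the Snort
# distribution. Every Yahoo! Messenger (YMSG) packet starts with the
# 4-byte ASCII header "YMSG"; the two rules differ only in how much
# work Snort does per packet to find it.

# Slow: no flow restriction, any port, and a bare pcre with no content
# keyword. A rule without a content match cannot use the fast-pattern
# matcher, so the regex is run over the full payload of every TCP packet.
alert tcp any any -> any any (msg:"CHAT Yahoo Messenger traffic (slow)"; \
    pcre:"/YMSG/"; classtype:policy-violation; sid:1000001; rev:1;)

# Faster: restrict direction and stream state with flow, restrict the
# destination port, and anchor the content match with depth so Snort
# inspects only the first 4 bytes of the payload before deciding.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo Messenger logon (fast)"; \
    flow:to_server,established; content:"YMSG"; depth:4; \
    classtype:policy-violation; sid:1000002; rev:1;)
```

The same idea applies to any rule: give the fast-pattern matcher a 
content string to prefilter on, and use flow, ports and depth/offset so 
the expensive checks run only on packets that can actually match.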


==== Sponsor: Netopia ====

Cost Control Through Remote Control: A practical approach to reducing 
the cost of supporting PCs in a multi-platform environment
   While the price for personal computers continues to decline, the 
actual cost to own and operate PCs continues to rise. In this free 
white paper get the insights and solutions into some of the less 
visible, but very real costs of PC and LAN ownership. You'll learn a 
practical approach to reducing the cost of supporting PCs and 
customers in a multi-platform environment. Plus -- you'll also get a 
Cost Savings Model for help desks that demonstrates the cost savings 
that can be realized by implementing remote control technology.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way
   Have you been waiting for the release of the finished Windows Server 
Update Services (WSUS)? Wondering when the new Microsoft Update site 
will go live? Both are available now, and Microsoft Baseline Security 
Analyzer (MBSA) 2.0 is on the way. 

Cisco's New DDoS Protection Solution
   Cisco Systems announced its new Distributed Denial of Service (DDoS) 
Protection solution that allows ISPs to protect their own networks, 
sell protected wholesale connections, and offer customers managed 
protection against DDoS attacks.

IIS 6.0 Enhancements in Windows 2003 SP1
   Although most of the major Windows Server 2003 Service Pack 1 (SP1) 
changes concentrate on the core OS, SP1 doesn't neglect Microsoft IIS. 
The service pack contains several significant enhancements to IIS 6.0, 
the Web server application that's bundled with Windows 2003. Michael 
Otey outlines those changes in this brief summary on our Web site. 


==== Resources and Events ====

True High Availability -- Going Beyond Backup and Data Replication
   In this free Web seminar discover the various categories of high 
availability and disaster recovery solutions available and the pros and 
cons of each. You'll learn what solutions help you take preemptive, 
corrective action without resorting to a full system failover, or in 
extreme cases, that perform a non-disruptive, automatic switchover to a 
secondary server. Register Now!

Attend the Black Hat Briefings
   Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in 
Las Vegas. World renowned security experts reveal tomorrow's threats 
today. Free of vendor pitches, the briefings are designed to be 
pragmatic regardless of your security environment. Featuring 25 hands-
on training courses and 10 conference tracks. Lots of Windows stuff 

Get Ready for SQL Server 2005 Roadshow in Europe
   Get the facts about migrating to SQL Server 2005. SQL Server experts 
will present real-world information about administration, development, 
and business intelligence to help you implement a best-practices 
migration to SQL Server 2005 and improve your database computing 
environment. Receive a 1-year membership to PASS and 1-year 
subscription to SQL Server Magazine. Register now!

Streamline Desktop Deployments
   Managing desktop software configurations doesn't have to be a manual 
process, resulting in unplanned costs, deployment delays, and client 
confusion. In this free Web seminar find out how to manage the software 
package preparation process and increase your desktop reliability, user 
satisfaction, and IT cost effectiveness. You'll learn how to simplify 
the deployment and configuration process, starting with the new-
application request, review, and approval process and progressing 
through software packaging and deployment.

Safeguard Your Exchange Servers -- Plus Receive A FREE eBook
   Managing storage growth, providing application resiliency, and 
handling small errors and problems before they grow are all important 
aspects of boosting your Exchange uptime. In this free Web seminar 
discover how storage and application management techniques for Exchange 
can be used to improve the resiliency and performance of your Exchange 
infrastructure. Register now and get your free eBook!

Win A Windows IT Pro VIP Subscription -- Register And You Could Win!
   In this free Web seminar, learn what the most common fax messaging 
challenges encountered in the workforce are and solutions for how to 
turn these common fax "headaches" into cost-effective, easy-to-use, 
business communications. You'll also receive a free industry white 
paper on fax deployment and integration techniques. Register now and 
you'll receive a 30-day software trial and a Starbucks gift card for 


==== Featured White Paper ====

Security Management in a Multi-platform World
   In this free white paper you'll learn how to reduce management 
overhead when dealing with multiple platforms and the costs and 
benefits of a centralized "holistic" approach to security management. 
Get the ins and outs of managing multi-platform security and how you 
can safely, securely, and sanely manage the security infrastructure of 
complex, multi-platform environments.


==== 3. Security Toolkit ==== 

Security Matters Blog 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=C2D3:4FB69

10 Security Patches Due June 14
   Microsoft released 10 security updates on June 14, at least one of 
which the company rates as critical. Seven of the patches are for 
Windows OSs, one corrects a problem in Windows Services for UNIX, 
another corrects a problem in Exchange Server, and the last corrects a 
problem with Internet Security and Acceleration (ISA) Server and Small 
Business Server (SBS). Microsoft also scheduled a Webcast for today at 
2 P.M. Eastern Time (11 A.M. Pacific Time) to discuss the security 
updates. 

New Feature Pack for Windows Mobile 5.0 to Enhance Security
   Speaking last week at TechEd 2005, Steve Ballmer, chief executive 
officer of Microsoft, announced that the company's new Messaging & 
Security Feature Pack for Windows Mobile 5.0 will allow administrators 
to remotely enforce IT policy, remove all information from a device, 
and reset a device to its original state, including the ability to 
erase local device memory when the correct password isn't entered 
within the designated number of attempts.

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=C2CF:4FB69 

Q: Where is cached Universal Group information stored? 

Find the answer at


==== Announcements ====
   (from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?
   There are three good reasons to order our latest Windows IT Pro 
Master CD. One, because it's a lightning-fast, portable tool that lets 
you search for solutions by topic, author, or issue. Two, because it 
includes our Top 100 Windows IT Pro Tips. Three, because you'll also 
receive exclusive, subscriber-only access to our entire online article 
database. Click here to discover even more reasons:


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Manage Compliance and Vulnerability Remediation
   Citadel Security Software is now shipping Hercules 4.0. The new 
version adds two new modules: Hercules Compliance Manager, for auditing 
and reporting security policy compliance, and Hercules Remediation 
Manager, for managing vulnerability remediation and enforcing security 
policies. Hercules is available as a full suite or as individual 
modules. Citadel also now offers Hercules as a hardware appliance and 
in a pricing model that lets you pay for compliance audits and 
remediation actions as they're performed--these appliance and pay-per-
use features are designed to make Hercules more appealing to smaller 
businesses. For more information, visit

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Ensuring Protection and Availability for Microsoft Exchange
   Download this free white paper now!

Quest Software
   Eleven things you must know about quick AD recovery!

A New Dimension in IT Infrastructure Management: Integrated KVM and 
Serial Console Control Systems
   Reduce downtime, mean-time-to-repair, lower costs & improve ROI.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=C2D4:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
