[ISN] Security UPDATE -- Supercharging Snort -- June 15, 2005
isn at c4i.org
Thu Jun 16 03:16:49 EDT 2005
This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which
you might be interested. Please take a moment to visit these
advertisers' Web sites and show your support for Security UPDATE.
Exchange & Outlook Administrator
Cost Control Through Remote Control: A practical approach to reducing
the cost of supporting PC's in a multi-platform environment
1. In Focus: Supercharging Snort
2. Security News and Features
- Recent Security Vulnerabilities
- WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way
- Cisco's New DDoS Protection Solution
- IIS 6.0 Enhancements in Windows 2003 SP1
3. Security Toolkit
- Security Matters Blog
4. New and Improved
- Manage Compliance and Vulnerability Remediation
==== Sponsor: Exchange & Outlook Administrator ====
Try a Sample Issue of Exchange & Outlook Administrator!
If you haven't seen Exchange & Outlook Administrator, you're missing
out on key information that will go a long way towards preventing
serious messaging problems and downtime. Request a sample issue today,
and discover tools and solutions you won't find anywhere else to help
you migrate, optimize, administer, backup, recover, and secure Exchange
and Outlook. Order now!
==== 1. In Focus: Supercharging Snort ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Certainly you've heard of the open-source Intrusion Detection
System/Intrusion Prevention System (IDS/IPS) Snort. Maybe you're one of
the countless people who use it. If so, you know it's a great tool with
a huge amount of support from the user community. You might also know
that Sourcefire, the company behind Snort, offers a commercial version
of Snort and other network-protection tools. When I recently visited
the Snort.org Web site, I learned that you can now subscribe to the
Sourcefire Vulnerability Research Team's certified rulesets, which
means that you can receive the latest rulesets five days sooner than
those rulesets are released to the general public.
Maybe you write your own rules in addition to using rulesets available
at the Snort Web site. As with the source code for any application, the
way a rule is written affects the performance of Snort. Poorly written
rules take more time to process. A few extra microseconds of processing
time here and there might not seem like a big deal, but when you
consider an overall traffic load, those microseconds add up to full
seconds really fast, and of course those seconds add up to minutes. The
more efficient your rules, the more efficiently your IDS runs and the
less likely that some sort of anomalous traffic-dropping occurs.
So how can you determine how efficient your rules are? An easy way is
to use the new TurboSnortRules online benchmarking tool, sponsored by
VigilantMinds. TurboSnortRules is a Web-based service that lets you
enter a rule and test its performance on various versions of Snort
against a set of control data. The test output shows you how fast your
rule operates on those selected versions.
As an example of how effective the service can be, take a look at the
two sets of test results listed at the URLs below. Both tested rules
are designed to detect Yahoo! Messenger logons. As you'll see in the
results, one rule operates much faster than the other.
For another example, look at the two sets of test results for rules
designed to detect the Mytob Trojan horse (at the first two URLs
below). One rule operates faster than the other, but in this case, the
difference in speed isn't as dramatic as in the comparison of the
Yahoo! Messenger rules. Even so, every little bit of speed improvement
helps. One slow rule could cause Snort to begin dropping packets, which
could jeopardize your overall security. See the third URL below too,
which graphically illustrates the damage one poorly written rule can
Also at the TurboSnortRules site, you'll find a searchable database for
looking up rules that are either part of the Snort distribution or that
have been submitted to the site by administrators for testing. The
database is a good way to find rules you might need but don't want to
write yourself, and the related performance data shows you how well
those rules perform. Another excellent resource at the site is the
Snort Performance Wiki, which has a lot of useful suggestions about how
to make Snort run as fast as possible.
==== Sponsor: Netopia ====
Cost Control Through Remote Control: A practical approach to reducing
the cost of supporting PC's in a multi-platform environment
While the price for personal computers continues to decline, the
actual cost to own and operate PCs continues to rise. In this free
white paper get the insights and solutions into some of the less
visible, but very real costs of PC and LAN ownership. You'll learn a
practical approach to reducing the cost of supporting PC's and
customers in a multi-platform environment. Plus -- you'll also get a
Cost Savings Model for help desks that demonstrates the cost savings
that can be realized by implementing remote control technology.
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way
Have you been waiting for the release of the finished Windows Server
Update Services (WSUS)? Wondering when the new Microsoft Update site
will go live? Both are available now, and Microsoft Baseline Security
Analyzer (MBSA) 2.0 is on the way.
Cisco's New DDoS Protection Solution
Cisco Systems announced its new Distributed Denial of Service (DDoS)
Protection solution that allows ISPs to protect their own networks,
sell protected wholesale connections, and offer customers managed
protection against DDoS attacks.
IIS 6.0 Enhancements in Windows 2003 SP1
Although most of the major Windows Server 2003 Service Pack 1 (SP1)
changes concentrate on the core OS, SP1 doesn't neglect Microsoft IIS.
The service pack contains several significant enhancements to IIS 6.0,
the Web server application that's bundled with Windows 2003. Michael
Otey outlines those changes in this brief summary on our Web site.
==== Resources and Events ====
True High Availability -- Going Beyond Backup and Data Replication
In this free Web seminar discover the various categories of high
availability and disaster recovery solutions available and the pros and
cons of each. You'll learn what solutions help you take preemptive,
corrective action without resorting to a full system failover, or in
extreme cases, that perform a non-disruptive, automatic switchover to a
secondary server. Register Now!
Attend the Black Hat Briefings
Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in
Las Vegas. World renowned security experts reveal tomorrow's threats
today. Free of vendor pitches, the briefings are designed to be
pragmatic regardless of your security environment. Featuring 25 hands-
on training courses and 10 conference tracks. Lots of Windows stuff
Get Ready for SQL Server 2005 Roadshow in Europe
Get the facts about migrating to SQL Server 2005. SQL Server experts
will present real-world information about administration, development,
and business intelligence to help you implement a best-practices
migration to SQL Server 2005 and improve your database computing
environment. Receive a 1-year membership to PASS and 1-year
subscription to SQL Server Magazine. Register now!
Streamline Desktop Deployments
Managing desktop software configurations doesn't have to be a manual
process, resulting in unplanned costs, deployment delays, and client
confusion. In this free Web seminar find out how to manage the software
package preparation process and increase your desktop reliability, user
satisfaction, and IT cost effectiveness. You'll learn how to simplify
the deployment and configuration process, starting with the new-
application request, review, and approval process and progressing
through software packaging and deployment.
Safeguard Your Exchange Servers -- Plus Receive A FREE eBook
Managing storage growth, providing application resiliency, and
handling small errors and problems before they grow are all important
aspects of boosting your Exchange uptime. In this free Web seminar
discover how storage and application management techniques for Exchange
can be used to improve the resiliency and performance of your Exchange
infrastructure. Register now and get your free eBook!
Win A Windows IT Pro VIP Subscription -- Register And You Could Win!
In this free Web seminar, learn what the most common fax messaging
challenges encountered in the workforce are and solutions for how to
turn these common fax "headaches" into cost-effective, easy-to-use,
business communications. You'll also receive a free industry white
paper on fax deployment and integration techniques. Register now and
you'll receive a 30-day software trial and a Starbucks gift card for
==== Featured White Paper ====
Security Management in a Multi-platform World
In this free white paper you'll learn how to reduce management
overhead when dealing with multiple platforms and the costs and
benefits of a centralized "holistic" approach to security management.
Get the ins and outs of managing multi-platform security and how you
can safely, securely, and sanely manage the security infrastructure of
complex, multi-platform environments.
==== 3. Security Toolkit ====
Security Matters Blog
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=C2D3:4FB69
10 Security Patches Due June 14
Microsoft released 10 security updates on June 14, at least one of
which is considered by the company to be critical. Seven of the patches
are for Windows OSs, one corrects a problem in Windows Services for
UNIX, the eighth corrects a problem in Exchange Server, and the ninth
corrects a problem with Internet Security and Acceleration (ISA) Server
and Small Business Server (SBS). Microsoft also scheduled a Webcast for
today at 2 P.M. Eastern Time (11 A.M. Pacific Time) to discuss the
New Feature Pack for Windows Mobile 5.0 to Enhance Security
Speaking last week at TechEd 2005, Steve Ballmer, chief executive
officer of Microsoft, announced that the company's new Messaging &
Security Feature Pack for Windows Mobile 5.0 will allow administrators
to remotely enforce IT policy, remove all information from a device,
and reset a device to its original state, including the ability to
erase local device memory when the correct password isn't entered
within the designated number of attempts.
by John Savill, http://list.windowsitpro.com/t?ctl=C2CF:4FB69
Q: Where is cached Universal Group information stored?
Find the answer at
==== Announcements ====
(from Windows IT Pro and its partners)
Why Do You Need the Windows IT Pro Master CD?
There are three good reasons to order our latest Windows IT Pro
Master CD. One, because it's a lightning-fast, portable tool that lets
you search for solutions by topic, author, or issue. Two, because it
includes our Top 100 Windows IT Pro Tips. Three, because you'll also
receive exclusive, subscriber-only access to our entire online article
database. Click here to discover even more reasons:
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com
Manage Compliance and Vulnerability Remediation
Citadel Security Software is now shipping Hercules 4.0. The new
version adds two new modules: Hercules Compliance Manager, for auditing
and reporting security policy compliance, and Hercules Remediation
Manager, for managing vulnerability remediation and enforcing security
policies. Hercules is available as a full suite or as individual
modules. Citadel also now offers Hercules as a hardware appliance and
in a pricing model that lets you pay for compliance audits and
remediation actions as they're performed--these appliance and pay-per-
use features are designed to make Hercules more appealing to smaller
businesses. For more information, visit
Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.
Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Sponsored Links ====
Ensuring Protection and Availability for Microsoft Exchange
Download this free white paper now!
Eleven things you must know about quick AD recovery!
A New Dimension in IT Infrastructure Management: Integrated KVM and
Serial Console Control Systems
Reduce downtime, mean-time-to-repair, lower costs & improve ROI.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=C2D4:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.
More information about the ISN