Thursday, December 31, 2009

OSS Secret Weapon Deployed

The open source security community, through the auspices of the Open Information Security Foundation (OISF), http://www.openinfosecfoundation.org, has released the beta version of the next generation intrusion prevention system, Meerkat. The Suricata Engine will run on multiple platforms, and will change the paradigm in malware detection.

Will Metcalf, the maintainer of the Snort Inline project, today made the following announcement on behalf of Matt Jonkman (project leader) of Emerging Threats:


It's been about three years in the making, but the day has finally come!
We have the first release of the Suricata Engine! The engine is an Open
Source Next Generation Intrusion Detection and Prevention Tool, not
intended to just replace or emulate the existing tools in the industry,
but to bring new ideas and technologies to the field.

The Suricata Engine and the HTP Library are available to use under the
GPLv2.

The HTP Library is an HTTP normalizer and parser written by Ivan Ristic
of Mod Security fame for the OISF. This integrates and provides very
advanced processing of HTTP streams for Suricata. The HTP library is
required by the engine, but may also be used independently in a range of
applications and tools.

This is considered a Beta Release as we are seeking feedback from the
community. This release has many of the major new features we wanted to
add to the industry, but certainly not all. We intend to get this base
engine out and stable, and then continue to add new features. We expect
several new releases in the month of January culminating in a production
quality release shortly thereafter.

The engine and the HTP Library are available here:
http://www.openinfosecfoundation.org/index.php/download-suricata

Please join the oisf-users mailing list to discuss and share feedback.
The developers will be there ready to help you test.
http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

As this is a first release we don't really have a "What's New" section
because everything is new. But we do have a number of new ideas and new
concepts to Intrusion Detection to note. Some of those are listed below:

Multi-Threading
Amazing that multi-threading is new to IDS, but it is, and we've got it!

Automatic Protocol Detection
The engine not only has keywords for IP, TCP, UDP and ICMP, but also has
HTTP, TLS, FTP and SMB! A user can now write a rule to detect a match
within an HTTP stream for example regardless of the port the stream
occurs on. This is going to revolutionize malware detection and control.
Detections for more layer 7 protocols are on the way.

Gzip Decompression
The HTP Parser will decode Gzip compressed streams, allowing much more
detailed matching within the engine.

Independent HTP Library
The HTP Parser will be of great use to many other applications such as
proxies, filters, etc. The parser is available as a library also under
GPLv2 for easy integration into other tools.

Standard Input Methods
You can use NFQueue, IPFRing, and the standard LibPcap to capture
traffic. IPFW support coming shortly.

Unified2 Output
You can use your standard output tools and methods with the new engine,
100% compatible!

Flow Variables
It's possible to capture information out of a stream and save that in a
variable which can then be matched again later.

Fast IP Matching
The engine will automatically take rules that are IP matches only (such
as the RBN and compromised IP lists at Emerging Threats) and put them
into a special fast matching preprocessor.

HTTP Log Module
All HTTP requests can be automatically output into an apache-style log
format file. Very useful for monitoring and logging activity completely
independent of rulesets and matching. Should you need to do so you could
use the engine only as an HTTP logging sniffer.


Coming Very Soon: (Within a few weeks)

Global Flow Variables
The ability to store more information from a stream or match (actual
data, not just setting a bit), and storing that information for a period
of time. This will make comparing values across many streams and time
possible.

Graphics Card Acceleration
Using CUDA and OpenCL we will be able to make use of the massive
processing power of even old graphics cards to accelerate your IDS.
Offloading the very computationally intensive functions of the sensor
will greatly enhance performance.

IP Reputation
Hard to summarize in a sentence, but Reputation will allow sensors and
organizations to share intelligence and eliminate many false positives.

Windows Binaries
As soon as we have a reasonably stable body of code.

The list could go on and on. Please take a few minutes to download the
engine and try it out and let us know what you think. We're not
comfortable calling it production ready at the moment until we get your
feedback, and we have a few features to complete. We really need your
feedback and input. We intend to put out a series of small releases in
the two to three weeks to come, and then a production ready major
release shortly thereafter. Phase two of our development plan will then
begin where we go after some major new features such as IP Reputation
shortly.

http://www.openinfosecfoundation.org
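Two rules illustrating the protocol keywords and flow variables described in the announcement above, written here as an added example (not the OISF's own code or ruleset); the URIs, flowbit name, message text and sids are constructed.

```text
# Added example, not from the announcement. The "http" protocol keyword lets
# the engine match on HTTP it has detected itself, on whatever port the
# stream uses; a Snort-style rule would have had to name port 80 explicitly.
#
# Rule 1: a request for the (constructed) URI /gate.php sets a flowbit on the
# flow but produces no alert of its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE check-in to /gate.php on any port"; flow:established,to_server; content:"/gate.php"; http_uri; nocase; flowbits:set,example.checkin_seen; flowbits:noalert; sid:9000001; rev:1;)

# Rule 2: alerts only when the same flow later requests an .exe, i.e. the
# flowbit set by rule 1 is present. Each rule alone would be noisy; combined
# through the flow variable they describe a two-step behaviour.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE executable fetched after /gate.php check-in"; flow:established,to_server; flowbits:isset,example.checkin_seen; content:".exe"; http_uri; nocase; sid:9000002; rev:1;)
```

The pair is intended for a test sensor run against a pcap; the flowbit lives only for the lifetime of the single flow, which is exactly the limitation the "Global Flow Variables" item above says is being addressed.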

Wednesday, December 30, 2009

Brian Krebs Leaving The Washington Post

In another sign of the decline of print media, Brian Krebs, the world's number one journalist in the fight against Internet-based crime, is leaving The Washington Post.

Brian Krebs' last column appeared December 24th:

Farewell 2009, and The Washington Post

This will be the last post for the Security Fix blog. Dec. 31 marks my final day at The Washington Post Company.

Over the last 15 years, I've reported hundreds of stories for washingtonpost.com and the paper edition. I have authored more than 1,300 blog posts since we launched Security Fix back in March 2005. Dozens of investigative reports that first appeared online later were "reverse published" in the newspaper, including eight front-page stories and a Post Magazine cover.

Through it all, you - the reader - have been my most valuable source, most reliable critic, and most persistent muse. Loyal readers are the reason Security Fix has consistently been among the most-visited blogs on washingtonpost.com. Thank you.

I will continue to remain engaged in this increasingly vital news beat. Please stay in touch for updates in the New Year. I can be reached directly at this e-mail address.


Brian has led the way in the fight against Russian organized crime's assault on the Internet. Among his notable articles are:

Russian Business Network: Down, But Not Out:
http://blog.washingtonpost.com/securityfix/2007/11/russian_business_network_down.html

Mapping the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/mapping_the_russian_business_n.html

Taking on the Russian Business Network:
http://blog.washingtonpost.com/securityfix/2007/10/taking_on_the_russian_business.html

Shadowy Russian Firm Seen as Conduit for Cybercrime:
http://www.washingtonpost.com/wp-dyn/content/story/2007/10/12/ST2007101202661.html?hpid=moreheadlines

Estonia Incident Demonstrated Power of Russia-Based Cyber Networks:
http://www.washingtonpost.com/wp-dyn/content/article/2007/10/12/AR2007101201700.html?sub=new


The loss of Krebs indicates that The Washington Post Company may be in serious financial trouble.

Brian is creating a new web site at http://www.krebsonsecurity.com/

He can be reached at: krebsonsecurity@gmail.com

James McQuaid

Sunday, December 6, 2009

RBN Assists Global Iranian Crackdown

Research Center of Islamic Republic of Iran Broadcasting operating in RBN IP space

The Iranian government has launched a "Global Crackdown" against its opposition, following its monitoring of Facebook and other social media. Note the Slashdot post referring to The Wall Street Journal article:

Slashdot post: Iranian Crackdown Goes Global
http://politics.slashdot.org/story/09/12/05/2044243/Iranian-Crackdown-Goes-Global

Wall Street Journal article: Iranian Crackdown Goes Global
http://online.wsj.com/article/SB125978649644673331.html

"Tehran's leadership faces its biggest crisis since it first came to power in 1979, as Iranians at home and abroad attack its legitimacy in the wake of June's allegedly rigged presidential vote. An opposition effort, the 'Green Movement,' is gaining a global following of regular Iranians who say they never previously considered themselves activists. The regime has been cracking down hard at home. And now, a Wall Street Journal investigation shows, it is extending that crackdown to Iranians abroad as well. Part of the effort involves tracking the Facebook, Twitter and YouTube activity of Iranians around the world, and identifying them at opposition protests abroad. People who criticize Iran's regime online or in public demonstrations are facing threats intended to silence them."

Caught by surprise with the power of social media during the disputed election, Tehran has commissioned white paper studies by the Research Center of Islamic Republic of Iran Broadcasting (crspa.ir) to "study the role of social capital in knowledge sharing".

The crspa.ir web site has been assisted by the Russian Business Network at the well-known RBN IP address 61.61.61.61, which is home to many of the RBN's spam, scam and malware DNS servers.

www.crspa.ir is a CNAME forward view entry to crspa.ir:
[Image: Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP space, 5 December 2009]

Warning: IP address 61.61.61.61 may damage your computer
http://safeweb.norton.com/report/show?url=new-look-at-life.ru&x=0&y=0
Norton Safe Web reports that new-look-at-life.ru installs the Infostealer virus, a keystroke logger used to steal identities and financial information.
http://www.siteadvisor.com/sites/holeuse.com
The McAfee SiteAdvisor reviewer notes that holeuse.com "is an Identity Theft and Credit Card Fraud ring."

There is also a CNAME entry at RBN IP address 222.170.127.100:
[Image: Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP space, 6 December 2009]

Warning: IP address 222.170.127.100 may damage your computer
http://www.siteadvisor.com/sites/sing-sing-sing.ru
The McAfee SiteAdvisor reviewer notes that sing-sing-sing.ru is a spamming domain "responsible for millions of junk mails that can lead to malware, phishing sites, or exploits."
http://safeweb.norton.com/report/show?url=getyourpower.ru&x=8&y=5
Norton Safe Web reports that getyourpower.ru installs the Infostealer virus, a keystroke logger used to steal identities and financial information.

Third scummy RBN server with a CNAME forward view entry for www.crspa.ir:
[Image: Research Center of Islamic Republic of Iran Broadcasting operating from RBN IP address 58.218.250.107, 7 December 2009]

Warning: IP address 58.218.250.107 may damage your computer
http://www.siteadvisor.com/sites/brownarea.com
The McAfee SiteAdvisor reviewer noted that brownarea.com are "Specialists in: credit-card fraud; hacking, hijacking, using viruses to get control of computers, that act as a zombie in botnets."

crspa.ir is a CNAME alias for www.rcirib.ir:
[Image: Research Center of Islamic Republic of Iran Broadcasting in Iranian IP space]

The Research Center of Islamic Republic of Iran Broadcasting owns two domains:
[Image: crspa.ir is Research Center of Islamic Republic of Iran Broadcasting]

[Image: rcrib.ir is Research Center of Islamic Republic of Iran Broadcasting]

It will be interesting to see if the Iranian hacktivists target these RBN servers.

James McQuaid
emergingthreats.net
Most Recent Update: 7 December 2009