
Security UPDATE--Supercharging Snort--June 15, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

Exchange & Outlook Administrator

Cost Control Through Remote Control: A practical approach to reducing the cost of supporting PCs in a multi-platform environment


1. In Focus: Supercharging Snort

2. Security News and Features

- Recent Security Vulnerabilities

- WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way

- Cisco's New DDoS Protection Solution

- IIS 6.0 Enhancements in Windows 2003 SP1

3. Security Toolkit

- Security Matters Blog


4. New and Improved

- Manage Compliance and Vulnerability Remediation


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools and solutions you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!


==== 1. In Focus: Supercharging Snort ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Certainly you've heard of the open-source Intrusion Detection System/Intrusion Prevention System (IDS/IPS) Snort. Maybe you're one of the countless people who use it. If so, you know it's a great tool with a huge amount of support from the user community. You might also know that Sourcefire, the company behind Snort, offers a commercial version of Snort and other network-protection tools. When I recently visited the Web site, I learned that you can now subscribe to the Sourcefire Vulnerability Research Team's certified rulesets, which means that you can receive the latest rulesets five days sooner than those rulesets are released to the general public.

Maybe you write your own rules in addition to using rulesets available at the Snort Web site. As with the source code for any application, the way a rule is written affects the performance of Snort. Poorly written rules take more time to process. A few extra microseconds of processing time here and there might not seem like a big deal, but when you consider an overall traffic load, those microseconds add up to full seconds really fast, and of course those seconds add up to minutes. The more efficient your rules, the more efficiently your IDS runs and the less likely it is that the sensor starts dropping traffic it can't keep up with.

So how can you determine how efficient your rules are? An easy way is to use the new TurboSnortRules online benchmarking tool, sponsored by VigilantMinds. TurboSnortRules is a Web-based service that lets you enter a rule and test its performance on various versions of Snort against a set of control data. The test output shows you how fast your rule operates on those selected versions.

As an example of how effective the service can be, take a look at the two sets of test results listed at the URLs below. Both tested rules are designed to detect Yahoo! Messenger logons. As you'll see in the results, one rule operates much faster than the other.

For another example, look at the two sets of test results for rules designed to detect the Mytob Trojan horse (at the first two URLs below). One rule operates faster than the other, but in this case, the difference in speed isn't as dramatic as in the comparison of the Yahoo! Messenger rules. Even so, every little bit of speed improvement helps. One slow rule could cause Snort to begin dropping packets, which could jeopardize your overall security. See the third URL below too, which graphically illustrates the damage one poorly written rule can do.

Also at the TurboSnortRules site, you'll find a searchable database for looking up rules that are either part of the Snort distribution or that have been submitted to the site by administrators for testing. The database is a good way to find rules you might need but don't want to write yourself, and the related performance data shows you how well those rules perform. Another excellent resource at the site is the Snort Performance Wiki, which has a lot of useful suggestions about how to make Snort run as fast as possible.
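To make the rule-efficiency point concrete, here is a constructed pair of Yahoo! Messenger logon rules written for this article; they are not the rules benchmarked on TurboSnortRules and not from the Snort distribution. The example assumes the client sends the "YMSG" protocol header at the start of its payload to TCP port 5050; the version-byte values in the third rule are hypothetical placeholders.

```snort
# Constructed example (not from the newsletter or the Snort ruleset).
# Assumes a Yahoo! Messenger client sends "YMSG" at payload offset 0 to TCP/5050.

# Slow form: a rule with no content keyword has nothing the multi-pattern matcher
# can use as a cheap pre-filter, so the regex engine runs on every packet that
# matches the header (port 5050, established, to_server).
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM logon (regex only)"; \
    flow:to_server,established; \
    pcre:"/^YMSG/"; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Faster form: a fixed content match anchored with depth lets Snort discard
# non-matching packets in the pattern matcher before any per-rule option runs.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM logon (content anchored)"; \
    flow:to_server,established; \
    content:"YMSG"; depth:4; \
    classtype:policy-violation; sid:1000002; rev:1;)

# When a regex is genuinely needed (e.g. to check a field after the header),
# keep the content match in front so pcre only runs on pre-filtered packets.
# The version bytes below are hypothetical values used only for illustration.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM logon (content then pcre)"; \
    flow:to_server,established; \
    content:"YMSG"; depth:4; \
    pcre:"/^YMSG.{2}(\x00\x0b|\x00\x0c)/"; \
    classtype:policy-violation; sid:1000003; rev:1;)
```

Submitting each of the three rules to the benchmarking service shows the same ordering the article describes: the content-anchored forms cost far less per packet than the regex-only form.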


==== Sponsor: Netopia ====

Cost Control Through Remote Control: A practical approach to reducing the cost of supporting PCs in a multi-platform environment

While the price for personal computers continues to decline, the actual cost to own and operate PCs continues to rise. In this free white paper get the insights and solutions into some of the less visible, but very real costs of PC and LAN ownership. You'll learn a practical approach to reducing the cost of supporting PCs and customers in a multi-platform environment. Plus -- you'll also get a Cost Savings Model for help desks that demonstrates the cost savings that can be realized by implementing remote control technology.


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

WSUS Available, Microsoft Update Now Live, MBSA 2.0 on the Way

Have you been waiting for the release of the finished Windows Server Update Services (WSUS)? Wondering when the new Microsoft Update site will go live? Both are available now, and Microsoft Baseline Security Analyzer (MBSA) 2.0 is on the way.

Cisco's New DDoS Protection Solution

Cisco Systems announced its new Distributed Denial of Service (DDoS) Protection solution that allows ISPs to protect their own networks, sell protected wholesale connections, and offer customers managed protection against DDoS attacks.

IIS 6.0 Enhancements in Windows 2003 SP1

Although most of the major Windows Server 2003 Service Pack 1 (SP1) changes concentrate on the core OS, SP1 doesn't neglect Microsoft IIS. The service pack contains several significant enhancements to IIS 6.0, the Web server application that's bundled with Windows 2003. Michael Otey outlines those changes in this brief summary on our Web site.


==== Resources and Events ====

True High Availability -- Going Beyond Backup and Data Replication

In this free Web seminar discover the various categories of high availability and disaster recovery solutions available and the pros and cons of each. You'll learn what solutions help you take preemptive, corrective action without resorting to a full system failover, or in extreme cases, that perform a non-disruptive, automatic switchover to a secondary server. Register Now!

Attend the Black Hat Briefings

Attend the Black Hat Briefings & Training USA, July 23-28, 2005 in Las Vegas. World-renowned security experts reveal tomorrow's threats today. Free of vendor pitches, the briefings are designed to be pragmatic regardless of your security environment. Featuring 25 hands-on training courses and 10 conference tracks. Lots of Windows stuff profiled.

Get Ready for SQL Server 2005 Roadshow in Europe

Get the facts about migrating to SQL Server 2005. SQL Server experts will present real-world information about administration, development, and business intelligence to help you implement a best-practices migration to SQL Server 2005 and improve your database computing environment. Receive a 1-year membership to PASS and 1-year subscription to SQL Server Magazine. Register now!

Streamline Desktop Deployments

Managing desktop software configurations doesn't have to be a manual process, resulting in unplanned costs, deployment delays, and client confusion. In this free Web seminar find out how to manage the software package preparation process and increase your desktop reliability, user satisfaction, and IT cost effectiveness. You'll learn how to simplify the deployment and configuration process, starting with the new-application request, review, and approval process and progressing through software packaging and deployment.

Safeguard Your Exchange Servers -- Plus Receive A FREE eBook

Managing storage growth, providing application resiliency, and handling small errors and problems before they grow are all important aspects of boosting your Exchange uptime. In this free Web seminar discover how storage and application management techniques for Exchange can be used to improve the resiliency and performance of your Exchange infrastructure. Register now and get your free eBook!

Win A Windows IT Pro VIP Subscription -- Register And You Could Win!

In this free Web seminar, learn what the most common fax messaging challenges encountered in the workforce are and solutions for how to turn these common fax "headaches" into cost-effective, easy-to-use, business communications. You'll also receive a free industry white paper on fax deployment and integration techniques. Register now and you'll receive a 30-day software trial and a Starbucks gift card for attending!


==== Featured White Paper ====

Security Management in a Multi-platform World

In this free white paper you'll learn how to reduce management overhead when dealing with multiple platforms and the costs and benefits of a centralized "holistic" approach to security management. Get the ins and outs of managing multi-platform security and how you can safely, securely, and sanely manage the security infrastructure of complex, multi-platform environments.


==== 3. Security Toolkit ====

Security Matters Blog

by Mark Joseph Edwards,

10 Security Patches Due June 14

Microsoft released 10 security updates on June 14, at least one of which is considered by the company to be critical. Seven of the patches are for Windows OSs, one corrects a problem in Windows Services for UNIX, another corrects a problem in Exchange Server, and the last corrects a problem with Internet Security and Acceleration (ISA) Server and Small Business Server (SBS). Microsoft also scheduled a Webcast for today at 2 P.M. Eastern Time (11 A.M. Pacific Time) to discuss the security updates.

New Feature Pack for Windows Mobile 5.0 to Enhance Security

Speaking last week at TechEd 2005, Steve Ballmer, chief executive officer of Microsoft, announced that the company's new Messaging & Security Feature Pack for Windows Mobile 5.0 will allow administrators to remotely enforce IT policy, remove all information from a device, and reset a device to its original state, including the ability to erase local device memory when the correct password isn't entered within the designated number of attempts.


by John Savill,

Q: Where is cached Universal Group information stored?

Find the answer at


==== Announcements ====

(from Windows IT Pro and its partners)

Why Do You Need the Windows IT Pro Master CD?

There are three good reasons to order our latest Windows IT Pro Master CD. One, because it's a lightning-fast, portable tool that lets you search for solutions by topic, author, or issue. Two, because it includes our Top 100 Windows IT Pro Tips. Three, because you'll also receive exclusive, subscriber-only access to our entire online article database. Click here to discover even more reasons:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Manage Compliance and Vulnerability Remediation

Citadel Security Software is now shipping Hercules 4.0. The new version adds two new modules: Hercules Compliance Manager, for auditing and reporting security policy compliance, and Hercules Remediation Manager, for managing vulnerability remediation and enforcing security policies. Hercules is available as a full suite or as individual modules. Citadel also now offers Hercules as a hardware appliance and in a pricing model that lets you pay for compliance audits and remediation actions as they're performed--these appliance and pay-per-use features are designed to make Hercules more appealing to smaller businesses. For more information, visit

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected].

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Ensuring Protection and Availability for Microsoft Exchange

Download this free white paper now!

Quest Software

Eleven things you must know about quick AD recovery!

A New Dimension in IT Infrastructure Management: Integrated KVM and Serial Console Control Systems

Reduce downtime, mean-time-to-repair, lower costs & improve ROI.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
