Thursday, March 5, 2015

Snort Subscriber Rule Set Update for 03/05/2015, OpenSSL

Just released:
Snort Subscriber Rule Set Update for 03/05/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 84 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
33677
33678

Talos's rule release:
OpenSSL RSA_EXPORT attack CVE-2015-0204:
A coding deficiency in OpenSSL exists that may lead to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this
release and are identified with GID 1, 33686 through 33703.

Talos has also added and modified multiple rules in the blacklist,
browser-chrome, file-identify, file-other, malware-cnc, protocol-voip,
server-other and sql rule sets to provide coverage for emerging threats from
these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, March 4, 2015

Snort Subscriber Rule Set Update for 03/03/2015

Just released:
Snort Subscriber Rule Set Update for 03/03/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour

33646
33647
33648
33650

Avery Tarasov

33649


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-other, browser-plugins, exploit-kit, file-identify, file-image, file-other, malware-cnc, pua-adware, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Monday, March 2, 2015

Snort++ Build 140 Available Now

Snort++ build 140 is now available. This is the second monthly update of the downloads. You can also get the latest updates from GitHub (snortadmin/snort3), which is updated weekly.

Continued code sync with Snort 2.9.7:
  • sync 297 http xff, swf, and pdf updates
  • sync ftp with 297; replace stream event callbacks with FlowData virtuals
  • sync stream with 297
  • 297 sync of active and codecs
  • sync normalizations with 297
Other updates:
  • normalization refactoring, renaming
  • fix icmp4 encoding
  • fix encoder check for ip6 extensions
  • update documentation on new HTTP inspector, binder, and wizard
  • documented gotcha regarding rule variable definitions in Lua
  • uncrustify, see crusty.cfg
Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team

Thursday, February 26, 2015

Snort 3.0's new http_inspect preprocessor!

One of the major undertakings for Snort 3.0 is developing a completely new HTTP inspector. It is incomplete right now but you can examine the work-in-progress. You can configure it by adding:
    new_http_inspect = {}
to your snort.lua configuration file. Or you can read it in the source code under src/service_inspectors/nhttp_inspect.

The classic HTTP preprocessor is still available in the alpha release as http_inspect. It’s probably the better choice for now if you just want to do some work and do not feel like experimenting. Be sure not to configure both old and new HTTP inspectors at the same time.

So why a new HTTP inspector?

For starters it is object-oriented. That’s good for us because we maintain this software. But it should also be really nice for open-source developers. You can make meaningful changes and additions to HTTP processing without having to understand the whole thing. In fact much of the new HTTP inspector’s knowledge of HTTP is centralized in a series of tables where it can be easily reviewed and modified. Many significant changes can be made just by updating these tables.

New_http_inspect is the first inspector written specifically for the new Snort 3.0 architecture. That provides access to one of the very best features of Snort 3.0: purely PDU-based inspection. Classic http_inspect processes HTTP messages, but even while doing so it is constantly aware of IP packets and how they divide up the TCP data stream. The same HTTP message might be processed differently depending on how the sender (bad guy) divided it up into IP packets.

New_http_inspect is free of this burden and can focus exclusively on HTTP. That makes it much simpler, easier to test, and less prone to false positives. It also greatly reduces the opportunity for adversaries to probe the inspector for weak spots by adjusting packet boundaries to disguise bad behavior.
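The packet-boundary problem described above, as an added illustration (not Snort code): the same constructed request is matched once per TCP segment and once on the reassembled PDU, for a split on line boundaries and for a split placed inside the pattern. Segment offsets, the request and the pattern are all constructed for this example.

```python
# Added illustration, not Snort code: the same HTTP request inspected per
# TCP segment versus as one reassembled PDU. A sender chooses where the
# segment boundaries fall, so a per-packet matcher's verdict depends on
# the split; a PDU-based matcher gives one verdict for every split.
from typing import List, Tuple

def split_segments(pdu: bytes, boundaries: List[int]) -> List[bytes]:
    """Cut a message into segment payloads at the given byte offsets."""
    cuts = [0, *sorted(boundaries), len(pdu)]
    return [pdu[a:b] for a, b in zip(cuts, cuts[1:])]

def packet_matcher(segments: List[bytes], pattern: bytes) -> bool:
    """Packet-aware check: each segment is inspected in isolation, so a
    pattern straddling a boundary is never seen whole."""
    return any(pattern in seg for seg in segments)

def pdu_matcher(segments: List[bytes], pattern: bytes) -> bool:
    """PDU-based check: reassemble the stream first, then inspect once."""
    return pattern in b"".join(segments)

# Constructed request and a constructed content pattern a rule might look for.
CONSTRUCTED_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: ConstructedScanner/1.0\r\n"
    b"\r\n"
)
PATTERN = b"ConstructedScanner/1.0"

def verdicts(boundaries: List[int]) -> Tuple[bool, bool]:
    """(per-packet verdict, PDU verdict) for one choice of segmentation."""
    segs = split_segments(CONSTRUCTED_REQUEST, boundaries)
    return packet_matcher(segs, PATTERN), pdu_matcher(segs, PATTERN)

def boundary_inside_pattern() -> int:
    """An offset in the middle of PATTERN: a split here hides the pattern
    from per-packet inspection but not from PDU-based inspection."""
    return CONSTRUCTED_REQUEST.index(PATTERN) + len(PATTERN) // 2

if __name__ == "__main__":
    line_split = [CONSTRUCTED_REQUEST.index(b"Host:"),
                  CONSTRUCTED_REQUEST.index(b"User-Agent:")]
    print("split on line boundaries:", verdicts(line_split))              # (True, True)
    print("split inside the pattern:", verdicts([boundary_inside_pattern()]))  # (False, True)
```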

Dealing solely with HTTP messages also opens the door for developing major new features. The new_http_inspect design supports true stateful processing. Want to ask questions that involve both the client request and the server response? Or different requests in the same session? These things are possible.

Another new feature on the horizon is HTTP/2 analysis. HTTP/2 derives from Google’s SPDY project and is in the process of being standardized. Despite the name, it is better to think of HTTP/2 not as a newer version of HTTP/1.1, but rather as a separate protocol layer that runs under HTTP/1.1 and on top of TLS or TCP. It’s a perfect fit for the new Snort 3.0 architecture because a new HTTP/2 inspector would naturally output HTTP/1.1 messages but not any underlying packets. That is exactly the input new_http_inspect wants.

New_http_inspect is taking a very different approach to HTTP header fields. Classic http_inspect divides all the HTTP headers following the start line into cookies and everything else. It normalizes the two pieces using a generic process and puts them in buffers that one can write rules against. There is some limited support for examining individual headers within the inspector, but it is narrow and header-specific.

The new concept is that every header should be normalized in an appropriate and specific way and individually made available for the user to write rules against. If, for example, a header is supposed to be a date, then normalization means putting that date into a standard format.
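Per-header normalization of the kind described above, as an added example that is not Snort's code: each field is parsed out individually, field names are lowercased and whitespace is cleaned, and date-valued headers are converted from any of the three HTTP-date formats into the preferred IMF-fixdate form, with unparseable dates recorded as anomalies rather than silently accepted. The header block and the set of date-valued header names are constructed for this example.

```python
# Added illustration, not Snort code: normalize each HTTP header individually
# so rules can match one header at a time. Date-valued headers are converted
# to the IMF-fixdate form from RFC 7231 section 7.1.1.1; other headers get
# name lowercasing and whitespace cleanup. Input is a constructed message.
from datetime import datetime, timezone
import re

DATE_HEADERS = {"date", "last-modified", "expires", "if-modified-since"}
# The three date formats an HTTP/1.1 recipient must accept (RFC 7231 7.1.1.1).
DATE_FORMATS = (
    "%a, %d %b %Y %H:%M:%S GMT",   # IMF-fixdate (preferred)
    "%A, %d-%b-%y %H:%M:%S GMT",   # obsolete RFC 850
    "%a %b %d %H:%M:%S %Y",        # obsolete asctime() (implicitly GMT)
)

def normalize_http_date(raw: str):
    """Return the date in IMF-fixdate form, or None if it is not a valid HTTP-date."""
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(raw.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return dt.strftime("%a, %d %b %Y %H:%M:%S GMT")
    return None

def normalize_headers(header_block: str):
    """Parse the header section (after the start line) into per-header
    normalized values. Returns (headers, anomalies): headers maps the
    lowercased field name to a list of normalized values (a field may repeat);
    anomalies records lines that failed parsing or type-specific normalization."""
    headers, anomalies = {}, []
    for line in header_block.split("\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or name != name.strip():
            anomalies.append(f"malformed field line: {line!r}")
            continue
        name = name.lower()
        value = re.sub(r"[ \t]+", " ", value.strip())   # collapse OWS runs
        if name in DATE_HEADERS:
            norm = normalize_http_date(value)
            if norm is None:
                anomalies.append(f"{name}: unparseable HTTP-date {value!r}")
                norm = value                             # keep raw, but flagged
            value = norm
        headers.setdefault(name, []).append(value)
    return headers, anomalies

# Constructed header block mixing all three date formats and one bad date.
CONSTRUCTED_HEADERS = (
    "Host:   example.test\r\n"
    "Date: Sunday, 06-Nov-94 08:49:37 GMT\r\n"
    "Last-Modified: Sun Nov  6 08:49:37 1994\r\n"
    "Expires: tomorrow\r\n"
)
```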

There is still a great deal of work to be done to make all this happen. One major open question is what to do with all this power: protocol processing is getting ahead of rule-writing capabilities.

What do you want the new_http_inspect to do for you? What kind of rules do you want to be able to write that are currently difficult or impossible? What correlations would you like to be able to examine? Send your ideas to the open source mailing lists. We take them very seriously.

Snort++ Update

Just pushed build 139 to github (snortadmin/snort3):
  • sync 297 http XFF, SWF, and PDF updates
  • additional http_inspect cleanup
  • documented gotcha regarding rule variable definitions in Lua

Snort Subscriber Rule Set Update for 02/26/2015

Just released:
Snort Subscriber Rule Set Update for 02/26/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules and made modifications to 199 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-webkit, file-flash, file-image, file-other, file-pdf, malware-backdoor, malware-cnc, os-other, protocol-voip, pua-p2p, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Wednesday, February 25, 2015

Possible Packet Loss issues during reassembly for Snort

William Parker was nice enough to write up this quick white paper on how to diagnose and remediate some possible packet loss issues found during reassembly for Snort.

I've posted the white paper on our documentation page on Snort.org (under Additional Resources) and here's a link to it directly.

Thanks Bill for always contributing great content for the site!