Tuesday, July 7, 2015

Snort Subscriber Rule Set Update for 07/07/2015, "Hacking Team" Adobe 0day, iOS Lockdown Vulnerability

Just released:
Snort Subscriber Rule Set Update for 07/07/2015


Talos has released the newest Snort Subscriber Rule Set update. This release introduces 30 new rules and modifies 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
35068
35076


Talos's rule release:
Adobe Flash Player Vulnerability: Adobe Flash Player suffers from programming errors that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35086 through 35089.
iOS Lockdown Vulnerability: A programming error exists in the iOS Lockdown service that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35090 through 35091.
Talos has also added and modified multiple rules in the blacklist, browser-firefox, exploit-kit, file-flash, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats in these areas.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; business pricing is available at https://www.snort.org/products. Stay up to date to catch the most recent emerging threats!

Monday, July 6, 2015

Snort++ Alpha 2 Available Now!

The second alpha release of Snort++ is now available on snort.org, and it includes a lot of new features and functionality:

Snort features:

  • sync with Snort 297-177
  • ported dns inspector
  • ported ssh and ssl inspector
  • ported smtp, pop, and imap inspectors
  • ported sip inspector
  • ported file processing

New features:

  • added publish-subscribe handling of inspection events
  • added data_log plugin example for pub-sub
  • added build of snort_manual.text if w3m is installed
  • added file_magic.lua
  • added socket DAQ to input payload only with flow tuple
  • added hext DAQ for packet input in hex and plain text
  • added file DAQ for plain file input (w/o packets)
  • added socket codec for use with above DAQs
  • added stream_user for payload only processing
  • added stream_file for file inspection and processing
  • added usage, bugs, and DAQ sections to user manual
  • added default_snort_manual.text w/o w3m
  • rewrote alert_csv with all new default format
  • changed stream_tcp to reassemble payload only
  • optionally omit ports or networks and ports in rule headers
  • updated new_http_inspect
  • rule protocols include services (like http) and file
  • allow abbreviated rule headers (omit networks and/or ports)
  • uncrustify, see crusty.cfg

The Snort++ project is gaining momentum.  With new developers coming on board we will finish porting all of Snort's functionality in the next few months.  Here are some things to look for in the third alpha release:
  • port open appID
  • port dcerpc2 inspector
  • port modbus and dnp3 inspectors
  • port side channel and HA functionality
  • rewrite of stream_tcp for greater functionality and performance
  • rewrite of perf stats
  • pipelined packet processing
  • hardware offloading support
  • next generation DAQ
  • next generation unified logging
  • Windows support
New downloads are posted to snort.org monthly. You can also get the latest updates from github (snortadmin/snort3), which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Thursday, July 2, 2015

Snort Subscriber Rule Set Update for 07/02/2015

Just released:
Snort Subscriber Rule Set Update for 07/02/2015


Talos has released the newest Snort Subscriber Rule Set update. This release introduces 30 new rules and modifies 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-webkit, file-flash, file-multimedia, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats in these areas.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; business pricing is available at https://www.snort.org/products. Stay up to date to catch the most recent emerging threats!

Snort++ Update

Pushed build 159 to github (snortadmin/snort3):

  • added file processing to new_http_inspect
  • ported sip preprocessor
  • refactoring port group init and start up output
  • standardize / generalize fp buffers
  • add log_hext.width
  • tweak style guide
  • fix hosts table parsing
The 2nd Alpha release is coming soon!

Tuesday, June 30, 2015

Snort Subscriber Rule Set Update for 06/30/2015, Apple QuickTime CVE-2015-3667

Just released:
Snort Subscriber Rule Set Update for 06/30/2015


Talos has released the newest Snort Subscriber Rule Set update. This release introduces 31 new rules and modifies 24 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
34994
34995
34996
34997


Talos's rule release:
Apple QuickTime CVE-2015-3667: A coding deficiency exists in Apple QuickTime that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35022 through 35023.
Talos has also added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-multimedia, file-office, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats in these areas.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; business pricing is available at https://www.snort.org/products. Stay up to date to catch the most recent emerging threats!

Friday, June 26, 2015

Snort++ Update

We are working hard on the next update and have many things in the works, but nothing is yet far enough along to merit a push to github this week. There will be something next week for sure, and the second alpha release is coming soon too. :)

Wednesday, June 24, 2015

Snort Subscriber Rule Set Update for 06/24/2015, Adobe CVE-2015-3113

Just released:
Snort Subscriber Rule Set Update for 06/24/2015


Talos has released the newest Snort Subscriber Rule Set update. This release introduces 20 new rules and modifies 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Adobe Security Bulletin APSB15-14 (CVE-2015-3113): Adobe Flash Player suffers from programming errors that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 34988 through 34989.

Talos has also added and modified multiple rules in the file-flash, file-office, file-other, indicator-compromise, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats in these areas.
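Each of the rule release posts above names the coverage by GID and SID range (for example GID 1, SIDs 35086 through 35091 in the 07/07/2015 release), and the Snort++ Alpha 2 notes announce abbreviated rule headers that omit networks and/or ports. A practitioner pulling a release wants to confirm that the announced SIDs actually landed in the deployed rule file and were not shipped commented out. The following script is an added example written for this page, not code from snort.org or Talos: it parses rule headers in both the full Snort 2 form and the abbreviated Snort++ form, then reports announced SIDs that are missing or disabled. The rule lines in SAMPLE_RULES are constructed placeholders; only the SID numbers follow the 07/07/2015 announcement.

```python
"""Verify that a Snort rule release landed in a local rule file.

Added example for this page; not code from snort.org or Talos. The rule text in
SAMPLE_RULES is constructed for illustration (message text and headers are
placeholders); only the SID numbers follow the 07/07/2015 post (GID 1, SIDs
35086-35091).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# A rule header is: [#] action proto [src [sport] -> dst [dport]] ( options )
# The network/port part is mandatory in Snort 2 and optional in Snort++
# (abbreviated headers), so the whole group is optional in this pattern.
HEADER_RE = re.compile(
    r"""^\s*(?P<disabled>\#\s*)?
        (?P<action>alert|log|pass|drop|reject|sdrop|block)\s+
        (?P<proto>[a-z0-9_]+)
        (?:\s+(?P<src>\S+)(?:\s+(?P<sport>\S+))?\s*(?P<dir><>|->)\s*
            (?P<dst>\S+)(?:\s+(?P<dport>\S+))?)?
        \s*\((?P<opts>.*)\)\s*$""",
    re.VERBOSE,
)
OPT_RE = re.compile(r"\b(?P<key>sid|gid|rev)\s*:\s*(?P<val>\d+)\s*;")
MSG_RE = re.compile(r'\bmsg\s*:\s*"(?P<msg>(?:[^"\\]|\\.)*)"\s*;')


@dataclass
class Rule:
    enabled: bool          # False when the line is commented out with '#'
    action: str
    proto: str             # transport (tcp) or service (http) in Snort++
    header: Optional[Tuple[str, Optional[str], str, str, Optional[str]]]
    gid: int
    sid: int
    rev: int
    msg: str


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines, honouring backslash continuation and '#'-disabled rules."""
    rules: List[Rule] = []
    for line in text.replace("\\\n", " ").splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # blank line, plain comment or non-rule directive
        opts = {k: int(v) for k, v in OPT_RE.findall(m["opts"])}
        if "sid" not in opts:
            continue  # every deployable rule carries a sid
        msg = MSG_RE.search(m["opts"])
        header = None
        if m["src"]:
            header = (m["src"], m["sport"], m["dir"], m["dst"], m["dport"])
        rules.append(Rule(
            enabled=m["disabled"] is None,
            action=m["action"], proto=m["proto"], header=header,
            gid=opts.get("gid", 1), sid=opts["sid"], rev=opts.get("rev", 0),
            msg=msg["msg"] if msg else "",
        ))
    return rules


def check_release(text: str, sids: Iterable[int], gid: int = 1) -> Dict[str, List[int]]:
    """Report announced (gid, sid) pairs that are absent or present but disabled."""
    index = {(r.gid, r.sid): r for r in parse_rules(text)}
    missing: List[int] = []
    disabled: List[int] = []
    for sid in sids:
        rule = index.get((gid, sid))
        if rule is None:
            missing.append(sid)
        elif not rule.enabled:
            disabled.append(sid)
    return {"missing": missing, "disabled": disabled}


# Constructed rule file: placeholders, not the subscriber rule set.
SAMPLE_RULES = r'''
# constructed sample, not the subscriber rule set
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH constructed rule A"; flow:to_client,established; sid:35086; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-FLASH constructed rule B"; \
    flow:to_client,established; sid:35087; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"FILE-FLASH constructed rule C, shipped disabled"; sid:35088; rev:1;)
alert http (msg:"FILE-FLASH constructed rule D, Snort++ abbreviated header"; sid:35089; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-MOBILE constructed rule E"; gid:1; sid:35090; rev:2;)
'''

ANNOUNCED_0707 = range(35086, 35092)  # GID 1, SIDs 35086-35091 from the 07/07/2015 post

if __name__ == "__main__":
    for r in parse_rules(SAMPLE_RULES):
        state = "on " if r.enabled else "off"
        print(f"{state} {r.gid}:{r.sid}:{r.rev} {r.proto:5} {r.msg}")
    report = check_release(SAMPLE_RULES, ANNOUNCED_0707)
    print("missing:", report["missing"], "disabled:", report["disabled"])
```

Run it against the rule file the update installed rather than the constructed sample: a non-empty "missing" list means the pull did not deliver the announced SIDs, and a non-empty "disabled" list means they arrived but are commented out and will never fire until enabled in the local policy.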


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; business pricing is available at https://www.snort.org/products. Stay up to date to catch the most recent emerging threats!