Thursday, May 21, 2015

Snort Subscriber Rule Set Update for 05/21/2015

Just released:
Snort Subscriber Rule Set Update for 05/21/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 76 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, file-flash, file-multimedia, file-other, file-pdf, malware-backdoor, malware-cnc, os-windows, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Mail Protocol Inspectors in Snort++

The latest release of Snort++ (build 152) includes the ported SMTP, POP and IMAP inspectors. This post describes the changes to Snort's mail protocol preprocessors in Snort++.

Snort++'s mail inspectors are purely PDU based: PDU boundaries are identified in the TCP stream, the stream is split at those boundaries, and each PDU is then handed to the inspector.

Changes to mail protocol inspectors config:

  • Memory-related options such as memcap and max_mime_mem, and the disable option, have been removed.
  • Ports are now specified in binder entries as follows:

binder =
{
    {
        when =
        {
            proto = 'tcp',
            ports = '25 465 587 691',
        },
        use =
        {
            type = 'smtp',
        },
    },
}

  • Config options to disable alerts have been removed.
  • Users can now search for content in the decoded MIME attachments with the rule option "file_data" instead of "file_data:mime".

Changes to SMTP config:
  • The inspection_type option has been deleted; the SMTP inspector in Snort++ always inspects SMTP statefully.
  • The alt_max_command_line_len syntax has changed. The new syntax for this option is as follows:

smtp =
{
    alt_max_command_line_len =
    {
        {
            command = 'MAIL',
            length = 260,
        },
    },
}
  • All SMTP config options that take a command or a list of commands as arguments (such as normalize_cmds, data_cmds, valid_cmds, etc.) use the following syntax.

Eg:
   valid_cmds = [[ CMD1 CMD2 ... CMDn ]]

The following command will give you the complete list of options for the mail inspectors.

snort --help-config | grep 
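Pulling the pieces above together, here is an added example of a snort.lua fragment that wires up the ported mail inspectors; it is not taken from the blog post or the Snort project. The binder layout, type = 'smtp', the SMTP ports, the alt_max_command_line_len table, the [[ ]] command lists and the file_data option come from the post; the 'pop' and 'imap' type names, their ports, and the ips.rules inline-rule table are assumptions.

```lua
-- Added example, not from the blog post or the Snort project: a snort.lua
-- fragment that wires up the ported mail inspectors described above.
-- Taken from the post: binder/when/use, type = 'smtp', the SMTP ports,
-- alt_max_command_line_len entries, [[ ]] command lists, file_data.
-- Assumed: the 'pop' and 'imap' type names and ports, and ips.rules.

-- Stream carves each TCP session into PDUs; the binder hands every PDU on a
-- matching port to the inspector named in 'use'.
binder =
{
    { when = { proto = 'tcp', ports = '25 465 587 691' }, use = { type = 'smtp' } },
    { when = { proto = 'tcp', ports = '110 995' }, use = { type = 'pop' } },  -- assumed
    { when = { proto = 'tcp', ports = '143 993' }, use = { type = 'imap' } }, -- assumed
}

smtp =
{
    -- Commands added to the inspector's accepted command list.
    valid_cmds = [[ HELO EHLO MAIL RCPT DATA RSET QUIT NOOP STARTTLS AUTH ]],
    -- Commands whose arguments are normalized before rule matching.
    normalize_cmds = [[ MAIL RCPT ]],
    -- Commands that move the session into message-body state.
    data_cmds = [[ DATA ]],
    -- Per-command line-length limits, in the new table syntax.
    alt_max_command_line_len =
    {
        { command = 'MAIL', length = 260 },
        { command = 'RCPT', length = 300 },
    },
}

pop  = { }  -- assumed: ported POP inspector with default settings
imap = { }  -- assumed: ported IMAP inspector with default settings

-- Inline rule (ips.rules is assumed). file_data without the ':mime' suffix
-- now points the following content match at the decoded MIME attachment.
ips =
{
    rules = [[
        alert tcp any any -> any 25 ( msg:"EXAMPLE PE header in SMTP attachment";
            flow:to_server,established; file_data; content:"MZ"; depth:2;
            sid:1000001; rev:1; )
    ]],
}
```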

Tuesday, May 19, 2015

Snort Subscriber Rule Set Update for 05/19/2015, Snort 2.9.7.3

Just released:
Snort Subscriber Rule Set Update for 05/19/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-executable, file-flash, file-pdf, indicator-compromise, malware-cnc, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort 2.9.7.3 is now available!

Snort 2.9.7.3 is now available at http://www.snort.org/downloads in the Snort Stable Release Section.

Snort 2.9.7.3 Release Notes:
[*] New additions
  • Added PAF support for SIP based traffic
[*] Improvements
  • Resolved a backtracking issue where the 'protected_content' rule option was not matching on content following a content rule option that is not matched.
  • Resolved an issue where snort dropped privilege levels before attempting to delete its PID file created during the higher privilege level
  • Improved processing of SSLv3 traffic, IPv6 extensions, HTTPS session reassembly and normalization
  • Performance improvements for file preprocessor
  • Stability improvements for ftp_telnet preprocessor


Please start your updating engines, and drop us a line over at Snort-users with any issues.

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 241, includes:
  • A total of 2,617 detectors.
  • Maintenance fixes and minor improvements.

It is available now from our downloads page. We look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, May 15, 2015

Snort++ Update

Just pushed build 152 to github (snortadmin/snort3):
  • fixed config error for inspection of rebuilt packets
  • ported smtp inspector from Snort
  • static analysis fix for new_http_inspect

Thursday, May 14, 2015

Snort Subscriber Rule Set Update for 05/14/2015

Just released:
Snort Subscriber Rule Set Update for 05/14/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

  • Avery Tarasov: 34452, 34453

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-plugins, malware-cnc, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!