Friday, February 17, 2017

Snort++ Update

Pushed build 226 to github (snortadmin/snort3):
  • add PDF/SWF decompression to http_inspect
  • add connectors to generated reference parts of manual
  • add feature documentation for HA, side_channel, and connectors
  • add feature documentation for http_inspect
  • update default manuals
  • fix privilege dropping and chroot behavior
  • fix perf_monitor segfault when tterm is called before tinit
  • fix stream_tcp counter underflow bug and handle max and instant stats
  • fix lzma length calculation bug
  • fix bogus 129:20 alerts
  • fix back orifice compiler warning with -O3
  • fix bug that could cause hang on ctl-C
  • fix memory leak after reload w/o changing search engine
  • fix off by one error when reassembling after TCP FIN received
  • fix cmake doc build to include plugins on SNORT_PLUGIN_PATH
  • fix compiler warnings in dce_http_server and dce_http_proxy
  • fix appid reload issue
  • snort2lua - changes for rpc over http
  • snort2lua - changes to convert config alertfile: <filename>
  • snort2lua - changes to add file_id when smb file inspection is on
  • snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic

Thursday, February 16, 2017

Snort Subscriber Rule Set Update for 02/16/2017

Just released:
Snort Subscriber Rule Set Update for 02/16/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as little as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Tuesday, February 14, 2017

Snort Subscriber Rule Set Update for 02/14/2017

Just released:
Snort Subscriber Rule Set Update for 02/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 94 new rules and made modifications to 89 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-executable, file-flash, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as little as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Thursday, February 9, 2017

Snort Subscriber Rule Set Update for 02/09/2017, TicketBleed

Just released:
Snort Subscriber Rule Set Update for 02/09/2017, TicketBleed


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 284 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-office, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
Talos has published a blog post on this subject on the Talos Blog.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as little as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Tuesday, February 7, 2017

Snort Subscriber Rule Set Update for 02/07/2017

Just released:
Snort Subscriber Rule Set Update for 02/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
41498


Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-office, file-pdf, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as little as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Friday, February 3, 2017

Snort Subscriber Rule Set Update for 02/02/2017, WordPress Vulnerability, Microsoft 0day in SMB

Just released:
Snort Subscriber Rule Set Update for 02/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
41498


Talos's rule release:
CVE-2017-0016: A coding deficiency exists in Microsoft Windows SMB that may lead to remote code execution.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 41499.
This release also provides detection for a WordPress vulnerability using an authentication bypass. This is the bug that was patched recently via a silent fix, and is particularly nasty. Please upgrade your WordPress installation immediately if you have not done so. As WordPress is so widely deployed, and the vulnerability is rather simple, we have placed these rules in the community ruleset for everyone's use.
Talos has also added and modified multiple rules in the browser-ie, browser-plugins, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
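Rules in a release are addressed by their GID:SID pair, as with SID 41499 above and the community-ruleset SID 41498. The script below is an added example, not code from Snort or Talos: it parses rule lines, pulls out gid/sid/rev/msg, and reports for a wanted set of SIDs whether each is present and enabled or commented out with a leading `#`. The rule text in SAMPLE_RULES is constructed for illustration and is not real Talos rule content.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple
# A rule line: optional leading '#' (disabled), action, header, then "(options)".
RULE_RE = re.compile(
    r'^(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$'
)
# One option "key[:value];"; quoted values may themselves contain ';'.
OPT_RE = re.compile(r'(?P<key>[a-zA-Z_]+)\s*(?::\s*(?P<val>(?:"(?:[^"\\]|\\.)*"|[^;])*))?;')

@dataclass
class Rule:
    gid: int
    sid: int
    rev: int
    msg: str
    enabled: bool

def parse_rule(line: str) -> Optional[Rule]:
    # Returns None for blank lines, plain comments and anything that is not a rule.
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts: Dict[str, str] = {}
    for om in OPT_RE.finditer(m.group('options')):
        opts[om.group('key')] = (om.group('val') or '').strip()
    if 'sid' not in opts:
        return None
    return Rule(gid=int(opts.get('gid', '1')),  # gid defaults to 1 when omitted
                sid=int(opts['sid']), rev=int(opts.get('rev', '0')),
                msg=opts.get('msg', '').strip('"'),
                enabled=m.group('disabled') is None)

def rule_status(lines: Iterable[str], wanted: Iterable[Tuple[int, int]]) -> Dict[Tuple[int, int], str]:
    # Map each wanted (gid, sid) to 'enabled', 'disabled' (commented out) or 'missing'.
    found = {(r.gid, r.sid): r for r in map(parse_rule, lines) if r}
    return {k: 'missing' if k not in found else ('enabled' if found[k].enabled else 'disabled')
            for k in wanted}

# Constructed sample rules for illustration only; not real Talos rule content.
SAMPLE_RULES = """\
# CONSTRUCTED sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE os-windows SMB check"; flow:to_server,established; content:"|FF|SMB"; sid:41499; gid:1; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SAMPLE server-webapp check; disabled"; flow:to_server,established; content:"/wp-json/"; sid:41498; rev:1;)
"""
if __name__ == '__main__':
    for (gid, sid), state in rule_status(SAMPLE_RULES.splitlines(), [(1, 41499), (1, 41498), (1, 99999)]).items():
        print(f"{gid}:{sid} {state}")
```

Point the script at a real rules file by replacing SAMPLE_RULES with the file's lines to confirm that a release's advertised SIDs are actually active in your deployment.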


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as little as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Thursday, February 2, 2017

Snort++ Build 225 Available Now on Snort.org!

Snort++ build 225 is now available on Snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

There are too many changes to list here so check the ChangeLog for details.

Enhancements:
  • implement RPC over HTTP by adding dce_http_server and dce_http_proxy
  • port disable_replace option from snort 2.x and add snort2lua support
  • port ssh tunnel over http detection
Bug Fixes:
  • fix stream splitter handling during final flush of session data
  • fix appid to use HTTP inspection events to detect webdav methods
  • fix unit test build to work w/o REG_TEST
  • fix shell to add missing newline to Lua execution error responses
  • fix support for content strings with escaped quotes ("foo\"bar"); thanks to secres@linuxmail.org for reporting the issue
  • fix various reload issues
  • fix various thread sanitizer issues
  • fix session disposal to always be after logging
  • fix appid pattern matching issues
  • fix appid dns flow counts
  • fix shell resume after command line --pause
  • fix sd_pattern validation boundary conditions
Other Changes:
  • build: don't disable asserts when compiling with code coverage
  • autoconf: update to latest versions of autoconf-archive macros
  • main: add asynchronous, broadcastable analyzer commands
  • add salt to flow hash
  • normalize peg names to lower snake_case
  • update default manuals
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team