Thursday, January 29, 2015

Snort Subscriber Rule Set Update for 01/29/2015, Glibc (GHOST) Vulnerability

Just released:
Snort Subscriber Rule Set Update for 01/29/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 58 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
33219
33224
33227
33228

Yaser Mansour
33220
33221
33222
33223

Talos's rule release:
Synopsis: The VRT is aware of vulnerabilities affecting products using the GNU C
Library (Glibc).

Details:
CVE-2015-0235:
Exim mail server is exposed to a vulnerability in the GNU C Library
(Glibc) that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 33225 through 33226.

Talos has added and modified multiple rules in the blacklist,
deleted, exploit-kit, file-flash, indicator-compromise, malware-cnc and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort++ build 135 is now available!

Snort++ build 135 is now available.  This is the first monthly update of the download on snort.org.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Fixes for issues reported from the community:

  • fix cmake issues (reported by Y M)
  • add missing sanity checks and g++ dependency (reported by Bill Parker)
  • add general fp re-search solution for fp buffers further restricted during rule eval (reported by @rmkml)
  • fixes for large file support on 32-bit Linux systems (reported by Y M)

Partial code sync with Snort 2.9.7:

  • malloc info output with -v at shutdown (if supported)
  • sync Mpse and add SearchTool
  • sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
  • addition of mime decoding stats and updates to mime detection limits
  • added md5, sha256, and sha512 rule options based on Snort 2.X protected_content
  • misc bug fixes and variable renaming

Other updates:

  • fix asciidoc formatting and update default manuals
  • updated source copyrights for 2015 and reformatted license foo for consistency
  • fix default init for new_http_inspect
  • fixed active rule actions (react, reject, rewrite)
  • moved http_inspect profile defaults to snort_defaults.lua
  • add generalized infractions tracking to new_http_inspect
  • updated snort2lua to override default tables (x = { t = v }; x.t.a = 1)
  • added pflog codecs
  • fixed stream_size rule option
  • snort2lua changed to add bindings for default ports if not explicitly configured

Please take a look, download, and test out this release for Snort++ and provide us feedback on the snort-users mailing list.

Http Server Profiles in Snort++

This post describes the changes to the Http Inspect config option "profile".

Snort 2.X allows users to select pre-defined HTTP server profiles using the config option "profile". The user can choose one of five predefined profiles. When defined, this option will set defaults for other config options within Http Inspect.

With Snort++, the user has the flexibility of defining and fine tuning custom profiles along with the five predefined profiles.

Comparison:

Snort 2.X conf:
preprocessor http_inspect_server: server default \
               profile apache ports { 80 3128 } max_headers 200
Snort 3.0 conf:
http_inspect = { profile = http_profile_apache }

http_inspect.profile.max_headers = 200

binder =
{
    {
        when =
        {
            proto = 'tcp',
            ports = '80 3128',
        },
        use = { type = 'http_inspect' },
    },
}
NOTE: The "profile" option now points to a table, "http_profile_apache", which is defined in "snort_defaults.lua" as follows:
http_profile_apache =
{
    profile_type = 'apache',
    server_flow_depth = 300,
    client_flow_depth = 300,
    post_depth = -1,
    chunk_length = 500000,
    ascii = true,
    multi_slash = true,
    directory = true,
    webroot = true,
    utf_8 = true,
    apache_whitespace = true,
    non_strict = true,
    normalize_utf = true,
    normalize_javascript = false,
    max_header_length = 0,
    max_headers = 0,
    max_spaces = 200,
    max_javascript_whitespaces = 200,
    whitespace_chars = '0x9 0xb 0xc 0xd'
}
NOTE: The config option "max_headers" is set to 0 in the profile, but is overridden by "http_inspect.profile.max_headers = 200".

Conversion:

Snort2lua can convert an existing snort.conf that uses the "profile" option to the Snort 3.0-compatible "profile". Please refer to the Snort2Lua post for more details.
Examples:
"profile all" ==> "profile = http_profile_default"
"profile apache" ==> "profile = http_profile_apache"
"profile iis" ==> "profile = http_profile_iis"
"profile iis_40" ==> "profile = http_profile_iis_40"
"profile iis_50" ==> "profile = http_profile_iis_50"

Defining custom profiles:

The complete set of Http Inspect config options that a custom profile can configure can be found by running the following command:
snort --help-config http_inspect | grep http_inspect.profile
The new Http Inspect (new_http_inspect) implementation of config options is still under development.
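The following snippet is an added example, not code from the original post or from the Snort project. It shows one way to build a custom profile in snort.lua: copy the http_profile_apache table shown above, override a few of its options, point http_inspect at the result, and bind the HTTP ports. It assumes snort_defaults.lua has already been loaded (for example via dofile) so that http_profile_apache is in scope; the option names are taken from the table above, and the overridden values are assumed, not recommended settings.

```lua
-- Added example (not from the original post): derive a custom Http Inspect
-- profile from the stock http_profile_apache table.
-- Assumes snort_defaults.lua has already been loaded, so that
-- http_profile_apache is in scope, e.g.:
--   dofile('snort_defaults.lua')

-- Start from a shallow copy so the shared default table is left untouched
-- and other configs that reference http_profile_apache are not affected.
http_profile_custom = {}
for k, v in pairs(http_profile_apache) do
    http_profile_custom[k] = v
end

-- The stock apache profile leaves max_headers and max_header_length at 0;
-- the values below are assumed for illustration and should be tuned to the
-- servers actually being protected.
http_profile_custom.max_headers = 200
http_profile_custom.max_header_length = 4096
http_profile_custom.normalize_javascript = true

-- Select the custom profile instead of the predefined one.
http_inspect = { profile = http_profile_custom }

-- Bind the inspector to the HTTP ports (same ports as the comparison above).
binder =
{
    {
        when =
        {
            proto = 'tcp',
            ports = '80 3128',
        },
        use = { type = 'http_inspect' },
    },
}
```

Before relying on a custom profile, confirm each option name against the list printed by "snort --help-config http_inspect | grep http_inspect.profile", since a misspelled key in a Lua table is silently accepted by Lua and will not apply to the inspector.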

Tuesday, January 27, 2015

Snort Subscriber Rule Set Update for 01/27/2015

Just released:
Snort Subscriber Rule Set Update for 01/27/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
33207

Avery Tarasov
33212

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

OpenAppID Detection Webinar

Snort 2.9.7.0, announced at RSA with the OpenAppID preprocessor, rule keywords and new features, has generated an immense amount of interest in the Snort community.

If you are not familiar with OpenAppID, you can check out all of our posts about the subject.

We wanted to hold a NEW webinar so that the Open Source Community can attend and get our latest updates. We encourage you all to ask questions and receive first-hand feedback from the developers themselves.

To register for the Webinar, on Wednesday, February 4, 2014 at 10:00 AM EDT, please click below:

https://cisco.webex.com/ciscosales/k2/j.php?MTID=t23e73ff4a9a210df73da5473f1eaa91b (this link will also add the session to your calendar, e.g. Microsoft Outlook)


Topic: OpenAppID Detection
Host: Priyanka S. Raj
Date: Wednesday, February 4, 2015
Time: 10:00 am, Eastern Standard Time (New York, GMT-05:00)
Session Number: 202 283 442
Session Password: openappid

-------------------------------------------------------
To start the session
-------------------------------------------------------
1. Go to https://cisco.webex.com/ciscosales/k2/j.php?MTID=tcd7084b9b6b0f9bbbc008e99a9765bf9 
2. Log in to your account.
3. Click "Start Now".
4. Follow the instructions that appear on your screen.


Thank you. We look forward to having you on board with us!

Snort++ Update

Just pushed to github (snortadmin/snort3):

  • sync Mpse to 297, add SearchTool
  • 297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
  • addition of mime decoding stats and updates to mime detection limits
  • snort2lua changed to add bindings for default ports if not explicitly configured
  • added md5, sha256, and sha512 rule options based on Snort 2.X protected_content

Thursday, January 22, 2015

Snort Subscriber Rule Set Update for 01/22/2015

Just released:
Snort Subscriber Rule Set Update for 01/22/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 32 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!