Tuesday, November 21, 2017

Snort Subscriber Rule Set Update for 11/21/2017, Adobe Vulns

Just released:
Snort Subscriber Rule Set Update for 11/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 105 new rules of which 4 are Shared Object rules and made modifications to 18 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 16, 2017

Snort Subscriber Rule Set Update for 11/16/2017

Just released:
Snort Subscriber Rule Set Update for 11/16/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules of which 0 are Shared Object rules and made modifications to 12 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-image, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 14, 2017

Snort Subscriber Rule Set Update for 11/14/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 11/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules of which 15 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
44763
44764
44768


Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11791:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44819 through 44820.

Microsoft Vulnerability CVE-2017-11837:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44809 through 44810.

Microsoft Vulnerability CVE-2017-11840:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44811 through 44812.

Microsoft Vulnerability CVE-2017-11841:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44813 through 44814.

Microsoft Vulnerability CVE-2017-11843:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44815 through 44816.

Microsoft Vulnerability CVE-2017-11845:
A coding deficiency exists in Microsoft Edge that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44817 through 44818.

Microsoft Vulnerability CVE-2017-11846:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44845 through 44846.

Microsoft Vulnerability CVE-2017-11847:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44833 through 44834.

Microsoft Vulnerability CVE-2017-11854:
A coding deficiency exists in Microsoft Word that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44838 through 44839.

Microsoft Vulnerability CVE-2017-11855:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44831 through 44832.

Microsoft Vulnerability CVE-2017-11856:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44829 through 44830.

Microsoft Vulnerability CVE-2017-11858:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44827 through 44828.

Microsoft Vulnerability CVE-2017-11861:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44825 through 44826.

Microsoft Vulnerability CVE-2017-11869:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44823 through 44824.

Microsoft Vulnerability CVE-2017-11873:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44843 through 44844.

Microsoft Vulnerability CVE-2017-11878:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44821 through 44822.

Talos also has added and modified multiple rules in the browser-ie,
file-image, file-office, file-other, file-pdf, indicator-compromise,
os-windows and server-webapp rule sets to provide coverage for emerging
threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 9, 2017

Snort Subscriber Rule Set Update for 11/09/2017

Just released:
Snort Subscriber Rule Set Update for 11/09/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules of which 0 are Shared Object rules and made modifications to 27 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-identify, file-office, file-other, file-pdf, malware-cnc, malware-other, os-linux, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 7, 2017

Snort Subscriber Rule Set Update for 11/07/2017

Just released:
Snort Subscriber Rule Set Update for 11/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules of which 1 are Shared Object rules and made modifications to 124 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-executable, file-identify, file-multimedia, file-office, file-other, malware-cnc, netbios, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, November 3, 2017

Snort 3.0 with ElasticSearch, LogStash, and Kibana (ELK)

The Elastic Stack, consisting of Elasticsearch with Logstash and Kibana, commonly abbreviated "ELK", makes it easy to enrich, forward, and visualize log files.  ELK is especially good for getting the most from your Snort 3.0 logs.  This post will show you how to create a cool dashbaord:



The dashboard shows the following:
  • bring_da_heat - a heat map that plots event priority vs classification
  • apple_pie - a pie chart that shows total bytes transferred by app
  • greatest_hits - a data table that shows the rules generating the most events
  • global_hot_spots - a geo plot of the event source address*
  • size_o_gram - a histogram of logged packet / buffer sizes

Get Started

To get started, you will need to install the following:
Go ahead and get Snort 3.0 and ELK installed now if you haven't done so already.  There is plenty of help for that available elsewhere.  Some things to note:
  • The github repo is updated multiple times per week and the master branch is always clean so that is the best way to get Snort 3.0.
  • The base appid module is built into Snort 3.0 but you will need Open App ID to get the Lua detector plugins.
  • You can use the community rules in 3.0 format or translate other 2.X rules with snort2lua.

Run Snort

The next step is to get Snort running and generating events and app stats.  Add the following to the default config file (after the -c argument below):

appid =
{
    log_stats = true,
    app_detector_dir = 'ODP'
}

alert_json =
{
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}

The tokens in bold above and below are as follows:
  • ODP is the path where you installed Open App ID.  Note this path does not include the trailing /odp.
  • INSTALL is the install prefix you used when configuring your Snort 3.0 build.
  • RULES is the path containing the community rules.
  • PCAP is your favorite pcap.  You could use -i <iface> instead. 
This command will process your pcap and generate alerts.json and app_stats.log files in your current directory:

INSTALL/bin/snort \
-c INSTALL/etc/snort/snort.lua \
-R RULES/snort3-community.rules \
--plugin-path INSTALL/lib \
-r PCAP \
-A json -y -q > alerts.json

The JSON events are determined by the configured fields to look like this:

{ "timestamp" : "03/08/01-04:21:07.583700", "pkt_num" : 737, "proto" : "UDP", "pkt_gen" : "raw", "pkt_len" : 161, "dir" : "C2S", "src_addr" : "192.168.16.222", "src_port" : 3076, "dst_addr" : "239.255.255.250", "dst_port" : 1900, "service" : "unknown", "rule" : "1:1917:15", "priority" : 3, "class" : "Detection of a Network Scan", "action" : "allow", "b64_data" : "TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg==" }

The app stats are in csv format with Unix timestamp, app, bytes to client, and bytes to server:

1059733200,FTP Data,4441712,185694921

Run ELK

Now lets process these logs with the elastic stack.  Start by running elasticsearch and kibana as follows:

cd elasticsearch-5.5.1/
bin/elasticsearch -v &

cd kibana-5.5.1-darwin-x86_64
bin/kibana &

I've got version 5.5.1 of ELK installed on OS X.  Adjust your paths as needed for your install of ELK.  We are using the default ports of 9200 for elasticsearch and 5601 for kibana.  You may need to adjust on your system.

Now we are ready to send the logs to elasticsearch using logstash.  Get the config files here.  Edit alert_json.txt and alert_apps.txt and set the path on the 3rd line to point to your log files.  Then you can run logstash like this:

cd logstash-5.5.1/
bin/logstash -f snort_json.txt &
bin/logstash -f snort_apps.txt &

Visualize

The logstash commands will populate the logstash-snort3j and logstash-snort3a indexes in elasticsearch.  At this point we can start working on the dashboard using kibana.  Point your browser to http://localhost:5601/ and follow these steps:
  1.   Click on the gear (Management), Index Patterns, + Create Index Pattern, set the name logstash-snort3j, and then click Create.
  2.   Edit b64_data (click pencil on right), set Format = String and Transform = Base64 Decode, and then click Update Field.
  3.   Click on the gear (Management), Index Patterns, + Create Index Pattern, set the name logstash-snort3a, and then click Create.
  4.   Click the scripted fields tab, + Add Scripted Field, set Name = app_total_bytes and Script = doc['bytes_to_client'].value+doc['bytes_to_server'].value and then click Create Field.
At this point you can click on the icons on the left for Discover, Visualize, and Dashboard to view the raw data, create tables, charts, etc., and build a dashboard.  This is really best done by just exploring and experimenting, however you can import the dashboard shown above by clicking Management, Saved Objects, Import and selecting snort_dash.json.  Tip: base your visualizations off saved searches so that you don't lose them when the data is deleted.

snort_csv.txt is also provided for use with snort -A csv if you want to process alerts in csv format.  The index name for that is logstash-snort3.

* Snort 3.0 supports the target rule option, so use that instead of source address if your rules have targets.  That gets the attacker correct for shellcode, etc.










Thursday, November 2, 2017

Snort Subscriber Rule Set Update for 11/02/2017

Just released:
Snort Subscriber Rule Set Update for 11/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 14 are Shared Object rules and made modifications to 2 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the indicator-compromise, policy-other, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!