Sunday, June 26, 2016

Snort 2.9.8.0 is approaching EOL

As you can see from our EOL page:

https://www.snort.org/eol

The EOL date for Snort 2.9.8.0 is a couple of days away. From our download statistics, the percentage of people still running 2.9.8.0 is pretty small, so the impact should not be great.

Please try to update your engines this week to 2.9.8.3, the current version. Thanks!

Thursday, June 23, 2016

Snort++ Build 201 Available Now

Snort++ build 201 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Enhancements:

  • add configure --enable-hardened-build
  • add configure --pie (position independent executable)
  • add new_http_inspect alert for loss of sync
  • add peg counts for new_http_inspect
  • add peg counts for sd_pattern
  • add file_log inspector to log file events
  • add filename support to file daq
  • update file processing configuration
  • add high availability support for udp and icmp
  • add support for safe C library
  • add new http_inspect alerts abusive content-length and transfer-encodings
  • add \b matching to sensitive data
  • add obfuscation for sensitive data
  • add support for unprivileged operation
  • convert legacy allocations to memory manager for better memory profiling
  • add double-decoding to new_http_inspect
  • add obfuscation support for cmg and unified2
Bug Fixes:
  • various snort2lua updates and fixes
  • fix default prime tables for internal hash functions
  • fix new_http_inspect bounds issues
  • miscellaneous cmake and auto tools build fixes
  • add / update unit tests
  • fix additional memory leaks
  • fix compiler warnings
  • fix static analysis issues
  • fix handling of bpf file failures
  • fix link with dynamic DAQ
  • fix multi-DAQ instance configuration
  • prevent profiler double counting on recursion
Other Changes:
  • initial appid port - in progress
  • continued porting of dce_rpc - smb transaction processing
  • openssl is now a mandatory dependency
  • DAQ 2.1 has many updates - see the ChangeLog for details
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 06/23/2016

Just released:
Snort Subscriber Rule Set Update for 06/23/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-office and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal subscriptions start at as little as $29 US a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort Rule Downloads, Crontabs, and you.

At Snort we have an extensive amount of monitoring taking place to make sure the health of Snort.org is as optimal as we can make it.

One of the things we monitor is response time, or how long it takes, from the time your browser requests Snort.org, to the time we fulfill the entire page or whatever is being loaded.  We strive for a sub-100ms response time.

We'd like to go faster, but look, this is reality, nothing is perfect, and Snort is a very complex beast.

Setting aside the millions of hits a day Snort.org gets, let's concentrate on the people who have PulledPork and Oinkmaster checking for new rules automatically from a crontab. We see nearly 500,000 PulledPork requests a day, and this "GET" request is very quick. Since we generally release rule packs on Tuesdays and Thursdays, most of the people hitting Snort.org for the md5 of the rule pack find that the md5 hasn't changed, and move on.

Unless, of course, we have deployed a new rule pack: then the md5 changes and you grab the full rule pack. That is working exactly as intended. We love PulledPork for this, as it alleviates a lot of load on the server, and we wish the remaining Oinkmaster users would move off of Oinkmaster.

We use load balancing, and even Cloudflare in front of Snort.org to cache the majority of requests to the site.  In fact, about 85% of the content served from Snort.org is cached.

The remainder of this traffic, for the most part, is document and rule downloads.

This only becomes a problem at the top of the hour. (Our downloaders love 12pm and 4pm the most, for some reason.) Every hour we see huge spikes of traffic caused by people running pulledpork (or, for some reason, oinkmaster) from a cron job that downloads the ruleset on the hour.

It's perfectly fine that you do this.

However, if we can encourage, say, 10% of you, to randomize your crontab's time, even to 10 minutes past the hour, the response time on our servers would drop tremendously.  (Now, don't everyone go set their crontab to 10 past the hour, it was just an example!)
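The two behaviours described above (the cheap md5 check that only pulls the tarball when it changed, and spreading cron jobs off the top of the hour) as one added example. This is not PulledPork's or Snort.org's code; PulledPork already does the md5 comparison itself, and the wrapper below only illustrates what that loop does. The "server" is a local directory with a constructed tarball and .md5 file so it runs offline, and the pulledpork.pl path in the demo is a hypothetical one.

```shell
#!/bin/sh
# Added example (not PulledPork or Snort.org code): a cron-friendly rule-update
# wrapper that (1) derives a stable per-sensor minute off the top of the hour
# and (2) only "downloads" the rule pack when its published md5 has changed.
# The remote side is simulated by local files so the script runs offline.

# spread_minute NAME -> minute 0-59 derived from NAME (e.g. the hostname).
# cksum is a POSIX CRC, so the slot is stable for one host but differs across
# hosts, which spreads a whole fleet over the hour with no hand editing.
spread_minute() {
    crc=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $((crc % 60))
}

# cron_line NAME CMD -> crontab entry running CMD hourly at that minute.
cron_line() {
    printf '%s * * * * %s\n' "$(spread_minute "$1")" "$2"
}

# md5_of FILE -> hex digest (md5sum on GNU systems, openssl elsewhere).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# rulepack_status STATEFILE REMOTE_MD5 -> "changed" or "unchanged".
# STATEFILE holds the md5 of the pack we last installed.
rulepack_status() {
    if [ -f "$1" ] && [ "$(cat "$1")" = "$2" ]; then
        echo unchanged
    else
        echo changed
    fi
}

# fetch_if_changed STATEFILE MD5FILE TARBALL DEST -> skipped | fetched | corrupt
# Mirrors the GET-the-md5-first loop: compare, copy ("download") only on
# change, verify the copy against the published digest, then record it.
fetch_if_changed() {
    published=$(cut -d' ' -f1 "$2")
    if [ "$(rulepack_status "$1" "$published")" = unchanged ]; then
        echo skipped
        return 0
    fi
    cp "$3" "$4"
    if [ "$(md5_of "$4")" != "$published" ]; then
        rm -f "$4"          # never install a pack that fails its digest check
        echo corrupt
        return 0
    fi
    printf '%s\n' "$published" > "$1"
    echo fetched
}

# Demo with constructed files: prints a crontab line for this host and the
# result of two consecutive "cron runs" against the same published pack
# (first fetched, then skipped).
demo() {
    d=$(mktemp -d)
    printf 'constructed rule tarball\n' > "$d/snortrules.tar.gz"
    printf '%s  snortrules.tar.gz\n' "$(md5_of "$d/snortrules.tar.gz")" \
        > "$d/snortrules.tar.gz.md5"
    host=$(hostname 2>/dev/null || echo sensor-01)
    cron_line "$host" "/usr/local/bin/pulledpork.pl -c /etc/pulledpork.conf"
    fetch_if_changed "$d/state" "$d/snortrules.tar.gz.md5" \
        "$d/snortrules.tar.gz" "$d/rules.tar.gz"
    fetch_if_changed "$d/state" "$d/snortrules.tar.gz.md5" \
        "$d/snortrules.tar.gz" "$d/rules.tar.gz"
    rm -rf "$d"
}

demo
```

Paste the line that `cron_line` prints into `crontab -e` and the job runs hourly at a minute that is fixed for that host but different from the next host's. If you would rather jitter each run than pin a slot, a bash crontab command such as `sleep $((RANDOM % 3600)) && pulledpork.pl ...` achieves the same spreading, but `RANDOM` is bash-only, so set `SHELL=/bin/bash` in the crontab when using it.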

Please keep in mind that no one has complained about the response time of the site, and we aren't overly concerned with the issue.  We just prefer to head this off at the pass, before it becomes an issue.

We add over 1,000 new users to the site every week, we have well over 500,000 active users on Snort.org now, and we show no signs of slowing down. In fact, by all the metrics we track, activity is increasing. This is fantastic, and we love the fact that our community is strong.

However, if we can adjust some of our crontab run times for the rule update software that you all are running, we can keep the experience as optimal as we can for everyone for a long time to come.

I appreciate you doing so, thanks a lot!

Keep Snorting!

Snort++ Update

Pushed build 201 to github (snortadmin/snort3):
  • initial appid port - in progress
  • add configure --enable-hardened-build
  • add configure --pie (position independent executable)
  • add new_http_inspect alert for loss of sync
  • add peg counts for new_http_inspect
  • add peg counts for sd_pattern
  • add file_log inspector to log file events
  • add filename support to file daq
  • add high availability support for udp and icmp
  • add support for safe C library
  • continue porting of dce_rpc - smb transaction processing (part 2)
  • various snort2lua updates and fixes
  • fix default prime tables for internal hash functions
  • fix new_http_inspect bounds issues
  • fix icc warnings
  • miscellaneous cmake and auto tools build fixes
  • openssl is now a mandatory dependency


Wednesday, June 22, 2016

Snort 2.9.8.3 has been released!

Please join us in welcoming Snort 2.9.8.3 to the family!

Please see below for the release notes:

2016-04-25 - Snort 2.9.8.3
[*] Improvements
 *  Stability improvement for Stream6 preprocessor

 *  Fixed multiple issues in HttpInspect preprocessor

 *  Fixed an issue of incorrect masking of sensitive data

You can download Snort at our downloads site at Snort.org.

Tuesday, June 21, 2016

Snort Subscriber Rule Set Update for 06/21/2016

Just released:
Snort Subscriber Rule Set Update for 06/21/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules and made modifications to 7 additional rules.

Port 5450 was added to http_inspect and stream5.


Talos's rule release:
Talos has added and modified multiple rules in the file-pdf, indicator-obfuscation, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal subscriptions start at as little as $29 US a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!