Thursday, February 4, 2016

Snort Subscriber Rule Set Update for 02/04/2016

Just released:
Snort Subscriber Rule Set Update for 02/04/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, February 2, 2016

Snort Subscriber Rule Set Update for 02/02/2016

Just released:
Snort Subscriber Rule Set Update for 02/02/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-multimedia, file-other, malware-cnc, malware-other, os-solaris, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort++ Update

Snort++ build 186 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes:

  • fix xcode builds
  • fix static analysis issues
  • fix profiler depth bug
  • fixed fatal on failed IP rep segment allocation - thanks to Bill Parker
  • fixed build issue with Clang and thread_local
  • fixed rule option string unescape issue

Enhancements:

  • host_module and host_tracker updates
  • start perf_monitor rewrite - 1st of many updates
  • start dce2 port - 1st of many updates
  • initial host_tracker for new integrated netmap
  • continued tcp session refactoring
  • new_http_inspect refactoring for time and space considerations
  • added new_http_inspect rule options
  • remove --enable-ppm - always enabled
  • update copyright to 2016, add missing license blocks
  • update default manuals
  • tweaked style guide wrt class declarations

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 261, includes:
  • A total of 2,802 detectors.
  • Additional detectors contributed by the open source community. For details on which contributions were included, see the AUTHORS file in this package.
It is available now for download from our downloads page. We look forward to you downloading and using the new features of the 2.9.7.0 and 2.9.8.0 OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Thursday, January 28, 2016

How can you tell if Snort is properly running when using systemd (or a standard init.d startup script)? - Guest Post by Bill Parker

This is a guest post by Bill Parker.  Bill writes many of the installation docs on Snort.org.  Please welcome him to the Snort Blog!

---

I receive more than a few emails from end users who are having difficulty determining if snort version 2.9.x is running on their server, though the quickest way to see if it is running is by using the commands 'ps' and 'grep'.

However, in many cases a problem in the 'snort.conf' file is what keeps snort from starting; running snort manually with the '-T' option tests the configuration and reports which line in snort.conf is causing the difficulty.

On my system when snort is NOT running, the command below returns the following:

[bill@moocow ~]$ ps auxww | grep -i "snort"

bill      1025  0.0  0.2 116388  2164 pts/0    S+   09:01   0:00 grep --color=auto -i snort

If I use systemctl to check the status of snort, I get:

[root@moocow init.d]# systemctl status snort.service <--- look here
* snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
 
Jan 23 09:10:55 moocow systemd[1]: Stopped Snort NIDS Daemon.

Which shows that snort isn't currently running on my server.

However, when snort is running, the same command produces a slightly different output:

[bill@moocow ~]$ ps auxww | grep -i "snort" <--- look here
snort     1071 41.6 39.7 748988 404492 ?       Ssl  09:11   0:37 /usr/local/bin/snort -A fast -b -d -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
bill      1090  0.0  0.2 116388  2204 pts/0    S+   09:13   0:00 grep --color=auto -i snort

Here is the output when systemctl is used instead of ps auxww | grep -i "snort". When I start snort 2.9.8.x on Fedora 22, the status output ends with a partial listing of the messages that snort sends to /var/log/messages:

[root@moocow init.d]# systemctl status snort.service <--- look here
* snort.service - Snort NIDS Daemon
   Loaded: loaded (/usr/lib/systemd/system/snort.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2016-01-10 10:02:38 PST; 1min 33s ago
 Main PID: 1070 (snort)
   CGroup: /system.slice/snort.service
           `-1070 /usr/local/bin/snort -A fast -b -d -i enp0s8 -u snort -g sn...

Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_IMAP  Version 1...1>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_SSLPP  Version ...4>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_DNP3  Version 1...1>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_SSH  Version 1....3>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_DNS  Version 1....4>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_DCERPC2  Versio...3>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_REPUTATION  Ver...1>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_FTPTELNET  Vers...3>
Jan 10 10:03:26 moocow snort[1070]: Preprocessor Object: SF_SIP  Version 1....1>
Jan 10 10:03:26 moocow snort[1070]: Commencing packet processing (pid=1070)
Hint: Some lines were ellipsized, use -l to show in full.
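The two checks above can be combined into one script. The example below is added here and is not from Bill's post: it takes ps auxww output, ignores the grep process that the pipeline always lists (the only line present when snort is stopped), falls back to systemctl when no snort process is found, and points at the -T configuration test. The ps sample is constructed to mirror the output shown above.

```shell
#!/bin/sh
# Added example (not from the post): is a Snort 2.9.x daemon running?

# Print the PID(s) of processes whose command is a snort binary. Input is
# "ps auxww" output on stdin; column 11 is the command path, so the
# "grep --color=auto -i snort" line and the header row never match.
snort_pids_from_ps() {
    awk '$11 ~ /(^|\/)snort$/ { print $2 }'
}

# Map the output of "systemctl is-active" to a short verdict.
describe_unit_state() {
    case "$1" in
        active)   echo "running" ;;
        inactive) echo "stopped" ;;
        failed)   echo "failed (see: journalctl -u snort.service)" ;;
        *)        echo "unknown state: $1" ;;
    esac
}

# Interactive check against the live system.
check_snort() {
    pids=$(ps auxww | snort_pids_from_ps)
    if [ -n "$pids" ]; then
        echo "snort running, pid(s): $pids"
    elif command -v systemctl >/dev/null 2>&1; then
        # is-active exits non-zero when the unit is not active; keep the text.
        state=$(systemctl is-active snort.service 2>/dev/null || true)
        echo "snort not in process list; systemd says: $(describe_unit_state "$state")"
        # A unit that will not start is usually a snort.conf problem:
        # test the config the way the post suggests, with the same -c/-u/-g.
        echo "hint: snort -T -c /etc/snort/snort.conf -u snort -g snort"
    else
        echo "snort not running"
    fi
}

# Constructed sample ps output modelled on the post (not captured here).
SAMPLE_PS_RUNNING='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
snort 1071 41.6 39.7 748988 404492 ? Ssl 09:11 0:37 /usr/local/bin/snort -A fast -b -d -i enp0s8 -u snort -g snort -c /etc/snort/snort.conf -l /var/log/snort
bill 1090 0.0 0.2 116388 2204 pts/0 S+ 09:13 0:00 grep --color=auto -i snort'
SAMPLE_PS_STOPPED='bill 1025 0.0 0.2 116388 2164 pts/0 S+ 09:01 0:00 grep --color=auto -i snort'
```

Run `check_snort` from a shell that has sourced the file; on the stopped sample `snort_pids_from_ps` prints nothing, on the running sample it prints 1071.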

On newer distributions of Linux, systemd has been implemented in favor of the old-style init.d startup scripts. Here is the README file from the /etc/init.d directory on my Fedora 22 Server system:

You are looking for the traditional init scripts in /etc/rc.d/init.d, and they are gone?

Here's an explanation on what's going on:

You are running a systemd-based OS where traditional init scripts have been replaced by native systemd services files. Service files provide very similar functionality to init scripts. To make use of service files simply invoke "systemctl", which will output a list of all currently running services (and other units). Use "systemctl list-unit-files" to get a listing of all known unit files, including stopped, disabled and masked ones. Use "systemctl start foobar.service" and "systemctl stop foobar.service" to start or stop a service, respectively. For further details, please refer to systemctl(1).

Note that traditional init scripts continue to function on a systemd system. An init script /etc/rc.d/init.d/foobar is implicitly mapped into a service unit foobar.service during system initialization.

Thank you!

Further reading:
        man:systemctl(1)
        man:systemd(1)
        http://0pointer.de/blog/projects/systemd-for-admins-3.html
        http://www.freedesktop.org/wiki/Software/systemd/Incompatibilities

Snort Subscriber Rule Set Update for 01/28/2016

Just released:
Snort Subscriber Rule Set Update for 01/28/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, January 26, 2016

Snort Subscriber Rule Set Update for 01/26/2016

Just released:
Snort Subscriber Rule Set Update for 01/26/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-firefox, file-flash, file-identify, file-other, file-pdf, malware-cnc, os-windows, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!