Friday, April 28, 2017

Snort++ Update

Pushed build 231 to github (snortadmin/snort3):
  • build: clean up Intel compiler warnings and remarks
  • build: fix FreeBSD compilation issues
  • cmake: fix building with and without flatbuffers present
  • autoconf: check for lua.hpp as well as luajit.h to ensure C++ support
  • shell: make commands non-blocking
  • shell: allow multiple remote connections
  • snort2lua: fix generated stream_tcp bindings
  • snort2lua: fix basic error handling with non-conformant 2.X conf
  • decode: fix 116:402
  • dnp3: fix 145:5
  • appid: numerous fixes and cleanup
  • http_server: removed (use new http_inspect instead)
  • byte_jump: add bitmask and from_end (from 2.9.9 Snort)
  • byte_extract: add bitmask (from 2.9.9 Snort)
  • flatbuffers: add version to banner if present
  • loggers: build alert_sf_socket on all platforms
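The bitmask and from_end modifiers on byte_jump and byte_extract in the list above change how a rule's detection cursor moves, which is easy to get wrong when writing a rule. The following Python model is an added illustration for this page, not Snort code and not a rule parser: bitmask ANDs the extracted value and right-shifts it by the number of trailing zero bits in the mask (the documented behaviour); from_end is modelled as subtracting the jump from the buffer length, which is this example's assumption about the option. The sample record and the trailer_at_jump_target rule are constructed for the demonstration.

```python
"""
Model of Snort's byte_extract / byte_jump cursor arithmetic with the
bitmask and from_end modifiers. Added illustration for this page; it is
not Snort code and does not parse Snort rules. Counts are limited to
1..4 bytes, as for binary (non-string) extraction.
"""


def apply_bitmask(value: int, bitmask: int) -> int:
    """AND value with the mask, then drop the mask's trailing zero bits, so a
    field held in bits 4..7 reads as 0..15 rather than 0x00..0xF0."""
    if bitmask <= 0:
        raise ValueError("bitmask must be a positive integer")
    shift = (bitmask & -bitmask).bit_length() - 1  # index of lowest set bit
    return (value & bitmask) >> shift


def _read_field(buf: bytes, count: int, offset: int, cursor: int,
                relative: bool, endian: str):
    """Locate and decode the count-byte field an option refers to. Returns
    (value, index_after_field), or None when the field is not entirely
    inside the buffer, in which case the option fails to match."""
    if not 1 <= count <= 4:
        raise ValueError("binary extraction reads 1 to 4 bytes")
    start = (cursor if relative else 0) + offset
    if start < 0 or start + count > len(buf):
        return None
    value = int.from_bytes(buf[start:start + count], endian)
    return value, start + count


def byte_extract(buf, count, offset, cursor=0, relative=False,
                 endian="big", bitmask=None):
    """Return (value, new_cursor): the value would be stored in a rule
    variable and the cursor moves past the bytes that were read."""
    field = _read_field(buf, count, offset, cursor, relative, endian)
    if field is None:
        return None
    value, after = field
    if bitmask is not None:
        value = apply_bitmask(value, bitmask)
    return value, after


def byte_jump(buf, count, offset, cursor=0, relative=False, endian="big",
              multiplier=1, post_offset=0, bitmask=None,
              from_beginning=False, from_end=False):
    """Return the new cursor, or None when the jump leaves the buffer.
    Default base is the byte after the field; from_beginning bases the jump
    at offset 0; from_end (assumption) subtracts the jump from len(buf)."""
    field = _read_field(buf, count, offset, cursor, relative, endian)
    if field is None:
        return None
    value, after = field
    if bitmask is not None:
        value = apply_bitmask(value, bitmask)
    jump = value * multiplier
    if from_end:
        new_cursor = len(buf) - jump
    elif from_beginning:
        new_cursor = jump
    else:
        new_cursor = after + jump
    new_cursor += post_offset
    if new_cursor < 0 or new_cursor > len(buf):
        return None
    return new_cursor


# Constructed sample record (not a real protocol): a header byte whose top
# bit is a flag and whose low seven bits carry the body length, the body,
# a 4-byte trailer, and a final big-endian 2-byte "bytes from end" field
# that locates the trailer. Total length: 10 bytes.
SAMPLE = bytes([0x83]) + b"ABC" + b"TRLR" + (6).to_bytes(2, "big")


def trailer_at_jump_target(buf: bytes) -> bool:
    """Model of a rule that masks off the flag bit, jumps over the body with
    byte_jump and expects the trailer at the cursor (as a following
    content ... within would). Short or malformed input yields False."""
    cursor = byte_jump(buf, 1, 0, bitmask=0x7F)
    if cursor is None:
        return False
    return buf[cursor:cursor + 4] == b"TRLR"
```

Without the bitmask, the header byte 0x83 would be read as a length of 131 and the jump would run off the 10-byte record, so the rule would silently never fire; with bitmask 0x7F the length is 3 and the cursor lands on the trailer. The same trailer is reached with from_end by reading the final 2-byte field, either with an absolute offset or relative to a cursor parked at the end of the buffer.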

Thursday, April 27, 2017

Snort Subscriber Rule Set Update for 04/27/2017

Just released:
Snort Subscriber Rule Set Update for 04/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules, of which 2 are Shared Object rules and cover zero days, and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, os-windows, protocol-ftp, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 26, 2017

Snorter -- an automatic Snort, Barnyard2, and PulledPork installation script.

Snorter

We all know that sometimes the installation of the latest version of Snort, Barnyard2 and PulledPork can be pretty tedious, especially if you have to install lots of Snorts on different machines.

Cloning hard disks is the easy way to do it if all the machines on which we are going to install this IDS are the same, but what happens if you are using different machines and you want to install Snort on all of them? It doesn't matter whether you install Snort for PCAP analysis or to use it as an IDPS: it's hard work!

I made a guide some time ago where I explain, step by step, how to install and configure Snort on a Debian-based machine, but it was always the same: too long for the short time I have, especially if I wanted to do a quick PCAP analysis to rule out malware infections or other network traces, for example. This is why I decided to convert my PDF guide into a bash script, which installs all dependencies and also creates a MySQL database for the alerts.

This is how Snorter was born.

The only things you need are an Oinkcode, available for free on the snort.org web page and needed to update the Snort rules automatically, and the network interface that is going to be used (eth0, wlan0, etc.).

To install, you only need to clone the repository and run the script with your Oinkcode and the interface to monitor:
git clone https://github.com/joanbono/Snorter
cd Snorter/src
bash Snorter.sh -o <oinkcode> -i <interface>

The script is mostly unattended; the only interaction needed during the installation is specifying $HOME_NET and $EXTERNAL_NET, but do not worry, it is fully documented in the Manual.
I have also added a Dockerfile for testing, with the possibility of using websnort, a web interface which allows the analyst to upload a PCAP file and then see the alerts graphically, and which adds to Snorter an API option for submitting PCAPs using curl.

I started this tool with the purpose of making my life easier, but the program has evolved, and now it’s time to share it.

The next step is to port it to Red Hat/CentOS; any help is welcome!

Feel free to open issues, improve the script and add more options, but, above all, enjoy the free time you will have from now on.



This was a guest post by --
Joan Bono
IT Security Analyst at Ackcent

Snort Subscriber Rule Set Update for 04/25/2017

Snort Subscriber Rule Set Update for 04/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 64 new rules of which 8 are Shared Object rules, and made modifications to 8 additional rules.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 24, 2017

Snort Subscriber Rule Set Update for 04/20/2017

Just released:
Snort Subscriber Rule Set Update for 04/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 19, 2017

Snort Subscriber Rule Set Update for 04/18/2017

Just released:
Snort Subscriber Rule Set Update for 04/18/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-identify, file-other, file-pdf, indicator-scan, os-solaris, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 17, 2017

Snort Video Series

Want to get better acquainted with Snort and see an overview of Snort IPS? Want to see how you can install and configure Snort IPS on your machine? Look no further. In conjunction with Cisco Engineering Learning & Development, we created a video that gives an overview of Snort installation, configuration, and deployment on a computer. The video is a great place for you to begin to understand Snort and see an installation from start to finish. You can find the MP4 on our Documents page, under the Additional Resources section of our website, titled "Snort installation and configuration TechByte".


This is the first video in the TechByte series being created by Cisco Engineering Learning & Development and Snort. The next videos in this series coming later this year will be on How to Write a Snort Rule and Advanced Snort Rule Writing. Stay tuned.