Friday, February 16, 2018

Snort Subscriber Rule Set Update for 02/15/2018

Just released:
Snort Subscriber Rule Set Update for 02/15/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules of which 0 are Shared Object rules and made modifications to 46 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Tuesday, February 13, 2018

Snort 3.0 Ruleset Announcement!

Join as we welcome the first official builds of the Snort 3 subscriber and registered ruleset to the family!

Today marks the first day that we will begin publishing the Snort 3 subscriber and registered rulesets alongside the Snort 2.x rulesets on Snort.org. They will be downloadable via the API (Oinkcode) in the same way as the Snort 2.x rulesets, and will be published on the same dates.

The same subscription rules apply for Snort 3. New rules will be added to the registered ruleset after a 30-day delay. The licensing is exactly the same as it is today for Snort 2.x. Our license can be viewed here: https://www.snort.org/snort_license

False Positives against Snort 3 rules can be filed by following the same instructions as Snort 2.x rules.  Instructions on how to file false positives can be found here: http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

There are a couple of caveats to the Snort 3 ruleset:


  1. Keep in mind that the format and layout of the Snort 3 ruleset are different from Snort 2's. If you want to start testing the Alpha (and, coming soon, Beta!) builds of Snort 3 and you have a custom ruleset, you can convert your Snort 2 ruleset into the Snort 3 language with the snort2lua tool found in the Snort 3 tarball, available on www.snort.org/downloads.
  2. Shared Object rules are not part of this initial build. We have not yet begun to transition the Shared Object rules that we build for Snort 2.x’s rule tree into Snort 3. Work on that will begin very soon.
  3. The files within the Snort 3 ruleset tarball are named slightly differently. This is on purpose: not only does it give a clean separation between the old rule set and the new one, but if someone writes to the Snort-Sigs list asking for assistance with a rule and they are trying to run a Snort 3 rule on a Snort 2 engine, it’ll be easy to identify.
    1. For instance, in Snort 2.x rules, an example rule file may be named: “server-webapp.rules”
    2. In Snort 3’s rule package, the same file would be named: “snort3-server-webapp.rules”
  4. We have removed all the old dead categories: exploit.rules, blacklist.rules, web-iis.rules and the like are all gone.


We look forward to people starting to use this ruleset and test it out.  Please provide us feedback on the Snort-sigs list.

Snort++ Build 243 Available Now on Snort.org

A new release of Snort++ (build 243) is now available on snort.org which includes lots of new functionality and important bug fixes.  Here is an overview of the updates since the prior release:

Important changes since the last release:


  • build: dropping automake support - only cmake tarballs provided
    (automake files are still included but will be removed soon)

Issues reported by the community:

  • alert_json: various fixes
    thanks to Noah Dietrich for reporting the issues
  • appid: gracefully handle failed Lua state instantiation
    thanks to Noah Dietrich for reporting the issue
  • build: add STATIC to add_library call of port_scan to build it statically
    thanks to Fabrice Fontaine
  • cd_pbb: initial version of codec for 802.1ah
    thanks to jan hugo prins for reporting the issue
  • cd_pflog: fix comments
    thanks to Markus Lude for the 2X patch
  • http_inspect: handle borked reassembly gracefully
    thanks to João Soares for reporting the issue
  • ips options: error if lookup fails due to bad case, typos, etc.
    thanks to Noah Dietrich for reporting the issue

New Features:

  • alert_json: added json event logger
  • arp_spoof: added wlan support
  • binder: added zones, network policy selection
  • daq: add support for DAQ_VERDICT_RETRY
  • daq: add support for packet trace
  • daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
  • dce_smb: added unicode filename support
  • file policy: add support for file event logging
  • http_inspect: added http_raw_buffer rule option
  • inspectors: added peg count for max concurrent sessions
  • loggers: added base64 encoder based on libb64 from devolve
  • modules: add usage designating global, context, inspect, or detect policy applicability
  • mss: add extra rule option to check mss
  • port_scan: add alert_all to make alerting on all events in window optional
  • snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
  • snort2lua: convert file_magic.conf to Lua format.
  • snort2lua: bindings now merge and propagate to top level of corresponding policy
  • snort2lua: '# alert' rules and pass comments in *.rules files
  • snort: -T does not compile mpse; --mem-check does
  • snort: add --dump-msg-map
  • snort: add warnings count to -T output
  • target: add rule option to indicate target of attack
  • unified2: add legacy_events bool for out-of-date barnyard2
  • wscale: add extra rule option to check tcp window scaling

Bug Fixes:

  • byte_test: fixed string bounds check
  • content: fixed relative loop condition
  • dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
  • detection: fixed option tree looping issue
  • detection: use detection limit (alt_dsize)
  • http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
  • http_inspect: apply request/response depth to packet data
  • pcre: fixed relative search with ^
  • shell: fixed --pause to accept control commands while in paused state
  • snort2lua: no sticky buffer for relative pcre
  • snort: fixed --dump-builtin-rules to accept optional module prefix
  • u2spewfoo: fixed build on FreeBSD

There are many other updates not mentioned.  Check the ChangeLog for a summary of changes including new features and build and bug fixes.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org periodically.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 02/13/2018, Snort 3 official ruleset!

Just released:
Snort Subscriber Rule Set Update for 02/13/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 51 new rules of which 2 are Shared Object rules and made modifications to 7 additional rules of which 1 is a Shared Object rule.

This release also marks the first official release of the registered and subscriber rulesets for Snort 3.0.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-0742:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45649 through 45650.

Microsoft Vulnerability CVE-2018-0756:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45632 through 45635.

Microsoft Vulnerability CVE-2018-0825:
A coding deficiency exists in Microsoft StructuredQuery that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45624 through 45625.

Microsoft Vulnerability CVE-2018-0834:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45626 through 45629.

Microsoft Vulnerability CVE-2018-0835:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0837:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0838:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0840:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0841:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45654 through 45655.

Microsoft Vulnerability CVE-2018-0842:
A coding deficiency exists in Microsoft Windows that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45656 through 45657.

Microsoft Vulnerability CVE-2018-0844:
A coding deficiency exists in Microsoft Windows Common Log File System
(CLFS) driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45630 through 45631.

Microsoft Vulnerability CVE-2018-0846:
A coding deficiency exists in Microsoft Windows Common Log File System
(CLFS) driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40691 through 40692.

Microsoft Vulnerability CVE-2018-0858:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45659 through 45660.

Microsoft Vulnerability CVE-2018-0860:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629
and 45636 through 45637.

Microsoft Vulnerability CVE-2018-0866:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45673 through 45674.
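The per-CVE entries above all follow the same "GID n, SIDs a through b" pattern, and several of the Scripting Engine CVEs cite the same SID range (45628 through 45629), so a single alert on one of those SIDs maps to more than one CVE. The following is an added example, not code from the Snort blog or from Talos: it parses release-note text in that layout into a CVE-to-SID map, builds the reverse SID-to-CVE index, and then checks a rules file for advisory SIDs that are absent or commented out. The advisory text is a four-entry excerpt of the note above; the rule lines are constructed samples (the `sid:`/`gid:` rule options are standard Snort syntax, the rule bodies are hypothetical), and the regular expressions assume the wording shown on this page.

```python
import re
from collections import defaultdict

# Constructed sample: four entries taken from the 02/13/2018 release note above,
# trimmed to the header and the "GID n, SIDs a through b" sentence of each.
ADVISORY = """\
Microsoft Vulnerability CVE-2018-0742:
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45649 through 45650.

Microsoft Vulnerability CVE-2018-0834:
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45626 through 45629.

Microsoft Vulnerability CVE-2018-0846:
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40691 through 40692.

Microsoft Vulnerability CVE-2018-0860:
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629
and 45636 through 45637.
"""

# Constructed sample rules file (hypothetical rule bodies, not Talos rules);
# a leading '#' is how a rule is disabled in a Snort rules file.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample"; sid:45649; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample"; sid:45650; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample"; sid:45628; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample"; sid:45629; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample"; sid:40691; rev:3;)
"""

CVE_HEADER = re.compile(r"Microsoft Vulnerability (CVE-\d{4}-\d{4,}):")
GID_RE = re.compile(r"\bGID (\d+)")
RANGE_RE = re.compile(r"(\d+)\s+through\s+(\d+)")  # \s+ tolerates a line break
SID_OPT_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_OPT_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def parse_advisory(text):
    """Split the note into per-CVE entries: cve, gid, expanded SID list, new flag."""
    parts = CVE_HEADER.split(text)  # [preamble, cve1, body1, cve2, body2, ...]
    entries = []
    for cve, body in zip(parts[1::2], parts[2::2]):
        gid_match = GID_RE.search(body)
        sids = set()
        for lo, hi in RANGE_RE.findall(body):
            if int(hi) < int(lo):
                raise ValueError(f"{cve}: bad SID range {lo} through {hi}")
            sids.update(range(int(lo), int(hi) + 1))
        entries.append({"cve": cve, "gid": int(gid_match.group(1)) if gid_match else 1,
                        "sids": sorted(sids),
                        "new": "Previously released" not in body})  # updated vs. added
    return entries

def sid_index(entries):
    """Reverse map (gid, sid) -> sorted list of CVEs that cite it."""
    index = defaultdict(list)
    for e in entries:
        for sid in e["sids"]:
            index[(e["gid"], sid)].append(e["cve"])
    return {k: sorted(v) for k, v in index.items()}

def shared_sids(entries):
    """SIDs cited by more than one CVE: one alert on these maps to several CVEs."""
    return {k: v for k, v in sid_index(entries).items() if len(v) > 1}

def rule_status(rules_text):
    """Map (gid, sid) -> 'enabled' or 'disabled' for every rule line; gid defaults to 1."""
    status = {}
    for line in rules_text.splitlines():
        line = line.strip()
        sid_match = SID_OPT_RE.search(line)
        if not sid_match:
            continue
        gid_match = GID_OPT_RE.search(line)
        gid = int(gid_match.group(1)) if gid_match else 1
        status[(gid, int(sid_match.group(1)))] = "disabled" if line.startswith("#") else "enabled"
    return status

def coverage_gaps(entries, rules_text):
    """Per CVE, the advisory SIDs that are absent from or disabled in the rules file."""
    status = rule_status(rules_text)
    gaps = {}
    for e in entries:
        missing = [(e["gid"], sid, status.get((e["gid"], sid), "missing"))
                   for sid in e["sids"] if status.get((e["gid"], sid)) != "enabled"]
        if missing:
            gaps[e["cve"]] = missing
    return gaps

if __name__ == "__main__":
    entries = parse_advisory(ADVISORY)
    for (gid, sid), cves in sorted(shared_sids(entries).items()):
        print(f"{gid}:{sid} is cited by {', '.join(cves)}")
    for cve, missing in sorted(coverage_gaps(entries, RULES).items()):
        print(cve, missing)
```

Run against a real rules file from the tarball, the gap report tells you which CVEs in a release note you are not actually alerting on, and the shared-SID index is what to consult before tagging an alert with a single CVE in a ticket.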

Talos also has added and modified multiple rules in the browser-ie,
exploit-kit, file-office, file-other, file-pdf, malware-cnc,
os-windows, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Thursday, February 8, 2018

Snort Subscriber Rule Set Update for 02/08/2018

Just released:
Snort Subscriber Rule Set Update for 02/08/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules of which 3 are Shared Object rules and made modifications to 13 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-other, file-pdf, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Tuesday, February 6, 2018

Snort Subscriber Rule Set Update for 02/06/2018

Just released:
Snort Subscriber Rule Set Update for 02/06/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules of which 10 are Shared Object rules and made modifications to 4 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-other, file-pdf, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!

Saturday, February 3, 2018

Snort Subscriber Rule Set Update for 02/02/2018, Cisco ASA Coverage

Just released:
Snort Subscriber Rule Set Update for 02/02/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules of which 2 are Shared Object rules and made modifications to 2 additional rules of which 1 is a Shared Object rule.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the indicator-shellcode and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the most emerging threats!