Tuesday, January 17, 2017

Snort Subscriber Rule Set Update for 01/17/2017

Just released:
Snort Subscriber Rule Set Update for 01/17/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 108 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

James Lay (SID 41318)


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-executable, file-flash, file-image, file-other, file-pdf, indicator-shellcode and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Subscribe now to Talos's newest rule detection functionality for as little as $29 US a year for personal users; business pricing is at https://snort.org/products#rule_subscriptions. Stay up to date to catch the newest emerging threats!

Snort++ Update

Pushed build 224 to github (snortadmin/snort3):
  • fix various stream_tcp flush issues
  • fix various cmake issues
  • fix appid counting of kerberos flows
  • fix expected flow leak when expiring nodes during lookup
     thanks to João Soares <joaosoares11@hotmail.com> for reporting the issue
  • fix autoconf retrieving PCRE cppflags from pkg-config
  • fix stream_user reassembly
  • remove unused appid.thirdparty_appid_dir
  • build and install plugins as modules instead of libraries
  • obfuscate stream rebuilt payload
  • updates for latest zlib
  • disable smb2 processing when file service is disabled
  • refactor includes; prune the set of installed headers
  • don't build alert_sf_socket on OSX
  • added CPP flags used to build Snort to snort.pc for extras and other plugins to use

Thursday, January 12, 2017

Snort Subscriber Rule Set Update for 01/10/2017, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 01/10/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 58 new rules and made modifications to 48 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:


Talos's rule release:
Microsoft Security Bulletin MS17-002:

A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 41140 through 41141.

Microsoft Security Bulletin MS17-004:

A coding deficiency exists in Local Security Authority Subsystem Service (LSASS) that may lead to a Denial of Service (DoS).

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 40759.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-executable, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, netbios, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
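An added check, not part of the Talos announcement or of any Talos tooling: after applying an update, confirm that the SIDs it names (41140 and 41141 for MS17-002 and 40759 for MS17-004 in this release, and community SID 41318 from the 01/17/2017 release above) actually exist in the rules directory you run and are not commented out. The rules directory, the sample rule lines and their placeholder msg strings are constructed for this example and are not the real Talos rules.

```shell
#!/bin/sh
# Added example, not part of the Talos release notes: after pulling a rule
# update, report whether each SID named in the announcement is present in
# the local ruleset and whether it is enabled or commented out.
# The sample rules written by make_sample_rules are constructed placeholders,
# not the real Talos rules.

# sid_state RULES_DIR SID
# Prints "enabled", "disabled" (rule line commented out with '#') or "missing".
sid_state() {
    rules_dir="$1"
    sid="$2"
    # Match 'sid:41140;' as written in Snort rule options; if the SID appears
    # more than once (e.g. a commented copy and a live copy) the first hit wins.
    hit=$(grep -rhE "sid:[[:space:]]*${sid}[[:space:]]*;" "$rules_dir" 2>/dev/null | head -n 1)
    if [ -z "$hit" ]; then
        echo missing
    elif printf '%s\n' "$hit" | grep -qE '^[[:space:]]*#'; then
        echo disabled
    else
        echo enabled
    fi
}

# check_sids RULES_DIR SID...
# Prints one line per SID; returns non-zero if any expected SID is missing.
check_sids() {
    rules_dir="$1"; shift
    rc=0
    for s in "$@"; do
        state=$(sid_state "$rules_dir" "$s")
        echo "sid $s: $state"
        if [ "$state" = missing ]; then rc=1; fi
    done
    return $rc
}

# make_sample_rules DIR: writes a constructed rules file so the check can run
# offline. 41141 is deliberately commented out to show the "disabled" case.
make_sample_rules() {
    mkdir -p "$1"
    cat > "$1/sample.rules" <<'EOF'
# Constructed sample for the example, not the real Talos rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"placeholder"; flow:to_server,established; sid:40759; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"placeholder"; flow:to_client,established; sid:41140; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"placeholder"; flow:to_client,established; sid:41141; rev:1;)
EOF
}

# Usage: ./check_sids.sh /etc/snort/rules 41140 41141 40759 41318
if [ "$#" -ge 2 ]; then
    check_sids "$@"
fi
```

A "disabled" result is not necessarily a problem (many sites leave file-* rules off for performance), but a "missing" result after an update means the tarball you applied is not the one the announcement describes.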


Subscribe now to Talos's newest rule detection functionality for as little as $29 US a year for personal users; business pricing is at https://snort.org/products#rule_subscriptions. Stay up to date to catch the newest emerging threats!

Friday, January 6, 2017

Are you abusing Snort.org?

Those in the Snort community who remember the previous version of Snort.org (4.0), before the current 5.0, will recall that we only allowed users to download the ruleset once every fifteen minutes. When we rolled out 5.0, we removed this restriction, allowing people to download as often as they like.

This decision has caused some problems, and people are abusing the system. We have a select few who are attempting to download the ruleset once a second, hundreds of people downloading several times a minute, and even more doing so once a minute.

While we are as eager as you are to get the rulesets into the hands of our users, once a second is far too often, and it costs us in bandwidth and utilization of the site. While we could turn up the dial on resources for Snort.org, we don't feel that the extra expense and bandwidth are necessary to compensate for the few who are abusing the system.

We don't want a few abusers to ruin the experience for everyone, so we have implemented throttling on a case-by-case basis, only for the select oinkcodes and downloaders that we observe abusing the system. There are two stages to this.


  1. Throttling: you can still download, but only at a more reasonable rate; requests beyond that are blocked.
  2. Outright blocking. You'll know if this is you, as you'll get a message that says "your IP has been blocked" in your 404 response. We only have a couple of IPs in this category right now; two of them are responsible for 2.5 million hits a day.

There are three ways you can end up in "Abuse land".


  • Excessive downloading
Attempting to download the ruleset, or to check for an update to it, more than three times in five minutes. Checking the site once every hour is recommended; more than three checks within five minutes is a bit much.

  • Sharing an oinkcode
The license prohibits sharing an oinkcode or using one for unauthorized purposes (a problem we are also planning to address), but occasionally an oinkcode gets posted to a forum or mailing list. People then find the posted oinkcode and use it in their installations. (We had a rash of this about a year ago with one particular oinkcode, and it was so bad that we had over 35M people downloading the ruleset with that one oinkcode every day.) When that happens we have to change the oinkcode and throttle its usage.

  • Attempting to download a ruleset that doesn't exist
We still have people attempting to download the ruleset for Snort 2.2.0 (13 years old at this point?). While we return a 404, maybe if we tell people why they are receiving it, they will update? (Wishful thinking on my part, I think.)

We have created an Abuse FAQ: https://snort.org/faq/abuse-of-snort-org, which will appear in the message you receive when you are throttled.


One of the good things about Snort.org's system is that we only require an email address to create an account (soon we'll also have to collect a zip code for tax purposes; more on that later). While we confirm these email addresses at signup, we add thousands of new users to Snort.org a day, and over time people leave their jobs, their email addresses expire, mailboxes fill up, and so on. So despite our best efforts to contact these abusers, they aren't adjusting their crontabs; we sometimes receive a bounce from the email we send them, or we receive no response at all. We will no longer be contacting people on a case-by-case basis; we're just going to start throttling you.

Please feel free to leave a comment here, or on the Snort-users mailing list if there are any questions.
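As an added example, not part of this post and not an official snort.org client: a small POSIX shell fetcher for a crontab that stays well inside the limits described above. It contacts snort.org at most once an hour no matter how often cron fires it, downloads the tarball only when the published MD5 differs from the last one it saw, and backs off for a day after any error response (a throttle or a "your IP has been blocked" 404) instead of retrying. The URL layout (snortrules-snapshot-<version>.tar.gz with a .tar.gz.md5 beside it, both taking an oinkcode query parameter), the SNORT_VER default, the state directory and the one-day back-off are assumptions made for the example; take the real download paths from snort.org.

```shell
#!/bin/sh
# Added example (not an official snort.org tool): a cron-friendly ruleset
# fetcher that stays inside the limits described in the post. It contacts
# snort.org at most once an hour regardless of how often cron fires it, pulls
# the tarball only when the published MD5 differs from the last one it saw,
# and backs off for a day after any error response rather than retrying.
# Assumptions: the .tar.gz / .tar.gz.md5 URL layout and the SNORT_VER build
# number are illustrative; take the real paths from https://snort.org/.
set -u

SNORT_VER="${SNORT_VER:-2983}"                       # assumption: ruleset for your Snort build
STATE_DIR="${STATE_DIR:-${HOME:-/tmp}/.snortrules}"  # assumption: where state and tarballs live
BASE_URL="https://www.snort.org/rules"               # assumption
MIN_INTERVAL=3600                                    # once an hour, as the post recommends
BACKOFF_INTERVAL=86400                               # assumption: sit out a day after an error

# due LAST NOW INTERVAL: succeed when no previous check is recorded or at
# least INTERVAL seconds have passed since LAST (both epoch seconds).
due() {
    [ -z "${1:-}" ] || [ $(($2 - $1)) -ge "$3" ]
}

# in_backoff UNTIL NOW: succeed while a recorded back-off deadline is in the future.
in_backoff() {
    [ -n "${1:-}" ] && [ "$2" -lt "$1" ]
}

# changed OLD NEW: succeed when the published checksum differs from the one
# we downloaded last (or we have never downloaded).
changed() {
    [ -z "${1:-}" ] || [ "$1" != "$2" ]
}

# extract_md5 FILE: print the first 32-hex-digit token, whatever the file's layout.
extract_md5() {
    grep -oE '[0-9a-f]{32}' "$1" | head -n 1
}

fetch_rules() {
    : "${OINKCODE:?set OINKCODE in the environment}"
    mkdir -p "$STATE_DIR"
    now=$(date +%s)
    if in_backoff "$(cat "$STATE_DIR/backoff_until" 2>/dev/null || true)" "$now"; then
        echo "backing off after an earlier error response; not contacting snort.org" >&2
        return 0
    fi
    if ! due "$(cat "$STATE_DIR/last_check" 2>/dev/null || true)" "$now" "$MIN_INTERVAL"; then
        echo "checked less than ${MIN_INTERVAL}s ago; not contacting snort.org" >&2
        return 0
    fi
    echo "$now" > "$STATE_DIR/last_check"
    tarball="snortrules-snapshot-$SNORT_VER.tar.gz"
    # The checksum is a few bytes; only the tarball is expensive for snort.org.
    status=$(curl -sS -o "$STATE_DIR/new.md5" -w '%{http_code}' \
        "$BASE_URL/$tarball.md5?oinkcode=$OINKCODE") || status=000
    if [ "$status" != 200 ]; then
        # 404 with a "your IP has been blocked" body, 429, 5xx: stop hammering.
        echo $((now + BACKOFF_INTERVAL)) > "$STATE_DIR/backoff_until"
        echo "snort.org answered HTTP $status; backing off for ${BACKOFF_INTERVAL}s" >&2
        return 1
    fi
    rm -f "$STATE_DIR/backoff_until"
    new=$(extract_md5 "$STATE_DIR/new.md5")
    if ! changed "$(cat "$STATE_DIR/current.md5" 2>/dev/null || true)" "$new"; then
        echo "ruleset unchanged ($new); nothing to download" >&2
        return 0
    fi
    curl -sSf -o "$STATE_DIR/$tarball" "$BASE_URL/$tarball?oinkcode=$OINKCODE" || return 1
    # Do not trust what arrived until it matches the published checksum
    # (md5sum is GNU coreutils; on BSD/macOS use: md5 -q FILE).
    if [ "$(md5sum "$STATE_DIR/$tarball" | cut -d' ' -f1)" != "$new" ]; then
        echo "checksum mismatch; discarding download" >&2
        rm -f "$STATE_DIR/$tarball"
        return 1
    fi
    echo "$new" > "$STATE_DIR/current.md5"
    echo "downloaded $tarball ($new)" >&2
}

# Run from cron once an hour, e.g.:
#   17 * * * * OINKCODE=... /usr/local/bin/snortrules.sh fetch
if [ "${1:-}" = fetch ]; then
    fetch_rules
fi
```

The in-script hourly guard is deliberate even though cron already fires hourly: it keeps a copied crontab, a second host sharing the same oinkcode, or a hand-run of the script from turning into the "three times in five minutes" pattern, and the back-off file means a blocked IP stops retrying instead of adding to the 2.5 million hits a day described above.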

Snort Subscriber Rule Set Update for 01/05/2017

Just released:
Snort Subscriber Rule Set Update for 01/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Subscribe now to Talos's newest rule detection functionality for as little as $29 US a year for personal users; business pricing is at https://snort.org/products#rule_subscriptions. Stay up to date to catch the newest emerging threats!

Thursday, January 5, 2017

Snort Subscriber Rule Set Update for 01/05/2017

Just released:
Snort Subscriber Rule Set Update for 01/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules and made modifications to 63 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-flash, file-office, file-other, file-pdf, indicator-obfuscation, protocol-dns, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Subscribe now to Talos's newest rule detection functionality for as little as $29 US a year for personal users; business pricing is at https://snort.org/products#rule_subscriptions. Stay up to date to catch the newest emerging threats!

Wednesday, January 4, 2017

Snort Subscriber Rule Set Update for 01/03/2017

Just released:
Snort Subscriber Rule Set Update for 01/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 5 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-office and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Subscribe now to Talos's newest rule detection functionality for as little as $29 US a year for personal users; business pricing is at https://snort.org/products#rule_subscriptions. Stay up to date to catch the newest emerging threats!