Tuesday, July 22, 2014

Snort Subscriber Rule Set EOL dates have been updated!

As always when a new version of Snort comes out, I update the EOL date versions found here:

https://www.snort.org/eol

So, take a look there and see if you are affected, and if so, be sure to stay current and update Snort!  https://www.snort.org/downloads

Snort Subscriber Rule Set Update for 07/22/2014

Just released:
Snort Subscriber Rule Set Update for 07/22/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 46 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
31452
31453
31454
31456
31457
31458
31463
31464
31465
31466
31467
31468
31472

Nathan Fowler & Nick Mavis
31455

In VRT's rule release:
The VRT has added and modified multiple rules in the blacklist, browser-ie, exploit, exploit-kit, file-flash, file-office, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Monday, July 21, 2014

Snort Rule Downloaders, we don't support "edge" anymore.

On the previous Snort.org, we had a mechanism that allowed for the download of the latest ruleset, called "edge".  A very low percentage of people used it.

In fact, about 0.03% of people used it, so this mechanism has been retired.

Those of you who used the snortrules-snapshot-edge.tar.gz download method need to change the word "edge" to the four-digit number for the version of Snort you are using.  2962 is the most current version.

So, for example, snortrules-snapshot-2962.tar.gz.  We recommend using PulledPork to manage and download rule sets, as it will auto-detect the version of Snort you are using.

We apologize for any inconvenience this may cause.  We'll monitor the situation and, if necessary, will email you individually about the use of "edge" being discontinued.

Please check your pulledpork.conf or oinkmaster.conf and see if you are downloading "edge".
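The check described above, as an added example that is not part of the original post or of PulledPork: it derives the four-digit snapshot number from a Snort version string (or from a `snort -V` banner), flags any non-comment `rule_url` line in a pulledpork.conf that still names the retired "edge" tarball, and rewrites it. The banner text and the configuration lines are constructed samples, and the `<oinkcode>` token is a placeholder.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample resembling the first lines of `snort -V` output (not real output).
SAMPLE_SNORT_V = """\
   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.6.2 GRE (Build 77)
"""

# Constructed pulledpork.conf fragment that still points at the retired "edge"
# snapshot. <oinkcode> is a placeholder, not a real oinkcode.
SAMPLE_PULLEDPORK_CONF = """\
# rule_url=<url>|<tarball>|<oinkcode>
# rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-edge.tar.gz|disabled-line
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot-edge.tar.gz|<oinkcode>
rule_url=https://www.snort.org/downloads/community/|community-rules.tar.gz|Community
"""

EDGE_TARBALL = "snortrules-snapshot-edge.tar.gz"


def snort_version_to_snapshot(version: str) -> str:
    """Turn a Snort version such as '2.9.6.2' into the four-digit snapshot
    number used in rule tarball names ('2962')."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Snort version format: {version!r}")
    return "".join(parts)


def version_from_banner(banner: str) -> Optional[str]:
    """Extract the dotted version from a `snort -V` style banner, or None."""
    m = re.search(r"\bVersion\s+(\d+\.\d+\.\d+\.\d+)", banner)
    return m.group(1) if m else None


def find_edge_references(conf_text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every active line that still downloads
    the 'edge' snapshot. Commented-out lines are ignored."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        if EDGE_TARBALL in line:
            hits.append((n, line))
    return hits


def rewrite_edge(conf_text: str, version: str) -> str:
    """Replace the 'edge' tarball name with the versioned one for `version`."""
    snapshot = snort_version_to_snapshot(version)
    return conf_text.replace(EDGE_TARBALL, f"snortrules-snapshot-{snapshot}.tar.gz")


if __name__ == "__main__":
    ver = version_from_banner(SAMPLE_SNORT_V)
    for n, line in find_edge_references(SAMPLE_PULLEDPORK_CONF):
        print(f"line {n} still uses edge: {line}")
    print(rewrite_edge(SAMPLE_PULLEDPORK_CONF, ver))
```

Running this against a real pulledpork.conf means reading the file into `conf_text` and feeding the output of `snort -V` to `version_from_banner`; the rewrite only touches the tarball name, so the rest of each `rule_url` line (URL and oinkcode) is left as it was.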

Friday, July 18, 2014

Upgrading Snort to 2.9.6.2, the ruleset.

In the past, when a new version of Snort was released, Registered Rule Users had to wait for 30 days before they could upgrade to the newest version of Snort in order to receive the rule feed.

No longer.

As I mentioned in a previous post on the subject, we now are pushing updates to the Registered and Subscriber rulesets at the same time.  If you navigate to the Snort.org downloads page, you'll notice that you can immediately download the Registered ruleset for Snort version 2.9.6.2.

This means that people can now stay current with their version of Snort, no more waiting to upgrade and no more delays in getting the latest features!

Thursday, July 17, 2014

Snort Subscriber Rule Set Update for 07/17/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 18 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour:
31444
31445
31446
31447
31448
31449
31450

Avery Tarasov:
31442

In VRT's rule release:
The VRT has added and modified multiple rules in the bad-traffic, blacklist, browser-firefox, browser-ie, file-office, file-pdf, malware-cnc, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.
Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, July 16, 2014

Snort 2.9.6.2 is now available!

Snort 2.9.6.2 is now available on Snort.org at https://www.snort.org/downloads!

Snort 2.9.6.2 includes changes for the following:

[*] New additions
* Added the ability to specify additional custom 'x-forwarded-for' http field names.
A new http inspection configuration element is used to specify a set of
field names and their respective precedence order.

* Added cache flow timeout for IP.

[*] Improvements
* Fixed handling of ICMPv6 traffic.

* Fixed inline stream reassembly during file processing.

* Addressed race condition issue with Perfmon stats file rollover.

See the Release Notes and ChangeLog for more details!

Please submit bugs, questions, and feedback to bugs@snort.org

Happy Snorting!
The Snort Release Team

Tuesday, July 15, 2014

Snort Subscriber Rule Set Update for 07/15/2014

Just released:
Snort Subscriber Rule Set Update for 07/15/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 14 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-office, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

OpenAppId Detector Developer Guide has been posted!

If you take a look at the new dedicated section to OpenAppId on Snort.org, at https://www.snort.org/downloads, you will see that we include a new OpenAppId Detector Developer Guide.

This document details the fields necessary to author your own OpenAppId content and put it to use in Snort 2.9.7.0's beta release, also on the downloads page.

We encourage you to download the guide, Snort 2.9.7.0, and the OpenAppId detector content, set it up, take a look, test it out and give us feedback on the OpenAppId mailing list.

We're excited to see what you all are making, and the feedback about OpenAppId has been great.

Monday, July 14, 2014

Snort Subscriber Rule Set Update

In the post about the new website, I had a section about our new rule packaging structure.  Let me expand on it a bit so that everyone understands.

The Rule Set is broken down like this:

  • Community
    • GPLv2
    • Built from your submissions, tested and approved, by us.
    • Published daily
    • Always free.
  • Registered
    • Snort Subscriber Rule Set License (No re-use without fee, and no distribution without fee)
    • 30-day delay on new content
    • Updated content (outside the 30 day window) is updated every release
    • Published at least twice a week, Tuesdays and Thursdays.  
    • Free, with license agreement on Snort.org
    • Contains the Community Ruleset
  • Subscriber
    • Snort Subscriber Rule Set License (No re-use without fee, and no distribution without fee)
    • Released at the same time as content for the Cisco NGIPS (Sourcefire NGIPS) is released to customers.
    • Three different license levels
      • Personal
        • 29.99 a year/sensor
      • Business
        • 399.99 a year/sensor
      • Integrator
        • Integrate the Snort Subscriber Rule Set into your platform.
        • Your logo on our site as an authorized reseller
        • Our logo on your site and offerings
    • Published at least twice a week, Tuesdays and Thursdays
    • Contains the Community Ruleset
If you are familiar with the way our rule set was structured, you'll see some beneficial changes:
  • Our price for business Subscribers is now 399.99 a year/sensor.  This will make calculations easier.
  • Registered users now get updated content. If the rule was authored outside of the 30-day "new content" window, all users now receive updates to that content.  
  • In addition, we have renamed the rule set to "Snort Subscriber Rule Set".  Still developed by the same great team here at Cisco.
This should make things much simpler for everyone, and we hope you enjoy the content.

Introducing the new look of the Snort.org blog!

When we were redesigning Snort.org, we noticed the blog didn't match the design and colors we had established for the site.

So we decided to refresh the look of the Snort blog as well.  We hope you enjoy the new look and feel.  Thanks so much for supporting Snort!


Thursday, July 10, 2014

Snort Subscriber Rule Set Update for 07/10/2014

Just released:
Snort Subscriber Rule Set Update for 07/10/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 18 new rules and made modifications to 26 additional rules.

There were no changes made to the snort.conf in this release.


In VRT's rule release:
Synopsis: This release adds and modifies rules in several categories. 
Details: The Sourcefire VRT has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-office, malware-backdoor, malware-cnc, os-windows, policy-other, pua-adware, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

OpenAppID Training Videos: Integration with Splunk



In this video we describe how you can integrate the OpenAppID application statistics with Splunk's visualization tools.

Subscribe to the Snort OpenAppId Mailing list to participate in the discussion!

https://www.snort.org/community

Wednesday, July 9, 2014

The New Snort.org is here!

When the Cisco acquisition was announced, we created a list of things we wanted to accomplish right away, and right at the top of that list was a complete refresh of the outward facing platforms. The old snort.org was written in 2005. Except for moving to AWS several years ago, it had seen no major update in those 9 years.

We wanted to design a snort.org that provided a next-level user and purchase experience as well as the ability to roll out new product offerings in the future and have one hub for all of it.

We’ve tried to make the user experience as optimal as possible, so I thought I’d run down a few housekeeping notes:

  • Layout
    • Much cleaner!  You’ll notice as you navigate around the site, a very simple layout.  We’ve moved most of the content from the old site over, so you should be able to find just about everything.  
    • All documentation for the rules is now available via the search field at the top left of every page.  Type in what you are looking for, hit enter.  No special syntax is needed for the GID and SID anymore, even though it’s still supported.
    • Almost everything on the site is accessible by two clicks.  There are some exceptions of course, but we tried to keep it as simple as possible.
  • User Management
    • We've eliminated the concept of a separate username apart from your email address. All usernames are now simply your email address.  If you do not know the email address assigned to your account, or if all you have is your oinkcode, you may contact us at snort-site@cisco.com and we'll help you out.
    • Passwords have been moved over from the old system intact. You can reset them at anytime.
    • Oinkcodes can now be reset.  If you accidentally post your Oinkcode on the mailing list or in a bug report, you can go in and click a button to regenerate it.
  • Purchasing Process
    • The whole process has been vastly simplified.
      • No longer do you have to move between pages to make a purchase, or receive a generic error.  You enter your credit card on the site, and it is stored as a token.  The actual credit card number is stored with our credit card vendor.  At no time does your credit card ever touch snort.org.
      • The two tier pricing structure has been eliminated. No longer is there the "$499 for 1-5 sensors".  Our pricing structure is now $399 for a business license across the board.
      • Your card will be automatically charged annually for your purchase unless you cancel; this is new.  We've had this in the license for some time, but the old website didn't have the capability.  You will receive two reminders of the expiration of your subscription: 30 days before expiration, and 7 days before.

New Features:

  • Rules
    • The “Snort Subscriber Rule Set” has had three components for years: Community, Registered, and Subscriber.  However, we’ve changed the way that the “Registered Rules” offering works.
    • Registered Rules
      • Up until now, the Registered Rule Set was 30 days behind.  This included new and updated content.  No longer!
      • Now, only new content isn’t included.  This means that if we make an update to an older rule, Registered Rule Subscribers get the new updates right away.  After 30 days the "new" content will be made available to Registered users as well.

  • PulledPork URLs
    • The URL structure for the rules is simpler.  We will still support the present/older format for about a year.  We can’t support the format forever, we still have people trying to download version 2.2 of the Snort ruleset once an hour, even though the ruleset hasn’t existed in almost 10 years!
  • All new “Get Started” Section
    • Choose your platform, Copy and paste the commands, done.




We are very enthusiastic about the new site and its future roadmap.  If you have suggestions, feedback, ideas or even compliments, please send them our way at snort-site@cisco.com and we'll take a look!

NOTE:  DNS will take a bit to update, so not everyone will see the site at the same time.  Be patient for us!

Tuesday, July 8, 2014

Snort Subscriber Rule Set Update for 07/08/2014

Just released:
Snort Subscriber Rule Set Update for 07/08/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 6 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis: The VRT is aware of vulnerabilities affecting products from Adobe Systems. 
Details: Adobe Security Bulletin APSB14-17: A coding deficiency exists in Adobe Flash Player that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 31392 through 31397.


Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 07/08/2014, MSTues

Just released:
Snort Subscriber Rule Set Update for 07/08/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 19 new rules and made modifications to 21 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
Synopsis:
The Sourcefire VRT is aware of vulnerabilities affecting products from
Microsoft Corporation.

Details:
Microsoft Security Bulletin MS14-037:
Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 31380 through 31391.

The Sourcefire VRT has also added and modified multiple rules in the
browser-ie, exploit-kit, file-multimedia, file-office, malware-tools
and server-webapp rule sets to provide coverage for emerging threats
from these technologies.

Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

OpenAppID Training Videos: How to create a custom detector



In this video we describe the process by which we created a detector for VMware's vSphere Console.

It demonstrates the use of the client_registerPattern and matchSimplePattern APIs, which are used to compare the raw packets of a specific TCP session.

Subscribe to the Snort OpenAppId Mailing list to participate in the discussion!

https://www.snort.org/community

Wednesday, July 2, 2014

Snort OpenAppID Detector Beta available!

We've released a new version of the OpenAppId content, and we wanted to share a few points about what we've added:

* Increased the coverage of our application detectors by an additional 800 detectors, which brings our total coverage to 2,207 detectors. Some of those detectors include application based subclassifications such as "LinkedIn Upload", expanded coverage of protocol based detectors, different messaging platforms like Kik Messenger, and new torrent clients like uTorrent.

The full list of detectors can be viewed in the appMapping.data file.

* Improvements to application detection based on SSL traffic.

* Along with Snort 2.9.7.0 beta we have included the Open Source Detectors Developer Guide document, for anyone who would like to write their own OpenAppID detectors.

You can download Snort 2.9.7.0 beta and the OpenAppId content at https://www.snort.org/downloads in the Development section.

Tuesday, July 1, 2014

Snort 2.9.7 Beta is now available!

Snort 2.9.7 Beta is now available on snort.org at
https://www.snort.org/downloads in the Development section.

A new DAQ build is also available that updates support for a few operating
systems.

Snort 2.9.7 includes a major new feature for Application Identification,
our OpenAppID capability.

[*] New additions
* Application Identification Preprocessor which, when used in conjunction with
   OpenAppID detector content, identifies application protocol, client, server,
   and web applications (including those using SSL) and includes the info in
   Snort alert data. In addition, a new rule option keyword 'appid' can be used
   to constrain Snort rules based on one or more applications that are
   identified for the connection.
   See README.appid for details.

* A new protected_content rule option that is used to match against content
   that is hashed.  It can be used to obscure the full content of the rule from
   the administrator.
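To show the mechanism behind hashed content matching, here is an added Python illustration that is not Snort's implementation and does not claim Snort's rule syntax: the rule author hashes the cleartext pattern once and publishes only the digest plus its length; the detector hashes the same-sized window of the payload at a given offset and compares digests in constant time. The payload and the pattern are constructed samples.

```python
import hashlib
import hmac
from typing import Tuple

# Constructed payload (sample data, not captured traffic). The string the rule
# wants to match, "/cgi-bin/admin.cgi", starts at byte offset 4.
SAMPLE_PAYLOAD = (
    b"GET /cgi-bin/admin.cgi?cmd=status HTTP/1.1\r\n"
    b"Host: example.test\r\n\r\n"
)


def make_protected_content(plain: bytes, algo: str = "sha256") -> Tuple[str, int]:
    """Rule-authoring side: return (digest_hex, length) for a cleartext pattern.
    Only these two values need to be shipped in the rule; the cleartext is not."""
    return hashlib.new(algo, plain).hexdigest(), len(plain)


def protected_content_match(payload: bytes, expected_hex: str, length: int,
                            offset: int = 0, algo: str = "sha256") -> bool:
    """Detection side: hash exactly `length` bytes of `payload` starting at
    `offset` and compare with the stored digest. Because a digest gives no
    partial information, the window must line up exactly: there is no
    substring search, so offset and length are part of the rule."""
    if offset < 0 or length <= 0 or offset + length > len(payload):
        return False  # window falls outside the payload, cannot match
    window = payload[offset:offset + length]
    digest = hashlib.new(algo, window).hexdigest()
    # constant-time comparison avoids leaking how many digest bytes matched
    return hmac.compare_digest(digest, expected_hex.lower())


if __name__ == "__main__":
    digest, length = make_protected_content(b"/cgi-bin/admin.cgi")
    print("digest:", digest, "length:", length)
    print("match at offset 4:", protected_content_match(SAMPLE_PAYLOAD, digest, length, offset=4))
    print("match at offset 5:", protected_content_match(SAMPLE_PAYLOAD, digest, length, offset=5))
```

The failing call at offset 5 is the point to take away: unlike a plain content match, a hashed match cannot search for the pattern anywhere in the buffer, so such rules are only as good as the offset (or preceding anchor) they are written with, and a single byte of slack in the window defeats them.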

* Protocol Aware Flushing (PAF) improvements for SMTP, POP, and IMAP to
   more accurately process different portions of email messages and file
   attachments.

* Added ability to test normalization behavior without modifying network traffic.
   When configured using na_policy_mode:inline-test, statistics will be gathered
   on packet normalizations that would have occurred, allowing less disruptive
   testing of inline deployments.

* The HTTP Inspection preprocessor now has the ability to decompress
   DEFLATE and LZMA compressed flash content and DEFLATE compressed PDF
   content from http responses when configured with the new decompress_swf
   and decompress_pdf options. This enhancement can be used with existing rule
   options that already match against decompressed equivalents.

* Added improved XFF support to HttpInspect. It is now possible to specify custom
   HTTP headers to use in place of 'X-Forwarded-For'. In situations where traffic may
   contain multiple XFF-like headers, it is possible to specify which headers hold
   precedence.
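The custom XFF field names with a precedence order, described both in the 2.9.6.2 notes above and in this 2.9.7 item, are easier to reason about with a small worked example. The Python below is an added illustration, not HttpInspect's code and not its configuration syntax: it picks the original client address from whichever configured XFF-like header ranks highest, takes the left-most entry of a comma-separated value, validates it as an IP address, and only trusts any of those headers when the request arrived from a proxy on a trusted list. The header set, the precedence list and the addresses are constructed samples.

```python
import ipaddress
from typing import Iterable, List, Optional, Sequence, Tuple

# Constructed request headers as a proxy chain might deliver them (sample data).
# Three XFF-like headers are present and they do not all agree, which is why
# the operator has to say which header wins.
SAMPLE_HEADERS = [
    ("Host", "www.example.test"),
    ("X-Forwarded-For", "203.0.113.10, 198.51.100.7"),
    ("True-Client-IP", "192.0.2.44"),
    ("X-Real-IP", "not-an-ip"),
]

# Assumed operator configuration: header names in order of precedence.
DEFAULT_PRECEDENCE = ["True-Client-IP", "X-Forwarded-For", "X-Real-IP"]


def _first_valid_address(value: str) -> Optional[str]:
    """Left-most entry of a comma-separated list, if it parses as an IP."""
    first = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def original_client_ip(headers: Sequence[Tuple[str, str]], peer_ip: str,
                       trusted_proxies: Iterable[str],
                       precedence: List[str] = DEFAULT_PRECEDENCE) -> Tuple[Optional[str], str]:
    """Return (header_used, client_ip).

    XFF-like headers are client-supplied text; they are only believed when the
    TCP peer is a proxy we operate. Otherwise the peer address is the client.
    Among trusted headers, the first name in `precedence` that carries a valid
    address wins; duplicates of one header keep the first occurrence."""
    if peer_ip not in set(trusted_proxies):
        return None, peer_ip
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), value)
    for name in precedence:
        value = by_name.get(name.lower())
        if value is None:
            continue
        addr = _first_valid_address(value)
        if addr is not None:
            return name, addr
    return None, peer_ip


if __name__ == "__main__":
    print(original_client_ip(SAMPLE_HEADERS, "198.51.100.7", {"198.51.100.7"}))
    print(original_client_ip(SAMPLE_HEADERS, "198.51.100.7", {"198.51.100.7"},
                             ["X-Real-IP", "X-Forwarded-For"]))
    print(original_client_ip(SAMPLE_HEADERS, "203.0.113.99", {"198.51.100.7"}))
```

Two behaviours matter for a sensor that attributes alerts to the XFF address: an unparsable value in a higher-precedence header falls through to the next header rather than producing a bogus address, and a request that did not come through a trusted proxy is attributed to the peer, since anyone can put an address of their choosing into these headers.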

* Added control socket command to dump packets.

* The Stream5 preprocessor functionality is now split between the new Session and
   Stream preprocessors.  This makes for easier tracking of sessions independent of
   TCP stream reassembly.

[*] Improvements
* Update active response to allow for responses of 1500+ bytes that span
   multiple TCP packets.

* Check limits of multiple configurations to not exceed a maximum ID of 4095.

* Updated the error output of byte_test, byte_jump, byte_extract to
   include details on offending options for a given rule.

* Update build and install scripts to install preprocessor and engine libraries
   into user specified libdir.

* Improved performance of IP Reputation preprocessor.

* The control socket will now report success when reloading empty IP Reputation
   whitelists/blacklists.

* All TCP normalizations can now be enabled individually. See README.normalize for
   details on using the new options. For consistency with other options, the "urp"
   tcp normalization keyword now enables the normalization instead of disabling it.

* Lowered memory demand of Unicode -> ASCII mapping in HttpInspect.

* Updated profiler output to remove duplicate results when using multiple configurations.

* Improved performance of FTP reassembly.

* Improved compatibility with Mac OSX 10.9 (Mavericks), OpenBSD, FreeBSD, and DragonFlyBSD.



Snort Subscriber Rule Set Update for 07/01/2014

Just released:
Snort Subscriber Rule Set Update for 07/01/2014


We welcome the introduction of the newest rule release from the VRT. In this release we introduced 5 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
31315


In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit, file-flash, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Personal users can subscribe to the VRT's newest rule detection functionality for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!