Thursday, January 29, 2015

Snort Subscriber Rule Set Update for 01/29/2015, Glibc (GHOST) Vulnerability

Just released:
Snort Subscriber Rule Set Update for 01/29/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 58 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
33219
33224
33227
33228

Yaser Mansour
33220
33221
33222
33223

Talos's rule release:
Synopsis: The VRT is aware of vulnerabilities affecting products using the GNU C Library (Glibc).

Details:
CVE-2015-0235:
Exim mail server is exposed to a vulnerability in the GNU C Library (Glibc) that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33225 through 33226.

Talos has added and modified multiple rules in the blacklist, deleted, exploit-kit, file-flash, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort++ build 135 is now available!

Snort++ build 135 is now available.  This is the first monthly update of the download on snort.org.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Fixes for issues reported from the community:

  • fix cmake issues (reported by Y M)
  • add missing sanity checks and g++ dependency (reported by Bill Parker)
  • add general fp re-search solution for fp buffers further restricted during rule eval (reported by @rmkml)
  • fixes for large file support on 32-bit Linux systems (reported by Y M)

Partial code sync with Snort 2.9.7:

  • malloc info output with -v at shutdown (if supported)
  • sync Mpse and add SearchTool
  • sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
  • addition of mime decoding stats and updates to mime detection limits
  • added md5, sha256, and sha512 rule options based on Snort 2.X protected_content
  • misc bug fixes and variable renaming

Other updates:

  • fix asciidoc formatting and update default manuals
  • updated source copyrights for 2015 and reformatted license foo for consistency
  • fix default init for new_http_inspect
  • fixed active rule actions (react, reject, rewrite)
  • moved http_inspect profile defaults to snort_defaults.lua
  • add generalized infractions tracking to new_http_inspect
  • updated snort2lua to override default tables (x = { t = v }; x.t.a = 1)
  • added pflog codecs
  • fixed stream_size rule option
  • snort2lua changed to add bindings for default ports if not explicitly configured

Please take a look, download, and test out this release for Snort++ and provide us feedback on the snort-users mailing list.

Http Server Profiles in Snort++

This post describes the changes to the Http Inspect config option "profile".

Snort 2.X allows users to select pre-defined HTTP server profiles using the config option "profile". The user can choose one of five predefined profiles. When defined, this option will set defaults for other config options within Http Inspect.

With Snort++, the user has the flexibility of defining and fine tuning custom profiles along with the five predefined profiles.

Comparison:

Snort 2.X conf:
preprocessor http_inspect_server: server default \
               profile apache ports { 80 3128 } max_headers 200

Snort 3.0 conf:
http_inspect = { profile = http_profile_apache }

http_inspect.profile.max_headers = 200

binder =
{
    {
        when =
        {
            proto = 'tcp',
            ports = '80 3128',
        },
        use = { type = 'http_inspect' },
    },
}
NOTE: The "profile" option now points to a table, "http_profile_apache", which is defined in "snort_defaults.lua" as follows:
http_profile_apache =
{
    profile_type = 'apache',
    server_flow_depth = 300,
    client_flow_depth = 300,
    post_depth = -1,
    chunk_length = 500000,
    ascii = true,
    multi_slash = true,
    directory = true,
    webroot = true,
    utf_8 = true,
    apache_whitespace = true,
    non_strict = true,
    normalize_utf = true,
    normalize_javascript = false,
    max_header_length = 0,
    max_headers = 0,
    max_spaces = 200,
    max_javascript_whitespaces = 200,
    whitespace_chars ='0x9 0xb 0xc 0xd'
}
NOTE: The config option "max_headers" is set to 0 in the profile, but is overridden by "http_inspect.profile.max_headers = 200".
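To make the override semantics concrete, here is an added example (not code from the Snort++ project or from snort_defaults.lua) that runs under a plain Lua interpreter. It reproduces only a subset of the http_profile_apache fields shown above, and derive_profile is a hypothetical helper, not a Snort++ API.

```lua
-- Added example, not from the Snort++ project: plain Lua showing what the
-- Snort 3.0 conf above does and how to build a custom profile safely.
-- Assumption: only a subset of the http_profile_apache fields is reproduced.

-- Subset of the default table from snort_defaults.lua
http_profile_apache =
{
    profile_type = 'apache',
    server_flow_depth = 300,
    client_flow_depth = 300,
    max_header_length = 0,
    max_headers = 0,
    max_spaces = 200,
}

-- The converted conf: profile refers to the default table, then one
-- field is overridden (the x = { t = v }; x.t.a = 1 idiom snort2lua emits).
http_inspect = { profile = http_profile_apache }
http_inspect.profile.max_headers = 200

-- Caveat: Lua tables are references, so the override also changed the
-- default table itself. Anything else that later uses http_profile_apache
-- now sees max_headers = 200 instead of 0.
assert(http_inspect.profile == http_profile_apache)
assert(http_profile_apache.max_headers == 200)

-- Hypothetical helper (not a Snort++ API): shallow-copy a default profile
-- and apply overrides, leaving the default table untouched.
local function derive_profile(base, overrides)
    local p = {}
    for k, v in pairs(base) do p[k] = v end
    for k, v in pairs(overrides or {}) do p[k] = v end
    return p
end

-- Custom profile: start from the apache defaults and tighten two limits.
http_profile_custom = derive_profile(http_profile_apache, {
    max_headers = 100,
    max_header_length = 4096,
})
http_inspect = { profile = http_profile_custom }

assert(http_inspect.profile.max_headers == 100)
assert(http_inspect.profile.profile_type == 'apache')
assert(http_profile_apache.max_headers == 200)  -- default not touched this time

-- Show the effective profile the inspector would read
for k, v in pairs(http_inspect.profile) do
    print(string.format('http_inspect.profile.%s = %s', k, tostring(v)))
end
```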

Conversion:

Snort2lua can convert an existing snort.conf that uses the "profile" option to the Snort 3.0-compatible "profile" form. Please refer to the Snort2Lua post for more details.
Examples:
"profile all" ==> "profile = http_profile_default"
"profile apache" ==> "profile = http_profile_apache"
"profile iis" ==> "profile = http_profile_iis"
"profile iis_40" ==> "profile = http_profile_iis_40"
"profile iis_50" ==> "profile = http_profile_iis_50"

Defining custom profiles:

The complete set of Http Inspect config options that a custom profile can configure can be found by running the following command:
snort --help-config http_inspect | grep http_inspect.profile
The new Http Inspect (new_http_inspect) implementation of config options is still under development.

Tuesday, January 27, 2015

Snort Subscriber Rule Set Update for 01/27/2015

Just released:
Snort Subscriber Rule Set Update for 01/27/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
33207

Avery Tarasov
33212

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, malware-other, os-windows, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.



OpenAppID Detection Webinar

Snort 2.9.7.0, announced at RSA with the OpenAppID preprocessor, rule keywords and new features, has generated an immense amount of interest in the Snort community.

If you are not familiar with OpenAppID, you can check out all of our posts about the subject.

We wanted to hold a NEW Webinar in order for the Open Source Community to attend and get our latest updates. We encourage you all to ask questions and receive first hand feedback from the developers themselves.

To register for this Webinar, on Wednesday, February 4, 2015 at 10:00 AM EDT, please visit the link below and register (this will also add the session to your calendar, e.g. Microsoft Outlook):

https://cisco.webex.com/ciscosales/k2/j.php?MTID=tedbb82b93de7bef444108e2ffacc6658


Topic: OpenAppID Detection Webinar
Host: PRIYANKA RAJ
Date: Wednesday, February 4, 2015
Time: 10:00 am, Eastern Standard Time (New York, GMT-05:00)
Session Number: 202 112 473
Registration password: openappid


-------------------------------------------------------
For assistance
-------------------------------------------------------
You can contact PRIYANKA RAJ at:
priraj@cisco.com


Thank you. We look forward to having you on board with us!

Snort++ Update

Just pushed to github (snortadmin/snort3):

  • sync Mpse to 297, add SearchTool
  • 297 sync for sfghash, sfxhash, tag, u2spewfoo, profiler and target based
  • addition of mime decoding stats and updates to mime detection limits
  • snort2lua changed to add bindings for default ports if not explicitly configured
  • added md5, sha256, and sha512 rule options based on Snort 2.X protected_content

Thursday, January 22, 2015

Snort Subscriber Rule Set Update for 01/22/2015

Just released:
Snort Subscriber Rule Set Update for 01/22/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 32 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash and server-other rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 20, 2015

Snort Subscriber Rule Set Update for 01/20/2015

Just released:
Snort Subscriber Rule Set Update for 01/20/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 57 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Snort++ github Update

Just pushed:

  • fixes for large file support on 32-bit Linux systems (reported by Y M)
  • changed u2 base file name to unified2.log
  • updated doc based on tips/tricks blog
  • fixed active rule actions (react, reject, rewrite)
  • moved http_inspect profile defaults to snort_defaults.lua
  • add generalized infractions tracking to new_http_inspect
  • updated snort2lua to override default tables (x = { t = v }; x.t.a = 1)
  • additional codec refactoring
  • added pflog codecs
  • fixed stream_size rule option

Friday, January 16, 2015

Snort 2.9.5.6 End of Life is approaching

As a reminder, Snort 2.9.5.6 is approaching its End of Life next week (1-21-2014), at which point we will no longer be building and distributing that version of the ruleset.

While the number of people downloading this ruleset is very small, we want to encourage you to upgrade to a currently supported version (2.9.6.2, 2.9.7.0) in order to stay current.

In addition, please review your Oinkmaster and PulledPork configuration to make sure it is downloading the correct version of the ruleset as well.  We have about 30,000 people a day that are requesting invalid versions, and would love to see those people migrate to a current version as well.

Especially those of you that are attempting to download version 2.2 of the ruleset, which we haven't produced in about 12 years.

In order to review our EOL dates and policies, please visit: https://snort.org/eol

Thursday, January 15, 2015

Snort++ Tips and Tricks

One of the goals of Snort++ is to make it easier to configure your sensor.  Here is a summary of tips and tricks you may find useful.

General Use


  • Snort tries hard not to error out too quickly.  It will report multiple semantic errors.
  • Snort always assumes the simplest mode of operation.  E.g., you can omit the -T option to validate the conf if you don't provide a packet source.
  • Warnings are not emitted unless --warn-* is specified.  --warn-all enables all warnings, and --pedantic makes such warnings fatal.
  • You can process multiple sources at one time by using the -z or --max-threads option.
  • To make it easy to find the important data, zero counts are not output at shutdown.

Lua Configuration


  • If you configure the wizard, default bindings will be created based on the configured inspectors.  No need to explicitly bind ports in this case.
  • You can override or add to your Lua conf with the --lua command line option.
  • The Lua conf is a live script that is executed when loaded.  You can add functions, grab environment variables, compute values, etc.
  • You can also rename symbols that you want to disable.  For example, changing normalizer to Xnormalizer will disable the normalizer.  This can be easier than commenting out in some cases.
  • By default, symbols unknown to Snort++ are silently ignored.  You can generate warnings for them with --warn-unknown.  To ignore such symbols, export them in the environment variable SNORT_IGNORE.

Writing and Loading Rules


Snort++ rules allow arbitrary whitespace.  Multi-line rules make it easier to structure your rule for clarity.  There are multiple ways to add comments to your rules:
  • Like Snort, the # character starts a comment to end of line.  In addition, all lines between #begin and #end are comments.
  • The rem option allows you to write a comment that is conveyed with the rule.
  • C style multi-line comments are allowed, which means you can comment out portions of a rule while testing it out by putting the options between /* and */.
There are multiple ways to load rules too:
  • Set ips.rules or ips.include in your conf.
  • Snort2 include statements can be used in rules files.
  • Use -R to load a rules file.
  • Use --stdin-rules with command line redirection.
  • Use --lua to specify one or more rules as a command line argument.

Output Files


To make it simple to configure outputs when you run with multiple packet threads, output files are not explicitly configured.  Instead, you can use the options below to format the paths:
    logdir/[run_prefix][id#][x]name
  • logdir is set with -l and defaults to ./
  • run_prefix is set with --run-prefix else not used
  • id# is the packet thread number that writes the file; with one packet thread, id# (zero) is omitted without --id-zero
  • x is / if you use --id-subdir, else _ if id# is used
  • name is based on module name that writes the file
  • all text mode outputs default to stdout

Snort Subscriber Rule Set Update for 01/15/2015

Just released:
Snort Subscriber Rule Set Update for 01/15/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 47 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, file-flash, file-office, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 13, 2015

Snort Subscriber Rule Set Update for 01/13/2015, MSTues

Just released:
Snort Subscriber Rule Set Update for 01/13/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Red Sky Alliance
33047
33058
33059
33060

Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:
Microsoft Security Bulletin MS15-001:
A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32965 through 32966.

Microsoft Security Bulletin MS15-002:
A coding deficiency exists in Microsoft Telnet Server that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 33050.

Microsoft Security Bulletin MS15-004:
A coding deficiency exists in the Microsoft CTSWebProxy ActiveX control that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33051 through 33052.

Microsoft Security Bulletin MS15-007:
A coding deficiency exists in Microsoft RADIUS services on domain controllers that may lead to a Denial of Service (DoS).

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33048 through 33049.

Microsoft Security Bulletin MS15-008:
A coding deficiency exists in Microsoft WebDAV that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 33053.

Talos has added and modified multiple rules in the blacklist, browser-plugins, file-multimedia and protocol-telnet rule sets to provide coverage for emerging threats from these technologies.



Monday, January 12, 2015

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 229, includes:

  • A total of 2,612 detectors.
  • This was a maintenance release with some minor fixes and improvements.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Thursday, January 8, 2015

Snort Subscriber Rule Set Update for 01/08/2015

Just released:
Snort Subscriber Rule Set Update for 01/08/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 74 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-identify, file-other, malware-cnc, os-mobile, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 6, 2015

Snort Subscriber Rule Set Update for 01/06/2015

Just released:
Snort Subscriber Rule Set Update for 01/06/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 66 new rules and made modifications to 14 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
32956
32957
32958

Talos's rule release:
Synopsis: Talos is aware of a vulnerability affecting products from Microsoft Corporation. 
Details: CVE-2015-0002: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32965 through 32966. 
Talos has also added and modified multiple rules in the blacklist, deleted, file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, malware-tools, os-linux, os-windows, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Snort++ Quick Update

A quick post on the Snort++ update process. As we make fixes or complete new features we are pushing the updates to github. You can grab the latest with:

First time:
    git clone git://github.com/snortadmin/snort3
Updates:
    cd snort3/
    git pull

We are pushing updates at least once a week so keep an eye on the ChangeLog to see what's new.  We will also be posting updated tarballs on snort.org/snort3 every month or so.

Thanks for the feedback. o")~