Monday, August 31, 2015

Snort++ Build 167 Available Now

Snort++ build 167 is now available on snort.org.  This is the latest monthly update of the downloads.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

New Features

  • support multiple script-path args and single files
  • flow depth support for new_http_inspect

Bug Fixes

  • fix xcode warnings
  • fix link error with g++ 4.8.3
  • piglet bug fixes
  • fix parameter range for those depending on loaded plugins; thanks to Siti Farhana Binti Lokman <sitifarhana.lokman@postgrad.manchester.ac.uk> for reporting the issue
  • fixed port_scan packet selection
  • fixed rpc_decode sequence number handling and buffer setup
  • perf_monitor fixes for file output
  • fix ac_sparse_bands search method
  • fix unit test return value
  • fix documentation errors in user manual
  • fix unit test build on osx
  • DAQ packet header conditional compilation for piglet
  • cleanup debug macros

Other Changes

  • add usage examples with live interfaces; thanks to Aman Mangal <mangalaman93@gmail.com> for reporting the problem
  • TCP session refactoring and create libtcp
  • doc and build tweaks for piglets
  • expanded piglet interfaces and other enhancements
  • add catch.hpp include from https://github.com/philsquared/Catch
  • run catch unit tests after check unit tests
  • add range and default to command line args
  • add make targets for dev_guide.html and snort_online.html

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Friday, August 28, 2015

Snort Subscriber Rule Set Update for 08/27/2015

Just released:
Snort Subscriber Rule Set Update for 08/27/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 47 new rules and made modifications to 36 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-identify, file-image, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other and sql rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, August 25, 2015

Snort Subscriber Rule Set Update for 08/25/2015

Just released:
Snort Subscriber Rule Set Update for 08/25/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 48 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour: SIDs 35745, 35746, 35749, 35750

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-image, file-multimedia, file-office, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, os-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 251, includes:
  • A total of 2,633 detectors.
  • This was a maintenance release with some minor fixes and improvements.
  • It also includes additional detectors contributed by the open source community. For details on which contributions were included, see the AUTHORS file in this package.

Available now for download from our downloads page. We look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, August 21, 2015

Snort++ Update

Pushed build 166 to github (snortadmin/snort3):
  • fix link error with g++ 4.8.3
  • support multiple script-path args and single files
  • piglet bug fixes
  • add usage examples with live interfaces (thanks to Aman Mangal <mangalaman93@gmail.com> for reporting the issue)
  • fixed port_scan packet selection
  • fixed rpc_decode sequence number handling and buffer setup
  • perf_monitor fixes for file output

Tuesday, August 18, 2015

Snort Subscriber Rule Set Update for 08/18/2015, 2.9.7.2 EOL

Just released:
Snort Subscriber Rule Set Update for 08/18/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules and made modifications to 17 additional rules.

Talos's rule release:
Microsoft Internet Explorer Vulnerability CVE-2015-2502: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution. 
Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 35536 through 35537. 
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

2015 Snort Scholarship Winners!


Columbia, MD – August 18, 2015 – Snort® today announced that it has selected JT Blodgett and Richard McCaslin as the recipients of the 2015 Snort Scholarship. The scholarships, each worth $5,000, are awarded to university students around the world that use Snort to further their education and gain hands-on experience in network security.

To qualify, applicants must be enrolled in a university that uses Snort to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Snort selected JT and Richard from a pool of tens of thousands of applicants, the largest applicant pool in the history of the award:

JT Blodgett is pursuing a Bachelor of Science in Electrical Engineering and studying Cyber Security in the ACES program at the University of Maryland, College Park.

Richard McCaslin is pursuing a Master of Science in IT - Information Assurance Concentration, at the University of Texas in San Antonio.

To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. 

Sourcefire, now a part of Cisco, developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program seven years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. 

Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 400,000 registered users and over 5 million downloads to date.

Congratulations to our winners!

Monday, August 17, 2015

Snort 2.9.7.2 is now EOL!

Several weeks ago, I reminded everyone that Snort 2.9.7.2 was approaching its end of life, and after I posted that, we saw tens of thousands of you move to an updated version, so thank you. However, we still have several thousand on that version, and guess what?

Today is the day to move.

For more information on our EOL policy, please visit Snort.org's EOL page where all the current versions and expiration dates are listed.

The current version of Snort is 2.9.7.5, and is available from our downloads page on Snort.org.

Thanks for your support of Snort!

Snort 2.9.8 Beta has been released!

Join us as we welcome the newest Snort beta, 2.9.8!  Check out the following release notes:

Snort 2.9.8 Beta

[*] New additions

  • AppID is no longer experimental.
  • SMBv2/SMBv3 support for file inspection. 
  • Port override for metadata service in IPS rules.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (18:120) to detect SSH tunneling over HTTP.
  • New config option |disable_replace| to disable the replace rule option.
  • New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
  • New shell script in tools to create simple Lua detectors for AppID.

[*] Improvements

  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluating on the same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix perfmon tracking of pruned packets.
  • Improved support for expected sessions.

Snort 2.9.8 beta is available from the Snort.org Downloads page under "Development Releases".

Feedback on Snort 2.9.8.0 Beta can be provided on the Snort-Devel mailing list!

Thank you for supporting Snort.

Friday, August 14, 2015

Snort Subscriber Rule Set License 3.1

Some of you may have noticed that, upon sign in on Snort.org, you are being asked to re-agree to the Snort Subscriber Rule Set license. To make sure everyone is aware, I wanted to put out a blog post about the reset, highlight the changes being made to the Subscriber and Registered Rule Sets, and be as open as I can in answering any questions you may have.

Snort Subscriber Rule Set License 3.1

There are three changes to the ruleset. The first is here:
"1.5. “Limited Ruleset” means those Rules that have been expressly designated by Cisco Talos as “Limited Ruleset”, and are tagged or otherwise identified as “ruleset limited” in the ruleset."
The second is in paragraph 2.1:
"Notwithstanding the foregoing, under no circumstances may You distribute the Limited Ruleset, or any portion thereof, to a Registered User or to any third party or otherwise make the Limited Ruleset available to any third party or allow a third party to use the Limited Ruleset."
The third is in paragraph 2.2:
"Notwithstanding the foregoing, as a Registered User, You have no right or license under this Agreement to use, transfer, Modify, distribute, copy or reproduce the Limited Ruleset, or any portion thereof."
Let me break this down in plain English.

In upcoming weeks we will begin distributing detection and prevention for a completely new set of exploits and vulnerabilities. The detection and prevention for these vulnerabilities (almost exclusively "zero day" type vulnerabilities) will be built and shipped in our Shared Object rule format in a protected fashion, and will be made available only to subscribers to the rule set and to Cisco FirePOWER customers.

To date, all content that has ever been in the subscriber ruleset has been made available for free to the registered rule set after 30 days. That practice will continue, except for rules tagged "ruleset limited" in their metadata. Rules tagged that way will only be made available to subscribers, and we currently have no plans to make them available to registered users. We currently have no plans to expand the "limited" ruleset beyond this new set of exploits and vulnerabilities.

The VAST majority of our detection will remain exactly the way it has been for years: built and distributed to subscribers on the day it is released, then released 30 days later to registered users.

This offering not only provides our customers with detection for a new set of vulnerabilities and exploits, but also adds value to the Subscriber Rule Set, since to date the only difference has essentially been the release date.

A few questions you may have:

What do I have to do, if I am subscriber, to take advantage of this new detection coming?

Nothing.  It will be built into your ruleset.  If you are using pulledpork, or a custom method, to download, install, and use our Shared Object rules, then you are already good to go.

What do I have to do, if I am a registered user, and I don't want this new content?

Nothing.  You will continue to receive 30 day delayed content from the Snort Subscriber Rule Set, for free, without this new "limited" ruleset.

What do I have to do, if I am a registered user, and I do want this new content?

Subscribe. As a reminder, the personal subscription is for home/educational use only; business subscribers have a flat rate of 399 per sensor. The easiest way to subscribe is via credit card, directly on Snort.org, which renews annually so you don't miss coverage.

What do I have to do, if I am a Snort Integrator, and I want to distribute this new content?

Nothing. It is already built into your integrator offering; you may re-distribute this content to your clients pursuant to the Integrator license you agreed to on Snort.org, or signed, when you became an Integrator. As long as you are in good standing with us, you receive the content as part of your package.

What do I need to do, if I want to become a Snort Integrator, and redistribute the ruleset?

Start here first. For those of you that are not Integrators, want to be, or used to be: we have eliminated the "minimum fee" we used to charge all Integrators, and your fee is now based solely on royalty usage.

Will I be able to read the content of the rules?

Unfortunately no, we must distribute this detection in our protected Shared Object format.  (Not all Shared Object rule content is protected.)

This new content is offered to all personal, business, and Integrator subscribers of the Snort Subscriber Rule Set at no additional fee. We also have no plans to increase the price of the ruleset, and have fought hard to keep the price the same.

Questions?

You can email us directly at snort-license@cisco.com.

Snort++ Update

Pushed build 165 to github (snortadmin/snort3):

  • flow depth support for new_http_inspect
  • TCP session refactoring and create libtcp
  • fix ac_sparse_bands search method
  • doc and build tweaks for piglets
  • expanded piglet interfaces and other enhancements
  • fix unit test return value
  • add catch.hpp include from https://github.com/philsquared/Catch
  • run catch unit tests after check unit tests
  • fix documentation errors in user manual


Thursday, August 13, 2015

Snort Subscriber Rule Set Update for 08/13/2015, Apple Quicktime Vulnerabilities

Just released:
Snort Subscriber Rule Set Update for 08/13/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 9 new rules and made modifications to 27 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Apple QuickTime Vulnerabilities CVE-2015-3788 through CVE-2015-3792: Apple QuickTime for Windows suffers from programming errors that may lead to remote code execution. 
A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 12746. 
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 35560 through 35568. 
Talos has also added and modified multiple rules in the browser-ie, browser-other, file-flash, file-image, file-multimedia, file-office, netbios, os-windows, protocol-icmp and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, August 12, 2015

Snort Subscriber Rule Set Update for 08/12/2015

Just released:
Snort Subscriber Rule Set Update for 08/12/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour: SID 35549


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, malware-cnc, os-mobile, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, August 11, 2015

Snort Subscriber Rule Set Update for 08/11/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 08/11/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 58 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-079: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35473 through 35482, 35487 through 35488, 35493 through 35494, and 35507 through 35508.

Microsoft Security Bulletin MS15-080: A coding deficiency exists in a Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35483 through 35486, 35489 through 35492, 35495 through 35498, 35513 through 35520, 35523 through 35526, and 35529 through 35530.

Microsoft Security Bulletin MS15-081: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35501 through 35506, 35509 through 35512, 35521 through 35522, and 35527 through 35528.

Microsoft Security Bulletin MS15-090: A coding deficiency exists in Microsoft Windows that may lead to escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 35139 through 35140.

Microsoft Security Bulletin MS15-091: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35499 through 35500.

Talos has also added and modified multiple rules in the browser-ie, file-office, file-other and policy-other rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, August 7, 2015

Snort++ Update

Pushed build 164 to github (snortadmin/snort3):

  • add range and default to command line args
  • fix unit test build on osx
  • DAQ packet header conditional compilation for piglet
  • add make targets for dev_guide.html and snort_online.html
  • cleanup debug macros
  • fix parameter range for those depending on loaded plugins (thanks to Siti Farhana Binti Lokman <sitifarhana.lokman@postgrad.manchester.ac.uk> for reporting the issue)

Thursday, August 6, 2015

Snort Subscriber Rule Set Update for 08/06/2015

Just released:
Snort Subscriber Rule Set Update for 08/06/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, file-flash, file-identify, file-java, file-office, indicator-scan, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, August 4, 2015

Snort Subscriber Rule Set Update for 08/04/2015

Just released:
Snort Subscriber Rule Set Update for 08/04/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour: SIDs 35386, 35387, 35388, 35389, 35390, 35391, 35392, 35393, 35394

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-office, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Monday, August 3, 2015

OpenAppID in the IoE world

With the introduction of OpenAppID in 2014, we have received a lot of valuable feedback on what improvements and capabilities would be great to have in our product. Since then, we have increased our capabilities, and our coverage has grown from 1,000 OpenAppID detectors to 2,600 and counting.

Having an open, application-focused detection language and processing module for Snort has attracted the attention of the Internet of Everything (IoE) world. There are countless devices out there using the internet on their own, varying from a remote IP-based camera to an industrial sensor, which may include some security features of their own.

With the combination of OpenAppID and Snort we are giving the open source community the capability to create their own application-based protocols and classifications, which can be used to provide a better threat-centric solution in this field as well.

Using this scripting-based language, someone can quickly test and understand the different protocols that IoE devices use. It can be used to provide further analytics on a specific device's behavior, and to validate some of the protocol's data against the rest of the IoEs. It has been used to build multi-layer applications for identifying different behaviors and actions of specific protocols, and it gives the ability to track an application state across different traffic patterns within the same application flow or even an external one.

In addition to that, operators can use these tools to control the access of specific IoEs based on the networks they are located in. For example, someone can allow a device to operate from "Network Source A" -> "Network Destination B" only when the protocol is DNP3 Read. Any other type of DNP3 operation would not be allowed between that source and destination.

Policies like that add an additional level of security, and combined with the IPS capabilities of Snort, you get the best of both worlds.

For more information, check out OpenAppID and our open source detectors at http://www.snort.org.
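The DNP3 Read policy described above, as an added example that is not OpenAppID or Snort code: it parses the application-layer function code out of a DNP3 link frame and applies a default-deny table keyed on source and destination network. The network ranges, the sample frames and the policy table are constructed here; DNP3 CRC fields are not validated (assumed already checked by the capture layer).

```python
# Added example: DNP3 function-code parsing plus a source/destination network policy.
# Not part of OpenAppID; all networks, frames and rules below are constructed.
import ipaddress
import struct
from typing import NamedTuple, Optional

DNP3_START = b"\x05\x64"
DNP3_FUNCTION_NAMES = {
    0x00: "CONFIRM", 0x01: "READ", 0x02: "WRITE", 0x03: "SELECT",
    0x04: "OPERATE", 0x05: "DIRECT_OPERATE", 0x0D: "COLD_RESTART",
    0x0E: "WARM_RESTART", 0x81: "RESPONSE", 0x82: "UNSOLICITED_RESPONSE",
}


class Dnp3Request(NamedTuple):
    src_addr: int   # link-layer source address
    dst_addr: int   # link-layer destination address
    function: int   # application-layer function code


def parse_dnp3(frame: bytes) -> Optional[Dnp3Request]:
    """Return link addresses and application function code of a DNP3 request frame.

    Layout: start(2) length(1) control(1) dst(2 LE) src(2 LE) crc(2), then the first
    user-data block: transport header(1), application control(1), function code(1).
    Returns None when the bytes are not a primary DNP3 frame carrying an app header.
    CRCs are not checked here (assumption: done upstream)."""
    if len(frame) < 13 or frame[:2] != DNP3_START:
        return None
    length, control, dst, src = struct.unpack_from("<BBHH", frame, 2)
    # PRM bit (0x40) set means a master-initiated frame; the length field counts
    # control + both addresses (5 bytes) + user data, so we need at least 8.
    if not control & 0x40 or length < 5 + 3:
        return None
    transport, _app_control, function = frame[10], frame[11], frame[12]
    # Only the first fragment (FIR bit in the transport header) carries the app header.
    if not transport & 0x40:
        return None
    return Dnp3Request(src_addr=src, dst_addr=dst, function=function)


class Rule(NamedTuple):
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    allowed_functions: frozenset   # DNP3 function codes permitted on this path


# Constructed policy: "Network Source A" -> "Network Destination B", DNP3 Read only.
RULES = [
    Rule(ipaddress.ip_network("10.1.0.0/24"), ipaddress.ip_network("10.2.0.0/24"),
         frozenset({0x01})),
]


def evaluate(rules, src_ip: str, dst_ip: str, frame: bytes) -> str:
    """Return 'ALLOW', 'DENY' or 'NOT_DNP3'. Default deny: a path without a matching
    rule, or a function code outside the rule's allow-list, is denied."""
    req = parse_dnp3(frame)
    if req is None:
        return "NOT_DNP3"
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if s in rule.src_net and d in rule.dst_net:
            return "ALLOW" if req.function in rule.allowed_functions else "DENY"
    return "DENY"


def build_frame(function: int, src: int = 1, dst: int = 10) -> bytes:
    """Construct a minimal DNP3 request frame for testing. The two CRC fields are
    zero placeholders; this example neither computes nor verifies DNP3 CRC-16."""
    user_data = bytes([0xC0, 0xC0, function])   # transport FIR|FIN, app FIR|FIN, func
    header = DNP3_START + struct.pack("<BBHH", 5 + len(user_data), 0xC4, dst, src)
    return header + b"\x00\x00" + user_data + b"\x00\x00"


if __name__ == "__main__":
    for fc in (0x01, 0x02, 0x05):
        verdict = evaluate(RULES, "10.1.0.5", "10.2.0.9", build_frame(fc))
        print(f"A->B {DNP3_FUNCTION_NAMES[fc]}: {verdict}")
```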

Snort 2.9.7.x installation guide for Fedora 22 has been posted!

Thanks so much to Mr. William Parker for his contribution of the Fedora 22 installation guide for Snort 2.9.7.x.

I've posted it under "Snort Setup Guides" on the official Snort Documentation page.

Thanks to Mr. Parker for not only this guide but for all of his contributions on Snort.org!  The community is what makes it work!