Friday, October 30, 2015

Snort++ Update

Pushed build 176 to github (snortadmin/snort3):
  • tcp reassembly refactoring
  • profiler rewrite
  • added gzip support to new_http_inspect
  • added regex rule option based on hyperscan

Thursday, October 29, 2015

Snort Subscriber Rule Set Update for 10/29/2015

Just released:
Snort Subscriber Rule Set Update for 10/29/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Are you getting 404 errors attempting to download the community ruleset?

Yesterday, it came to our attention during some routine cleanup and maintenance that there were about 15,000 people attempting to download a Community Rule file directly from an older S3 Bucket. (Which hadn't been updated in over a year.)

The link directly into the S3 bucket was apparently in use by the default pulledpork.conf, and many people had not updated it to the newest link now available on Snort.org.

I have submitted a pull request against the pulledpork.conf to correct that link, and that should be fixed shortly.

However, for those of you that need to change your installation, please find this line in your PulledPork.conf:

https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf#L21

Which looks like this:

rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

and change it to:

rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

This will ensure that you are pulling the correct community rules file.

Sorry for any lack of notice, we figured these were old installations without any updates, and didn't realize that it was actually in the default pulledpork.conf.

Please update to the new rule file and join the hundreds of thousands of users that download that rule file on a daily basis!

As always, if you'd like to contribute to the community ruleset, please send your rules to either the Snort-sigs or directly to Talos.


Tuesday, October 27, 2015

Snort Subscriber Rule Set Update for 10/27/2015

Just released:
Snort Subscriber Rule Set Update for 10/27/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-webkit, exploit-kit, file-flash, file-multimedia, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 23, 2015

Snort++ Update

Pushed build 175 to github (snortadmin/snort3):
  • ported gtp preprocessor and rule options from 2.X
  • ported modbus preprocessor and rule options from 2.X
  • fixed 116:297
  • added unit test build for cmake (already in autotools builds)
  • fixed dynamic builds (187 plugins, 138 dynamic)

Thursday, October 22, 2015

Snort Subscriber Rule Set Update for 10/22/2015

Just released:
Snort Subscriber Rule Set Update for 10/22/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-multimedia, malware-cnc, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 21, 2015

Snort Subscriber Rule Set Update for 10/21/2015

Just released:
Snort Subscriber Rule Set Update for 10/21/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 4 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852,
CVE-2015-7853, CVE-2015-7854, and CVE-2015-7871:
NTP suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities
and have been updated with the appropriate reference information. They are
included in this release and are identified with GID 1, SIDs 35831, and 36250
through 36253.

A new rule to detect attacks targeting these vulnerabilities is also included
in this release and is identified with GID 1, SID 36536.


Talos has also added and modified multiple rules in the blacklist, browser-ie,
browser-plugins and server-other rule sets to provide coverage for emerging
threats from these technologies.ure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 20, 2015

Snort 2.9.7.3 is now End of Life!

In accordance with our End-Of-Life (eol) policy, today's rule release was the last for Snort Version 2.9.7.3.

If you are on that version of Snort (or older) please consider transitioning to the most up to date version of Snort (Currently 2.9.7.6) immediately.

Snort Subscriber Rule Set Update for 10/20/2015

Just released:
Snort Subscriber Rule Set Update for 10/20/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules and made modifications to 36 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 16, 2015

Snort++ Update

Pushed build 174 to github (snortadmin/snort3):

  • legacy daemonization cleanup
  • decouple -D, -M, -q
  • delete -E
  • initial rewrite of profiler
  • don't create pid file unless requested
  • unlink pid lock file
  • new_http_inspect header processing, normalization, and decompression tweaks
  • convert README to markdown for pretty github rendering (contributed by gavares@gmail.com)
  • perfmonitor fixes
  • ssl stats updates


Thursday, October 15, 2015

Snort Subscriber Rule Set Update for 10/15/2015

Just released:
Snort Subscriber Rule Set Update for 10/15/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 14, 2015

Snort 2.9.7.3 EOL is approaching fast!

Just a reminder, the End-Of-Life (EOL) for Snort 2.9.7.3 is approaching fast on 2015-10-20!

If you are one of the 10,000 or so users of Snort 2.9.7.3, please start transitioning your systems to the current release, 2.9.7.6.

As always, please review Snort's EOL policy on Snort.org.  Thanks!

Tuesday, October 13, 2015

Snort Subscriber Rule Set Update for 10/13/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 10/13/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 60 new rules and made modifications to 13 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-106:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities
and have been updated with the appropriate reference information. They are
included in this release and are identified with GID 1, SIDs 34393 through
34394.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36407 through 36414, 36417
through 36422, 36431 through 36432, 36437 through 36444, 36447 through 36448,
36450 through 36451, and 36458 through 36459.

Microsoft Security Bulletin MS15-107:
A coding deficiency exists in Microsoft Edge that may lead to information
disclosure.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 36452.

Microsoft Security Bulletin MS15-108:
A coding deficiency exists in Microsoft JScript and VBScript that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36419 through 36422.

Microsoft Security Bulletin MS15-109:
A coding deficiency exists in Microsoft Windows Shell that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36401 through 36402 and 36423
through 36424.

Microsoft Security Bulletin MS15-110:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36425 through 36430.

Microsoft Security Bulletin MS15-111:
A coding deficiency exists in the Microsoft Windows Kernel that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36403 through 36406, 36415 through
36416, and 36445 through 36446.

Talos has also added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-multimedia, file-office, file-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 9, 2015

Snort++ Update

Pushed build 173 to github (snortadmin/snort3):
  • added pkt_num rule option to extras
  • fix final -> finalize changes for extras
  • moved alert_unixsock and log_null to extras
  • removed duplicate pat_stats source from extras
  • prevent tcp session restart on rebuilt packets (thanks to rmkml for reporting the issue)
  • fixed profiler configuration
  • fixed ppm event logging
  • added filename to reload commands
  • fixed -B switch
  • reverted tcp syn only logic to match 2X
  • ensure ip6 extension decoder state is reset for ip4 too since ip4 packets may have ip6 next proto
  • update default manuals

Thursday, October 8, 2015

Snort Subscriber Rule Set Update for 10/08/2015

Just released:
Snort Subscriber Rule Set Update for 10/08/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 66 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-other, browser-plugins, deleted, exploit-kit, file-flash, malware-cnc, malware-other, os-mobile, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 7, 2015

Snort 2.9.8.0 Release Candidate has been released!

Snort 2.9.8 Release Candidate has been posted for download!  Please check out the below release notes:


2015-08-28 - Snort 2.9.8_rc
[*] New additions
  • Port override for metadata service in IPS rules.
  • SMBv2/SMBv3 support for file inspection.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (18:120) to detect SSH tunneling over HTTP
  • New config option |disable_replace| to disable replace rule option.
  • New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
  • New shell script in tools to create simple Lua detectors for AppID.
[*] Improvements
  • Added support to differentiate between active and passive FTP connections.
  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluating on same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix perfmon tracking of pruned packets.
  • Stability improvements for AppID.
  • Stability improvements for Stream6 preprocessor.
  • Added improved support to block malware in FTP preprocessor.
  • Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue.
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.




As always, please download, check it out, and provide feedback to the community and developers on the Snort-Users or Snort-Devel lists.

Tuesday, October 6, 2015

Snort Subscriber Rule Set Update for 10/06/2015

Just released:
Snort Subscriber Rule Set Update for 10/06/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 52 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 2, 2015

Snort++ Build 172 Available Now

Snort++ build 172 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes:

  • apply ppm.fastpath config correctly
  • fix file_decomp error logic
  • enable active response without flow
  • fix metadata:service to work like 2x
  • fixed issues when building with LINUX_SMP
  • fixed frag tracker accounting
  • fix Xcode builds
  • don't apply cooked verdicts to raw packets
  • fixed build error with valgrind build option
  • fix breakloop in file daq
  • fix plain file processing
  • fix detection of stream_user and stream_file data
  • fix chunked manual install
  • fix OpenBSD build
  • fix dev guide builds from top_srcdir
  • fixed build of chunked manual (thanks to Bill Parker for reporting the issue)
  • fixed cmake build issue with SMP stats enabled
  • fixed compiler warnings
  • fixed u2spewfoo build issue
  • dns bug fix for tcp

Doc Updates:

  • update manual related to liblzma
  • update bug list
  • update where to get dnet
  • update usage

Build Changes:

  • move extra daqs and extra hext logger to main source tree
  • move non-ethernet codecs to extras
  • removed unused control socket defines from cmake
  • cleanup *FLAGS use in configure.ac
  • change configure.ac compiler search order to prefer clang over gcc

Test Changes:
  • convert check unit tests to catch
  • added --catch-tags [footag],[bartag] for unit test selection
  • add cpputest for unit testing
Other Changes:
  • implement 116:281 decoder rule
  • updated snort2lua
  • log innermost proto for type of broken packets
  • new_http_inspect cookie processing updates
  • updated error messages in u2spewfoo
  • added strdup sanity checks (thanks to Bill Parker for reporting the issue)
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 10/01/2015

Just released:
Snort Subscriber Rule Set Update for 10/01/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 31 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour

36064
36065
36066
36198
36199

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!