Thursday, April 30, 2015

Snort Subscriber Rule Set Update for 04/30/2015

Just released:
Snort Subscriber Rule Set Update for 04/30/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

James Lay
34287
34291
34292


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-image, file-other, malware-cnc, pua-adware, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Snort++ Build 150 Available

Snort++ build 150 is now available on snort.org.  This is the latest monthly update of the downloads.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

New features:

  • pop and imap inspectors ported
  • added publish-subscribe handling of data events
  • added data_log plugin example for pub-sub
  • added build of snort_manual.text if w3m is installed (all in one file)
  • added default_snort_manual.text w/o w3m

Bug fixes and enhancements:

  • fix http_inspect mpse search
  • fixed urg rule option
  • change daq.var to daq.vars to support multiple params; reported by Sancho Panza
  • ensure unknown sources are analyzed
  • fixed default validation issue reported by Sancho Panza
  • fixed xcode static analysis issues
  • change PT_DATA to IT_PASSIVE; supports named instances, reload, and consumers

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Wednesday, April 29, 2015

Snort++ Inspection Events

One of the goals of Snort++ is to provide a more flexible framework for packet processing by implementing an event-driven approach.  Another is to produce data only when needed, to minimize expensive normalizations.  To help explain these concepts, let's start by examining how Snort processes packets.  The key steps are given in the following figure:

Snort 2X Packet Processing
The preprocess step is highly configurable.  Arbitrary preprocessors can be loaded dynamically at startup, configured in snort.conf, and then executed at runtime.  Basically, the preprocessors are put into a list which is iterated for each packet.  Recent versions have tweaked the list handling some, but the same basic architecture has allowed Snort to grow from a sniffer, with no preprocessing, to a full-fledged IPS, with lots of preprocessing.

While this "list of plugins" approach has considerable flexibility, it hampers future development where the flow of data from one preprocessor to the next depends on traffic conditions, a common situation with advanced features like application identification.  In this case, a preprocessor like HTTP may be extracting and normalizing data that ultimately is not used, or app ID may be repeatedly checking for data that is just not available.

Callbacks help break out of the preprocess straitjacket.  This is where one preprocessor supplies another with a function to call when certain data is available.  Snort has started to take this approach to pass some HTTP and SIP preprocessor data to app ID.  However, it remains a peripheral feature and still requires the production of data that may not be consumed.

The basic processing steps Snort++ takes are similar to Snort's as seen in the following diagram.  The preprocess step employs specific inspector types instead of a generalized list, but the basic procedure includes stateless packet decoding, TCP stream reassembly, and service specific analysis in both cases.  (Snort++ provides hooks for arbitrary inspectors, but they are not central to basic flow processing and are not shown.)

Snort 3X Packet Processing

However, Snort++ also provides a more flexible mechanism than callback functions.  By using inspection events, it is possible for an inspector to supply data that other inspectors can process.  This is known as the observer pattern or publish-subscribe pattern.

Note that the normalized data is not actually published.  Instead, access to the data is published, and that means that subscribers can access the raw or normalized version(s) as needed.  Normalizations are done only on the first access, and subsequent accesses get the previously normalized data.  This results in just in time (JIT) processing.

A basic example of this in action is provided by the extra data_log plugin.  It is a passive inspector, i.e., it does nothing until it receives the data it subscribed to ('other' in the above diagram).  By adding the following to your snort.lua configuration, you will get a simple URI logger:

data_log = { key = 'http_raw_uri' }
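To make the publish-subscribe and just-in-time ideas concrete, here is an added, self-contained C++ sketch (it is not Snort++ code and uses none of its classes or names). A hypothetical UriEvent publishes access to a raw URI buffer; the normalized form is computed by a hypothetical normalize_uri() only when a subscriber first asks for it and is cached for every later subscriber.  A raw-only logger, standing in for data_log with key 'http_raw_uri', never triggers normalization; a detector that matches on the normalized buffer does, and a second normalized consumer reuses the cached result.  The URIs, the bus, the buffer key "http_uri" and the "/etc/passwd" pattern are all constructed for the illustration.

```cpp
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical URI normalizer (not Snort++'s): single-pass percent-decoding,
// then dot-segment removal and collapsing of repeated '/' on the path part.
// The query string (from '?') is percent-decoded but otherwise left alone;
// a trailing '/' is dropped.
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

std::string normalize_uri(const std::string& in) {
    std::string dec;
    for (size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()) {
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi >= 0 && lo >= 0) { dec.push_back(char(hi * 16 + lo)); i += 2; continue; }
        }
        dec.push_back(in[i]);   // malformed or absent escape: keep as-is
    }
    size_t q = dec.find('?');
    std::string path = dec.substr(0, q);
    std::string query = (q == std::string::npos) ? "" : dec.substr(q);
    std::vector<std::string> segs;
    std::string cur;
    auto flush = [&]() {
        if (cur == "..") { if (!segs.empty()) segs.pop_back(); }
        else if (!cur.empty() && cur != ".") segs.push_back(cur);
        cur.clear();
    };
    for (char c : path) { if (c == '/') flush(); else cur.push_back(c); }
    flush();
    std::string out;
    for (const auto& s : segs) out += "/" + s;
    return (out.empty() ? "/" : out) + query;
}

// Event published by the (hypothetical) HTTP inspector.  It carries the raw
// buffer and *access* to the normalized one: normalized() does the work on
// the first call and hands back the cached copy on every later call.
class UriEvent {
public:
    explicit UriEvent(std::string raw) : raw_(std::move(raw)) {}
    const std::string& raw() const { return raw_; }
    const std::string& normalized() {
        if (!have_norm_) { norm_ = normalize_uri(raw_); have_norm_ = true; ++norm_calls_; }
        return norm_;
    }
    unsigned normalizations() const { return norm_calls_; }  // times normalize_uri() ran
private:
    std::string raw_, norm_;
    bool have_norm_ = false;
    unsigned norm_calls_ = 0;
};

// Minimal publish-subscribe bus keyed by buffer name (assumed design, not Snort++'s API).
class DataBus {
public:
    using Handler = std::function<void(UriEvent&)>;
    void subscribe(const std::string& key, Handler h) { subs_[key].push_back(std::move(h)); }
    void publish(const std::string& key, UriEvent& ev) {
        auto it = subs_.find(key);
        if (it == subs_.end()) return;          // nobody listening: no work done
        for (auto& h : it->second) h(ev);
    }
private:
    std::map<std::string, std::vector<Handler>> subs_;
};

struct Stats {
    size_t events = 0;           // URI events published
    size_t raw_hits = 0;         // pattern matches against the raw buffer
    size_t norm_hits = 0;        // pattern matches against the normalized buffer
    unsigned normalizations = 0; // total normalize_uri() calls across all events
};

// Constructed sample traffic: a benign URI, an evasion attempt that hides
// "/etc/passwd" behind %2e%2e and %73, and a URI with redundant path segments.
std::vector<std::string> sample_uris() {
    return { "/index.html", "/cgi-bin/%2e%2e/etc/pas%73wd", "/a//b/./c?x=1" };
}

// Runs the bus over the URIs.  The raw logger is always subscribed (the role
// data_log plays with key 'http_raw_uri'); the two normalized consumers are
// subscribed only when want_normalized is true, so the JIT cost is observable.
Stats process_uris(const std::vector<std::string>& uris, bool want_normalized) {
    const std::string pattern = "/etc/passwd";
    Stats st;
    DataBus bus;
    bus.subscribe("http_uri", [&](UriEvent& ev) {       // raw-only logger
        std::printf("raw-log: %s\n", ev.raw().c_str());
        if (ev.raw().find(pattern) != std::string::npos) ++st.raw_hits;
    });
    if (want_normalized) {
        bus.subscribe("http_uri", [&](UriEvent& ev) {   // detector on normalized buffer
            if (ev.normalized().find(pattern) != std::string::npos) ++st.norm_hits;
        });
        bus.subscribe("http_uri", [&](UriEvent& ev) {   // second consumer reuses the cache
            std::printf("norm-log: %s\n", ev.normalized().c_str());
        });
    }
    for (const auto& u : uris) {
        UriEvent ev(u);
        bus.publish("http_uri", ev);
        ++st.events;
        st.normalizations += ev.normalizations();
    }
    return st;
}

int main() {
    Stats a = process_uris(sample_uris(), false);
    Stats b = process_uris(sample_uris(), true);
    std::printf("raw-only: %u normalizations; with detector: %u normalizations, %zu hits\n",
                a.normalizations, b.normalizations, b.norm_hits);
    return 0;
}
```

With only the raw logger subscribed, no URI is ever normalized; with the detector subscribed, each URI is normalized exactly once even though two subscribers read the normalized form, and the encoded traversal attempt is caught on the normalized buffer while the raw buffer never contains the literal "/etc/passwd".  That is the practical reason to write content matches against the normalized buffer and to keep raw-buffer matches for cases where the encoding itself is the indicator.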

Inspection events coupled with pluggable inspectors provide a very flexible framework for implementing new features.  And JIT buffer stuffers allow Snort++ to work smarter, not harder.  These capabilities will be leveraged more and more as Snort++ development continues.  Look for weekly updates on github (snortadmin/snort3) and monthly updates on snort.org.

Tuesday, April 28, 2015

Snort Subscriber Rule Set Update for 04/28/2015

Just released:
Snort Subscriber Rule Set Update for 04/28/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 94 new rules and made modifications to 44 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
34236
34237

Avery Tarasov
34136

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-multimedia, file-other, indicator-obfuscation, indicator-shellcode, malware-cnc, protocol-ftp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Snort++ Update

Just pushed build 148 to github (snortadmin/snort3):
  • fixed default validation issue reported by Sancho Panza
  • refactored snort and snort_config modules
  • file id refactoring and cleanup
  • added publish-subscribe handling of data events
  • added data_log plugin example for pub-sub

Thursday, April 23, 2015

Snort Subscriber Rule Set Update for 04/23/2015

Just released:
Snort Subscriber Rule Set Update for 04/23/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 5 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-other, exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Snort++ Update

Just pushed build 147 to github (snortadmin/snort3):

  • change data plugins (PT_DATA) to passive inspector plugins (IT_PASSIVE); supports named instances, reloads, and consumers



Tuesday, April 21, 2015

Snort Subscriber Rule Set Update for 04/21/2015

Just released:
Snort Subscriber Rule Set Update for 04/21/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 44 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
34137
34144
34145
34146

Talos's rule release:
Talos is aware of a vulnerability affecting products from Microsoft Corporation
and Adobe.

Details:
Microsoft Security Advisory:
A publicly exploited vulnerability exists in Adobe Flash Player affecting
Microsoft Windows versions prior to Windows 8.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34178 through 34179.

Talos has added and modified multiple rules in the browser-ie, browser-other,
file-flash, file-pdf, malware-cnc, os-other, os-windows, pua-adware and
server-other rule sets to provide coverage for emerging threats from these
technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Thursday, April 16, 2015

Snort Subscriber Rule Set Update for 04/16/2015

Just released:
Snort Subscriber Rule Set Update for 04/16/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-plugins, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, indicator-obfuscation, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Snort++ Update

Just pushed build 146 to github (snortadmin/snort3):

  • added build of snort_manual.text if w3m is installed
  • added default_snort_manual.text w/o w3m
  • add Flow pointer to StreamSplitter::finish()

Wednesday, April 15, 2015

Talos has their own LinkedIn page now!

Just a quick note to let those of you interested in Talos and the goings on here, we now have a LinkedIn page available.

We're going to keep this packed with content from our outlets, blogs, and of course, our open Job postings.

Please feel free to head on over, join, and participate!

Tuesday, April 14, 2015

Snort Subscriber Rule Set Update for 04/14/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 04/14/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 45 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-032:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 32442 through 32443, 34059 through
34060, 34064 through 34065, 34068 through 34071, 34074 through 34077, 34084
through 34085, and 34089 through 34090.

Microsoft Security Bulletin MS15-033:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34062 through 34063, 34066 through
34067, 34086 through 34087, and 34093 through 34094.

Microsoft Security Bulletin MS15-034:
A coding deficiency exists in Microsoft HTTP.sys that may lead to remote code
execution.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 34061.

Microsoft Security Bulletin MS15-035:
A coding deficiency exists in a Microsoft graphics component that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34082 through 34083.

Microsoft Security Bulletin MS15-036:
A coding deficiency exists in Microsoft SharePoint Server that may lead to
an escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 7070 and 21782.

A new rule to detect attacks targeting this vulnerability is also included in
this release and is identified with GID 1, SID 34099.

Microsoft Security Bulletin MS15-037:
A coding deficiency exists in Microsoft Windows Task Scheduler that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34091 through 34092.

Microsoft Security Bulletin MS15-038:
A coding deficiency exists in Microsoft Windows that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34078 through 34081 and 34095
through 34096.

Microsoft Security Bulletin MS15-039:
A coding deficiency exists in Microsoft XML Core Services that may allow a
security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34097 through 34098.

Microsoft Security Bulletin MS15-041:
A coding deficiency exists in Microsoft .NET Framework that may lead to
information disclosure.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 34088.


Talos has also added and modified multiple rules in the browser-ie, deleted,
exploit-kit, file-executable, file-office, file-other, indicator-obfuscation,
os-windows, policy-other and server-other rule sets to provide coverage for
emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Friday, April 10, 2015

Snort++ Update

Just pushed build 145 to github (snortadmin/snort3):

  • abort PAF in current direction only
  • added StreamSplitter::finish()
  • allow relative flush point of zero
  • added Inspector::clear()
  • new http refactoring and cleanup
  • new http changes - events from splitter
  • fix dns assertion; remove unused variables

Thursday, April 9, 2015

Snort Subscriber Rule Set Update for 04/09/2015

Just released:
Snort Subscriber Rule Set Update for 04/09/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, malware-cnc, os-windows, protocol-dns, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Tuesday, April 7, 2015

Snort Subscriber Rule Set Update for 04/07/2015

Just released:
Snort Subscriber Rule Set Update for 04/07/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 23 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-flash, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!

Thursday, April 2, 2015

Snort Subscriber Rule Set Update for 04/02/2015

Just released:
Snort Subscriber Rule Set Update for 04/02/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 40 new rules and made modifications to 19 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-flash, indicator-shellcode, malware-cnc, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as little as $29 US a year; business pricing is available as well at https://www.snort.org/products. Stay up to date to catch emerging threats!