Monday, October 31, 2016

Snort++ Build 217 Available Now on Snort.org!

Snort++ build 217 is now available on snort.org. This is the latest monthly update available for download. You can also get the latest updates from github (snortadmin/snort3), which is updated weekly.

DAQ Changes:

  • updated DAQ - you *must* use DAQ 2.2.1
  • build: remove lingering libDAQ #ifdefs
  • expected: push expected flow information through the DAQ module
  • add libDAQ version to snort -V output

Enhancements:

  • add inspector events from http_inspect to appid
  • add build configuration for thread sanitizer
  • added module trace facility
  • add support for http file upload processing and process decode/detection depths
  • add rev to rule latency logs
  • port dce_udp fragments
  • port block malware over ftp for clients/servers that support REST command
  • port dce_udp packet processing
  • port sip changes to avoid using NAT ip when calculating callid
  • port dce_udp autodetect and session creation
  • update appid to 2983

Bug Fixes:

  • fix appid error messages
  • fix flow reinitialization after expiration
  • fix release of blocked flow
  • fix 129:16 false positive
  • fix various unit test leaks
  • fix -Wmaybe-uninitialized issues
  • fix related to appid name with space and SSL position
  • fix various appid patterns and counts
  • fix fast pattern selection
  • fix file hash pruning issue
  • fix rate_filter action config and apply_to clean up
  • fix static analysis issues
  • fix analyzer/pig race condition
  • fix explicit obfuscation disable not working
  • fix ftp_data: Gracefully handle cleared flow data
  • fix LuaJIT rule option memory leak of plugin name
  • fix various appid issues - initial port is nearing completion
  • fix http_inspect event 119:66
  • fix ac_full initialization performance
  • fix stream_tcp left overlap on hpux, solaris
  • fix/remove 129:5 ("bad segment") events
  • file_mempool: fix initializing total pool size
  • fix bpf includes
  • fix builds for OpenSolaris

Other Changes:

  • build: clean up some ICC warnings
  • change search_engine.debug_print_fast_pattern to show_fast_patterns
  • overhaul appid for multiple threads, memory leaks, and coding style
  • expected: expected cache revamp and related bugfixes
  • ftp_data: add expected data consumption to set service name and fix bugs
  • defaults: update FTP default config based on Snort2's hardcoded one
  • rename default_snort_manual.* to snort_manual.*
  • build docs only by explicit target (make html|pdf|text)
  • update default manuals to build 213
  • tolerate more spaces in ip lists
  • change default latency actions to none
  • deleted non-functional extra decoder for i4l_rawip

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Sunday, October 30, 2016

Snort++ Update

Pushed (last Friday) build 217 to github (snortadmin/snort3):

  • update appid to 2983
  • add inspector events from http_inspect to appid
  • fix appid error messages
  • fix flow reinitialization after expiration
  • fix release of blocked flow
  • fix 129:16 false positive
Friday, October 28, 2016

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 272, includes:
  • A total of 2,813 detectors.
  • Additional detectors contributed by the open source community. For details on which contributions were included, see the AUTHORS file in this package.

Available now for download from our downloads page. We look forward to you downloading and using the new features of 2.9.8.4's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Snort Subscriber Rule Set Update for 10/27/2016

Just released:
Snort Subscriber Rule Set Update for 10/27/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
40549
40550
40551
40559


Talos's rule release:
Talos has added and modified multiple rules in the file-pdf, indicator-compromise, malware-cnc, os-linux, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, October 26, 2016

Integrating Snort 2.9.8.x with AlienVault's OSSIM

Another thanks goes out to Bill Parker, the author of many excellent Snort guides.

The "Integrating Snort 2.9.8.x with AlienVault's OSSIM" installation guide can be found on our documentation page. For those of you who are interested in OSSIM but unsure of how to get started, or how to integrate Snort into the offering, please go take a look.

As always, we thank Bill for his documentation contributions, and welcome all documentation contributions for the Snort.org page!

Crontabs, and how to fix them

In previous blog entries you've heard me talk about the need to stagger your crontabs to lighten the load on Snort.org at certain times of the day.

We've taken the liberty of creating a section on the oinkcode page about how to configure your crontab.

If you log into Snort.org, click on your user account email address (found at the top right of the page).

Navigate to "Oinkcode" on the left hand side:

Follow the link to:

You will see instructions for how to use your oinkcode, however, we've added a new section under:

This will give you some default syntax for your crontab entry, along with a randomized time for pulledpork to execute (it changes every time you refresh the page, so you can place a different time on each of your sensors if you so choose).

Please replace your crontab entry with one of our randomized times from the website; that should lower the load on our download servers.
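The staggering described above, as an added shell example that is not from the Snort.org page or the pulledpork project: instead of a time that changes on every page refresh, it derives a stable, per-sensor slot from the hostname (via the POSIX `cksum` CRC), so each sensor gets a different minute and hour without anyone having to visit the site. The pulledpork path and `-c` config option in the default command are assumptions.

```shell
#!/bin/sh
# Added example (not from the Snort.org page): build a per-sensor, stable,
# pseudo-random crontab line for pulledpork so that many sensors do not all
# pull from snort.org at the same minute. Seed = sensor hostname.

# Map a seed string onto a minute 0-59 using the POSIX cksum CRC, so the same
# sensor always gets the same slot while different sensors spread out.
stagger_minute() {
    printf '%s' "$1" | cksum | awk '{ print $1 % 60 }'
}

# Same idea for the hour 0-23; a suffix is mixed in so the hour is not derived
# from the identical CRC that produced the minute.
stagger_hour() {
    printf '%s-hour' "$1" | cksum | awk '{ print $1 % 24 }'
}

# Emit a daily crontab line "M H * * * <command>" for the given seed.
# The default command path and the -c config option are assumed, not from the page.
pulledpork_cron_line() {
    seed=$1
    cmd=${2:-'/usr/local/bin/pulledpork.pl -c /etc/snort/pulledpork.conf'}
    printf '%s %s * * * %s\n' \
        "$(stagger_minute "$seed")" "$(stagger_hour "$seed")" "$cmd"
}

# Sanity check before installing the line: the two schedule fields must be
# integers inside the cron minute and hour ranges.
valid_cron_line() {
    m=$(printf '%s' "$1" | awk '{ print $1 }')
    h=$(printf '%s' "$1" | awk '{ print $2 }')
    [ "$m" -ge 0 ] && [ "$m" -le 59 ] && [ "$h" -ge 0 ] && [ "$h" -le 23 ]
}

# Usage: print the line for this host (falls back to a constructed name).
pulledpork_cron_line "$(hostname 2>/dev/null || echo sensor-01)"
```

Pipe the output into `crontab -` (or paste it into the sensor's crontab) to replace the fixed-time entry.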

Thanks!

Snort Subscriber Rule Set Update for 10/25/2016, Release 2

Just released:
Snort Subscriber Rule Set Update for 10/25/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-flash rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 10/25/2016

Just released:
Snort Subscriber Rule Set Update for 10/25/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
40541


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-image, malware-cnc, os-linux, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, October 21, 2016

Snort++ Update

Pushed build 216 to github (snortadmin/snort3):

  • add build configuration for thread sanitizer
  • port dce_udp fragments
  • build: clean up some ICC warnings
  • fix various unit test leaks
  • fix -Wmaybe-uninitialized issues
  • fix related to appid name with space and SSL position

Thursday, October 20, 2016

Snort Subscriber Rule Set Update for 10/20/2016

Just released:
Snort Subscriber Rule Set Update for 10/20/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 50 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-flash, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, October 18, 2016

Snort Subscriber Rule Set Update for 10/18/2016

Just released:
Snort Subscriber Rule Set Update for 10/18/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
40011
40234
40235


Talos's rule release:
Talos has added and modified multiple rules in the file-executable, file-office, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, October 14, 2016

Snort Subscriber Rule Set Update for 10/13/2016

Just released:
Snort Subscriber Rule Set Update for 10/13/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-other, file-flash, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 215 to github (snortadmin/snort3):

  • added module trace facility
  • port block malware over ftp for clients/servers that support REST command
  • port dce_udp packet processing
  • change search_engine.debug_print_fast_pattern to show_fast_patterns
  • overhaul appid for multiple threads, memory leaks, and coding style
  • fix various appid patterns and counts
  • fix fast pattern selection
  • fix file hash pruning issue
  • fix rate_filter action config and apply_to clean up

Wednesday, October 12, 2016

Snort Subscriber Rule Set Update for 10/11/2016, Release Two

Just released:
Snort Subscriber Rule Set Update for 10/11/2016, Release two


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 10/11/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 10/11/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 86 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Microsoft Security Bulletin MS16-118: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40364 through 40365, 40372 through 40375, 40378 through 40379, 40385 through 40386, 40396 through 40397, and 40420 through 40421.

Microsoft Security Bulletin MS16-119: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40366 through 40367, 40370 through 40371, 40383 through 40384, 40404 through 40405, 40420 through 40421, and 40423 through 40424.

Microsoft Security Bulletin MS16-120: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 39824 through 39825.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 40408 through 40411 and 40425 through 40428.

Microsoft Security Bulletin MS16-121: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40368 through 40369.

Microsoft Security Bulletin MS16-123: A coding deficiency exists in a Microsoft Kernel mode driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40376 through 40377, 40380 through 40381, 40392 through 40393, and 40418 through 40419.

Microsoft Security Bulletin MS16-124: A coding deficiency exists in a Microsoft Windows Registry that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40394 through 40395, 40400 through 40403, and 40412 through 40413.

Microsoft Security Bulletin MS16-125: A coding deficiency exists in a Microsoft Diagnostic Hub that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40398 through 40399.

Microsoft Security Bulletin MS16-126: Microsoft Internet Explorer suffers from programming errors that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40364 through 40365.

Talos also has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, deleted, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-dns, protocol-ftp, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Saturday, October 8, 2016

Snort++ Update

Pushed build 214 to github (snortadmin/snort3):

  • updated DAQ - you must use DAQ 2.2.1
  • add libDAQ version to snort -V output
  • add support for http file upload processing and process decode/detection depths
  • port sip changes to avoid using NAT ip when calculating callid
  • port dce_udp autodetect and session creation
  • fix static analysis issues
  • fix analyzer/pig race condition
  • fix explicit obfuscation disable not working
  • fix ftp_data: Gracefully handle cleared flow data
  • fix LuaJIT rule option memory leak of plugin name
  • fix various appid issues - initial port is nearing completion
  • fix http_inspect event 119:66
  • fix ac_full initialization performance
  • fix stream_tcp left overlap on hpux, solaris
  • fix/remove 129:5 ("bad segment") events
  • file_mempool: fix initializing total pool size
  • fix bpf includes
  • fix builds for OpenSolaris
  • expected: push expected flow information through the DAQ module
  • expected: expected cache revamp and related bugfixes
  • ftp_data: add expected data consumption to set service name and fix bugs
  • build: remove lingering libDAQ #ifdefs
  • defaults: update FTP default config based on Snort2's hardcoded one
  • rename default_snort_manual.* to snort_manual.*
  • build docs only by explicit target (make html|pdf|text)
  • update default manuals to build 213
  • tolerate more spaces in ip lists
  • add rev to rule latency logs
  • change default latency actions to none
  • deleted non-functional extra decoder for i4l_rawip

Friday, October 7, 2016

Snort Community Ruleset Winner for September 2016

The September winner of our monthly signature contest for the community ruleset is rmkml! 

For more information on how to get involved, and how you can win your Snort prizes, please take a look at our blog post.


Good luck to all of those submitting rules in the upcoming months. We'll soon be revamping our signature contest (prizes included) so be sure to check back with our blog for updates! We look forward to a great November and beyond!

Thursday, October 6, 2016

Snort Subscriber Rule Set Update for 10/06/2016

Just released:
Snort Subscriber Rule Set Update for 10/06/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 10 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
40251
40252


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, October 4, 2016

Snort Subscriber Rule Set Update for 10/04/2016

Just released:
Snort Subscriber Rule Set Update for 10/04/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, malware-cnc, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year as a personal user; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!