Thursday, June 22, 2017

Snort Subscriber Rule Set Update for 06/22/2017

Just released:
Snort Subscriber Rule Set Update for 06/22/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules of which 1 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, browser-webkit, file-flash, file-image, file-multimedia, file-other, indicator-obfuscation, indicator-shellcode, malware-cnc, os-windows, protocol-ftp, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, June 21, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 283, includes
  • A total of 2,836 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Tuesday, June 20, 2017

Snort Subscriber Rule Set Update for 06/20/2017

Just released:
Snort Subscriber Rule Set Update for 06/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules of which 5 are Shared Object rules and made modifications to 22 additional rules of which 10 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-image, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-scada, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, June 15, 2017

Snort Subscriber Rule Set Update for 06/15/2017

Just released:
Snort Subscriber Rule Set Update for 06/15/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules of which 1 are Shared Object rules and made modifications to 6 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-office, file-other, malware-cnc, os-solaris, protocol-rpc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 236 to github (snortadmin/snort3):
  • appid: clean up shutdown stats
  • appid: fix memory leak
  • conf: update defaults
  • decode: updated ipv6 valid next headers
  • detection: avoid superfluous leaf nodes in detection option trees
  • http_inspect: improved handling of badly terminated chunks
  • http_inspect: improved transfer-encoding header processing
  • ips options: add validation for range check types such as dsize
  • perf_monitor: add more tcp and udp peg counts
  • perf_monitor: update cpu tracker output to thread_#.cpu_*
  • port_scan: alert on all scan attempts so blocking is possible
  • port_scan: make fully configurable
  • sip: fix get body buffer for fast patterns
  • ssl: use stop-and-wait splitter (protocol aware splitter is next)
  • stream_ip: fix 123:7

Tuesday, June 13, 2017

Snort Subscriber Rule Set Update for 06/13/2017

Just released:
Snort Subscriber Rule Set Update for 06/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 3 are Shared Object rules and made modifications to 8 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0215:
A coding deficiency exists in Microsoft Device Guard Code Integrity
Policy that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43157 through 43158.

Microsoft Vulnerability CVE-2017-8464:
A coding deficiency exists in Microsoft LNK that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 17042 and 24500.

Microsoft Vulnerability CVE-2017-8465:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8466:
A coding deficiency exists in Microsoft Windows Cursor that may lead to
an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8468:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8496:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43165 through 43166.

Microsoft Vulnerability CVE-2017-8497:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43169 through 43170.

Microsoft Vulnerability CVE-2017-8509:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43159 through 43160.

Microsoft Vulnerability CVE-2017-8510:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43171 through 43172.

Microsoft Vulnerability CVE-2017-8524:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43163 through 43164.

Microsoft Vulnerability CVE-2017-8529:
Microsoft Edge and Microsoft Internet Explorer suffer from programming
errors that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43161 through 43162.

Microsoft Vulnerability CVE-2017-8543:
A coding deficiency exists in Microsoft Windows Search that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43175 through 43176.

Microsoft Vulnerability CVE-2017-8547:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43155 through 43156.

Talos has also added and modified multiple rules in the blacklist,
browser-ie, file-office, file-other, file-pdf, malware-cnc, os-windows,
policy-other, protocol-scada and server-webapp rule sets to provide
coverage for emerging threats from these technologies.



In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

New Snort Mailing Lists are alive!

This evening, if you are a member of the Snort Mailing lists (-users, -sigs, -devel, and/or -openappid) you should have received a welcome message to the new version of the respective list, at its new home on the new server.

You can see the list of Snort lists and of course join (if you are not already a member) here:

https://lists.snort.org/mailman/listinfo

All settings to the lists should be the same, and all users have been (or are being as I type this) migrated from the old lists on Sourceforge, to the new lists.

Effective immediately, I have set the moderation flag on the Sourceforge mailing lists, and all further email to those lists will be rejected with a message to post to the new list.  After an indeterminate period of time, I will decommission the old lists.

I am working with Sourceforge to get a dump of our archives, so we may retain that history on our servers, in the meantime you can find the archives for the mailing lists on Marc.  All emails on the new list will also be archived on Marc.

Hopefully everything went well, and I haven't inconvenienced too many people.  I sincerely apologize if I did.  I had been planning to move off of Sourceforge for years, and hadn't simply because of the history we had built there.  However, with their recent changes in policy, moving the lists at this time made sense.

Any feedback about the move, please contact me at: snort-users@lists.snort.org.

We look forward to seeing everyone on our new server, which is not only on an updated version of the mailman software, but also now without Sourceforge's ads at the bottom of every post!

Thanks for your patience and understanding.

Friday, June 9, 2017

Sourceforge Hosted Snort Mailing Lists

All—

Some recent changes from Sourceforge (where the Snort mailing lists have been hosted since the start of the project, nearly 20 years ago) to their Mailman infrastructure has left us unable to access the member list. Which means we can no longer unsubscribe, subscribe, ban, moderate, clear, or otherwise have any control over the subscribers of the mailing list. Something that as a community manager, prevents me from managing… the community…

The changes outlined here: https://sourceforge.net/blog/sourceforge-project-e-mail-policy-update/ put quite a hinderance on the ability to manage the lists, and therefore, we are looking into options of moving off of Sourceforge.

More news will come soon.

Snort Subscriber Rule Set Update for 06/08/2017

Just released:
Snort Subscriber Rule Set Update for 06/08/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 3 are Shared Object rules and made modifications to 5 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-ie, file-other, indicator-compromise, malware-cnc, policy-other, protocol-scada, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, June 5, 2017

Snort++ Update

Pushed build 235 to github (snortadmin/snort3):
  • http_inspect: improve handling of improper bare \r separator
  • appid: fix bug where TNS detector corrupted the flow data object
  • search_engine: set range for max_queue_events parameter
    thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
  • arp_spoof: reject non-ethernet packets
  • stream_ip: remove dead code and tweak formatting
  • ipproto: remove unreachable code
  • control_mgmt: add support for daq module reload
  • control_mgmt: add support for unix sockets
  • doc: update default manuals
  • doc: update differences section
  • doc: update README

Thursday, June 1, 2017

Snort Subscriber Rule Set Update for 06/01/2017

Just released:
Snort Subscriber Rule Set Update for 06/01/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules of which 1 are Shared Object rules and made modifications to 50 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-multimedia, file-office, file-other, indicator-compromise, os-windows, protocol-dns, protocol-imap, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 30, 2017

Snort Subscriber Rule Set Update for 05/30/2017

Just released:
Snort Subscriber Rule Set Update for 05/30/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 59 new rules of which 3 are Shared Object rules and made modifications to 20 additional rules of which 3 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-image, file-pdf, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, May 25, 2017

Snort Subscriber Rule Set Update for 05/25/2017

Just released:
Snort Subscriber Rule Set Update for 05/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules of which 6 are Shared Object rules and made modifications to 119 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-other, protocol-scada, protocol-snmp, server-apache, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 23, 2017

Snort Subscriber Rule Set Update for 05/23/2017

Just released:
Snort Subscriber Rule Set Update for 05/23/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 15 additional rules of which 3 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 234 to github (snortadmin/snort3):
  • byte_math: port rule option from 2X and add feature documentation
  • pgm: don't calculate checksum if header length is not divisible by 4
  • appid: fix sip event handling, http pattern lists, thread locals
  • build: fix issues with OpenSolaris and FreeBSD builds
  • cmake: fix issues with libpcap and miscellaneous
  • offload: refactor for initial (experimental) version of regex offload to other threads
  • cmg: revamp hex buffer dump format with 16 or 20 bytes per line
  • rules: reject positional parameters containing spaces

Wednesday, May 17, 2017

Snort 2.9.7.6 is *now* EOL!

Even though we announced the EOL of 2.9.7.6 back in March,  we kept 2.9.7.6 around for while to help the people that could not move off of 2.9.7.6 immediately.

However, our download count for 2.9.7.6 is down to "hey, I forgot about this install" levels, so we've removed the build from our package distribution.

In the near future we will have an announcement about adjusting our EOL schedule to better serve the community.  Keep your eyes on this blog!

WannaCry coverage infographic

We created an infographic to illustrate our coverage for the WannaCry Ransomware for another group, and we thought that the Snort community would love to have this as well



For more information on our coverage for WannaCry, check it out here.

Snort Subscriber Rule Set Update for 05/17/2017

Just released:
Snort Subscriber Rule Set Update for 05/17/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules of which 1 are Shared Object rules and made modifications to 72 additional rules of which 9 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-identify, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 16, 2017

Snort Subscriber Rule Set Update for 05/16/2017

Just released:
Snort Subscriber Rule Set Update for 05/16/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 63 new rules of which 0 are Shared Object rules and made modifications to 10 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-image, file-office, file-other, file-pdf, malware-cnc, os-windows, protocol-ftp, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, May 12, 2017

WannaCry Snort coverage

Lots of news out there this evening about a new Ransomware with auto-propogation ability. Please see our Talos blog post here: http://blog.talosintelligence.com/2017/05/wannacry.html

We have Snort coverage available in the form of rules:
42329-42332, 42340, 41978

This coverage is available in our Snort Subscriber Rule Set.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions.

Snort++ Vulnerabilities Found

Thanks go to Bhargava Shastry, who reported several issues to the Snort Team on Github for which two CVEs will be created.  Links to the issues on github are given at the end.  Fixes are on github now, tagged BUILD_233.  The bugs afflict all prior versions so please pull the latest.  Here is a description of the problems:

Ether Type Validation (CVE-2017-6657)

Since valid ether type and IP protocol numbers do not overlap, Snort++ stores all protocol decoders in a singe array.  That makes it possible to craft packets that have IP protocol numbers in the ether type field which will confuse the Snort++ decoder.   For example, an eth:llc:snap:icmp6 packet will cause a crash because there is no ip6 header with which to calculate the icmp6 checksum.  Affected decoders include gre, llc, trans_bridge, ciscometadata, linux_sll, and token_ring.  The fix adds a check in the packet manager to validate the ether type before indexing the decoder array.  An out of range ether type will will raise 116:473.

Buffer Overread (CVE-2017-6658)

Another problem with the decoder array was also discovered.  The size was off by one making it possible read past the end of array with an ether type of 0xFFFF.  Increasing the array size solves this problem.

The links to the github issues are given below.  Thanks again to Bhargava for reporting the issues.

https://github.com/snortadmin/snort3/issues/22
https://github.com/snortadmin/snort3/issues/23
https://github.com/snortadmin/snort3/issues/24
https://github.com/snortadmin/snort3/issues/25
https://github.com/snortadmin/snort3/issues/26
https://github.com/snortadmin/snort3/issues/27


Thursday, May 11, 2017

Snort Subscriber Rule Set Update for 05/11/2017

Just released:
Snort Subscriber Rule Set Update for 05/11/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules of which 0 are Shared Object rules and made modifications to 45 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-office, file-other, file-pdf, indicator-obfuscation, indicator-shellcode, malware-cnc, malware-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 233 to github (snortadmin/snort3):
  • packet manager: ensure ether type proto ids don't masquerade as ip proto ids
    thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue
  • codec manager: fix off-by-1 mapping array size
    thanks to Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de> for reporting the issue
  • codec: fix extraction of ether type from cisco metadata
  • appid: add new unit tests to the cmake build, fix missing lib reference to sfip
  • sfghash: clean up and add unit tests
  • http: fix 119:38 false positive
  • main: fix compiler warnings when SHELL is not enabled
  • perf_monitor: fix flatbuffers handling of empty strings
  • modbus: port fix for false positives on length field
  • http: port simple UTF decoding w/o byte order mark
  • build: updated code to resolve cppcheck warnings
  • cleanup: fix typos in source code string literals and comments
  • doc: fix typos

Tuesday, May 9, 2017

Snort Subscriber Rule Set Update for 05/09/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 05/09/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 73 new rules of which 0 are Shared Object rules and made modifications to 5 additional rules of which 5 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0290:
Microsoft Malware Protection Engine suffers from a programming error
that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42820 through 42821.

Microsoft Vulnerability CVE-2017-0077:
A coding deficiency exists in Microsoft Win32k that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42757 through 42758.

Microsoft Vulnerability CVE-2017-0171:
A coding deficiency exists in Microsoft Windows DNS that may lead to a
Denial of Service (DoS).

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 42785.

Microsoft Vulnerability CVE-2017-0213:
A coding deficiency exists in Microsoft Windows COM that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42773 through 42774.

Microsoft Vulnerability CVE-2017-0214:
A coding deficiency exists in Microsoft Windows COM that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42759 through 42760.

Microsoft Vulnerability CVE-2017-0220:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42751 through 42752.

Microsoft Vulnerability CVE-2017-0221:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42798 through 42799.

Microsoft Vulnerability CVE-2017-0227:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42779 through 42780.

Microsoft Vulnerability CVE-2017-0228:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42811 through 42812.

Microsoft Vulnerability CVE-2017-0234:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42775 through 42776.

Microsoft Vulnerability CVE-2017-0236:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-0238:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42761 through 42762.

Microsoft Vulnerability CVE-2017-0240:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42781 through 42782.

Microsoft Vulnerability CVE-2017-0243:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42755 through 42756.

Microsoft Vulnerability CVE-2017-0245:
A coding deficiency exists in Microsoft Win32k that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42769 through 42770.

Microsoft Vulnerability CVE-2017-0246:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42771 through 42772.

Microsoft Vulnerability CVE-2017-0258:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42783 through 42784.

Microsoft Vulnerability CVE-2017-0259:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42763 through 42764.

Microsoft Vulnerability CVE-2017-0263:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42765 through 42766.

Microsoft Vulnerability CVE-2017-0266:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42753 through 42754.

Talos also has added and modified multiple rules in the browser-ie,
exploit-kit, file-flash, file-image, file-office, file-pdf,
indicator-scan, os-windows, policy-other and server-webapp rule sets to
provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, May 4, 2017

Snort Subscriber Rule Set Update for 05/04/2017

Just released:
Snort Subscriber Rule Set Update for 05/04/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 308 new rules of which 9 are Shared Object rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-ie, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-dns, protocol-scada, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 2, 2017

Snort Subscriber Rule Set Update for 05/02/2017

Just released:
Snort Subscriber Rule Set Update for 05/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 1 are Shared Object rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-executable, file-flash, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, April 28, 2017

Snort++ Update

Pushed build 232 to github (snortadmin/snort3):
  • build: clean up Intel compiler warnings and remarks
  • build: fix FreeBSD compilation issues
  • cmake: fix building with and without flatbuffers present 
  • autoconf: check for lua.hpp as well as luajit.h to ensure C++ support 
  • shell: make commands non-blocking 
  • shell: allow multiple remote connections 
  • snort2lua: fix generated stream_tcp bindings 
  • snort2lua: fix basic error handling with non-conformant 2.X conf 
  • decode: fix 116:402 
  • dnp3:  fix 145:5 
  • appid: numerous fixes and cleanup 
  • http_server: removed (use new http_inspect instead) 
  • byte_jump: add bitmask and from_end (from 2.9.9 Snort) 
  • byte_extract: add bitmask (from 2.9.9 Snort) 
  • flatbuffers: add version to banner if present 
  • loggers: build alert_sf_socket on all platforms

Thursday, April 27, 2017

Snort Subscriber Rule Set Update for 04/27/2017

Just released:
Snort Subscriber Rule Set Update for 04/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 2 are Shared Object rules and cover zero days and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, os-windows, protocol-ftp, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 26, 2017

Snorter -- an automatic Snort, Barnyard2, and PulledPork installation script.

Snorter

We all know that sometimes, the installation of the latest version of Snort, Barnyard2 and PulledPork could be pretty tedious, specially if you have to install lots of Snorts in different machines.

Cloning Hard Disks is the easy way to do it if all the machines in which we are going to install this IDS are the same but, what happens if you are using different machines, and you want to install Snort in all of them? It doesn’t matter if you install a Snort for PCAP analysis or for using it as IDPS: It’s hard work!

I made a guide some time ago where I explain, step by step, how to install and configure a Snort in a Debian based machine, but it was always the same: too long for the short time I have, chiefly if I wanted to do a fast PCAP analysis to discard malware infections or other network traces, for example. This is why I decided to convert my PDF guide into a bash script, which installs all dependencies and also creates a MySQL database for the alerts.

This is how Snorter was born.

The only thing you need is an Oinkcode, available for free in snort.org webpage, needed for automatically update the Snort rules, and the Network Interface which is going to be used (eth0, wlan0, etc…)

For installing, you only need to clone the repository:
git clone https://github.com/joanbono/Snorter
cd Snorter/src
bash Snorter.sh -o  -i

The script is mostly independent, the only interaction needed for the installation is the specification for the $HOME_NET and the $EXTERNAL_NET, but do not worry, is fully documented in the Manual.
Also, I have added a Dockerfile for testing, with the possibility to use websnort, a web interface which allows the analyst to upload a PCAP file and then see graphically the alerts, and adds to the Snorter an API option for submitting pcaps using curl.

I started this tool with the purpose of making my life easier, but the program has evolved, and now it’s time to share it.

The next step is to port it to Red Hat/CentOS, any help is welcome!

Feel free to open issues, improve the script and add more options, but, above all, enjoy the free time you will have from now.



This was a guest post by --
Joan Bono
IT Security Analyst at Ackcent

Snort Subscriber Rule Set Update for 04/25/2017

Snort Subscriber Rule Set Update for 04/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 64 new rules of which 8 are Shared Object rules, and made modifications to 8 additional rules.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 24, 2017

Snort Subscriber Rule Set Update for 04/20/2017

Just released:
Snort Subscriber Rule Set Update for 04/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 19, 2017

Snort Subscriber Rule Set Update for 04/18/2017

Just released:
Snort Subscriber Rule Set Update for 04/18/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-identify, file-other, file-pdf, indicator-scan, os-solaris, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 17, 2017

Snort Video Series

Want to get better acquainted with Snort and see an overview of Snort IPS? Want to see how you can install and configure Snort IPS on your machine? Look no further. In conjunction with Cisco Engineering Learning & Development, we created a video to give an overview of Snort installation, configuration, and deployment on a computer. The video is a great place for you to begin to understand Snort and see installation from start to finish. You can find the MP4 on our Documents page under Additional Resources section of our website titled Snort installation and configuration TechByte.


This is the first video in the TechByte series being created by Cisco Engineering Learning & Development and Snort. The next videos in this series coming later this year will be on How to Write a Snort Rule and Advanced Snort Rule Writing. Stay tuned.

Saturday, April 15, 2017

Snort Subscriber Rule Set Update for 04/15/2017, ShadowBrokers Coverage

Just released:
Snort Subscriber Rule Set Update for 04/15/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 9 new rules and made modifications to 1 additional rules.

There were no changes made to the snort.conf in this release.

Please read our Talos blog post on this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos has added and modified multiple rules in the os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, April 14, 2017

Snort Subscriber Rule Set Update for 04/13/2017

Just released:
Snort Subscriber Rule Set Update for 04/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 12, 2017

Snort Subscriber Rule Set Update for 04/11/2017, MsTuesday

Snort Subscriber Rule Set Update for 04/11/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 73 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0106:
A coding deficiency exists in Microsoft Outlook that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41962 through 41963.

Microsoft Vulnerability CVE-2017-0155:
A coding deficiency exists in Microsoft Graphics that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42173 through 42174.

Microsoft Vulnerability CVE-2017-0156:
A coding deficiency exists in Microsoft Graphics Component that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42199 through 42200.

Microsoft Vulnerability CVE-2017-0158:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42156 through 42157.

Microsoft Vulnerability CVE-2017-0160:
A coding deficiency exists in Microsoft .NET that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42185 through 42186.

Microsoft Vulnerability CVE-2017-0165:
A coding deficiency exists in Microsoft Windows that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42187 through 42188.

Microsoft Vulnerability CVE-2017-0166:
A coding deficiency exists in Microsoft LDAP that may lead to an
escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 42160.

Microsoft Vulnerability CVE-2017-0167:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42154 through 42155.

Microsoft Vulnerability CVE-2017-0188:
A coding deficiency exists in Microsoft Win32k that may lead to
information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41997 through 41998.

Microsoft Vulnerability CVE-2017-0189:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42158 through 42159.

Microsoft Vulnerability CVE-2017-0192:
A coding deficiency exists in Microsoft ATMFD.dll that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42148 through 42151.

Microsoft Vulnerability CVE-2017-0194:
A coding deficiency exists in Microsoft Office that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42161 through 42162.

Microsoft Vulnerability CVE-2017-0197:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42163 through 42164.

Microsoft Vulnerability CVE-2017-0199:
A coding deficiency exists in Microsoft Outlook that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42189 through 42190.

Microsoft Vulnerability CVE-2017-0200:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42210 through 42211.

Microsoft Vulnerability CVE-2017-0201:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42152 through 42153.

Microsoft Vulnerability CVE-2017-0202:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42165 through 42166.

Microsoft Vulnerability CVE-2017-0204:
A coding deficiency exists in Microsoft Office that may lead to a
security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42167 through 42168.

Microsoft Vulnerability CVE-2017-0205:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42183 through 42184.

Microsoft Vulnerability CVE-2017-0210:
Microsoft Internet Explorer suffers from programming errors that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42204 through 42205.

Microsoft Vulnerability CVE-2017-0211:
A coding deficiency exists in Microsoft Windows OLE that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42208 through 42209.

Talos has also added and modified multiple rules in the browser-ie,
deleted, file-flash, file-image, file-office, file-other, file-pdf,
malware-cnc, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 10, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 280, includes
  • A total of 2,829 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.