Friday, April 28, 2017

Snort++ Update

Pushed build 231 to github (snortadmin/snort3):
  • build: clean up Intel compiler warnings and remarks
  • build: fix FreeBSD compilation issues
  • cmake: fix building with and without flatbuffers present 
  • autoconf: check for lua.hpp as well as luajit.h to ensure C++ support 
  • shell: make commands non-blocking 
  • shell: allow multiple remote connections 
  • snort2lua: fix generated stream_tcp bindings 
  • snort2lua: fix basic error handling with non-conformant 2.X conf 
  • decode: fix 116:402 
  • dnp3:  fix 145:5 
  • appid: numerous fixes and cleanup 
  • http_server: removed (use new http_inspect instead) 
  • byte_jump: add bitmask and from_end (from 2.9.9 Snort) 
  • byte_extract: add bitmask (from 2.9.9 Snort) 
  • flatbuffers: add version to banner if present 
  • loggers: build alert_sf_socket on all platforms

Thursday, April 27, 2017

Snort Subscriber Rule Set Update for 04/27/2017

Just released:
Snort Subscriber Rule Set Update for 04/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules, of which 2 are Shared Object rules and cover zero days, and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, os-windows, protocol-ftp, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 26, 2017

Snorter -- an automatic Snort, Barnyard2, and PulledPork installation script.

Snorter

We all know that sometimes the installation of the latest version of Snort, Barnyard2 and PulledPork can be pretty tedious, especially if you have to install lots of Snort instances on different machines.

Cloning hard disks is the easy way to do it if all the machines on which we are going to install this IDS are the same, but what happens if you are using different machines and you want to install Snort on all of them? It doesn’t matter whether you install Snort for PCAP analysis or use it as an IDPS: it’s hard work!

I made a guide some time ago where I explain, step by step, how to install and configure Snort on a Debian-based machine, but it was always the same: too long for the short time I have, especially if I wanted to do a fast PCAP analysis to rule out malware infections or other network traces, for example. This is why I decided to convert my PDF guide into a bash script, which installs all dependencies and also creates a MySQL database for the alerts.

This is how Snorter was born.

The only things you need are an Oinkcode, available for free on the snort.org website and needed to automatically update the Snort rules, and the network interface that is going to be used (eth0, wlan0, etc.).

To install, you only need to clone the repository and run the script with your Oinkcode and the interface to monitor (the two values below are placeholders for your own):
git clone https://github.com/joanbono/Snorter
cd Snorter/src
bash Snorter.sh -o <oinkcode> -i <interface>

The script runs mostly unattended: the only interaction needed during the installation is specifying $HOME_NET and $EXTERNAL_NET, but do not worry, this is fully documented in the manual.
Also, I have added a Dockerfile for testing, with the option to use websnort, a web interface that lets the analyst upload a PCAP file and then see the alerts graphically, and which adds to Snorter an API option for submitting pcaps using curl.

I started this tool with the purpose of making my life easier, but the program has evolved, and now it’s time to share it.

The next step is to port it to Red Hat/CentOS, any help is welcome!

Feel free to open issues, improve the script and add more options, but, above all, enjoy the free time you will have from now on.



This was a guest post by --
Joan Bono
IT Security Analyst at Ackcent

Snort Subscriber Rule Set Update for 04/25/2017

Snort Subscriber Rule Set Update for 04/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 64 new rules of which 8 are Shared Object rules, and made modifications to 8 additional rules.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 24, 2017

Snort Subscriber Rule Set Update for 04/20/2017

Just released:
Snort Subscriber Rule Set Update for 04/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 19, 2017

Snort Subscriber Rule Set Update for 04/18/2017

Just released:
Snort Subscriber Rule Set Update for 04/18/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-identify, file-other, file-pdf, indicator-scan, os-solaris, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 17, 2017

Snort Video Series

Want to get better acquainted with Snort and see an overview of Snort IPS? Want to see how you can install and configure Snort IPS on your machine? Look no further. In conjunction with Cisco Engineering Learning & Development, we created a video to give an overview of Snort installation, configuration, and deployment on a computer. The video is a great place for you to begin to understand Snort and see installation from start to finish. You can find the MP4 on our Documents page under the Additional Resources section of our website, titled Snort installation and configuration TechByte.


This is the first video in the TechByte series being created by Cisco Engineering Learning & Development and Snort. The next videos in this series coming later this year will be on How to Write a Snort Rule and Advanced Snort Rule Writing. Stay tuned.

Saturday, April 15, 2017

Snort Subscriber Rule Set Update for 04/15/2017, ShadowBrokers Coverage

Just released:
Snort Subscriber Rule Set Update for 04/15/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 9 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Please read our Talos blog post on this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos has added and modified multiple rules in the os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, April 14, 2017

Snort Subscriber Rule Set Update for 04/13/2017

Just released:
Snort Subscriber Rule Set Update for 04/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 12, 2017

Snort Subscriber Rule Set Update for 04/11/2017, MsTuesday

Snort Subscriber Rule Set Update for 04/11/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 73 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0106:
A coding deficiency exists in Microsoft Outlook that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41962 through 41963.

Microsoft Vulnerability CVE-2017-0155:
A coding deficiency exists in Microsoft Graphics that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42173 through 42174.

Microsoft Vulnerability CVE-2017-0156:
A coding deficiency exists in Microsoft Graphics Component that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42199 through 42200.

Microsoft Vulnerability CVE-2017-0158:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42156 through 42157.

Microsoft Vulnerability CVE-2017-0160:
A coding deficiency exists in Microsoft .NET that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42185 through 42186.

Microsoft Vulnerability CVE-2017-0165:
A coding deficiency exists in Microsoft Windows that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42187 through 42188.

Microsoft Vulnerability CVE-2017-0166:
A coding deficiency exists in Microsoft LDAP that may lead to an
escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 42160.

Microsoft Vulnerability CVE-2017-0167:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42154 through 42155.

Microsoft Vulnerability CVE-2017-0188:
A coding deficiency exists in Microsoft Win32k that may lead to
information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41997 through 41998.

Microsoft Vulnerability CVE-2017-0189:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42158 through 42159.

Microsoft Vulnerability CVE-2017-0192:
A coding deficiency exists in Microsoft ATMFD.dll that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42148 through 42151.

Microsoft Vulnerability CVE-2017-0194:
A coding deficiency exists in Microsoft Office that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42161 through 42162.

Microsoft Vulnerability CVE-2017-0197:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42163 through 42164.

Microsoft Vulnerability CVE-2017-0199:
A coding deficiency exists in Microsoft Outlook that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42189 through 42190.

Microsoft Vulnerability CVE-2017-0200:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42210 through 42211.

Microsoft Vulnerability CVE-2017-0201:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42152 through 42153.

Microsoft Vulnerability CVE-2017-0202:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42165 through 42166.

Microsoft Vulnerability CVE-2017-0204:
A coding deficiency exists in Microsoft Office that may lead to a
security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42167 through 42168.

Microsoft Vulnerability CVE-2017-0205:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42183 through 42184.

Microsoft Vulnerability CVE-2017-0210:
Microsoft Internet Explorer suffers from programming errors that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42204 through 42205.

Microsoft Vulnerability CVE-2017-0211:
A coding deficiency exists in Microsoft Windows OLE that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42208 through 42209.

Talos has also added and modified multiple rules in the browser-ie,
deleted, file-flash, file-image, file-office, file-other, file-pdf,
malware-cnc, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 10, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 280, includes:
  • A total of 2,829 detectors.
  • Additional detectors contributed by the open source community. For details on which contributions were included, see the AUTHORS file in this package.

The package is available now for download from our downloads page. We look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, April 7, 2017

Snort++ Update

Pushed build 231 to github (snortadmin/snort3):
  • add decode of MPLS in IP
  • add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
  • cleanup: remove dead code

Snort Subscriber Rule Set Update for 04/06/2017

Just released:
Snort Subscriber Rule Set Update for 04/06/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 65 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 5, 2017

Snort Subscriber Rule Set Update for 04/04/2017

Just released:
Snort Subscriber Rule Set Update for 04/04/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
42128
42129
42130



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, indicator-shellcode, malware-cnc, malware-tools, protocol-scada, server-webapp and x11 rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 3, 2017

The 2017 Snort Scholarship Contest is now closed!

We are no longer accepting applications for the Snort scholarship award. We'd like to thank everyone that took the time to submit an application for consideration! 

The winners will be announced on or about May 29, 2017 here as well as our Snort Scholarship page at Snort.org.

Best of luck to all of the applicants!

Tuesday, March 28, 2017

Snort Subscriber Rule Set Update for 03/28/2017

Just released:
Snort Subscriber Rule Set Update for 03/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 306 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
37045
42059


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-linux, os-other, os-windows, policy-other, protocol-scada, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, March 27, 2017

Snort++ Update

Pushed build 230 to github (snortadmin/snort3):
  • require hyperscan >= 4.4.0, check runtime support; thanks to justin.viiret@intel.com for submitting the patch 
  • fix search tool issue with empty pattern database; thanks to justin.viiret@intel.com for reporting the issue
  • fix sip_method to error out if sip not instantiated
  • major appid overhaul to address lingering concerns: refactor, cleanup, simplify
  • major detection overhaul to address lingering concerns: refactor, cleanup, release memory ASAP
  • add FlatBuffers output format to perf_monitor; also added tool to convert FlatBuffers files to yaml
  • add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
  • update copyrights to 2017

Thursday, March 23, 2017

Snort Subscriber Rule Set Update for 03/23/2017

Just released:
Snort Subscriber Rule Set Update for 03/23/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
42059



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, malware-cnc, malware-other, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 21, 2017

Snort Subscriber Rule Set Update for 03/21/2017

Just released:
Snort Subscriber Rule Set Update for 03/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
42019
42021


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 14, 2017

Snort 2.9.7.6 is End of Life!

In accordance with our End of Life Policy, today's release marks the End of Life for Snort 2.9.7.6, as detailed in our blog post back in February.

Please start upgrading your Snort systems now if you are on Snort 2.9.7.6.

Snort Subscriber Rule Set Update for 03/14/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 03/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 77 new rules and made modifications to 62 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Security Bulletin MS17-006:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41575 through 41576, 41585 through 41590, and 41625
through 41626.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41954
through 41957.

Microsoft Security Bulletin MS17-007:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41553 through 41554, 41557 through 41562, 41573
through 41574, 41583 through 41584, 41593 through 41594, 41605 through
41606, and 41625 through 41626.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41936
through 41939, 41942 through 41945, 41948 through 41953, 41958 through
41959, 41968 through 41969, and 41987 through 41988.

Microsoft Security Bulletin MS17-009:
A coding deficiency exists in Microsoft Windows PDF Library that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41601 through 41602.

Microsoft Security Bulletin MS17-010:
A coding deficiency exists in Microsoft Windows SMB Server that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 41978 and 41983
through 41984.

Microsoft Security Bulletin MS17-011:
A coding deficiency exists in Microsoft Uniscribe that may lead to
remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41597 through 41598.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41934
through 41935, 41940 through 41941, 41960 through 41961, 41966 through
41967, 41972 through 41975, 41985 through 41986, and 41991 through
41992.

Microsoft Security Bulletin MS17-012:
A coding deficiency exists in Microsoft Windows that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41563 through 41564 and 41567 through 41572.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41989
through 41990.

Microsoft Security Bulletin MS17-013:
A coding deficiency exists in Microsoft Graphics Component that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41591 through 41592.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41932
through 41933, 41946 through 41947, 41970 through 41971, and 41993
through 41994.

Microsoft Security Bulletin MS17-014:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41565 through 41566, 41577 through 41578, 41581
through 41582, 41597 through 41598, and 41797 through 41798.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41962
through 41965, 41976 through 41977, and 41979 through 41982.

Microsoft Security Bulletin MS17-017:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40394 through 40395 and 41607 through 41610.

Microsoft Security Bulletin MS17-018:
A coding deficiency exists in Microsoft Windows Kernel-Mode Drivers
that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41579 through 41580.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41926
through 41931 and 41995 through 41998.

Microsoft Security Bulletin MS17-021:
A coding deficiency exists in Microsoft DirectShow that may lead to
information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41633 through 41634.

Microsoft Security Bulletin MS17-022:
A coding deficiency exists in Microsoft XML Core Services that may lead
to information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40364 through 40365.

Talos has also added and modified multiple rules in the browser-ie,
file-executable, file-flash, file-image, file-office, file-other,
file-pdf, os-other, os-windows and server-samba rule sets to provide
coverage for emerging threats from these technologies.
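The GID/SID ranges quoted in the MSTuesday notes above (both the 04/11/2017 and 03/14/2017 posts) are what a defender uses to confirm that the cited coverage is actually active in the deployed policy, not merely shipped in the tarball. The script below is an added example, not Snort's or Talos's own tooling: it parses release notes written in that format into (gid, sid) pairs, expanding "X through Y" ranges, and then compares them against a rules file to report which cited SIDs are enabled, commented out, or absent. The advisory excerpt and the rule lines are constructed samples (the rule bodies are placeholders; only the sid/gid options matter), and the assumption that a missing gid option means GID 1 follows Snort's default.

```python
import re
from typing import Dict, List, Set, Tuple

Rule = Tuple[int, int]  # (gid, sid)

# Constructed excerpt mirroring the layout of the Talos release notes:
# wrapped lines, ranges written "X through Y", joined by commas and "and".
ADVISORY = """\
Microsoft Security Bulletin MS17-006:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41575 through 41576, 41585 through 41590, and 41625
through 41626.

Microsoft Security Bulletin MS17-010:
A coding deficiency exists in Microsoft Windows SMB Server that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 41978 and 41983
through 41984.
"""

# Constructed rules-file excerpt: one rule enabled, one commented out,
# one enabled with an explicit gid. Rule bodies are placeholders.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed SMB rule"; sid:41978; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed SMB rule"; sid:41983; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"constructed SMB rule"; gid:1; sid:41984; rev:1;)
"""

# "Microsoft Security Bulletin MS17-010:" or "Microsoft Vulnerability CVE-2017-0106:"
HEADING = re.compile(r"(?m)^Microsoft (?:Vulnerability|Security Bulletin) ([A-Z0-9-]+):[ \t]*$")
# "GID 1, SIDs 41978 and 41983 through 41984." -> gid, and the listing up to the period
SID_LIST = re.compile(r"GID\s+(\d+),\s+SIDs?\s+(.+?)\.")
# one SID, or an inclusive "lo through hi" range
RANGE = re.compile(r"(\d+)(?:\s+through\s+(\d+))?")
# gid:/sid: options inside a rule line
RULE_OPT = re.compile(r"\b(gid|sid)\s*:\s*(\d+)\s*;")


def parse_advisory(text: str) -> Dict[str, Set[Rule]]:
    """Map each bulletin/CVE identifier to the set of (gid, sid) pairs it cites."""
    parts = HEADING.split(text)  # [preamble, id1, body1, id2, body2, ...]
    result: Dict[str, Set[Rule]] = {}
    for ident, body in zip(parts[1::2], parts[2::2]):
        flat = " ".join(body.split())  # undo the line wrapping
        cited = result.setdefault(ident, set())
        for gid, listing in SID_LIST.findall(flat):
            for lo, hi in RANGE.findall(listing):
                for sid in range(int(lo), int(hi or lo) + 1):
                    cited.add((int(gid), sid))
    return result


def rule_states(rules_text: str) -> Dict[Rule, bool]:
    """Map (gid, sid) of every rule line to True if enabled, False if commented out."""
    states: Dict[Rule, bool] = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        opts = {k: int(v) for k, v in RULE_OPT.findall(line)}
        if "sid" not in opts:
            continue  # a comment that is not a disabled rule
        # Assumption: no gid option means GID 1, Snort's default for text rules.
        states[(opts.get("gid", 1), opts["sid"])] = not line.startswith("#")
    return states


def coverage(advisory: str, rules_text: str) -> Dict[str, Dict[str, List[int]]]:
    """For each identifier, sort its cited SIDs into enabled / disabled / missing."""
    states = rule_states(rules_text)
    report: Dict[str, Dict[str, List[int]]] = {}
    for ident, cited in parse_advisory(advisory).items():
        buckets: Dict[str, List[int]] = {"enabled": [], "disabled": [], "missing": []}
        for gid, sid in sorted(cited):
            if (gid, sid) not in states:
                buckets["missing"].append(sid)
            elif states[(gid, sid)]:
                buckets["enabled"].append(sid)
            else:
                buckets["disabled"].append(sid)
        report[ident] = buckets
    return report


if __name__ == "__main__":
    for ident, buckets in coverage(ADVISORY, RULES).items():
        print(ident, buckets)
```

Point the script at the full release note and at the rules file Snort actually loads (after PulledPork or any local disable lists have been applied), since a SID that is present but commented out gives no coverage; the report separates that case from a SID that never arrived.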


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 9, 2017

Snort Subscriber Rule Set Update for 03/09/2017, Release 2 -- Apache Struts2 Content-Disposition

Just released:
Snort Subscriber Rule Set Update for 03/09/2017, Release 2


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 4 additional rules.

This rule pack introduces coverage for another attack vector to the recent Apache Struts2 vulnerability, through Content-Disposition.

There were no changes made to the snort.conf in this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 03/09/2017

Just released:
Snort Subscriber Rule Set Update for 03/09/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 70 new rules and made modifications to 46 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-webkit, exploit-kit, file-other, os-linux, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, March 7, 2017

Snort Subscriber Rule Set Update for 03/07/2017, Release 2, Apache Struts2 Vulnerability

Just released:
Snort Subscriber Rule Set Update for 03/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-office, indicator-obfuscation, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 03/07/2017

Just released:
Snort Subscriber Rule Set Update for 03/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-image, file-other, indicator-scan, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Thursday, March 2, 2017

Snort Subscriber Rule Set Update for 03/02/2017

Just released:
Snort Subscriber Rule Set Update for 03/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules and made modifications to 11 additional rules.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-pdf, indicator-compromise, malware-cnc, malware-tools, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Snort++ Alpha 4 Available Now!

The fourth alpha release of Snort++ is now available on snort.org.  If you haven't tried Snort++ yet, now is a good time to do so as this pig sports a superset of Snort 2.9.8.3 functionality:
  • Support for multiple packet processing threads 
  • Improved throughput and latency performance
  • Improved detection 
  • Modular design 
  • Plugin framework with over 200 plugins
  • More scalable memory profile
  • A brand new HTTP inspector
  • Service rules like alert http
  • Rule "sticky" buffers
  • LuaJIT configuration, loggers, and rule options
  • Auto-detect common services for portless configuration
  • Rewritten TCP handling
  • New rule parser and syntax
  • New performance monitor
  • New time and space profiling
  • New latency monitoring and enforcement
  • Automake or CMake - your choice
  • Built-in help and generated reference documentation
The first beta release is expected around midyear at which point Talos will provide 3.0 rule downloads.  In the meantime, you can use the snort2lua utility packaged with Snort++ to convert 2.X rules and confs.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org monthly.  You can also get the latest updates from github (snortadmin/snort3), which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Wednesday, March 1, 2017

2017 Snort Scholarship is now open!

We are currently accepting submissions for our 2017 Snort Scholarship award!

This year we will be awarding $10,000 scholarship awards to two individuals who meet our eligibility criteria and are pursuing a higher education degree.

To be eligible for consideration, you must:

1. be eligible to receive your high school diploma or equivalent in 2017 as of the date Cisco receives your application.

2. provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cyber security or a similarly related field of study.

The deadline to apply for consideration is April 3, 2017.

For more information about contest rules, eligibility requirements, or to complete a submission form, visit our Snort Scholarship page.

Best of luck!

Snort Subscriber Rule Set Update for 02/28/2017, 2nd Edition

Just released:
Snort Subscriber Rule Set Update for 02/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-multimedia, file-office, indicator-compromise, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, February 28, 2017

EOL for Snort 2.9.7.6 is approaching!

As you can see from our EOL page, the End of Life (EOL) for Snort version 2.9.7.6's ruleset is approaching on March 13th.

Our download numbers clearly illustrate that most people have moved from 2.9.7.6 to 2.9.8.3 or 2.9.9.0, which is great.  However, it appears there are still several thousand users on 2.9.7.6.


Please take the next week to move off of 2.9.7.6 and onto a more updated version before the EOL date hits!

Thanks

Snort Subscriber Rule Set Update for 02/28/2017

Just released:
Snort Subscriber Rule Set Update for 02/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, file-office, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Monday, February 27, 2017

Snort Subscriber Rule Set Update for 02/24/2017

Just released:
Snort Subscriber Rule Set Update for 02/24/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 29 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-other, indicator-obfuscation, indicator-shellcode and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Friday, February 24, 2017

Snort++ Update

Pushed build 227 to github (snortadmin/snort3):
  • allow arbitrary / unused gids in text rules
  • support DAQs w/o explicit sources (nfq, ipfw)
  • fix up peg help (remove _)
  • fix u2 logging of PDUs

Thursday, February 23, 2017

Snort Subscriber Rule Set Update for 02/23/2017

Just released:
Snort Subscriber Rule Set Update for 02/23/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour:
41710
41711
41712
41713



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-office, file-pdf, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Wednesday, February 22, 2017

Snort Subscriber Rule Set Update for 02/21/2017

Just released:
Snort Subscriber Rule Set Update for 02/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
41663


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-flash, malware-cnc, malware-other, protocol-scada, pua-adware, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Friday, February 17, 2017

Snort++ Update

Pushed build 226 to github (snortadmin/snort3):
  • add PDF/SWF decompression to http_inspect
  • add connectors to generated reference parts of manual
  • add feature documentation for HA, side_channel, and connectors
  • add feature documentation for http_inspect
  • update default manuals
  • fix privilege dropping and chroot behavior
  • fix perf_monitor segfault when tterm is called before tinit
  • fix stream_tcp counter underflow bug and handle max and instant stats
  • fix lzma length calculation bug
  • fix bogus 129:20 alerts
  • fix back orifice compiler warning with -O3
  • fix bug that could cause hang on ctl-C
  • fix memory leak after reload w/o changing search engine
  • fix off by one error when reassembling after TCP FIN received
  • fix cmake doc build to include plugins on SNORT_PLUGIN_PATH
  • fix compiler warnings in dce_http_server and dce_http_proxy
  • fix appid reload issue
  • snort2lua - changes for rpc over http
  • snort2lua - changes to convert config alertfile: <filename>
  • snort2lua - changes to add file_id when smb file inspection is on
  • snort2lua - add deprecated option stream5_tcp: log_asymmetric_traffic

Thursday, February 16, 2017

Snort Subscriber Rule Set Update for 02/16/2017

Just released:
Snort Subscriber Rule Set Update for 02/16/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, malware-cnc, malware-other, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, February 14, 2017

Snort Subscriber Rule Set Update for 02/14/2017

Just released:
Snort Subscriber Rule Set Update for 02/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 94 new rules and made modifications to 89 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-executable, file-flash, file-other, indicator-compromise, malware-backdoor, malware-cnc, malware-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Thursday, February 9, 2017

Snort Subscriber Rule Set Update for 02/09/2017, TicketBleed

Just released:
Snort Subscriber Rule Set Update for 02/09/2017, TicketBleed


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 284 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-office, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.
Talos has published a blog post on this subject on the Talos Blog.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, February 7, 2017

Snort Subscriber Rule Set Update for 02/07/2017

Just released:
Snort Subscriber Rule Set Update for 02/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
41498


Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-office, file-pdf, policy-other, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Friday, February 3, 2017

Snort Subscriber Rule Set Update for 02/02/2017, WordPress Vulnerability, Microsoft 0day in SMB

Just released:
Snort Subscriber Rule Set Update for 02/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
41498


Talos's rule release:
CVE-2017-0016: A coding deficiency exists in Microsoft Windows SMB that may lead to remote code execution.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 41499.
This release also provides detection for a WordPress vulnerability using an authentication bypass.  This is the bug that was patched recently via a silent fix, and is particularly nasty.  Please upgrade your WordPress installation immediately if you have not done so.  As WordPress is so widely deployed, and the vulnerability is rather simple, we have placed these rules in the community ruleset for everyone's use.
Talos has also added and modified multiple rules in the browser-ie, browser-plugins, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can sign up for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!