Thursday, October 19, 2017

Snort Subscriber Rule Set Update for 10/19/2017

Just released:
Snort Subscriber Rule Set Update for 10/19/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 5 are Shared Object rules and made modifications to 6 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, indicator-compromise, indicator-obfuscation, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 12, 2017

Snort Subscriber Rule Set Update for 10/12/2017

Just released:
Snort Subscriber Rule Set Update for 10/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules of which 17 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 11, 2017

Snort 2.9.11.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.11.0 to general availability!

Snort 2.9.11.0 can be downloaded from the usual location on Snort.org.

Below are the release notes:


Snort 2.9.11
[*] New additions


  • Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.
  • Added support for storing filenames in Unicode for SMB protocol.
  • Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.


[*] Improvements


  • Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
  • Performance improvement when SYN rate limit has reached and drop is configured as next action
  • Control-socket and side-channel support for FreeBSD platform.
  • Fixed issue in file signature lookup for retransmitted FTP packet.
  • Enhanced the processing of SIP/RTP future flows without ignoring them.
  • Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
  • Added a null check to prevent copy unless debugHostIp is configured in AppId.
  • Fixed issue where FTP file type block doesn't work for retried download.
  • Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
  • Performance improvements for SIP/RTP audio and video data flow in AppId.
  • Performance and stability improvements in FTP preprocessor like incorrect referencing of ftp_data_session after its pruned.
  • Stability improvement by resolving valgrind reported issues in AppId.
  • Improved flushing mechanism for HTTP POST header.
  • Added changes to display AppId for IPv6 unified events.
  • Fixed issues with printing of messages for out-of-order packets.
  • Fixed issue in increment of detection filter counter when rule is used in multiple configurations.
  • Fixed dynamic preprocessor compilation failure in OpenBSD platform.
  • Added changes to improve performance of ipvar list comparison.
  • Enhanced SMTP client detection by allowing line folding and all authentication methods.

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!

Tuesday, October 10, 2017

Snort Subscriber Rule Set Update for 10/10/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 10/10/2017, MSTuesday


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules of which 6 are Shared Object rules and made modifications to 28 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11762:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44518 through 44519.

Microsoft Vulnerability CVE-2017-11763:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44528 through 44529.

Microsoft Vulnerability CVE-2017-11793:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44508 through 44509.

Microsoft Vulnerability CVE-2017-11798:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44532 through 44533.

Microsoft Vulnerability CVE-2017-11800:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also
included in this release and are identified with GID 1, SIDs 44333
through 44334.

Microsoft Vulnerability CVE-2017-11810:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44510 through 44511.

Microsoft Vulnerability CVE-2017-11822:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44512 through 44513.

Microsoft Vulnerability CVE-2017-8689:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44516 through 44517.

Microsoft Vulnerability CVE-2017-8694:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44514 through 44515.

Microsoft Vulnerability CVE-2017-8727:
A coding deficiency exists in Microsoft Windows Shell that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44526 through 44527.

Talos also has added and modified multiple rules in the browser-ie,
file-image, file-office, file-other, os-windows and server-webapp rule
sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 5, 2017

Snort Subscriber Rule Set Update for 10/05/2017

Just released:
Snort Subscriber Rule Set Update for 10/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules of which 4 are Shared Object rules and made modifications to 12 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-multimedia, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 3, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 290, includes
  • A total of 2,837 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Snort Subscriber Rule Set Update for 10/03/2017, DNSMasq

Just released:
Snort Subscriber Rule Set Update for 10/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules of which 0 are Shared Object rules and made modifications to 6 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, protocol-dns, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 28, 2017

Snort Subscriber Rule Set Update for 09/28/2017

Just released:
Snort Subscriber Rule Set Update for 09/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 2 are Shared Object rules and made modifications to 10 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-other, os-other, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 27, 2017

Snort Subscriber Rule Set Update for 09/26/2017

Just released:
Snort Subscriber Rule Set Update for 09/26/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules of which 0 are Shared Object rules and made modifications to 21 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-identify, file-image, file-office, file-other, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, September 25, 2017

Snort Video Series: Rule Writing


Want to see a how a Snort Rule is written and how rules can help protect your network? In conjunction with Cisco Engineering Learning & Development, we created a video to give an overview of what a Snort rule is made of and how you can use Snort rules to detect traffic on your network. The video is a great place for you to see the parts of a rule and a case of how you can apply it on your network.

You can find the MP4 on our Documents page under Additional Resources section of our website titled Basics of Snort Rule Writing TechByte.

Thursday, September 21, 2017

Snort Subscriber Rule Set Update for 09/21/2017

Just released:
Snort Subscriber Rule Set Update for 09/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 40 new rules of which 6 are Shared Object rules and made modifications to 6 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-office, file-other, indicator-compromise, malware-cnc, protocol-dns, pua-adware, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 19, 2017

Snort Subscriber Rule Set Update for 09/19/2017

Just released:
Snort Subscriber Rule Set Update for 09/19/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules of which 2 are Shared Object rules and made modifications to 5 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-office, file-other, file-pdf, malware-cnc, scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 14, 2017

Snort Subscriber Rule Set Update for 09/14/2017

Just released:
Snort Subscriber Rule Set Update for 09/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules of which 0 are Shared Object rules and made modifications to 853 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-office, malware-backdoor, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 12, 2017

Snort Subscriber Rule Set Update for 09/12/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 09/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 1 are Shared Object rules and made modifications to 9 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-8682:
A coding deficiency exists in Microsoft Win32k Graphics that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44335 through 44336.

Microsoft Vulnerability CVE-2017-8728:
A coding deficiency exists in Microsoft PDF that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42285 through 42286 and 42311 through 42312.

Microsoft Vulnerability CVE-2017-8731:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44331 through 44332.

Microsoft Vulnerability CVE-2017-8734:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44340 through 44341.

Microsoft Vulnerability CVE-2017-8737:
A coding deficiency exists in Microsoft PDF that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42285 through 42286 and 42311 through 42312.

Microsoft Vulnerability CVE-2017-8738:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44333 through 44334.

Microsoft Vulnerability CVE-2017-8747:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44356 through 44357.

Microsoft Vulnerability CVE-2017-8749:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44349 through 44350.

Microsoft Vulnerability CVE-2017-8750:
Microsoft browsers suffer from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44342 through 44343.

Microsoft Vulnerability CVE-2017-8753:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-8757:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44338 through 44339.

Microsoft Vulnerability CVE-2017-8759:
A coding deficiency exists in the Microsoft .NET Framework that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44353 through 44354.

Talos also has added and modified multiple rules in the browser-ie,
file-flash, file-image, file-other, file-pdf, os-windows and
server-other rule sets to provide coverage for emerging threats from
these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, September 8, 2017

Snort Subscriber Rule Set Update for 09/08/2017

Just released:
Snort Subscriber Rule Set Update for 09/08/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules of which 2 are Shared Object rules and made modifications to 407 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
CVE-2017-12611: A coding deficiency exists in Apache Struts that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 44327 through 44330. 
Talos also has added and modified multiple rules in the file-executable, file-other, malware-cnc, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 7, 2017

Snort Subscriber Rule Set Update for 09/06/2017, Apache Struts

Just released:
Snort Subscriber Rule Set Update for 09/06/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules of which 0 are Shared Object rules and made modifications to 47 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
CVE-2017-9805:
A coding deficiency exists in Apache Struts that may lead to remote
code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 44315.

Talos has added and modified multiple rules in the browser-firefox,
exploit-kit, file-identify, file-office, file-other, malware-cnc,
os-linux, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 5, 2017

Snort Subscriber Rule Set Update for 09/05/2017

Just released:
Snort Subscriber Rule Set Update for 09/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 67 new rules of which 43 are Shared Object rules and made modifications to 0 additional rules of which 11 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 31, 2017

Snort Subscriber Rule Set Update for 08/31/2017

Just released:
Snort Subscriber Rule Set Update for 08/31/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules of which 9 are Shared Object rules and made modifications to 13 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-image, file-multimedia, file-other, file-pdf, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 29, 2017

Snort Subscriber Rule Set Update for 08/29/2017

Just released:
Snort Subscriber Rule Set Update for 08/29/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 83 new rules of which 16 are Shared Object rules and made modifications to 14 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, os-windows, policy-other, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 24, 2017

Snort Subscriber Rule Set Update for 08/24/2017

Just released:
Snort Subscriber Rule Set Update for 08/24/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules of which 7 are Shared Object rules and made modifications to 4 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, August 23, 2017

Snort Subscriber Rule Set Update for 08/22/2017

Just released:
Snort Subscriber Rule Set Update for 08/22/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 57 new rules of which 1 are Shared Object rules and made modifications to 17 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Rmkml
43587

Yaser Mansour
43981
43982
44004
44005
44006
44007
44008



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, deleted, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 17, 2017

Snort Subscriber Rule Set Update for 08/17/2017

Just released:
Snort Subscriber Rule Set Update for 08/17/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules of which 0 are Shared Object rules and made modifications to 7 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, file-flash, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 15, 2017

Snort Subscriber Rule Set Update for 08/15/2017

Just released:
Snort Subscriber Rule Set Update for 08/15/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 81 new rules of which 0 are Shared Object rules and made modifications to 22 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-chrome, browser-firefox, browser-ie, browser-plugins, exploit-kit, file-image, file-multimedia, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, os-windows, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 10, 2017

Snort Subscriber Rule Set Update for 08/10/2017

Just released:
Snort Subscriber Rule Set Update for 08/10/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules of which 0 are Shared Object rules and made modifications to 4 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.

This release also starts the releases for rules for Snort Version 2.9.11.0.  Released in Beta, today.


Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-multimedia, file-other, file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

2.9.11.0 beta has been released!

Join us as we welcome Snort 2.9.11.0 to the family, in beta form!


Right off the bat, you will notice that we are going from 2.9.9.0 to 2.9.11.0, skipping over 2.9.10.0. Just to clarify, 2.9.10.0 was an internal only release. We decided not to ship it to the public because timing of back to back 2.9.10 and 2.9.11 releases, and thought it would be better for the community to just release one instead of two. All 2.9.10 features and fixes are in 2.9.11, so you're not missing anything, just making it easier on the community.


We will be modifying the EOL slightly, as we are going to be keeping versions around a little longer. We aren't quite sure what this will look like yet, but rest assured we will be updating the blog when we do.


Here's some release notes:


  • New additions
    • Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.



  • Improvements
    • Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
    • Performance improvement when SYN rate limit has reached and drop is configured as next action
    • Control-socket and side-channel support for FreeBSD platform.
    • Fixed an issue where IoQ driver was getting into bad state due to non-graceful exit.
    • Fixed issue in file signature lookup for retransmitted FTP packet.
    • Enhanced the processing of SIP/RTP future flows without ignoring them.
    • Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
    • Added a null check to prevent copy unless debugHostIp is configured in AppId.
    • Fixed issue where FTP file type block doesn't work for retried download.
    • Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
    • Performance improvements for SIP/RTP audio and video data flow in AppId.
    • Performance and stability improvements in FTP preprocessor like incorrect referencing of ftp_data_session after its pruned.
    • Stability improvement by resolving valgrind reported issues in AppId.
    • Improved flushing mechanism for HTTP POST header.



Check out Snort 2.9.11.0, available for download on our site.

Wednesday, August 9, 2017

Snort Subscriber Rule Set Update for 08/08/2017, Release Two

Just released:
Snort Subscriber Rule Set Update for 08/08/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 5 new rules of which 0 are Shared Object rules and made modifications to 2 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit and os-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 8, 2017

Snort 2.9.9.x on OpenSuSE Leap 42.2 setup guide has been posted!

Written by community member Boris Gomez, we've posted a setup guide that he provided, for Snort 2.9.9.x on OpenSuSE Leap 42.2.

Please take a look our documentation page, check it out, and let Boris know of any issues you find!

Snort Subscriber Rule Set Update for 08/08/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 08/08/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules of which 10 are Shared Object rules and made modifications to 24 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Details:
Microsoft Vulnerability CVE-2017-0250:
A coding deficiency exists in Microsoft JET Database Engine that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43847 through 43848.

Microsoft Vulnerability CVE-2017-8625:
Microsoft Internet Explorer suffers from programming errors that may
lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43851 through 43852.

Talos has also added and modified multiple rules in the file-identify,
file-image, file-multimedia, file-office, file-other, file-pdf,
os-windows, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 3, 2017

Snort Subscriber Rule Set Update for 08/03/2017

Just released:
Snort Subscriber Rule Set Update for 08/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 151 new rules of which 1 are Shared Object rules and made modifications to 49 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, exploit-kit, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, protocol-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 1, 2017

Snort Subscriber Rule Set Update for 08/01/2017

Just released:
Snort Subscriber Rule Set Update for 08/01/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 44 new rules of which 0 are Shared Object rules and made modifications to 21 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
43809
43810
43811
43812
43813



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-office, file-other, malware-backdoor, os-windows, policy-other, server-iis, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, July 31, 2017

Snort 3 Community Rules have been posted!

As our development and deployment of Snort 3 (Codenamed: Snort++) continues, we've posted the first community ruleset on Snort.org.  We announced this last week at BlackHat at the Cisco booth by Patrick Mullen.  These rules have the same AUTHORS and LICENSE file as the 2.x version of the community ruleset, except all the rules contained have been converted to the Snort 3 rule language.

So for example the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)

In Snort 3, will now look like this:

 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; http_uri; content:"commandId=",fast_pattern,nocase; content:"/Home/",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1; )

You can notice the difference in syntax, in the italicized sections above.

You can download the ruleset on our downloads page on Snort.org.

This can't be automated yet with pulledpork, as pulledpork doesn't understand the Snort 3 format yet, but as time marches on, this evolutionary problem will correct itself.

We look forward to the thousands and thousands of users on Snort 3 to download and try this ruleset out from Talos.

Friday, July 28, 2017

Snort++ Build 239 Available Now on Snort.org

A new release of Snort++ is now available on Snort.org which includes lots of new functionality and important bug fixes.  Here is an overview of the updates since the prior release:

Important changes since the last release:
  • DAQ: version 2.2.2 now required
  • rules: removed sample.rules; Talos now publishes Snort 3 community rules on snort.org
  • rules: promoted metadata:service to a separate option since it is not metadata
  • mpse: removed Intel Soft CPM support (use Hyperscan!)
  • unified2: deprecated ip4 and ip6 specific events and added a single event for both
  • http_server: removed old inspector (use new http_inspect instead)
  • hyperscan: now require version >= 4.4.0
  • loggers: removed units options; all limits expressed in MB
Issues reported by the community:
  • logging: fixed handling of out of range timeval
    thanks to kamil@frankowicz.me for reporting the issue
  • rules: tolerate spaces in positional parameters
    thanks to Joao Soares for reporting the issue
  • search_engine: set range for max_queue_events parameter
    thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
  • packet manager: ensure ether type proto ids don't masquerade as ip proto ids
    thanks to Bhargava Shastry  for reporting the issue
  • codec manager: fixed off-by-1 mapping array size
    thanks to Bhargava Shastry for reporting the issue
  • hyperscan: check runtime support
    thanks to justin.viiret@intel.com for submitting the patch
  • mpse: fixed issue with empty pattern database
    thanks to justin.viiret@intel.com for reporting the issue

New Features:
  • perf_monitor: added FlatBuffers output and JSON formatter
  • also added tool to convert FlatBuffers files to yaml
  • alerts: improved -A cmg formatting
  • numerous control socket and shell updates
  • byte_math and bitmask: ported rule option from 2X
  • regex: added fast_pattern; do not use for fast pattern unless explicitly indicated
  • detection: added new trace capability to debug rules
  • output: added packet trace feature
  • port_scan: now fully configurable
There are many other updates not mentioned.  Check the ChangeLog for a summary of changes including new features and build and bug fixes.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org periodically.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 07/27/2017

Just released:
Snort Subscriber Rule Set Update for 07/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 64 new rules of which 8 are Shared Object rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, os-windows, policy-other, protocol-dns, protocol-nntp, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, July 25, 2017

Snort Subscriber Rule Set Update for 07/25/2017

Just released:
Snort Subscriber Rule Set Update for 07/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 63 new rules of which 0 are Shared Object rules and made modifications to 21 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-other, os-linux, os-windows, server-oracle, server-other and SQL rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 20, 2017

Snort Subscriber Rule Set Update for 07/20/2017

Just released:
Snort Subscriber Rule Set Update for 07/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 48 new rules of which 4 are Shared Object rules and made modifications to 28 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-identify, file-office, file-other, malware-cnc, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, July 18, 2017

Snort Subscriber Rule Set Update for 07/18/2017

Just released:
Snort Subscriber Rule Set Update for 07/18/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 29 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
43562
43563
43564


Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-ie, browser-other, file-multimedia, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, server-apache, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 13, 2017

Snort Subscriber Rule Set Update for 07/13/2017

Just released:
Snort Subscriber Rule Set Update for 07/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 5 are Shared Object rules and made modifications to 18 additional rules of which 3 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-image, file-office, file-other, indicator-compromise, policy-other, protocol-dns, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 237 to github (snortadmin/snort3):

  • build: add support for appending EXTRABUILD to the BUILD string
  • build: clean up some ICC 2017 warnings
  • build: clean up some GCC 7 warnings
  • build: support OpenSSL 1.1.0 API
  • build: clean up some cppcheck warnings
  • appid: port some missing 2.9.X FEAT_OPEN_APPID code
  • appid: fix thread-unsafe sharing of HTTP pattern tables
  • DAQ: fix leaking instance memory when configure fails
  • daq_hext and daq_file: pass PCI via query method
  • icmp6: reject non-ip6, raise 116:474
  • http_inspect: header normalization improvements
  • http_inspect: port fixes for UTF decoding
  • http_inspect: added 119:87 - 119:90 for expect / continue issues
  • http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0
  • http_inspect: added 119:92 for Content-Transfer-Encoding
  • http_inspect: added 119:93 for issues with chunked message trailers
  • PDF decompression: fix missing reset in state machine transition
  • ftp_server: implement splitter to improve EOF processing
  • port_scan: merge global settings into main module and other improvements
  • perf_monitor: add JSON formatter
  • ssl: add splitter to improve PDU processing
  • detection: fix segfault in DetectionEngine::idle sans thread_init
  • rules: tolerate spaces in positional parameters
    thanks to Joao Soares for reporting the issue
  • ip and tcp options: fix max length handling and clean up logging
  • cmg: improved alert formatting
  • doc: updates re control channel
  • snort2lua: added line number and file name to error output
  • snort2lua: fix removal of ignore_ports in stream_tcp.small_segments
  • snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
  • snort2lua: update for port_scan
 It's been a while since posting here but we have been pushing to github multiple times per week.  :)

Tuesday, July 11, 2017

Snort Subscriber Rule Set Update for 07/11/2017, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 07/11/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 74 new rules of which 8 are Shared Object rules and made modifications to 7 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0243:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42755 through 42756.

Microsoft Vulnerability CVE-2017-8577:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43490 through 43491.

Microsoft Vulnerability CVE-2017-8578:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43473 through 43474.

Microsoft Vulnerability CVE-2017-8594:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43521 through 43522.

Microsoft Vulnerability CVE-2017-8598:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43469 through 43470.

Microsoft Vulnerability CVE-2017-8601:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43465 through 43466.

Microsoft Vulnerability CVE-2017-8605:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42753 through 42754.

Microsoft Vulnerability CVE-2017-8617:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43460 through 43463.

Microsoft Vulnerability CVE-2017-8618:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43471 through 43472.

Microsoft Vulnerability CVE-2017-8619:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43492 through 43493.


Talos also has added and modified multiple rules in the browser-ie,
browser-other, browser-plugins, file-flash, file-other,
indicator-compromise, malware-cnc, os-windows, server-apache and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.



In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 6, 2017

Snort Subscriber Rule Set Update for 07/06/2017

Just released:
Snort Subscriber Rule Set Update for 07/06/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules of which 3 are Shared Object rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, July 3, 2017

Snort Subscriber Rule Set Update for 07/03/2017

Just released:
Snort Subscriber Rule Set Update for 07/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Saturday, July 1, 2017

Snort Subscriber Rule Set Update for 06/29/2017

Just released:
Snort Subscriber Rule Set Update for 06/29/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 65 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-flash, file-identify, file-image, file-other, indicator-compromise, malware-cnc, netbios, os-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, June 27, 2017

Snort Subscriber Rule Set Update for 06/27/2017

Just released:
Snort Subscriber Rule Set Update for 06/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 78 new rules of which 0 are Shared Object rules and made modifications to 26 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, June 22, 2017

Snort Subscriber Rule Set Update for 06/22/2017

Just released:
Snort Subscriber Rule Set Update for 06/22/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules of which 1 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, browser-webkit, file-flash, file-image, file-multimedia, file-other, indicator-obfuscation, indicator-shellcode, malware-cnc, os-windows, protocol-ftp, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, June 21, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 283, includes
  • A total of 2,836 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Tuesday, June 20, 2017

Snort Subscriber Rule Set Update for 06/20/2017

Just released:
Snort Subscriber Rule Set Update for 06/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules of which 5 are Shared Object rules and made modifications to 22 additional rules of which 10 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-image, file-other, file-pdf, indicator-obfuscation, malware-cnc, malware-other, os-windows, protocol-scada, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, June 15, 2017

Snort Subscriber Rule Set Update for 06/15/2017

Just released:
Snort Subscriber Rule Set Update for 06/15/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules of which 1 are Shared Object rules and made modifications to 6 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-office, file-other, malware-cnc, os-solaris, protocol-rpc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 236 to github (snortadmin/snort3):
  • appid: clean up shutdown stats
  • appid: fix memory leak
  • conf: update defaults
  • decode: updated ipv6 valid next headers
  • detection: avoid superfluous leaf nodes in detection option trees
  • http_inspect: improved handling of badly terminated chunks
  • http_inspect: improved transfer-encoding header processing
  • ips options: add validation for range check types such as dsize
  • perf_monitor: add more tcp and udp peg counts
  • perf_monitor: update cpu tracker output to thread_#.cpu_*
  • port_scan: alert on all scan attempts so blocking is possible
  • port_scan: make fully configurable
  • sip: fix get body buffer for fast patterns
  • ssl: use stop-and-wait splitter (protocol aware splitter is next)
  • stream_ip: fix 123:7

Tuesday, June 13, 2017

Snort Subscriber Rule Set Update for 06/13/2017

Just released:
Snort Subscriber Rule Set Update for 06/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 3 are Shared Object rules and made modifications to 8 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0215:
A coding deficiency exists in Microsoft Device Guard Code Integrity
Policy that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43157 through 43158.

Microsoft Vulnerability CVE-2017-8464:
A coding deficiency exists in Microsoft LNK that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 17042 and 24500.

Microsoft Vulnerability CVE-2017-8465:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8466:
A coding deficiency exists in Microsoft Windows Cursor that may lead to
an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8468:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43173 through 43174.

Microsoft Vulnerability CVE-2017-8496:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43165 through 43166.

Microsoft Vulnerability CVE-2017-8497:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43169 through 43170.

Microsoft Vulnerability CVE-2017-8509:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43159 through 43160.

Microsoft Vulnerability CVE-2017-8510:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43171 through 43172.

Microsoft Vulnerability CVE-2017-8524:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43163 through 43164.

Microsoft Vulnerability CVE-2017-8529:
Microsoft Edge and Microsoft Internet Explorer suffer from programming
errors that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43161 through 43162.

Microsoft Vulnerability CVE-2017-8543:
A coding deficiency exists in Microsoft Windows Search that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43175 through 43176.

Microsoft Vulnerability CVE-2017-8547:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43155 through 43156.

Talos has also added and modified multiple rules in the blacklist,
browser-ie, file-office, file-other, file-pdf, malware-cnc, os-windows,
policy-other, protocol-scada and server-webapp rule sets to provide
coverage for emerging threats from these technologies.



In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

New Snort Mailing Lists are alive!

This evening, if you are a member of the Snort Mailing lists (-users, -sigs, -devel, and/or -openappid) you should have received a welcome message to the new version of the respective list, at its new home on the new server.

You can see the list of Snort lists and of course join (if you are not already a member) here:

https://lists.snort.org/mailman/listinfo

All settings to the lists should be the same, and all users have been (or are being as I type this) migrated from the old lists on Sourceforge, to the new lists.

Effective immediately, I have set the moderation flag on the Sourceforge mailing lists, and all further email to those lists will be rejected with a message to post to the new list.  After an indeterminate period of time, I will decommission the old lists.

I am working with Sourceforge to get a dump of our archives, so we may retain that history on our servers, in the meantime you can find the archives for the mailing lists on Marc.  All emails on the new list will also be archived on Marc.

Hopefully everything went well, and I haven't inconvenienced too many people.  I sincerely apologize if I did.  I had been planning to move off of Sourceforge for years, and hadn't simply because of the history we had built there.  However, with their recent changes in policy, moving the lists at this time made sense.

Any feedback about the move, please contact me at: snort-users@lists.snort.org.

We look forward to seeing everyone on our new server, which is not only on an updated version of the mailman software, but also now without Sourceforge's ads at the bottom of every post!

Thanks for your patience and understanding.

Friday, June 9, 2017

Sourceforge Hosted Snort Mailing Lists

All—

Some recent changes from Sourceforge (where the Snort mailing lists have been hosted since the start of the project, nearly 20 years ago) to their Mailman infrastructure has left us unable to access the member list. Which means we can no longer unsubscribe, subscribe, ban, moderate, clear, or otherwise have any control over the subscribers of the mailing list. Something that as a community manager, prevents me from managing… the community…

The changes outlined here: https://sourceforge.net/blog/sourceforge-project-e-mail-policy-update/ put quite a hinderance on the ability to manage the lists, and therefore, we are looking into options of moving off of Sourceforge.

More news will come soon.

Snort Subscriber Rule Set Update for 06/08/2017

Just released:
Snort Subscriber Rule Set Update for 06/08/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 3 are Shared Object rules and made modifications to 5 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-ie, file-other, indicator-compromise, malware-cnc, policy-other, protocol-scada, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, June 5, 2017

Snort++ Update

Pushed build 235 to github (snortadmin/snort3):
  • http_inspect: improve handling of improper bare \r separator
  • appid: fix bug where TNS detector corrupted the flow data object
  • search_engine: set range for max_queue_events parameter
    thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
  • arp_spoof: reject non-ethernet packets
  • stream_ip: remove dead code and tweak formatting
  • ipproto: remove unreachable code
  • control_mgmt: add support for daq module reload
  • control_mgmt: add support for unix sockets
  • doc: update default manuals
  • doc: update differences section
  • doc: update README

Thursday, June 1, 2017

Snort Subscriber Rule Set Update for 06/01/2017

Just released:
Snort Subscriber Rule Set Update for 06/01/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules of which 1 are Shared Object rules and made modifications to 50 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-multimedia, file-office, file-other, indicator-compromise, os-windows, protocol-dns, protocol-imap, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 30, 2017

Snort Subscriber Rule Set Update for 05/30/2017

Just released:
Snort Subscriber Rule Set Update for 05/30/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 59 new rules of which 3 are Shared Object rules and made modifications to 20 additional rules of which 3 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-image, file-pdf, malware-cnc, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, May 25, 2017

Snort Subscriber Rule Set Update for 05/25/2017

Just released:
Snort Subscriber Rule Set Update for 05/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules of which 6 are Shared Object rules and made modifications to 119 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-other, protocol-scada, protocol-snmp, server-apache, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, May 23, 2017

Snort Subscriber Rule Set Update for 05/23/2017

Just released:
Snort Subscriber Rule Set Update for 05/23/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 15 additional rules of which 3 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!