Friday, April 28, 2017

Snort++ Update

Pushed build 231 to github (snortadmin/snort3):
  • build: clean up Intel compiler warnings and remarks
  • build: fix FreeBSD compilation issues
  • cmake: fix building with and without flatbuffers present 
  • autoconf: check for lua.hpp as well as luajit.h to ensure C++ support 
  • shell: make commands non-blocking 
  • shell: allow multiple remote connections 
  • snort2lua: fix generated stream_tcp bindings 
  • snort2lua: fix basic error handling with non-conformant 2.X conf 
  • decode: fix 116:402 
  • dnp3:  fix 145:5 
  • appid: numerous fixes and cleanup 
  • http_server: removed (use new http_inspect instead) 
  • byte_jump: add bitmask and from_end (from 2.9.9 Snort) 
  • byte_extract: add bitmask (from 2.9.9 Snort) 
  • flatbuffers: add version to banner if present 
  • loggers: build alert_sf_socket on all platforms

Thursday, April 27, 2017

Snort Subscriber Rule Set Update for 04/27/2017

Just released:
Snort Subscriber Rule Set Update for 04/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 2 are Shared Object rules and cover zero days and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, os-windows, protocol-ftp, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 26, 2017

Snorter -- an automatic Snort, Barnyard2, and PulledPork installation script.

Snorter

We all know that sometimes, the installation of the latest version of Snort, Barnyard2 and PulledPork could be pretty tedious, specially if you have to install lots of Snorts in different machines.

Cloning Hard Disks is the easy way to do it if all the machines in which we are going to install this IDS are the same but, what happens if you are using different machines, and you want to install Snort in all of them? It doesn’t matter if you install a Snort for PCAP analysis or for using it as IDPS: It’s hard work!

I made a guide some time ago where I explain, step by step, how to install and configure a Snort in a Debian based machine, but it was always the same: too long for the short time I have, chiefly if I wanted to do a fast PCAP analysis to discard malware infections or other network traces, for example. This is why I decided to convert my PDF guide into a bash script, which installs all dependencies and also creates a MySQL database for the alerts.

This is how Snorter was born.

The only thing you need is an Oinkcode, available for free in snort.org webpage, needed for automatically update the Snort rules, and the Network Interface which is going to be used (eth0, wlan0, etc…)

For installing, you only need to clone the repository:
git clone https://github.com/joanbono/Snorter
cd Snorter/src
bash Snorter.sh -o  -i

The script is mostly independent, the only interaction needed for the installation is the specification for the $HOME_NET and the $EXTERNAL_NET, but do not worry, is fully documented in the Manual.
Also, I have added a Dockerfile for testing, with the possibility to use websnort, a web interface which allows the analyst to upload a PCAP file and then see graphically the alerts, and adds to the Snorter an API option for submitting pcaps using curl.

I started this tool with the purpose of making my life easier, but the program has evolved, and now it’s time to share it.

The next step is to port it to Red Hat/CentOS, any help is welcome!

Feel free to open issues, improve the script and add more options, but, above all, enjoy the free time you will have from now.



This was a guest post by --
Joan Bono
IT Security Analyst at Ackcent

Snort Subscriber Rule Set Update for 04/25/2017

Snort Subscriber Rule Set Update for 04/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 64 new rules of which 8 are Shared Object rules, and made modifications to 8 additional rules.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 24, 2017

Snort Subscriber Rule Set Update for 04/20/2017

Just released:
Snort Subscriber Rule Set Update for 04/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 19, 2017

Snort Subscriber Rule Set Update for 04/18/2017

Just released:
Snort Subscriber Rule Set Update for 04/18/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-identify, file-other, file-pdf, indicator-scan, os-solaris, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 17, 2017

Snort Video Series

Want to get better acquainted with Snort and see an overview of Snort IPS? Want to see how you can install and configure Snort IPS on your machine? Look no further. In conjunction with Cisco Engineering Learning & Development, we created a video to give an overview of Snort installation, configuration, and deployment on a computer. The video is a great place for you to begin to understand Snort and see installation from start to finish. You can find the MP4 on our Documents page under Additional Resources section of our website titled Snort installation and configuration TechByte.


This is the first video in the TechByte series being created by Cisco Engineering Learning & Development and Snort. The next videos in this series coming later this year will be on How to Write a Snort Rule and Advanced Snort Rule Writing. Stay tuned.

Saturday, April 15, 2017

Snort Subscriber Rule Set Update for 04/15/2017, ShadowBrokers Coverage

Just released:
Snort Subscriber Rule Set Update for 04/15/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 9 new rules and made modifications to 1 additional rules.

There were no changes made to the snort.conf in this release.

Please read our Talos blog post on this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos has added and modified multiple rules in the os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, April 14, 2017

Snort Subscriber Rule Set Update for 04/13/2017

Just released:
Snort Subscriber Rule Set Update for 04/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-identify, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, os-solaris and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 12, 2017

Snort Subscriber Rule Set Update for 04/11/2017, MsTuesday

Snort Subscriber Rule Set Update for 04/11/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 73 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

These rules are available in our Subscriber ruleset, and can be purchased through Snort.org with a credit card.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0106:
A coding deficiency exists in Microsoft Outlook that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41962 through 41963.

Microsoft Vulnerability CVE-2017-0155:
A coding deficiency exists in Microsoft Graphics that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42173 through 42174.

Microsoft Vulnerability CVE-2017-0156:
A coding deficiency exists in Microsoft Graphics Component that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42199 through 42200.

Microsoft Vulnerability CVE-2017-0158:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42156 through 42157.

Microsoft Vulnerability CVE-2017-0160:
A coding deficiency exists in Microsoft .NET that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42185 through 42186.

Microsoft Vulnerability CVE-2017-0165:
A coding deficiency exists in Microsoft Windows that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42187 through 42188.

Microsoft Vulnerability CVE-2017-0166:
A coding deficiency exists in Microsoft LDAP that may lead to an
escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 42160.

Microsoft Vulnerability CVE-2017-0167:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42154 through 42155.

Microsoft Vulnerability CVE-2017-0188:
A coding deficiency exists in Microsoft Win32k that may lead to
information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41997 through 41998.

Microsoft Vulnerability CVE-2017-0189:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42158 through 42159.

Microsoft Vulnerability CVE-2017-0192:
A coding deficiency exists in Microsoft ATMFD.dll that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42148 through 42151.

Microsoft Vulnerability CVE-2017-0194:
A coding deficiency exists in Microsoft Office that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42161 through 42162.

Microsoft Vulnerability CVE-2017-0197:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42163 through 42164.

Microsoft Vulnerability CVE-2017-0199:
A coding deficiency exists in Microsoft Outlook that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42189 through 42190.

Microsoft Vulnerability CVE-2017-0200:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42210 through 42211.

Microsoft Vulnerability CVE-2017-0201:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42152 through 42153.

Microsoft Vulnerability CVE-2017-0202:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42165 through 42166.

Microsoft Vulnerability CVE-2017-0204:
A coding deficiency exists in Microsoft Office that may lead to a
security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42167 through 42168.

Microsoft Vulnerability CVE-2017-0205:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42183 through 42184.

Microsoft Vulnerability CVE-2017-0210:
Microsoft Internet Explorer suffers from programming errors that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42204 through 42205.

Microsoft Vulnerability CVE-2017-0211:
A coding deficiency exists in Microsoft Windows OLE that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 42208 through 42209.

Talos has also added and modified multiple rules in the browser-ie,
deleted, file-flash, file-image, file-office, file-other, file-pdf,
malware-cnc, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 10, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 280, includes
  • A total of 2,829 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, April 7, 2017

Snort++ Update

Pushed build 231 to github (snortadmin/snort3):
  • add decode of MPLS in IP
  • add 116:171 and 116:173 cases (label 0 or 2 in non-bottom of stack)
  • cleanup: remove dead code

Snort Subscriber Rule Set Update for 04/06/2017

Just released:
Snort Subscriber Rule Set Update for 04/06/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 65 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 5, 2017

Snort Subscriber Rule Set Update for 04/04/2017

Just released:
Snort Subscriber Rule Set Update for 04/04/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
42128
42129
42130



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, indicator-shellcode, malware-cnc, malware-tools, protocol-scada, server-webapp and x11 rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, April 3, 2017

The 2017 Snort Scholarship Contest is now closed!

We are no longer accepting applications for the Snort scholarship award. We'd like to thank everyone that took the time to submit an application for consideration! 

The winners will be announced on or about May 29, 2017 here as well as our Snort Scholarship page at Snort.org.

Best of luck to all of the applicants!