Thursday, October 12, 2017

Snort Subscriber Rule Set Update for 10/12/2017

Just released:
Snort Subscriber Rule Set Update for 10/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules of which 17 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 11, 2017

Snort 2.9.11.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.11.0 to general availability!

Snort 2.9.11.0 can be downloaded from the usual location on Snort.org.

Below are the release notes:


Snort 2.9.11
[*] New additions


  • Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.
  • Added support for storing filenames in Unicode for SMB protocol.
  • Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.


[*] Improvements


  • Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
  • Performance improvement when SYN rate limit has reached and drop is configured as next action
  • Control-socket and side-channel support for FreeBSD platform.
  • Fixed issue in file signature lookup for retransmitted FTP packet.
  • Enhanced the processing of SIP/RTP future flows without ignoring them.
  • Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
  • Added a null check to prevent copy unless debugHostIp is configured in AppId.
  • Fixed issue where FTP file type block doesn't work for retried download.
  • Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
  • Performance improvements for SIP/RTP audio and video data flow in AppId.
  • Performance and stability improvements in FTP preprocessor like incorrect referencing of ftp_data_session after its pruned.
  • Stability improvement by resolving valgrind reported issues in AppId.
  • Improved flushing mechanism for HTTP POST header.
  • Added changes to display AppId for IPv6 unified events.
  • Fixed issues with printing of messages for out-of-order packets.
  • Fixed issue in increment of detection filter counter when rule is used in multiple configurations.
  • Fixed dynamic preprocessor compilation failure in OpenBSD platform.
  • Added changes to improve performance of ipvar list comparison.
  • Enhanced SMTP client detection by allowing line folding and all authentication methods.

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!

Tuesday, October 10, 2017

Snort Subscriber Rule Set Update for 10/10/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 10/10/2017, MSTuesday


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules of which 6 are Shared Object rules and made modifications to 28 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11762:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44518 through 44519.

Microsoft Vulnerability CVE-2017-11763:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44528 through 44529.

Microsoft Vulnerability CVE-2017-11793:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44508 through 44509.

Microsoft Vulnerability CVE-2017-11798:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44532 through 44533.

Microsoft Vulnerability CVE-2017-11800:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also
included in this release and are identified with GID 1, SIDs 44333
through 44334.

Microsoft Vulnerability CVE-2017-11810:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44510 through 44511.

Microsoft Vulnerability CVE-2017-11822:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44512 through 44513.

Microsoft Vulnerability CVE-2017-8689:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44516 through 44517.

Microsoft Vulnerability CVE-2017-8694:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44514 through 44515.

Microsoft Vulnerability CVE-2017-8727:
A coding deficiency exists in Microsoft Windows Shell that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44526 through 44527.

Talos also has added and modified multiple rules in the browser-ie,
file-image, file-office, file-other, os-windows and server-webapp rule
sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 5, 2017

Snort Subscriber Rule Set Update for 10/05/2017

Just released:
Snort Subscriber Rule Set Update for 10/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules of which 4 are Shared Object rules and made modifications to 12 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-multimedia, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 3, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 290, includes
  • A total of 2,837 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Snort Subscriber Rule Set Update for 10/03/2017, DNSMasq

Just released:
Snort Subscriber Rule Set Update for 10/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules of which 0 are Shared Object rules and made modifications to 6 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, protocol-dns, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!