Snort Subscriber Rule Set Update for 12/28/2017

Just released:
Snort Subscriber Rule Set Update for 12/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 1 new rules of which 0 are Shared Object rules and made modifications to 357 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:

Talos has added and modified multiple rules in the and malware-cnc rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 12/21/2017

Just released:
Snort Subscriber Rule Set Update for 12/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules of which 1 are Shared Object rules and made modifications to 39 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:

Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-other, browser-plugins, file-flash, file-java, file-multimedia, file-office, file-other, malware-cnc, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Setting up Snort 3.0.0 on Ubuntu 14 and 16

A big thanks to our wonderful Snort community member, Noah Dietrich, who was gracious enough to write an installation and setup guide for Snort 3.0.0's most current build (as of today) (b241).

We placed this on the Snort.org Documents page under "Snort Setup Guides".  If you are interested in getting started with Snort 3.0's latest build, please check it out.

Snort Subscriber Rule Set Update for 12/19/2017

Just released:
Snort Subscriber Rule Set Update for 12/19/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 5 are Shared Object rules and made modifications to 613 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-executable, file-other, malware-cnc, malware-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 241 to github (snortadmin/snort3).  Another big list:

• alert_csv: various fixes to match alert_json
• alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
• alert_json: various fixes
  thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issues
• appid: close all Lua states when thread exits
• appid: gracefully handle failed Lua state instantiation
  thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue.
• appid: only update session flags and discovery state if service id actually set to http
• appid: patch to update the appid discovery state when an http event results in setting of the      service id for a flow
• appid: return false from is_third_party_appid_available when no third party module is available.
• appid: tweak warnings and errors
• binder: activate profiler support
• binder: add FIXIT re creating default bindings when the wizard is not configured
• binder: fix ingress / egress test
• binder: minor perf and readability tweaks
• build: fixed build issues on OSX with clang with cd_pbb, alert_json
• build: fixed several dyanmic modules on OSX / clang
• build: suppress appid warnings for valid case statement fall throughs
• byte_test: fix string bounds check
• catch: Update to Catch v2.0.1
• cmake: add --define to configure_cmake.sh for arbitrary defines
• codec: added wlan support for arp_spoof
• codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc
  thanks to schrx3b6 for reporting the issue
• conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP
• conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups
• control: must execute from default policy only
• control: process flow first
• cppcheck: More miscellaneous fixes, mostly for new Catch
• daq: explicitly initialize more fields in SFDAQInstance constructor
• daq: handle real IP and port
• data_bus: also publish to default policy
• data_bus: refactor basic access for pub / sub
• dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
• detection: fix option tree looping issue
• detection: rename ServiceInfo to SignatureServiceInfo
• doc: fix type in style section
• doc: update default manuals
• file api: move file verdict enforcement out of file policy
• file api: support file verdict delay during signature lookup
• file policy and file config update to allow user define customized file policy through file api
• file policy: add support for file event logging
• file_api: Set the FileContext verdict, not a local verdict
• file_id: add back the ref count for file config
• file_id: add interface to access file info from file capture
• file_id: support groups
• hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable
• http_inspect: add profiler support
• http_inspect: fix bugs related to stream interaction
• http_inspect: use configured max_pdu as base target reassembly size
• inspection: default policy mode depends on adaptor mode
• ips options: error if lookup fails due to bad case, typos, etc.
  thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue
• memory: no stats output unless configured
• normalizer: added test mode
• normalizer: fix enable checks
• parsing: resolve paths from the current config directory instead of process directory
• policy: added inspection policy config.
• port_scan: add alert_all to make alerting on all events in window optional
• port_scan: fix flow checks
• profiler: fix focus of eventq
• reputation: tweak warning message
• rules: default msg = "no msg in rule"
• sfrt: remove cruft and reformat header
• shell: fixed crash when issuing control commands
• sip: use log splitter for tcp
• snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
• snort2lua: Convert file_magic.conf to Lua format.
• snort2lua: added inspection uuid
• snort2lua: added na_policy_mode. added ability amend tables if created.
• snort2lua: added normalize_tcp: ftp
• snort2lua: fix stream_size: to_client, to_server conversion
• snort2lua: future proof --bind-wizard binding order
• snort2lua: no sticky buffer for relative pcre
• snort2lua: remove when udp from binding to support tcp too
• snort2lua: tweak const name for clarity (internal)
• snort2lua: urilen:<> --> bufferlen:<=>
• snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
• soid: allow stub to contain any or all options
• --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
• stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
• stream_*: separate session profiler data from flow cache profiler data
• stream_ip: fix non-frag counting
• stream_size: fix eval packet checks
• stream_tcp: delete superfluous memsets to zero
• stream_tcp: ignore flush requests on unitialized sessions (early abort condition)
• stream_tcp: instantiate wizard only when needed
• stream_tcp: remove empty default state action
• stream_user: clear splitter properly
• target_based: Install header
• wizard: abort if no match
• wizard: activate profiler support
• wizard: usage is inspect

Snort Subscriber Rule Set Update for 12/14/2017

Just released:
Snort Subscriber Rule Set Update for 12/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 0 are Shared Object rules and made modifications to 29 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-image, file-other, file-pdf, malware-cnc, os-windows, protocol-dns, protocol-telnet and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 12/12/2017, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 12/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 51 new rules of which 3 are Shared Object rules and made modifications to 34 additional rules of which 4 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11885:
A coding deficiency exists in Windows RRAS Service that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45130 through 45131.

Microsoft Vulnerability CVE-2017-11886:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2017-11888:
A coding deficiency exists in Microsoft Edge that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45121 through 45122.

Microsoft Vulnerability CVE-2017-11889:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-11890:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45138 through 45139.

Microsoft Vulnerability CVE-2017-11893:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45162 through 45163.

Microsoft Vulnerability CVE-2017-11894:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45140 through 45141.

Microsoft Vulnerability CVE-2017-11895:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2017-11901:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45144 through 45145.

Microsoft Vulnerability CVE-2017-11903:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45146 through 45147.

Microsoft Vulnerability CVE-2017-11907:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45148 through 45149.

Microsoft Vulnerability CVE-2017-11909:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45150 through 45151.

Microsoft Vulnerability CVE-2017-11911:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45155 through 45156.

Microsoft Vulnerability CVE-2017-11913:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40132 through 40133.

Microsoft Vulnerability CVE-2017-11914:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45128 through 45129.

Microsoft Vulnerability CVE-2017-11916:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45169 through 45170.

Microsoft Vulnerability CVE-2017-11918:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45160 through 45161.

Microsoft Vulnerability CVE-2017-11930:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45167 through 45168.

Microsoft Vulnerability CVE-2017-11935:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45123 through 45124.

Microsoft Vulnerability CVE-2017-11937:
A coding deficiency exists in Microsoft Malware Protection Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45152 through 45153.

Talos also has added and modified multiple rules in the
browser-firefox, browser-ie, browser-plugins, file-multimedia,
file-office, file-other, file-pdf, indicator-compromise, os-windows,
policy-other, protocol-snmp and server-webapp rule sets to provide
coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

PulledPork 0.7.3 release!

Released last night, PulledPork 0.7.3 has hit the streets and is downloadable from the pulledpork Github page.

The release notes say the following:

This release includes bug fixes related to some versioning code in the latest version of Snort and other outstanding issues.

The next version of PulledPork will begin work on Snort 3 as we are looking forward to the first beta and compatible ruleset with the engine.

Snort Subscriber Rule Set Update for 12/07/2017

Just released:
Snort Subscriber Rule Set Update for 12/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules of which 0 are Shared Object rules and made modifications to 804 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the blacklist, malware-cnc, malware-other, policy-social, protocol-rpc, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 12/05/2017

Just released:
Snort Subscriber Rule Set Update for 12/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules of which 8 are Shared Object rules and made modifications to 182 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
44763
44764
44768
45090
45091
45092

Talos's rule release:

Talos has added and modified multiple rules in the deleted, file-flash, file-office, file-pdf, malware-cnc, protocol-scada, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!