Tuesday, March 28, 2017

Snort Subscriber Rule Set Update for 03/28/2017

Just released:
Snort Subscriber Rule Set Update for 03/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 306 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
37045
42059


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-executable, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-linux, os-other, os-windows, policy-other, protocol-scada, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, March 27, 2017

Snort++ Update

Pushed build 230 to github (snortadmin/snort3):
  • require hyperscan >= 4.4.0, check runtime support; thanks to justin.viiret@intel.com for submitting the patch 
  • fix search tool issue with empty pattern database; thanks to justin.viiret@intel.com for reporting the issue
  • fix sip_method to error out if sip not instantiated
  • major appid overhaul to address lingering concerns: refactor, cleanup, simplify
  • major detection overhaul to address lingering concerns: refactor, cleanup, release memory ASAP
  • add FlatBuffers output format to perf_monitor; also added tool to convert FlatBuffers files to yaml
  • add regex.fast_pattern; do not use for fast pattern unless explicitly indicated
  • update copyrights to 2017

Thursday, March 23, 2017

Snort Subscriber Rule Set Update for 03/23/2017

Just released:
Snort Subscriber Rule Set Update for 03/23/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
42059



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, malware-cnc, malware-other, os-windows, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 21, 2017

Snort Subscriber Rule Set Update for 03/21/2017

Just released:
Snort Subscriber Rule Set Update for 03/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
42019
42021


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 14, 2017

Snort 2.9.7.6 is End of Life!

In accordance with our End of Life Policy, today's release marks the End of Life for Snort 2.9.7.6, as detailed in our blog post back in February.

Please start upgrading your Snort systems now if you are on Snort 2.9.7.6.

Snort Subscriber Rule Set Update for 03/14/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 03/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 77 new rules and made modifications to 62 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Security Bulletin MS17-006:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41575 through 41576, 41585 through 41590, and 41625
through 41626.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41954
through 41957.

Microsoft Security Bulletin MS17-007:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41553 through 41554, 41557 through 41562, 41573
through 41574, 41583 through 41584, 41593 through 41594, 41605 through
41606, and 41625 through 41626.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41936
through 41939, 41942 through 41945, 41948 through 41953, 41958 through
41959, 41968 through 41969, and 41987 through 41988.

Microsoft Security Bulletin MS17-009:
A coding deficiency exists in Microsoft Windows PDF Library that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41601 through 41602.

Microsoft Security Bulletin MS17-010:
A coding deficiency exists in Microsoft Windows SMB Server that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 41978 and 41983
through 41984.

Microsoft Security Bulletin MS17-011:
A coding deficiency exists in Microsoft Uniscribe that may lead to
remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41597 through 41598.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41934
through 41935, 41940 through 41941, 41960 through 41961, 41966 through
41967, 41972 through 41975, 41985 through 41986, and 41991 through
41992.

Microsoft Security Bulletin MS17-012:
A coding deficiency exists in Microsoft Windows that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41563 through 41564 and 41567 through 41572.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41989
through 41990.

Microsoft Security Bulletin MS17-013:
A coding deficiency exists in Microsoft Graphics Component that may
lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41591 through 41592.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41932
through 41933, 41946 through 41947, 41970 through 41971, and 41993
through 41994.

Microsoft Security Bulletin MS17-014:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41565 through 41566, 41577 through 41578, 41581
through 41582, 41597 through 41598, and 41797 through 41798.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41962
through 41965, 41976 through 41977, and 41979 through 41982.

Microsoft Security Bulletin MS17-017:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40394 through 40395 and 41607 through 41610.

Microsoft Security Bulletin MS17-018:
A coding deficiency exists in Microsoft Windows Kernel-Mode Drivers
that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41579 through 41580.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41926
through 41931 and 41995 through 41998.

Microsoft Security Bulletin MS17-021:
A coding deficiency exists in Microsoft DirectShow that may lead to
information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41633 through 41634.

Microsoft Security Bulletin MS17-022:
A coding deficiency exists in Microsoft XML Core Services that may lead
to information disclosure.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40364 through 40365.

Talos also has added and modified multiple rules in the browser-ie,
file-executable, file-flash, file-image, file-office, file-other,
file-pdf, os-other, os-windows and server-samba rule sets to provide
coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 9, 2017

Snort Subscriber Rule Set Update for 03/09/2017, Release 2 -- Apache Struts2 Content-Disposition

Just released:
Snort Subscriber Rule Set Update for 03/09/2017, Release 2


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 4 additional rules.

This rule pack introduces coverage for another attack vector to the recent Apache Struts2 vulnerability, through Content-Disposition.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 03/09/2017

Just released:
Snort Subscriber Rule Set Update for 03/09/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 70 new rules and made modifications to 46 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-webkit, exploit-kit, file-other, os-linux, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, March 7, 2017

Snort Subscriber Rule Set Update for 03/07/2017, Release 2, Apache Struts2 Vulnerability

Just released:
Snort Subscriber Rule Set Update for 03/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-office, indicator-obfuscation, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 03/07/2017

Just released:
Snort Subscriber Rule Set Update for 03/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-image, file-other, indicator-scan, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, March 2, 2017

Snort Subscriber Rule Set Update for 03/02/2017

Just released:
Snort Subscriber Rule Set Update for 03/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules and made modifications to 11 additional rules.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-pdf, indicator-compromise, malware-cnc, malware-tools, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Alpha 4 Available Now!

The fourth alpha release of Snort++ is now available on snort.org.  If you haven't tried Snort++ yet, now is a good time to do so as this pig sports a superset of Snort 2.9.8.3 functionality:
  • Support for multiple packet processing threads 
  • Improved throughput and latency performance
  • Improved detection 
  • Modular design 
  • Plugin framework with over 200 plugins
  • More scalable memory profile
  • A brand new HTTP inspector
  • Service rules like alert http
  • Rule "sticky" buffers
  • LuaJIT configuration, loggers, and rule options
  • Auto-detect common services for portless configuration
  • Rewritten TCP handling
  • New rule parser and syntax
  • New performance monitor
  • New time and space profiling
  • New latency monitoring and enforcement
  • Automake or Cmake - your choice
  • Builtin help and generated reference documentation
The first beta release is expected around midyear at which point Talos will provide 3.0 rule downloads.  In the meantime, you can use the snort2lua utility packaged with Snort++ to convert 2.X rules and confs.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org monthly.  You can also get the latest  updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Wednesday, March 1, 2017

2017 Snort Scholarship is now open!

We are currently accepting submissions for our 2017 Snort Scholarship award!

This year we will be awarding $10, 000 scholarship awards to two individuals pursuing a higher education degree that meets our eligibility criteria.

To be eligible for consideration, you must:

1. be eligible to receive your high school diploma or equivalent in 2017 as of the date Cisco receives your application.

2. provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cyber security or similarly related field of study.

The deadline to apply for consideration is April 3, 2017.

For more information about contest rules, eligibility requirements, or to complete a submissions form, visit our Snort Scholarship page.

Best of luck!

Snort Subscriber Rule Set Update for 02/28/2017, 2nd Edition

Just released:
Snort Subscriber Rule Set Update for 02/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-multimedia, file-office, indicator-compromise, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!