Tuesday, November 30, 2021

Snort rule update for Nov. 30, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

Tuesday morning's release includes a new rule to protect against the high-profile DarkSide ransomware. The group, which later resurfaced under the BlackMatter name, targeted several high-profile companies across the globe this year, including two companies in the U.S. food and agriculture sector.

This new rule detects when the ransomware attempts to make an outbound connection.

Here's a full breakdown of the rest of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
10 0195

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 349 — includes:
  • 3,123 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.
The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback, please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our most recent Snort 3 releases.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.

Monday, November 29, 2021

Snort 2.9.18.0 end of life

This is notification that SNORTⓇ 2.9.18.0 will reach its End of Life (EOL) tomorrow, Nov. 30, 2021.

Users can upgrade to the latest version of Snort 3. For more on the benefits of Snort 3, click here. Alternatively, users can update to any newer version of Snort 2.9.

Tuesday, November 23, 2021

Snort 3.1.17.0 has been released — Check out this new version!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.17.0 contains several new features and bug fixes. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Here's a complete rundown of all the changes and new features in this latest version of Snort 3.

Tuesday, November 16, 2021

Snort rule update for Nov. 16, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

Tuesday morning's release includes a new rule to protect against the SQUIRRELWAFFLE attack we detailed in late October. SQUIRRELWAFFLE gives threat actors an initial foothold on systems and their network environments, which can then be used to facilitate further compromise or additional malware infections, depending on how adversaries choose to monetize their access.

Here's a full breakdown of the rest of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
01239

Thursday, November 4, 2021

Snort rule update for Nov. 4, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

We apologize that these rule blog posts have not been as frequent recently; our comms team was on a bit of a fall break. But we're excited to let everyone know about today's rule release.

We have multiple rules available to protect against exploitation of several vulnerabilities Cisco disclosed in some of its routers, which could allow unauthenticated attackers to log in using hard-coded credentials or default SSH keys.

Here's a full breakdown of the rest of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
12 0141

Wednesday, November 3, 2021

Snort 3.1.16.0 has been released!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.16.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Changes in this release (since 3.1.15.0):

  • appid: during initialization, skip loading of Lua detectors that don't have validate function
  • appid: in packet threads, skip loading of detectors that don't have validate function on reload
  • appid: provide API to give client_app_detection_type
  • codec: geneve - ensure injected packets have geneve port in outer udp header
  • detection: refactor mpse serialization
  • detection: rename PortGroup to the more apt RuleGroup (and related)
  • detection: replace PortGroup::alloc/free with ctor/dtor
  • doc: add SIP built-in rule documentation
  • doc: update built-in rule doc for SMTP, IMAP and POP inspectors
  • doc: update built-in rules documentation for dns module
  • doc: update built-in rules documentation for ftp-telnet
  • doc: updated builtin rules documentation for gtp module
  • flow: fix warning in flow_cache.cc
  • flow: use the same pkt_type to link and unlink unidirectional flows
  • http2_inspect: refactor decoded_headers_buffer for hpack decoding
  • http_inspect: eliminate cumulative js data processing
  • http_inspect: handle unordered PDUs for inline/external JavaScript normalization
  • http_inspect: improve file decompression
  • hyperscan: sort patterns for dump / load stability
  • ips: correct fast pattern port group counts
  • mpse: add md5 check to deserialization
  • reload: add logs to track reload process
  • reload: move out reload progress flag to reload tracker
  • search_engine: support hyperscan serialization
  • search_engine: support port group serialization
  • sip: track memory for sip sessions
  • ssl: disable inspection on alert only at fatal level
  • stream_tcp: fix init_wscale() to take into account the DECODE_TCP_WS flag
  • tcp: remove the obsolete GNUC block from TcpOption::next()
  • tcp: stop on the EOL option in TcpOptIteratorIter::operator++()
  • utils: add get methods to peek in internal buffer
  • utils: correct Normalizer's output upon the next scan
  • wizard: update globbing and max_pattern
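As an added illustration of the kind of parsing the stream_tcp and tcp entries above touch (option iteration that stops at the EOL option, and window-scale handling), here is a small TCP options walker. It is example code written for this page, not Snort's implementation; the option bytes it scans are constructed, and the struct, function and field names are my own.

```cpp
// Added example, not Snort code: a TCP options walker that stops at the
// EOL option, skips NOPs, bounds-checks every option length, and records
// the window scale from a SYN. The byte strings below are constructed.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum : uint8_t { TCPOPT_EOL = 0, TCPOPT_NOP = 1, TCPOPT_MSS = 2, TCPOPT_WSCALE = 3 };

struct TcpOptScan {
    bool malformed = false;      // a length byte pointed outside the options area
    bool saw_wscale = false;     // a window scale option (kind 3) was present
    uint8_t wscale = 0;          // shift count, capped at 14 per RFC 7323
    int options_seen = 0;        // options other than NOP/EOL that were parsed
    size_t bytes_after_eol = 0;  // padding (or junk) ignored after EOL
};

// opts/len cover only the option bytes: data_offset*4 minus the 20-byte
// fixed header. Parsing stops at the first EOL; whatever follows is not
// interpreted, so a "second" option list hidden after EOL is never seen.
TcpOptScan scan_tcp_options(const uint8_t* opts, size_t len)
{
    TcpOptScan r;
    size_t i = 0;
    while (i < len) {
        const uint8_t kind = opts[i];
        if (kind == TCPOPT_EOL) {
            r.bytes_after_eol = len - i - 1;
            return r;
        }
        if (kind == TCPOPT_NOP) {
            ++i;
            continue;
        }
        // every remaining kind carries a length byte; make sure it is there
        if (i + 1 >= len) {
            r.malformed = true;
            return r;
        }
        const uint8_t optlen = opts[i + 1];
        // a length below 2 would never advance; one past len would read off the end
        if (optlen < 2 || optlen > len - i) {
            r.malformed = true;
            return r;
        }
        if (kind == TCPOPT_WSCALE) {
            if (optlen != 3) {
                r.malformed = true;
                return r;
            }
            r.saw_wscale = true;
            r.wscale = opts[i + 2] > 14 ? 14 : opts[i + 2];
        }
        ++r.options_seen;
        i += optlen;
    }
    return r;
}

// Constructed SYN options (12 bytes, a multiple of 4 as data_offset requires):
// MSS 1460, NOP, window scale 7, EOL, then three junk bytes that spell a
// second window-scale option. A walker that kept going past EOL would
// overwrite wscale with 14; this one never reads them.
std::vector<uint8_t> sample_syn_options()
{
    return {0x02, 0x04, 0x05, 0xb4,   // MSS = 1460
            0x01,                     // NOP
            0x03, 0x03, 0x07,         // WSCALE = 7
            0x00,                     // EOL
            0x03, 0x03, 0x0e};        // junk after EOL (looks like WSCALE = 14)
}

TcpOptScan scan_sample_syn()
{
    const std::vector<uint8_t> opts = sample_syn_options();
    return scan_tcp_options(opts.data(), opts.size());
}

int main()
{
    const TcpOptScan r = scan_sample_syn();
    std::printf("malformed=%d wscale=%u options=%d bytes_after_eol=%zu\n",
                r.malformed, r.saw_wscale ? r.wscale : 0u, r.options_seen, r.bytes_after_eol);
    return 0;
}
```

The reason this matters for an IDS rather than just for an endpoint: if the inspector and the receiving host disagree about where the option list ends, or about the scale factor, they compute different receive windows and the inspector can be talked into accepting or dropping segments the host treats the opposite way. The cap at 14 follows RFC 7323; whether a scale from one SYN applies at all also depends on the peer having sent its own window scale option, which this walker does not track.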

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide them through the steps of getting set up, from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to Talos' newest rule detection functionality for as little as $29 a year with a personal account. Be sure to see our business pricing as well here. Stay up to date to catch the most emerging threats.

Friday, October 29, 2021

Snort 3.1.15.0 has been released -- Check out this new version!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.15.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Since the API inside Snort 3 has changed with this version, users of the LightSPD package will need to use the latest LightSPD release (posted yesterday, October 28, 2021).

Tuesday, October 19, 2021

Snort rule update for Oct. 19, 2021

The newest SNORTⓇ rule update is available this morning from Cisco Talos.

Our rule release includes detection content for several different malware families, including the AndroSpy backdoor and Quasar RAT, a .NET-based malware used by a variety of attackers.

Here's a full breakdown of the rest of Tuesday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
0230

Thursday, October 14, 2021

Snort rule update for Oct. 14, 2021

Cisco Talos released the newest SNORTⓇ rule update today. This release includes protections against several vulnerabilities, including ones in Trend Micro Email Encryption Gateway and the phpMyAdmin tool.

Here's a full breakdown of the rest of Thursday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
2250