Thursday, July 9, 2020

Snort rule update from July 9, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes one new rule, two modified rules and 12 new shared object rules.

This release provides another rule covering the major vulnerability in F5 BIG-IP that's made headlines over the past week. Adversaries are using this vulnerability to target big-name organizations using the BIG-IP service.

Monday, July 6, 2020

Snort rule update for July 6 includes coverage for F5 BIG-IP vulnerability

Cisco Talos just released Snort coverage for a prominent vulnerability in F5’s BIG-IP.

BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution vulnerability over the weekend that was assigned a maximum 10 out of 10 severity score.

CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make their interfaces inaccessible from the internet and patch as soon as possible. The latest Snort rule set also includes rule 54462 to protect users from the exploitation of this vulnerability.

Thursday, July 2, 2020

Snort rule update from July 2, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 11 new rules and four new shared object rules.

This release provides new coverage against the NetWire trojan. Adversaries have recently been exploiting an old Microsoft Equation Editor vulnerability — CVE-2017-1182 — to deliver this malware as the final payload.

Tuesday, June 30, 2020

Snort rule update for June 30, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 18 new rules, four modified rules and six new shared object rules.

Today's release provides new coverage for the Zeus malware, which recently expanded with a new loader. There are also several new rules providing protection against the well-known Valak malware.

Tuesday, June 23, 2020

Snort rule update for June 23, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 15 new rules and one modified rule.

Today's release provides new coverage for the IndigoDrop malware, which Talos recently discovered and reported on. For more information on this threat, which is spreading Cobalt Strike beacons, read the full Talos blog here.

Tuesday, June 16, 2020

Snort rule update for June 16, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 10 new rules, 16 modified rules and eight new shared object rules.

Today's release provides new coverage for several different malware families, including the Agent adware, Nanocore RAT and Tinba dropper.

Updates to Snort guides for CentOS, rule writing in 3

Our documentation on Snort 3 running on CentOS and the Snort Rules Writing guide for Snort 3 have been updated.

Thanks to community member Yaser for providing the updates.

The Snort 3 guide now has expanded information on logging options — such as syslog and JSON. There is also a new performance optimization section.

The Rules Writing guide has new syntax comparisons showing how file_type detection is written in the different Snort versions, as well as a comparison of app ID syntax.

As always, you can view all of our guides on the Snort Documentation page.

Thursday, May 28, 2020

Snort rule update for May 28, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 30 new rules and 15 modified rules.

Today's release continues our wave of Trickbot rules, blocking the trojan that's been spread recently through COVID-19-themed spam emails. There are also new rules preventing the Copperhedge malware family from making outbound connections.

Tuesday, May 26, 2020

New Real-time Network Awareness (RNA) inspector feature added to Snort 3 beta

By Masud Hasan, additional contributions by Jon Munshaw and Joel Esler. 

As we near our “General Availability” (or GA) release of Snort 3.0 later this year, we’re going to be introducing content such as our videos, how-to guides and other installation documents. 

With our most recent release of the Snort 3 beta, we added a new inspector, "RNA", to provide network visibility. For those of you that have been using Sourcefire products, you'll remember this feature as "Real-Time Network Awareness", a technology that we invented and patented back then.

In this initial release, RNA analyzes passing traffic to discover hosts, with filtering based on IP/port/zone. It logs information about these hosts such as protocols, applications and user agents (collected from other modules), and operating systems (using predefined fingerprints). RNA does not generate or alter traffic on its own. Keep in mind that this preprocessor is a work in progress for Open Source users, and more functionality will be added over time.

To enable host discovery (this feature is disabled by default), edit the config file referred to by rna_conf_path (in your snort.conf). That file can contain the following keywords:

Analyze             # discover application, host, user (only host discovery is implemented)
AnalyzeHostUser     # discover application, host, user (same as Analyze)
AnalyzeApplication  # discover application
AnalyzeHost         # discover application, host
AnalyzeUser         # discover application, user
portexclusion       # don't discover on this port

Format:

config keyword [!]ip [zone]
portexclusion dst|src|both tcp|udp port ip

Examples:

config AnalyzeHost 0.0.0.0/0 -1       # discover any ipv4 on any zone
config AnalyzeHost ::/0 2             # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3      # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64       # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.8.8.8      # exclude this ip for UDP port 53 in destination direction
portexclusion both tcp 4000 ::0/0     # exclude any ipv6 for TCP port 4000 in both directions
Note that exclusion has a higher priority than inclusion. The enable_logger config enables or disables sending RNA discovery events to EventManager::call_loggers. This type of event logger or reader is not implemented yet. However, since RNA stores host information into host_cache, to log the discovered hosts into a file, users can issue a socket command — host_cache.dump('file.out') — or add lua config — host_cache = { dump_file = 'file.out'}.

For example:

> cat rna.conf
config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0

> cat snort.lua
stream = { }
stream_tcp = { }
host_cache = { dump_file = 'file.out' }
rna = { rna_conf_path = 'rna.conf' }

Then, run Snort with TCP traffic such as:

1.1.1.1:23 zone1 <--> 8.8.8.8:22 zone2
2.2.2.2:23 zone3 <--> 9.9.9.9:22 zone4
3.3.3.3:1234 zone1 <--> 2.2.2.2:80 zone2
When Snort closes, it writes the following file.out, which lists the hosts discovered from the traffic after filtering (in least-recently-used order):

IP: 8.8.8.8
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:09:08:07:06:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00

IP: 1.1.1.1
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:01:02:03:04:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00
As always, feedback on this work-in-progress feature may be sent to the Snort Users mailing list.
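To make the filtering rules above concrete, here is an added Python model of the rna.conf semantics (written for this page, not Snort's own code): it parses the config keywords, applies "exclusion beats inclusion" per zone, and drops flows hit by a portexclusion. The sample config and flows are constructed from the example above; treating a portexclusion match as suppressing the whole flow is an assumption drawn from the sample output.

```python
import ipaddress

# Constructed rna.conf with the same directives as the page's example.
RNA_CONF = """config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0"""

# Constructed flows mirroring the sample traffic: (ip, port, zone) per side, protocol.
FLOWS = [(("1.1.1.1", 23, 1), ("8.8.8.8", 22, 2), "tcp"),
         (("2.2.2.2", 23, 3), ("9.9.9.9", 22, 4), "tcp"),
         (("3.3.3.3", 1234, 1), ("2.2.2.2", 80, 2), "tcp")]

def in_net(ip, net):
    addr = ipaddress.ip_address(ip)
    return addr.version == net.version and addr in net

def parse_rna_conf(text):
    """analyze: (exclude, network, zone), zone -1 = any; portex: (dir, proto, port, network)."""
    analyze, portex = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if parts and parts[0] == "config":  # config keyword [!]ip [zone]
            net = ipaddress.ip_network(parts[2].lstrip("!"), strict=False)
            zone = int(parts[3]) if len(parts) > 3 else -1
            analyze.append((parts[2].startswith("!"), net, zone))
        elif parts and parts[0] == "portexclusion":  # portexclusion dst|src|both tcp|udp port ip
            portex.append((parts[1], parts[2], int(parts[3]),
                           ipaddress.ip_network(parts[4], strict=False)))
        elif parts:
            raise ValueError(f"unknown rna.conf directive: {raw!r}")
    return analyze, portex

def host_allowed(ip, zone, analyze):
    hits = [ex for ex, net, z in analyze if in_net(ip, net) and z in (-1, zone)]
    return bool(hits) and not any(hits)  # any matching exclusion beats every inclusion

def flow_excluded(src, dst, proto, portex):
    # Assumption: a matching portexclusion suppresses discovery for the whole flow,
    # which is what the sample output shows (3.3.3.3 in zone 1 is not listed).
    for direction, p, port, net in portex:
        ends = {"src": (src,), "dst": (dst,), "both": (src, dst)}[direction]
        if p == proto and any(e[1] == port and in_net(e[0], net) for e in ends):
            return True
    return False

def discover_hosts(conf_text, flows):
    analyze, portex = parse_rna_conf(conf_text)
    found = []
    for src, dst, proto in flows:
        if not flow_excluded(src, dst, proto, portex):
            found += [ip for ip, _p, zone in (src, dst)
                      if host_allowed(ip, zone, analyze) and ip not in found]
    return found
```

Running discover_hosts(RNA_CONF, FLOWS) yields 1.1.1.1 and 8.8.8.8, the same two hosts as the file.out above; the model does not reproduce the dump's least-recently-used ordering.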

Thursday, May 21, 2020

Snort rule update for May 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 16 new rules, 12 modified rules, nine modified shared object rules and six new shared object rules.

Today's release provides new coverage for the Trickbot malware family, which was recently used in a spam campaign associated with fake emails alleging to be from the U.S. Department of Labor. We also have rules protecting against CVE-2020-3280, a critical remote code execution vulnerability in Cisco Unified Contact Center.