Tuesday, November 24, 2020

Snort rule update for Nov. 21, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

This morning's release includes protection against several different malware families. There are a few new rules specifically defending against the Zbot (aka Zeus, Zloader, etc.) which was recently spotted targeting adult websites. Other malware families covered in this release include Razy and Zusy.

Here's a breakdown of this morning's rule release:

Shared object rules Modified shared object rules New rules Modified rules
250330

Thursday, November 19, 2020

Snort 2.9.17.0 has been released

We are pleased to release Snort 2.9.17.0, a bug-fix version of Snort. First, the release notes:

Snort 2.9.17.0

New Additions

  • Added support for s7Commplus protocol.
  • Support for allowing common names across rule options.
  • Added support to detect TCP Fast Open packets.
Improvements / Fixes
  • Added support for HTTP Range header parsing to detect whether an HTTP request/response carries partial or full content.
  • Miscellaneous SMB bug fixes.
  • Fixed a TCP segment queue hole issue, following the RFC 793 recommendation for out-of-order ACK packet handling.
  • Fixed multiple static analysis issues.
  • Fixed the DNS application detector failing to detect DNS traffic in some scenarios.
  • Fixed compiler warnings.
  • Fix to populate the original IP in dropped events when inline normalization is enabled with the unified2 output method.
  • Fixed handling of encrypted traffic by the SIP preprocessor.
  • Added port 853 to the SSL detector, since DNS over TLS runs over SSL.
    • Also improved the SIP preprocessor's detection of SSL-encrypted SIP traffic.
  • Fixes to the byte_math operation.
  • Fixed GCC 10.1.1 compile issues.
  • Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured.
  • Fix to address some cases of ambiguous response codes between SMTP and FTP, and the case where the SMTP server does not support EHLO.
  • Fixed AppID caching the proxy IP instead of the tunneled IP in the dynamic cache during Ultrasurf traffic.
  • Fixed a popup message on the Windows uninstall operation.
  • Added a message asking users to choose WinPcap 4.1.1 on Windows.

As always this maintenance release of Snort 2.9.17.0 is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Snort rule update for Nov. 19, 2020

A new rule update is out this morning for SNORTⓇ.

Cisco Talos' newest release includes new rules for the Cisco Integrated Management Controller that protect against a recently disclosed critical vulnerability. There are also new rules protecting against the exploitation of a different critical bug in Cisco's IoT Field Network Director that could allow an adversary to access the back-end database of the affected device and read, alter or drop information.

Here's a breakdown of this morning's rule release:

Shared object rules Modified shared object rules New rules Modified rules
11 5 18 1

Wednesday, November 18, 2020

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for the Snort OpenAppID Detector content.

This release — build 339 — includes:
  • A total of 2,927 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.
The release is available now on our downloads page. We look forward to users downloading and using the new features of 2.9.16.1's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID package is also compatible with our Snort 3.0 release.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Tuesday, November 17, 2020

Snort rule update for Nov. 17, 2020

Cisco Talos just released the newest SNORTⓇ rule update

This set of rules includes a number of new rules protecting against a critical bug in the Cisco Security Manager software that could allow a remote attacker without credentials to execute arbitrary code on the victim's device. The latest Security Manager update also patches these vulnerabilities. Cisco also disclosed two other high-severity vulnerabilities this week.

Here's a breakdown of this afternoon's rule release:

Shared object rules Modified shared object rules New rules Modified rules
8 0 88 2

Tuesday, November 10, 2020

Snort rule update for Nov. 10, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

Here's a breakdown of this evening's rule release:

Shared object rules Modified shared object rules New rules Modified rules
6 3 65 9

Tuesday, October 20, 2020

Snort rule update for Oct. 20, 2020

Cisco Talos released the newest set of rules for SNORTⓇ this morning.

Shared object rules Modified shared object rules New rules Modified rules
11 0 50 503

Tuesday's release is full of new rules protecting against various malware strains. Among them are new protections against Emotet, which is now disguising itself as a fake Windows update. There's also new coverage for the Cerber ransomware and the UPATRE trojan.

Thursday, October 15, 2020

Better application logging with Snort3

By Costas Kleopa.

With the introduction of OpenAppID in SNORT®, we started to provide application-based information for our network flows. A user could enable the AppID preprocessor, load our Open Detector Package (snort-openappid.tgz) from the Snort Downloads page and, with the integration of any third-party tools, get a deeper graphical representation of what's running over a network. (See the blog here for an example showing integration with Splunk.) The app_stats logging configuration allowed us to report some basic statistics on what type of traffic we see per application and the overall traffic size observed during a specific recurring time interval.


We also provide additional AppID-based control via the IPS rules. These IPS rules allow us to block or alert on the actual application and ultimately log this information on a per-packet basis. The combination of alert/logging in IPS rules partially met a use case the field has been asking for, which is logging the application per connection. Unfortunately, this was not the best solution, since it reports the information per packet, which can cause performance issues and a lot of duplicate data.
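To make the per-packet versus per-connection distinction concrete, here is an added example (not code from this post or from Snort) that collapses constructed per-packet AppID alert records, the kind the IPS-rule approach produces, into one record per connection, and then rolls those up per application in the spirit of app_stats. The record layout, IPs and application names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed per-packet AppID alert records (not a real Snort log format).
# Field layout assumed for this example:
# (src_ip, src_port, dst_ip, dst_port, proto, app, bytes)
PACKET_ALERTS = [
    # AppID often identifies the app only after the first packets of a flow.
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "unknown", 74),
    ("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "unknown", 74),
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "HTTPS", 517),
    ("203.0.113.10", 443, "10.0.0.5", 51000, "tcp", "HTTPS", 1460),
    ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp", "HTTPS", 1460),
    ("10.0.0.7", 40212, "198.51.100.2", 53, "udp", "DNS", 64),
    ("198.51.100.2", 53, "10.0.0.7", 40212, "udp", "DNS", 120),
    ("10.0.0.7", 40213, "198.51.100.2", 53, "udp", "DNS", 70),
]


def flow_key(rec):
    """Direction-insensitive 5-tuple so both halves of a connection merge."""
    a = (rec[0], rec[1])
    b = (rec[2], rec[3])
    return (rec[4],) + (a + b if a <= b else b + a)


def per_connection_app_log(alerts):
    """Collapse per-packet alerts into one entry per connection.

    The application label is refined as later packets report a known app,
    mirroring how AppID settles on an app after the first few packets.
    """
    flows = {}
    for rec in alerts:
        entry = flows.setdefault(flow_key(rec),
                                 {"app": "unknown", "packets": 0, "bytes": 0})
        if rec[5] != "unknown":
            entry["app"] = rec[5]
        entry["packets"] += 1
        entry["bytes"] += rec[6]
    return flows


def app_stats(flows):
    """Per-application totals over the connection log, as app_stats does per interval."""
    stats = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows.values():
        stats[f["app"]]["flows"] += 1
        stats[f["app"]]["bytes"] += f["bytes"]
    return dict(stats)
```

Eight per-packet records here become three connection entries, which is the duplication the per-packet approach causes at scale.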

Snort rule update for Oct. 15, 2020

Cisco Talos released the newest set of rules for SNORTⓇ this morning.

Shared object rules Modified shared object rules New rules Modified rules
0 0 11 506

Thursday's release has a new rule to protect against Emotet. The botnet is still out there, and is now using lure documents that promise to provide a Windows operating system update.

Tuesday, October 13, 2020

Snort rule update for Oct. 13, 2020

Cisco Talos released the newest SNORTⓇ rule update, coinciding with Microsoft Patch Tuesday. Here's an overview of today's rule release:

Shared object rules Modified shared object rules New rules Modified rules
6 0 59 513

Thursday's release provides several rules to protect against vulnerabilities in an array of Microsoft's products. For more on Patch Tuesday, check out the full blog over on the Talos site here.