Friday, January 31, 2014

Snort Community Rules Attribution I missed yesterday

Apologies to Yaser Mansour: yesterday we published three of his rules, and I didn't include them in the Community list!

So, thanks to Yaser Mansour for his rules:
29492
29493
29494

The community ruleset is doing great.  We've added hundreds of rules since its inception in March, and I get more inquiries all the time about contributing!

Thursday, January 30, 2014

Sourcefire VRT Certified Snort Rules Update for 01/30/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/30/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 19 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-webkit, exploit-kit, file-java, file-multimedia, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Snort 2.9.6.0's manual has been posted!

As many of you may know, the Snort Manual is always included within the tarball in the /docs directory.

However, I always keep the PDF on http://www.snort.org/docs and the HTML version over at http://manual.snort.org updated as well.  I've just updated the two manuals to the latest version.

Thanks!

Snort 2.9.6.0 Install Guides have been posted!

William Parker has diligently updated his great Install Guides for Snort 2.9.6.0 and sent them in.  I've uploaded them to the usual spot here: http://www.snort.org/docs

Thanks so much, William; your guides and contributions to the community are great!

Wednesday, January 29, 2014

EOL dates posted for Snort 2.9.4.6 and Snort 2.9.5.5

Greetings everyone.  Just wanted to update the site, now that we have released Snort 2.9.6.0, with the new EOL dates for VRT rule support for Snort versions 2.9.4.6 and 2.9.5.5.

Please take a look at the updated dates and plan accordingly!

https://www.snort.org/eol

Make sure you review the policy, and if there are any questions, please be sure to ask.

Tuesday, January 28, 2014

Sourcefire VRT Certified Snort Rules Update for 01/28/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/28/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 3 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the policy-social rule set to provide coverage for emerging threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Friday, January 24, 2014

Snort 2.9.6.0 is now available!

Snort 2.9.6.0 is now available on Snort.org, at https://www.snort.org/downloads in the Latest Release section.

[*] New additions
* Add support to do file specific processing within DCERPC preprocessor for files being transferred over SMB.
* File capture and storage -- saves files as they traverse the network via a new preprocessor that ties in support within HTTP, FTP, SMTP, POP, IMAP, and SMB. See README.file and README.file_server (under tools/file_server) for details.
* Add <= and >= operators to byte_test rule option.
* Update SMTP to detect Cyrus SASL authentication attack.
* Add capability to capture a single session from start to end.
* EXPERIMENTAL: Add support to leverage file type identification in snort rules. See README.file_ips for details.

[*] Improvements
* Only inject active responses when a TCP session is established.
* Update the POP and IMAP protocols to support simple PAF for improved identification and capture of files.
* Update SMTP, POP, IMAP to improve inspection when mime boundaries are split across packets.
* Address an issue where end of line was handled incorrectly for Quoted Printable email attachments.
* Handle out of order SSL handshake in SMTP when STARTTLS is used and fix checks for SSL type only within the SSL handshake.
* Update sensitive data preprocessor to handle a stateful search of patterns across multiple packets.
* Address a few issues in the Snort manual and other READMEs for flowbits and tunneling.
* Save off packet data for quicker debugging in case of a SIGABRT or SIGBUS.
* Fix alignment of sfxhash node for SPARC platforms.


See the Release Notes and ChangeLog for more details.
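The `<=` and `>=` operators are the one rule-language change in this list, and their meaning is easiest to see by evaluating a byte_test comparison against real payload bytes. The Python below is an added illustration, not Snort's code: the `byte_test` function, the `_OPS` table and the sample payload are assumptions made for the example. Before 2.9.6.0 a rule expressed "greater than or equal" by negating `<` (the `!<` form); the example shows that the old and new spellings agree, and that a field running past the end of the payload never matches, negated or not.

```python
"""Evaluator for the comparison part of Snort's byte_test rule option.
Added illustration, not Snort's own code: the function names, the
operator table and the sample payload are constructed for this example."""

# Operators accepted by byte_test. "&" and "^" are bit tests; the rest
# compare the extracted integer against <value>. "<=" and ">=" are the
# two added in Snort 2.9.6.0.
_OPS = {
    "<":  lambda field, value: field < value,
    ">":  lambda field, value: field > value,
    "=":  lambda field, value: field == value,
    "<=": lambda field, value: field <= value,   # new in 2.9.6.0
    ">=": lambda field, value: field >= value,   # new in 2.9.6.0
    "&":  lambda field, value: (field & value) != 0,
    "^":  lambda field, value: (field ^ value) != 0,
}


def byte_test(payload, nbytes, op, value, offset, little_endian=False):
    """Return True when the nbytes-wide unsigned integer starting at
    payload[offset] satisfies "<op> <value>".

    A leading "!" on op negates the comparison, as in the rule syntax;
    "!<" was the way to express ">=" before 2.9.6.0. This example models
    the binary (non-string) form with 1 to 4 bytes, big-endian by
    default, and treats a field that runs past the end of the payload
    as a non-match regardless of negation (an assumption of the example:
    a missing field should never fire a rule).
    """
    if nbytes not in (1, 2, 3, 4):
        raise ValueError("this example handles 1 to 4 bytes")
    negate = op.startswith("!")
    op = op[1:] if negate else op
    if op not in _OPS:
        raise ValueError("unknown byte_test operator: %r" % op)
    chunk = payload[offset:offset + nbytes]
    if len(chunk) < nbytes:
        return False
    field = int.from_bytes(chunk, "little" if little_endian else "big")
    result = _OPS[op](field, value)
    return (not result) if negate else result


def main():
    # Constructed payload: a two-byte big-endian length field of 1024
    # (0x0400) followed by one trailing byte.
    payload = bytes([0x04, 0x00, 0xFF])
    # Old spelling and new spelling of "length >= 1024" agree.
    assert byte_test(payload, 2, "!<", 1024, 0) == byte_test(payload, 2, ">=", 1024, 0)
    print("length >= 1024:", byte_test(payload, 2, ">=", 1024, 0))
    print("length >  1024:", byte_test(payload, 2, ">", 1024, 0))
    print("field past end:", byte_test(payload, 2, ">=", 0, 2))


if __name__ == "__main__":
    main()
```

The string and dce modes of byte_test, and the relative/bitmask modifiers, are deliberately left out; the point is only the comparison step, where `>=` now replaces the harder-to-read `!<`.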

Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting! The Snort Release Team

Wednesday, January 22, 2014

Sourcefire VRT Certified Snort Rules Update for 01/22/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/22/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 63 new rules and made modifications to 42 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
29395
29396
29397
29398
29399

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-firefox, browser-plugins, exploit-kit, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-mobile, policy-spam, protocol-icmp, protocol-rpc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, January 21, 2014

Libpcap 1.5.3 has been released

A quick follow up to an earlier post I put up on the blog concerning Libpcap version 1.5.2: http://blog.snort.org/2014/01/reported-libpcap-152-issues.html

Libpcap has released 1.5.3, which appears to fix the issues caused by 1.5.2.  We haven't fully tested it, but under initial assessment it seems to clear up the issues.

Thursday, January 16, 2014

Sourcefire VRT Certified Snort Rules Update for 01/16/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/16/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 35 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour:
29377
29378
29379
29380

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the app-detect, blacklist, browser-webkit, dos, exploit-kit, file-identify, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, January 14, 2014

Sourcefire VRT Certified Snort Rules Update for 01/14/2014, MSTuesday

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/14/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 46 new rules and made modifications to 37 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
29349

In VRT's rule release:
Microsoft Security Bulletin MS14-002:
A programming error in the Microsoft Windows Kernel-Mode NDProxy Driver could lead to an escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 28867 through 28872.

The Sourcefire VRT has also added and modified multiple rules in the app-detect, blacklist, exploit-kit, file-office, file-pdf, malware-cnc, os-windows, protocol-dns, protocol-imap, protocol-scada, pua-p2p and web-client rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Reported Libpcap 1.5.2 issues.

All,

Just to let you know, we've been made aware of an apparent issue with Libpcap 1.5.2 on Linux (Snort hangs upon startup).  1.5.2 is working fine on FreeBSD in our initial testing.

Libpcap 1.4.0 is working perfectly fine and we recommend you use that until a fix is pushed into Libpcap.

Thursday, January 9, 2014

Sourcefire VRT Certified Snort Rules Update for 01/09/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/09/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 117 new rules and made modifications to 64 additional rules.

There was one change made to the snort.conf in this release:
Port 7071 was added to http_inspect, HTTP_PORTS, and Stream5
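A port has to be listed in all three of those places for HTTP on it to be inspected: stream5 must reassemble the session, http_inspect must normalize it, and rules keyed on $HTTP_PORTS must see it. A port present in one list but not the others is a silent coverage gap. The script below is an added example, not from this post or the Snort project, that checks a snort.conf for that consistency; SAMPLE_CONF is a constructed, cut-down configuration in the shape of the real directives (not the shipped file), and the helper names are the example's own.

```python
"""Check that a TCP port is listed everywhere snort.conf needs it for HTTP
inspection: the HTTP_PORTS portvar, the http_inspect_server default
"ports { ... }" list and the stream5_tcp "ports client/both" lists.
Added example, not the project's code; SAMPLE_CONF is a constructed,
cut-down configuration and the helper names are the example's own."""
import re

# Constructed sample in the shape of the real directives (not the shipped
# snort.conf). Backslash continuations are folded before matching.
SAMPLE_CONF = """\
portvar HTTP_PORTS [80,8080,7071]
preprocessor stream5_tcp: policy windows, detect_anomalies, require_3whs 180, \\
    overlap_limit 10, small_segments 3 bytes 150, timeout 180, \\
    ports client 21 22 23 25 42 53 135 139 445, \\
    ports both 80 443 8080 7071
preprocessor http_inspect_server: server default \\
    http_methods { GET POST PUT } \\
    ports { 80 8080 7071 } \\
    server_flow_depth 0
"""

# The same configuration with 7071 left out of two of the three places.
SAMPLE_CONF_MISSING = (
    SAMPLE_CONF
    .replace("ports { 80 8080 7071 }", "ports { 80 8080 }")
    .replace("ports both 80 443 8080 7071", "ports both 80 443 8080")
)


def _join_continuations(text):
    """Fold backslash-newline continuations so each directive is one line."""
    return re.sub(r"\\\n\s*", " ", text)


def _ports_from(joined, pattern):
    """Apply a pattern with one capture group and return the integers in it.
    Port ranges such as 8000:8010 are not expanded (only their end points
    are returned), which is enough for a membership check on single ports."""
    match = re.search(pattern, joined, re.M)
    if not match:
        return set()
    return {int(p) for p in re.findall(r"\d+", match.group(1))}


def http_port_locations(conf_text, port):
    """Map each required location to whether `port` appears there."""
    joined = _join_continuations(conf_text)
    http_ports = _ports_from(joined, r"^portvar\s+HTTP_PORTS\s*\[([^\]]*)\]")
    inspect_ports = _ports_from(
        joined,
        r"^preprocessor\s+http_inspect_server:\s*server\s+default\b.*?\bports\s*\{([^}]*)\}",
    )
    # stream5 may carry HTTP ports under "ports client" or "ports both".
    stream_ports = _ports_from(
        joined, r"^preprocessor\s+stream5_tcp:.*?\bports\s+client\s+([\d ]+)"
    ) | _ports_from(
        joined, r"^preprocessor\s+stream5_tcp:.*?\bports\s+both\s+([\d ]+)"
    )
    return {
        "HTTP_PORTS": port in http_ports,
        "http_inspect_server": port in inspect_ports,
        "stream5_tcp": port in stream_ports,
    }


def missing_locations(conf_text, port):
    """Names of the locations where `port` is absent, sorted; empty means OK."""
    return sorted(
        name for name, present in http_port_locations(conf_text, port).items()
        if not present
    )


if __name__ == "__main__":
    for label, conf in (("complete", SAMPLE_CONF), ("incomplete", SAMPLE_CONF_MISSING)):
        gaps = missing_locations(conf, 7071)
        print(label, "->", "port 7071 listed everywhere" if not gaps
              else "missing from: " + ", ".join(gaps))
```

To run it against a real file, read snort.conf into a string and pass it with the port in question; only the `server default` block of http_inspect_server is examined, so per-server `profile` blocks that override the port list would need a second pattern.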

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
29126
29127
29216
29217
29220
29259
29260
29261
29262
29263
29300

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-identify, file-java, file-office, file-other, indicator-obfuscation, malware-cnc, netbios, os-windows, protocol-rpc, protocol-scada, pua-toolbars and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Tuesday, January 7, 2014

Sourcefire VRT Certified Snort Rules Update for 01/07/2014

Just released:
Sourcefire VRT Certified Snort Rules Update for 01/07/2014

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 53 new rules and made modifications to 656 additional rules.

There were no changes made to the snort.conf in this release.

The VRT would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov:
29167

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-identify, file-java, file-other, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!

Thursday, January 2, 2014

Sourcefire VRT Certified Snort Rules Update for 12/31/2013

We welcome the introduction of the newest rule release from the VRT. In this release we introduced 73 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

In VRT's rule release:
The Sourcefire VRT has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-office, indicator-compromise, malware-backdoor, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to the VRT's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at http://www.snort.org/store. Make sure to stay up to date to catch the most emerging threats!