Tuesday, March 31, 2015

Snort Subscriber Rule Set Update for 03/31/2015

Just released:
Snort Subscriber Rule Set Update for 03/31/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 54 new rules and made modifications to 23 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, malware-other, policy-other, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort++ Build 144 Available Now

Snort++ build 144 is now available on snort.org.  We have a number of updates this time for you!

New features:

  • ported dns inspector
  • ported ssh inspector
  • added doc/usage.txt

Bug fixes and enhancements:
  • reworked autotools generation of api_options.h
  • updated default manuals
  • apply service from hosts when inspector already bound to flow
  • ensure direction and service are applied to packet regardless of flow state
  • enable active for react / reject only if used in configuration
  • eliminate dedicated nhttp chunk buffer
  • minor nhttp cleanup in StreamSplitter
  • fixed host lookup issue
  • folded classification.lua and reference.lua into snort_defaults.lua
  • apply defaults from parameter tables instead of relying on ctors etc.
  • fix static analysis issues reported by xcode
  • change policy names with a-b form to a_b for consistency
  • make all warnings optional
  • fix ip and tcp policy defines
  • fix ip and icmp flow client/server ip init
  • added build foo for lzma; refactored configure.ac
  • enhancements for checking compatibility of external plugins

You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Thursday, March 26, 2015

Snort Subscriber Rule Set Update for 03/26/2015

Just released:
Snort Subscriber Rule Set Update for 03/26/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-webkit, exploit-kit, file-flash, file-pdf, malware-cnc, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort++ Update

Just pushed build 143 to github (snortadmin/snort3):

  • added ssh inspector
  • apply service from hosts when inspector already bound to flow
  • ensure direction and service are applied to packet regardless of flow state
  • enable active for react / reject only if used in configuration
  • fixed use of bound ip and tcp policy if not set in hosts
  • eliminate dedicated nhttp chunk buffer
  • minor nhttp cleanup in StreamSplitter


Wednesday, March 25, 2015

Snort VIM Configuration posted!

Our own Victor Roemer of the Snort team has taken the time to write up his own VIM configuration for the Snort rules language.

I've posted a link to his github page over on the documentation page under "Additional Resources"

Thanks Victor!

Tuesday, March 24, 2015

Snort Subscriber Rule Set Update for 03/24/2015

Just released:
Snort Subscriber Rule Set Update for 03/24/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-flash, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Thursday, March 19, 2015

Snort Subscriber Rule Set Update for 03/19/2015

Just released:
Snort Subscriber Rule Set Update for 03/19/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-image, file-other, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort++ Update

Just pushed build 142 to github (snortadmin/snort3):

  • fixed host lookup issue
  • folded classification.lua and reference.lua into snort_defaults.lua
  • apply defaults from parameter tables instead of relying on ctors etc.
  • fix static analysis issues reported by xcode
  • change policy names with a-b form to a_b for consistency
  • make all warnings optional
  • fix ip and tcp policy defines
  • fix ip and icmp flow client/server ip init
  • added plugin and logging examples to usage


Wednesday, March 18, 2015

Snort Subscriber Rule Set Update for 03/17/2015

Just released:
Snort Subscriber Rule Set Update for 03/17/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
33833
33834
33835

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, malware-cnc, protocol-voip, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Thursday, March 12, 2015

Snort 2.9.7.2 has been released!

Snort 2.9.7.2 is now available on snort.org at
http://www.snort.org/downloads in the Snort Stable Release section.

Release Notes:

2015-03-10 - Snort 2.9.7.2
[*] New additions
* Support for Cisco FabricPath decoding/encoding.

[*] Improvements
* Resolved an issue where the inline normalization preprocessor incorrectly
resized packets when 'preprocessor normalize_tcp: trim' was enabled.

* Resolved crash in file processing of HTTP continuations.


Snort Subscriber Rule Set Update for 03/12/2015

Just released:
Snort Subscriber Rule Set Update for 03/12/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
33815
33816
33818
33819
33820
33821
33822

Talos's rule release:
Talos has added and modified multiple rules in the file-flash, malware-backdoor, malware-cnc, os-windows, pua-adware, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Basic Snort++ Usage

For the following examples "$my_path" is assumed to be the path to the Snort++ install directory. Additionally, it is assumed that "$my_path/bin" is in your PATH.

Environment


LUA_PATH is used directly by Lua to load and run required libraries. SNORT_LUA_PATH is used by Snort to load supplemental configuration files.
    export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
    export SNORT_LUA_PATH=$my_path/etc/snort

Help


Print the help summary:
    snort --help
Get help on a specific module ("stream", for example):
    snort --help-module stream
Get help on the "-A" command line option:
    snort --help-options A
Grep for help on threads:
    snort --help-config | grep thread
Output help on "rule" options in AsciiDoc format:
    snort --markup --help-options rule
Note: Snort++ stops reading command-line options after the "--help-*" and "--list-*" options, so any other options should be placed before them.

Sniffing and Logging


Read a pcap:
    snort -r /path/to/my.pcap
Dump the packets to STDOUT:
    snort -r /path/to/my.pcap -K text
Dump packets with application data and layer 2 headers:
    snort -r /path/to/my.pcap -K text -d -e
Note: Command line options must be specified separately. "snort -de" won't work. You can still concatenate options and their arguments, however, so "snort -Ktext" will work.

Dump packets from all pcaps in a directory:
    snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -K text -d -e
Log packets to a directory:
    snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -K pcap \
        -l /path/to/log/dir

Configuration


Validate a configuration file:
    snort -c $my_path/etc/snort/snort.lua
Validate a rules file and a configuration file:
    snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
Read rules from stdin and validate:
    snort -c $my_path/etc/snort/snort.lua --stdin-rules < \
        $my_path/etc/snort/sample.rules
Enable warnings for Lua configurations and make warnings fatal:
    snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic
Tell Snort++ where to look for additional Lua scripts:
    snort --script-path /path/to/script/dir

IDS Mode


Run Snort++ in IDS mode, reading packets from a pcap:
    snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r /path/to/my.pcap
Log any generated alerts to the console using the "-A" option:
    snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r /path/to/my.pcap -A alert_full
Add or modify a configuration from the command line using the "--lua" option:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap \
        --lua 'ips = { enable_builtin_rules = true }'
Note: The "--lua" option can be specified multiple times.

Run Snort++ in IDS mode on an entire directory of pcaps, processing each input source on a separate thread:
    snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
        --pcap-filter '*.pcap' --max-packet-threads 8

Output Files


To make it simple to configure outputs when you run with multiple packet threads, output files are not explicitly configured. Instead, you can use the options below to format the paths:
    <logdir>/[<run_prefix>][<id#>][<X>]<name>
Log to unified in the current directory:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2
Log to unified in the current directory with a different prefix:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
        --run-prefix take2
Log to unified in /tmp:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
        -l /tmp
Run 4 packet threads and log with thread number prefix (0-3):
    snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
        --pcap-filter '*.pcap' -z 4 -A unified2
Run 4 packet threads and log in thread number subdirs (0-3):
    snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
        --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir
NOTE: subdirectories are created automatically if required. Log filename is based on module name that writes the file. All text mode outputs default to stdout. These options can be combined.

Shell


You must build with --enable-shell to make the command line shell available.
Enable shell mode:
    snort --shell 
You will see the shell mode command prompt, which looks like this:
    o")~
(The prompt can be changed with the SNORT_PROMPT environment variable.)
You can pause immediately after loading the configuration and again before exiting with:
    snort --shell --pause 
In that case you must issue the resume() command to continue. Enter quit() to terminate Snort or detach() to exit the shell. You can list the available commands with help().
To enable local telnet access on port 12345:
    snort --shell -j 12345 
The command line interface is still under development. Suggestions are welcome.

Signals


The following examples assume that Snort++ is currently running and has a process ID of <pid>.

Modify and Reload Configuration:
    echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua
    kill -hup <pid>
Dump stats to stdout:
    kill -usr1 <pid>
Shutdown normally:
    kill -term <pid>
Exit without flushing packets:
    kill -quit <pid>
List available signals:
    snort --help-signals
Note: The available signals may vary from platform to platform.
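The reload step above appends a suppress entry and sends SIGHUP immediately, so a typo in the Lua would first be noticed by the live process. The following POSIX shell function is an added example (not part of the Snort++ usage text or the project's own code): it validates the modified configuration with "--warn-all --pedantic" before replacing the live file and signalling the process. The function name, the SNORT_BIN override and the ".new" candidate file are assumptions; "snort" is assumed to be in PATH with LUA_PATH and SNORT_LUA_PATH set as in the Environment section.

```shell
#!/bin/sh
# Added example, not from the Snort++ usage text. Assumes "snort" is in PATH
# (or SNORT_BIN points at it) and the LUA_PATH / SNORT_LUA_PATH environment
# from the Environment section is exported.

# reload_with_suppress <snort.lua> <pid> <gid> <sid>
# Appends a suppress entry to a copy of the config, validates the copy with
# "snort -c ... --warn-all --pedantic", and only then replaces the live file
# and sends SIGHUP to the running Snort++ process.
# Returns 0 on success, 1 on a copy/move/kill failure, 2 if validation fails
# (in that case the live config is left untouched and the copy is removed).
reload_with_suppress() {
    conf="$1"; pid="$2"; gid="$3"; sid="$4"
    snort_bin="${SNORT_BIN:-snort}"
    candidate="${conf}.new"          # assumed candidate-file name, same directory

    cp "$conf" "$candidate" || return 1
    printf 'suppress = { { gid = %s, sid = %s } }\n' "$gid" "$sid" >> "$candidate"

    # Fatal warnings plus pedantic mode: reject anything Snort++ would complain
    # about before the running sensor ever sees it.
    if ! "$snort_bin" -c "$candidate" --warn-all --pedantic >/dev/null 2>&1; then
        rm -f "$candidate"
        return 2
    fi

    mv "$candidate" "$conf" || return 1
    kill -HUP "$pid"
}

# Example invocation mirroring the usage text (gid 1, sid 2215):
#   reload_with_suppress "$my_path/etc/snort/snort.lua" <pid> 1 2215
```

Note that each top-level `suppress = { ... }` assignment in Lua replaces the previous one, so appending a second such line overwrites the earlier entry rather than adding to it; edit the table in place when more than one suppression is needed.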

Wednesday, March 11, 2015

Snort++ Update


Just pushed build 141 to github (snortadmin/snort3):
  • added build foo for lzma; refactored configure.ac
  • enhancements for checking compatibility of external plugins
  • added doc/usage.txt
Note that the plugin API was changed with this release to be more robust.  All plugins must be rebuilt.

Tuesday, March 10, 2015

Snort Subscriber Rule Set Update for 03/10/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 03/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 107 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-018:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33287 through 33288, 33707 through
33710, 33718 through 33721, 33726 through 33727, 33730 through 33731, 33736
through 33739, 33741 through 33744, and 33763 through 33764.

Microsoft Security Bulletin MS15-020:
A coding deficiency exists in Microsoft Windows Shell that may lead to remote
code execution.

A previously released rule will detect attacks targeting these vulnerabilities
and has been updated with the appropriate reference information. It is included
in this release and is identified with GID 1, SID 17042.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 33775 through 33776.

Microsoft Security Bulletin MS15-021:
A coding deficiency exists in the Adobe Font Driver that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33711 through 33714, 33722 through
33725, 33728 through 33729, and 33732 through 33733.

Microsoft Security Bulletin MS15-022:
A coding deficiency exists in Microsoft Office that may lead to an escalation
of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33705 through 33706, 33715 through
33716, 33734 through 33735, and 33808 through 33809.

Microsoft Security Bulletin MS15-023:
A coding deficiency exists in a Microsoft Kernel Mode driver that may lead to
an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33765 through 33770.

Microsoft Security Bulletin MS15-024:
A coding deficiency exists in Microsoft PNG image processing that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33760 through 33761.

Microsoft Security Bulletin MS15-025:
A coding deficiency exists in the Microsoft Windows Kernel that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33773 through 33774.

Microsoft Security Bulletin MS15-026:
A coding deficiency exists in Microsoft Exchange Server that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33762, 33807, and 33810 through
33811.

Microsoft Security Bulletin MS15-027:
A coding deficiency exists in Microsoft Netlogon that may allow spoofing
attacks.

A previously released rule will detect attacks targeting this vulnerability and
has been updated with the appropriate reference information. It is included in
this release and is identified with GID 3, SID 15453.

Microsoft Security Bulletin MS15-028:
A coding deficiency exists in the Microsoft Task Scheduler that may allow a
security feature bypass.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 33717.

Microsoft Security Bulletin MS15-029:
A coding deficiency exists in a Microsoft graphics component that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33771 through 33772.

Microsoft Security Bulletin MS15-030:
A coding deficiency exists in Microsoft Remote Desktop protocol that may lead
to a Denial of Service (DoS).

A previously released rule will detect attacks targeting these vulnerabilities
and has been updated with the appropriate reference information. It is included
in this release and is identified with GID 1, SID 21232.

Microsoft Security Bulletin MS15-031:
A coding deficiency exists in Microsoft Schannel that may allow a security
feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 33777 through 33806.

Talos has added and modified multiple rules in the blacklist, browser-ie,
file-image, file-office, file-other, malware-cnc, malware-other, os-windows,
server-mail and server-webapp rule sets to provide coverage for emerging
threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Thursday, March 5, 2015

Snort Subscriber Rule Set Update for 03/05/2015, OpenSSL

Just released:
Snort Subscriber Rule Set Update for 03/05/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 84 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
33677
33678

Talos's rule release:
OpenSSL RSA_EXPORT attack CVE-2015-0204:
A coding deficiency in OpenSSL exists that may lead to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this
release and are identified with GID 1, SIDs 33686 through 33703.

Talos has also added and modified multiple rules in the blacklist,
browser-chrome, file-identify, file-other, malware-cnc, protocol-voip,
server-other and sql rule sets to provide coverage for emerging threats from
these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, March 4, 2015

Snort Subscriber Rule Set Update for 03/03/2015

Just released:
Snort Subscriber Rule Set Update for 03/03/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour

33646
33647
33648
33650

Avery Tarasov

33649


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-other, browser-plugins, exploit-kit, file-identify, file-image, file-other, malware-cnc, pua-adware, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Monday, March 2, 2015

Snort++ Build 140 Available Now

Snort++ build 140 is now available.  This is the second monthly update of the downloads.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Continued code sync with Snort 2.9.7:
  • sync 297 http xff, swf, and pdf updates
  • sync ftp with 297; replace stream event callbacks with FlowData virtuals
  • sync stream with 297
  • 297 sync of active and codecs
  • sync normalizations with 297
Other updates:
  • normalization refactoring, renaming
  • fix icmp4 encoding
  • fix encoder check for ip6 extensions
  • update documentation on new HTTP inspector, binder, and wizard
  • documented gotcha regarding rule variable definitions in Lua
  • uncrustify, see crusty.cfg
Please submit bugs, questions, and feedback to bugs@snort.org.

Happy Snorting!
The Snort Release Team