Friday, May 29, 2015

Snort Subscriber Rule Set Update for 05/28/2015

Just released:
Snort Subscriber Rule Set Update for 05/28/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 1 new rule and made modifications to 345 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, file-executable, file-flash, file-image, file-multimedia, file-office, file-other, malware-cnc, netbios, os-windows, protocol-dns, protocol-icmp and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Thursday, May 28, 2015

Snort++ DAQ and Logger Updates

There are several changes in recent updates that provide new ways to input packets and output event data. Much of the change is driven by development and test needs but you may find the new capabilities useful as well. Here is a brief summary:

Hext DAQ Added

Inputs raw packets, or TCP payload tagged with a 4-tuple, given in hex or quoted text.

Configure with:

    stream_user = { }

Use with:

    --daq-dir ~/install/lib/snort_extra/daqs
    --daq hext
    [--daq-var dlt=1] # optional raw ethernet
    -r  | -i tty

Example input:

    $packet 10.1.2.3 48620 -> 10.9.8.7 80

    "GET / HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "\r\n"

Example raw ethernet input (set dlt=1):

    # 0 [98]

    x02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 00 00 54 00 03  # ..............E..T..
    x00 00 40 06 5C 8E 0A 01 02 03 0A 09 08 07 BD EC 00 50 00 00  # ..@.\............P..
    x00 02 00 00 00 02 50 10 20 00 7D D5 00 00 47 45 54 20 2F 74  # ......P.  .}...GET /t
    x72 69 67 67 65 72 2F 31 20 48 54 54 50 2F 31 2E 31 0D 0A 48  # rigger/1 HTTP/1.1..H
    x6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74 0D 0A 0D 0A        # ost: localhost....

Additional commands are available to specify packets, clients, and servers. Check the user manual for details.

File DAQ Added

Performs detection, file type identification and file signature calculation on plain files (no packets needed).

Configure with:

    stream_file = { }

    file_id =
    {
        enable_type = true,
        enable_signature = true,
        file_rules = file_magic
    }

Use with:

    --daq file
    -r 

This will print out file type and signature stats so you can see how Snort++ will process a file without having to put it in a pcap. You can also use --pcap-dir and --max-packet-threads to quickly process a whole directory. Use -s to process with larger "packets" (i.e. buffers). Note that the output is still being cleaned up.

In addition to basic file processing, you can do the usual detection with IPS rules.

Socket DAQ Added

Snort will accept up to two connections and bridge them together, passing the payload through detection.

Configure with:

    stream_user = { }

Use with:

    --plugin-path ~/install/lib/snort_extra
    --daq-dir ~/install/lib/snort_extra/daqs
    --daq socket

For example, you can do:

    $ nc localhost 8000
    client

    $ nc localhost 8000
    server

"client" or "server" are output to indicate which end of the flow you are on.

Socket Codec Added

Required to use the socket DAQ. Also required to use the hext DAQ when not in raw mode. The socket codec counts include packets you don't explicitly generate: the socket DAQ automatically generates start-of-flow and end-of-flow packets as connections are opened and closed, and the hext DAQ automatically generates an end-of-flow packet at end of file.

Hext Logger Added

Dump TCP stream payload with 4-tuple information (default mode) or all full packets (raw mode) suitable for input with the hext DAQ.

Use with:

    --plugin-path ~/install/lib/snort_extra
    -L hext:

To get:

    $packet 10.1.2.3 48620 -> 10.9.8.7 80

    x47 45 54 20 2F 74 72 69 67 67 65 72 2F 31 20 48 54 54 50 2F  # GET /trigger/1 HTTP/
    x31 2E 31 0D 0A 48 6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74  # 1.1..Host: localhost
    x0D 0A 0D 0A                                                  # ....

    $packet 10.9.8.7 80 -> 10.1.2.3 48620

    x48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E  # HTTP/1.1 200 OK..Con
    x74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 32 0D 0A 0D 0A     # tent-Length: 12....
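
The hext text format is shared by the hext DAQ (input, described above) and the hext logger (output, just shown). As an added example, not code from the Snort++ project or from the original post, here is a small Python encoder and parser for the 4-tuple mode of that format: it renders a record as `$packet` header plus either the hex-with-ASCII-comment lines the logger prints or the quoted-text lines the DAQ also accepts, and parses such text back into bytes, so you can hand-craft or programmatically generate test input for `--daq hext`. The embedded sample is the logger output above; the odd-bytes record and the round-trip check are constructed for the example. Raw mode (dlt=1, whole Ethernet frames) is not modelled.

```python
import re
from dataclasses import dataclass
from typing import List


# One hext record in 4-tuple mode: the "$packet" header plus the payload
# bytes that follow it.  (Raw-mode frames, --daq-var dlt=1, are not modelled.)
@dataclass
class HextRecord:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


HEADER_RE = re.compile(r"^\$packet\s+(\S+)\s+(\d+)\s+->\s+(\S+)\s+(\d+)\s*$")


def _quote(chunk: bytes) -> str:
    """C-style quoted form, as accepted on a "..." hext line."""
    out = []
    for b in chunk:
        c = chr(b)
        if c == '"' or c == "\\":
            out.append("\\" + c)
        elif c == "\r":
            out.append("\\r")
        elif c == "\n":
            out.append("\\n")
        elif c == "\t":
            out.append("\\t")
        elif 32 <= b < 127:
            out.append(c)
        else:
            out.append("\\x%02x" % b)
    return '"' + "".join(out) + '"'


def _unquote(body: str) -> bytes:
    """Undo _quote: interpret \\r \\n \\t \\xNN \\\\ \\" escapes into bytes."""
    return body.encode("latin-1").decode("unicode_escape").encode("latin-1")


def encode_hext(rec: HextRecord, quoted: bool = False, width: int = 20) -> str:
    """Render a record as hext text.  Default: 'x' hex lines of `width` bytes
    with an ASCII comment (the hext logger layout, 20 bytes per line).
    quoted=True: one quoted-text line per payload line instead."""
    lines = ["$packet %s %d -> %s %d" % (rec.src, rec.sport, rec.dst, rec.dport), ""]
    if quoted:
        for line in rec.payload.splitlines(keepends=True):
            lines.append(_quote(line))
    else:
        for i in range(0, len(rec.payload), width):
            chunk = rec.payload[i:i + width]
            hexpart = " ".join("%02X" % b for b in chunk)
            text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
            lines.append("x%-*s  # %s" % (width * 3 - 1, hexpart, text))
    return "\n".join(lines) + "\n"


def parse_hext(text: str) -> List[HextRecord]:
    """Parse 4-tuple-mode hext text into records.  Blank and '#' comment lines
    are ignored; quoted and hex lines may be mixed under one header."""
    records: List[HextRecord] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if m:
            cur = HextRecord(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), b"")
            records.append(cur)
            continue
        if cur is None:
            raise ValueError("payload line before any $packet header: %r" % raw)
        if line.startswith('"'):
            end = line.rfind('"')
            if end == 0:
                raise ValueError("unterminated quoted line: %r" % raw)
            cur.payload += _unquote(line[1:end])
        elif line.startswith("x"):
            hexbody = line[1:].split("#", 1)[0]          # drop the ASCII comment
            cur.payload += bytes(int(tok, 16) for tok in hexbody.split())
        else:
            raise ValueError("unrecognised hext line: %r" % raw)
    return records


def roundtrip(rec: HextRecord, quoted: bool) -> bool:
    """True if encoding then parsing reproduces the record exactly."""
    back = parse_hext(encode_hext(rec, quoted=quoted))
    return len(back) == 1 and back[0] == rec


# The two records printed by the hext logger in the post above.
LOGGER_SAMPLE = """\
$packet 10.1.2.3 48620 -> 10.9.8.7 80

x47 45 54 20 2F 74 72 69 67 67 65 72 2F 31 20 48 54 54 50 2F  # GET /trigger/1 HTTP/
x31 2E 31 0D 0A 48 6F 73 74 3A 20 6C 6F 63 61 6C 68 6F 73 74  # 1.1..Host: localhost
x0D 0A 0D 0A                                                  # ....

$packet 10.9.8.7 80 -> 10.1.2.3 48620

x48 54 54 50 2F 31 2E 31 20 32 30 30 20 4F 4B 0D 0A 43 6F 6E  # HTTP/1.1 200 OK..Con
x74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 32 0D 0A 0D 0A     # tent-Length: 12....
"""

if __name__ == "__main__":
    for rec in parse_hext(LOGGER_SAMPLE):
        print(rec.src, rec.sport, "->", rec.dst, rec.dport, len(rec.payload), "bytes")
        print(encode_hext(rec, quoted=True))      # same record, DAQ quoted-text form
```

Writing the quoted form is the convenient way to hand-edit a request (change a header, lengthen a field) and replay it through `--daq hext` without rebuilding a pcap; the parser is what you would use to check that such a file still decodes to the bytes you intended before feeding it to Snort++.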

CSV Logger Updated

This logger was completely rewritten and is a good choice for logging a custom format with a simple config.

With -A csv you get the default format for alerts like this (timestamp, pkt_num, proto, pkt_gen, dgm_len, dir, src_ap, dst_ap, rule, action):

   08/01-04:55:34.510034, 573345, TCP, raw, 940, C2S, 192.168.22.13:1357, 199.221.131.110:80, 1: 5808:9, allow
   08/01-04:58:18.107004, 623410, TCP, stream_tcp, 401, C2S, 192.168.16.25:3510, 207.46.134.62:  80, 1:18758:8, allow

Test Logger Deleted

This logger is superseded by the updated CSV logger, which can be configured to output the old default test format.

Use:

    --lua "alert_csv = { fields = 'pkt_num gid sid rev', separator = '\t' }"

To get:

    573345  1   5808    9
    623410  1   18758   8
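
As an added example (not code from the Snort++ project or the original post), the following Python parser reads alert_csv output in either layout described above: the default ten-field format, whose sample lines pad the sid and port columns (`1: 5808:9`, `:  80`), and a custom `fields`/`separator` layout such as the tab-separated replacement for the old test logger. It expands the rule column into gid/sid/rev and the address:port columns into separate fields, then counts alerts per rule. The first two sample lines are the ones shown above; the third is constructed so that the count has something to aggregate.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Field order of the default alert_csv layout (-A csv) described above.
DEFAULT_FIELDS = ["timestamp", "pkt_num", "proto", "pkt_gen", "dgm_len",
                  "dir", "src_ap", "dst_ap", "rule", "action"]
# Fields converted to int when present in the chosen layout.
INT_FIELDS = {"pkt_num", "dgm_len", "gid", "sid", "rev"}


def _split_ap(ap: str) -> Tuple[str, int]:
    """'addr:port' -> (addr, port); rsplit keeps IPv6 ':' inside the address."""
    addr, port = ap.rsplit(":", 1)
    return addr.strip(), int(port)


def parse_alert_csv(text: str, fields: List[str] = DEFAULT_FIELDS,
                    separator: str = ",") -> List[Dict[str, object]]:
    """Parse alert_csv output into one dict per alert.  Column padding is
    stripped, 'rule' is expanded into gid/sid/rev, and src_ap/dst_ap into
    src_ip/src_port and dst_ip/dst_port."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(separator)]
        if len(parts) != len(fields):
            raise ValueError("expected %d fields, got %d: %r"
                             % (len(fields), len(parts), line))
        row: Dict[str, object] = dict(zip(fields, parts))
        if "rule" in row:
            gid, sid, rev = str(row["rule"]).replace(" ", "").split(":")
            row.update(gid=gid, sid=sid, rev=rev)
        for key in ("src_ap", "dst_ap"):
            if key in row:
                ip, port = _split_ap(str(row[key]))
                row[key[:3] + "_ip"], row[key[:3] + "_port"] = ip, port
        for key in INT_FIELDS:
            if key in row:
                row[key] = int(str(row[key]))
        rows.append(row)
    return rows


def count_by_rule(rows: List[Dict[str, object]]) -> Counter:
    """Alert counts per (gid, sid): a quick triage view of a CSV alert log."""
    return Counter((r["gid"], r["sid"]) for r in rows)


TEST_FIELDS = ["pkt_num", "gid", "sid", "rev"]


def parse_test_format(text: str) -> List[Dict[str, object]]:
    """The old alert_test layout, as produced by
    alert_csv = { fields = 'pkt_num gid sid rev', separator = '\\t' }."""
    return parse_alert_csv(text, TEST_FIELDS, "\t")


# Two lines from the post above plus one constructed line (third) so the
# per-rule count aggregates something.
SAMPLE = """\
08/01-04:55:34.510034, 573345, TCP, raw, 940, C2S, 192.168.22.13:1357, 199.221.131.110:80, 1: 5808:9, allow
08/01-04:58:18.107004, 623410, TCP, stream_tcp, 401, C2S, 192.168.16.25:3510, 207.46.134.62:  80, 1:18758:8, allow
08/01-04:59:02.000001, 640002, TCP, raw, 612, C2S, 192.168.22.13:1402, 199.221.131.110:80, 1: 5808:9, allow
"""

# Tab-separated output of the alert_csv test-format configuration above.
TEST_FORMAT = "573345\t1\t5808\t9\n623410\t1\t18758\t8\n"

if __name__ == "__main__":
    rows = parse_alert_csv(SAMPLE)
    for (gid, sid), n in count_by_rule(rows).most_common():
        print("%d:%d  %d alert(s)" % (gid, sid, n))
    print(parse_test_format(TEST_FORMAT))
```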

Snort++ Update

Just pushed build 154 to github (snortadmin/snort3):

  • new_http_inspect parsing and event handling updates
  • initial port of file capture from Snort
  • stream_tcp reassembles payload only
  • remove obsolete REG_TEST logging
  • refactor encode_format*()
  • rewrite alert_csv with default suitable for reg tests and debugging
  • dump 20 hex bytes per line instead of 16
  • add raw mode hext DAQ and logger; fix dns inspector typo for tcp checks
  • document raw hext mode
  • cleanup flush flags vs dir
  • add alert_csv.separator, delete alert_test
  • tweak log config; rename daq/log user to hext
  • cleanup logging
  • stream_tcp refactoring and cleanup


Tuesday, May 26, 2015

Snort Subscriber Rule Set Update for 05/26/2015

Just released:
Snort Subscriber Rule Set Update for 05/26/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 86 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, May 22, 2015

Snort++ Update

Just pushed build 153 to github (snortadmin/snort3):
  • new_http_inspect parsing updates
  • update u2 to output data only packets
  • added DAQs for socket, user, and file in extras
  • changed -K to -L (log type)
  • added stream_user for payload processing
  • added stream_file for file processing

Thursday, May 21, 2015

Snort Subscriber Rule Set Update for 05/21/2015

Just released:
Snort Subscriber Rule Set Update for 05/21/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 76 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, file-flash, file-multimedia, file-other, file-pdf, malware-backdoor, malware-cnc, os-windows, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Mail Protocol Inspectors in Snort++

The latest release of Snort++ (build 152) includes the ported SMTP, POP and IMAP inspectors. This blog describes the changes to Snort's mail protocol preprocessors in Snort++.

Snort++'s mail inspectors are purely PDU based: the PDU boundaries in the TCP stream are identified, the stream is split on them, and each PDU is then handed to the inspector.

Changes to mail protocol inspectors config:

  • Memory-related options such as memcap and max_mime_mem, and the disable option, have been removed.
  • Ports are now added to bindings as follows:

binder =
{
    {
        when =
        {
            proto = 'tcp',
            ports = '25 465 587 691',
        },
        use =
        {
            type = 'smtp',
        },
    },
}

  • Config options to disable alerts are deleted.
  • Users can now search for content in the decoded MIME attachments using the rule option "file_data" instead of "file_data:mime".

Changes to SMTP config:
  • Deleted option inspection_type. The SMTP inspector in Snort++ always inspects SMTP statefully.
  • alt_max_command_line_len syntax has changed. The new syntax for this option is as follows:

smtp =
{
    alt_max_command_line_len =
    {
        {
            command = 'MAIL',
            length = 260,
        },
    },
}
  • All SMTP config options (such as normalize_cmds, data_cmds, valid_cmds, etc.) that take a command or a list of commands as arguments use the following syntax, a whitespace-separated list inside a Lua long string:

Eg:
   valid_cmds = [[ CMD1 CMD2 ... CMDn ]]

The following command will give you the complete list of options for the mail inspectors.

snort --help-config | grep 
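
To make the PDU-based model and the command-policy options concrete, here is an added Python example (not Snort++ code, and not from the original post) that cuts a constructed SMTP client-to-server stream into PDUs the way a PDU-based inspector sees them, one per command line and one for the whole DATA body, and then applies a valid_cmds list and per-command length limits modelled on the alt_max_command_line_len example above (MAIL limited to 260). The command list, the 512-byte default limit and the decision to measure lines without their CRLF are assumptions made for this example, not Snort++ defaults; the session bytes are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CRLF = b"\r\n"
DATA_END = b"\r\n.\r\n"          # end of a DATA body: CRLF '.' CRLF


@dataclass
class Pdu:
    kind: str        # "command": one line incl. CRLF; "data": body incl. terminator
    data: bytes


def split_smtp_client_pdus(stream: bytes) -> List[Pdu]:
    """Cut the client-to-server byte stream into PDUs: one per command line,
    and one for the whole message body that follows DATA.  A truncated
    trailing PDU (stream cut mid-line or mid-body) is returned as-is."""
    pdus: List[Pdu] = []
    pos, in_data = 0, False
    while pos < len(stream):
        if in_data:
            # Search from two bytes back so an empty body ('.' CRLF directly
            # after the DATA line) is still terminated correctly.
            end = stream.find(DATA_END, max(pos - 2, 0))
            if end < 0:
                pdus.append(Pdu("data", stream[pos:]))
                break
            pdus.append(Pdu("data", stream[pos:end + len(DATA_END)]))
            pos, in_data = end + len(DATA_END), False
        else:
            end = stream.find(CRLF, pos)
            if end < 0:
                pdus.append(Pdu("command", stream[pos:]))
                break
            line = stream[pos:end + len(CRLF)]
            pdus.append(Pdu("command", line))
            pos = end + len(CRLF)
            in_data = line[:4].upper() == b"DATA" and line[4:5] in (b"\r", b" ")
    return pdus


# Illustrative policy (assumptions for this example, not Snort++ defaults):
# the MAIL limit mirrors the alt_max_command_line_len example above.
VALID_CMDS: Set[bytes] = {b"HELO", b"EHLO", b"MAIL", b"RCPT", b"DATA", b"RSET",
                          b"NOOP", b"QUIT", b"VRFY", b"EXPN", b"HELP", b"AUTH",
                          b"STARTTLS"}
ALT_MAX_COMMAND_LINE_LEN: Dict[bytes, int] = {b"MAIL": 260}
MAX_COMMAND_LINE_LEN = 512


def check_commands(pdus: List[Pdu], valid_cmds: Set[bytes] = VALID_CMDS,
                   alt_max: Dict[bytes, int] = ALT_MAX_COMMAND_LINE_LEN,
                   default_max: int = MAX_COMMAND_LINE_LEN) -> List[Tuple[int, str, bytes]]:
    """Apply the command policy to each command PDU.  Returns
    (pdu_index, event, command) tuples; line length excludes the CRLF."""
    events: List[Tuple[int, str, bytes]] = []
    for i, pdu in enumerate(pdus):
        if pdu.kind != "command":
            continue
        line = pdu.data.rstrip(CRLF)
        cmd = line.split(b" ", 1)[0].upper()
        if cmd not in valid_cmds:
            events.append((i, "unknown_command", cmd))
        if len(line) > alt_max.get(cmd, default_max):
            events.append((i, "command_line_too_long", cmd))
    return events


# Constructed client stream: an over-long MAIL FROM (> 260 bytes), an unknown
# command, and a body line starting with '..' (dot-stuffed) to show that the
# terminator search is not confused by it.
SESSION = (
    b"EHLO mail.example.test\r\n"
    + b"MAIL FROM:<" + b"a" * 300 + b"@example.test>\r\n"
    + b"RCPT TO:<bob@example.test>\r\n"
    + b"XBOGUS 1 2 3\r\n"
    + b"DATA\r\n"
    + b"Subject: hi\r\n\r\nbody line\r\n..leading dot\r\n.\r\n"
    + b"QUIT\r\n"
)

if __name__ == "__main__":
    pdus = split_smtp_client_pdus(SESSION)
    for i, p in enumerate(pdus):
        print(i, p.kind, len(p.data), p.data[:24])
    for idx, event, cmd in check_commands(pdus):
        print("event:", event, cmd.decode(), "at PDU", idx)
```

The point of splitting first and checking second is the one the post makes: once the stream is divided into PDUs, a length or validity rule applies to exactly one command line, and the message body (which may contain anything that looks like a command) is never mistaken for one.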

Tuesday, May 19, 2015

Snort Subscriber Rule Set Update for 05/19/2015, Snort 2.9.7.3

Just released:
Snort Subscriber Rule Set Update for 05/19/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-executable, file-flash, file-pdf, indicator-compromise, malware-cnc, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort 2.9.7.3 is now available!

Snort 2.9.7.3 is now available at http://www.snort.org/downloads in the Snort Stable Release Section.




Snort 2.9.7.3 Release Notes:
[*] New additions
  • Added PAF support for SIP based traffic
[*] Improvements
  • Resolved a backtracking issue where the 'protected_content' rule option was not matching on content following a content rule option that is not matched.
  • Resolved an issue where snort dropped privilege levels before attempting to delete its PID file created during the higher privilege level
  • Improved processing of SSLv3 traffic, IPv6 extensions, HTTPS session reassembly and normalization
  • Performance improvements for file preprocessor
  • Stability improvements for ftp_telnet preprocessor


Please start your updating engines, and drop us a line over at Snort-users with any issues.  

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 241, includes
  • A total of 2,617 detectors.
  • This was a maintenance release with some minor fixes and improvements

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, May 15, 2015

Snort++ Update

Just pushed build 152 to github (snortadmin/snort3):
  • fixed config error for inspection of rebuilt packets
  • ported smtp inspector from Snort
  • static analysis fix for new_http_inspect

Thursday, May 14, 2015

Snort Subscriber Rule Set Update for 05/14/2015

Just released:
Snort Subscriber Rule Set Update for 05/14/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, whose rules are included in the Community Ruleset:

Avery Tarasov
34452
34453

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-plugins, malware-cnc, policy-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Tuesday, May 12, 2015

Snort Subscriber Rule Set Update for 05/12/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 05/12/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 97 new rules and made modifications to 31 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, whose rules are included in the Community Ruleset:

James Lay
34365

Yaser Mansour
34366
34370

Avery Tarasov
34367
34368

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:
Microsoft Security Bulletin MS15-043:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34379 through 34384, 34391 through 34392, 34405 through 34412, 34415, 34417 through 34425, 34430 through 34433, 34436 through 34437, and 34444 through 34445.

Microsoft Security Bulletin MS15-044:
A coding deficiency exists in Microsoft GDI+ that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34440 through 34441.

Microsoft Security Bulletin MS15-045:
A coding deficiency exists in Microsoft Windows Journal that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34371 through 34372, 34385 through 34390, 34399 through 34400, and 34403 through 34404.

Microsoft Security Bulletin MS15-046:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34428 through 34429.

Microsoft Security Bulletin MS15-048:
A coding deficiency exists in the Microsoft .NET Framework that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34401 through 34402 and 34434 through 34435.

Microsoft Security Bulletin MS15-051:
A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34377 through 34378, 34413 through 34414, and 34442 through 34443.

Microsoft Security Bulletin MS15-052:
A coding deficiency exists in the Microsoft Kernel that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34426 through 34427.

Microsoft Security Bulletin MS15-053:
A coding deficiency exists in the Microsoft JScript and VBScript scripting engines that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34393 through 34394.

Microsoft Security Bulletin MS15-054:
A coding deficiency exists in Microsoft Management Console that may lead to a Denial of Service (DoS).

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 34438 through 34439.


Talos has also added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-office, file-other, malware-cnc, malware-other, malware-tools, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, May 8, 2015

Snort++ Update

Just pushed build 151 to github (snortadmin/snort3):

  • new_http_inspect aborts on obvious non-HTTP traffic
  • new_http_inspect memory reduction changes
  • new_http_inspect parsing updates
  • doc tweaks
  • fix http inspect use of decompress_swf and decompress_pdf
  • ensure that autotools and cmake install the same files in the same dirs
  • add doc/online_manual.sh to generate an all-in-1 HTML manual with embedded images


Thursday, May 7, 2015

Snort Subscriber Rule Set Update for 05/07/2015

Just released:
Snort Subscriber Rule Set Update for 05/07/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 4043 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, content-replace, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, indicator-shellcode, malware-cnc, malware-other, netbios, os-linux, os-mobile, os-other, os-solaris, os-windows, policy-other, policy-social, protocol-dns, protocol-ftp, protocol-icmp, protocol-imap, protocol-pop, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, protocol-tftp, protocol-voip, pua-other, server-apache, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other, server-samba, server-webapp and x11 rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Tuesday, May 5, 2015

Snort Subscriber Rule Set Update for 05/05/2015, Max-Detection Policy

Just released:
Snort Subscriber Rule Set Update for 05/05/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, whose rules are included in the Community Ruleset:

Avery Tarasov
34318

Yaser Mansour
34307
34308
34309
34310
34311
34312
34313
34314
34315
34316
34317
34335

Talos's rule release:
A new base policy, Maximum Detection, has been added in this release. The Maximum Detection policy will grow to encompass a selection of vulnerabilities from 2005 or later with a CVSS score of at least 7.5, along with critical malware and exploit kit rules.

The "Maximum Detection" policy favors detection over rated throughput. In some situations this policy can and will cause significant throughput reductions. Cisco's Talos continues to recommend the "Balanced Connectivity and Security" policy for most networks, and the "Security Over Connectivity" policy for customers with more rigorous security requirements.

Talos has also added and modified multiple rules in the browser-ie, exploit-kit, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!