Friday, July 31, 2015

Snort++ Build 163 Available Now

Snort++ build 163 is now available on snort.org.  This is the latest monthly update of the downloads.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

New Features:

  • added piglet plugin test harness - use this to write LuaJIT test scripts to validate your plugin
  • added doc/dev_guide.sh - use this to generate an annotated view of the headers

Bug fixes:

  • added Lua stack manager and updated code that manipulated a persistent lua_State; thanks to Sancho Panza <sancho@posteo.de> for reporting the issue
  • added missing private IP address block; thanks to Bill Parker <wp02855@gmail.com> for reporting the issue
  • fixed endianness in private IP address check
  • fixed build of dynamic plugins
  • fixed build dependency tracking

Other Changes:

  • BitOp rewrite

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Thursday, July 30, 2015

Snort Subscriber Rules Update 2015-07-30

Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-plugins, file-multimedia, file-pdf, malware-backdoor, malware-cnc, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Tuesday, July 28, 2015

Attention FreeBSD Snort users!

In the past, and up until this most recent release of Snort 2.9.7.5, FreeBSD has downloaded its packages from SourceForge's Snort repository.

This is no longer the case.

Starting with this release (2.9.7.5), FreeBSD's ports system retrieves Snort from its proper home, Snort.org, as we hope all package maintainers for Snort do.

In the future we will be moving all the historical versions off of SourceForge into a more appropriate place as well.  As always, we will keep our users updated via this blog of any changes we make to the systems.

Thanks!

Snort Subscriber Rule Set Update for 07/28/2015

Just released:
Snort Subscriber Rule Set Update for 07/28/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules and made modifications to 12 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
35353

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-image, file-pdf, malware-backdoor and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, July 27, 2015

Snort 2.9.7.2 EOL is approaching!

Just as a reminder, Snort 2.9.7.2 is approaching its EOL (end of life) on August 17, 2015.  For more information on our EOL policy, please visit our EOL page on Snort.org.

Our current version of Snort is 2.9.7.5, and we want our users to be running the most current code and an updated ruleset. Please start planning your migration from 2.9.7.2 to 2.9.7.5 now.

Thanks!

Thursday, July 23, 2015

Snort 2.9.7.5 is now available on Snort.org!

Snort 2.9.7.5 is now available on Snort.org!

https://www.snort.org/downloads in the Latest Release section.

[*] Improvements

* Added improved support to the Stream preprocessor for asynchronous TCP traffic.

* Active response no longer sets the FIN flag on the last segment sent.

Please submit bugs, questions, and feedback to bugs@snort.org.


Happy Snorting!

The Snort Release Team

Snort++: The new HTTP inspector is coming along nicely

It’s been a while since I last wrote about the new HTTP inspector (new_http_inspect) for Snort 3.0. It’s time for an update on our progress.

Rewriting http_inspect has given me a real appreciation for the original. In this business we don’t always show proper respect for old software. I’ve come to understand how many difficult problems http_inspect solves, how much real-world messiness it deals with, and how it remains fast and efficient in spite of these things. Many really smart people have contributed to it over the years.

That’s a lot of expectations to live up to and it has been a lot of work. But it is paying off because new_http_inspect is approaching a critical mass of features. Over the next few months we will complete the remaining core capabilities including gzip decompression and flow depth limits. That’s when the real fun begins as we start to add powerful new features such as support for HTTP/2.0 and other advanced web protocols.

Perhaps the most fundamental difference in new_http_inspect is true separation of HTTP from the lower protocol layers. new_http_inspect is a module that inspects HTTP protocol messages. That sounds obvious and even trite but classic http_inspect does something slightly different. It separately inspects pieces of HTTP protocol taken from the underlying TCP segments and it does this in a fairly stateless way. Heroic redevelopment efforts in recent years have largely overcome this weakness but it still has many subtle effects on how features work. Here are two examples where we hope the big-picture approach of new_http_inspect will be simpler to use and easier to understand.

Flow Depth


HTTP messages can be very long. A single response may include a file with many megabytes of data. Snort can run detection rules on all of it if you like. But you may not want to because detection is hard work and if you have a lot of traffic you may discover you need bigger, badder, and especially more machines to run Snort on. Meanwhile most of the malware tends to be in scripts near the beginning of the message body and not embedded in the middle of a video someone is downloading. It’s normal to set a parameter called “flow depth” which limits the amount of data Snort runs through detection to a reasonable amount.

If you look in the classic Snort Manual you can find the “server_flow_depth” and “client_flow_depth” parameters under 2.2.7 HTTP Inspect. In my copy almost all of page 69 is devoted to explaining them. Sometimes the limit is per TCP segment and other times it is per TCP connection. The HTTP headers may be included in the limit or only the message body. It can matter whether the traffic was zipped. It might be all used up by a jumbo cookie in the headers even if you are not inspecting cookies at all.

It can be difficult to figure out whether your detection rules are going to cover a situation. It may depend on things that shouldn’t matter, like how the bad guy cleverly divided his message up into packets and whether he tossed in an extra large chocolate chip cookie as a distraction.

The approach for new_http_inspect is simple. The flow depth is the first N bytes of the message body. That’s the part of the message body that detection rules can search. TCP segment boundaries don’t matter. Reusing the TCP connection for multiple messages doesn’t matter. Zipping doesn’t matter because the unzipped size is always used. You can still set different limits for client messages (POST/PUT) and server responses.

Detection Buffers


new_http_inspect will simplify the rule-writing process and improve detection efficiency by better organizing the data buffers provided to detection. It divides HTTP messages into separate sections for the start line, the rest of the headers, and the message body (in 16K blocks). Already things are better because TCP segment boundaries become irrelevant and cannot be manipulated by an attacker to avoid detection. Searches for specific items only need to be performed within the section of the message that might contain them, improving efficiency and minimizing false positives. Keywords that identify specific message features such as URI (http_uri) and message headers (http_header) will be supplemented by new keywords to further narrow the search. Among those planned are subcomponents of the URI including path, query, host, and authority; the reason phrase; and individual message header fields. The latter is already implemented and eliminates the need to write rules that search all message headers trying to match the name of a specific header field followed by a colon, white space, and the field value. Instead the rule specifies the name of the specific header field to examine followed by the field value you want to match.

The new approach also makes it easy to search for combinations of things that are in different message parts. Suppose you want to search for a particular URI fragment combined with a signature in the POST body. In classic Snort that is hard to do unless the entire message is small and processed all at once. new_http_inspect is aware of the entire HTTP message. When a POST body section is received it can be searched for the signature while simultaneously searching the stored URI for a match. This principle can even be extended to matching the requested URI with a signature in the response from the server.
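The two ideas above, a flow depth measured on the decompressed body and detection confined to the message section that can contain the item, as an added worked example. This is illustration code written for this page, not part of new_http_inspect or of any Snort code: a toy Python model that reassembles TCP segment payloads, splits one HTTP message into start line, header fields and body, gunzips the body when Content-Encoding says so, and exposes only the first N decompressed body bytes to rule-like checks. The sample response, the jumbo cookie, the segment sizes, the POST request and the helper names (parse_http_message, header_field_contains, uri_and_body_match) are all constructed for the example.

```python
import gzip
from dataclasses import dataclass


@dataclass
class HttpMessage:
    """One HTTP message split the way the post describes (constructed model)."""
    start_line: str
    headers: dict        # lower-cased field name -> value
    body: bytes          # decompressed body, truncated to the flow depth
    body_total: int      # full decompressed body length, for reporting

    @property
    def uri(self):
        # Requests read "METHOD URI VERSION"; responses have no URI.
        parts = self.start_line.split(" ")
        if len(parts) == 3 and not parts[0].startswith("HTTP/"):
            return parts[1]
        return None


def reassemble(segments):
    """Concatenate TCP segment payloads; boundaries are gone after this."""
    return b"".join(segments)


def parse_http_message(raw, flow_depth):
    """Split one message into start line, headers and body.

    The body is gunzipped when Content-Encoding says so, and only the first
    ``flow_depth`` decompressed bytes are handed to detection.  Header size
    (for example a huge cookie) does not consume any of the depth.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP message: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return HttpMessage(lines[0], headers, body[:flow_depth], len(body))


def header_field_contains(msg, field_name, needle):
    """Rule-style check confined to one named header field, no 'Name: value' regex."""
    value = msg.headers.get(field_name.lower())
    return value is not None and needle in value


def uri_and_body_match(msg, uri_fragment, body_sig):
    """Combine a URI condition with a body condition on the same message."""
    return msg.uri is not None and uri_fragment in msg.uri and body_sig in msg.body


# --- constructed sample traffic (not captured data) -------------------------
SIGNATURE = b"readystatechange"
PAGE = b"<html><script>x.onreadystatechange=f;</script>" + b"A" * 5000
COMPRESSED = gzip.compress(PAGE)
RESPONSE = b"\r\n".join([
    b"HTTP/1.1 200 OK",
    b"Content-Type: text/html",
    b"Set-Cookie: session=" + b"c" * 4000,      # jumbo cookie in the headers
    b"Content-Encoding: gzip",
    b"Content-Length: %d" % len(COMPRESSED),
    b"",
    COMPRESSED,
])
REQUEST = (b"POST /admin/upload HTTP/1.1\r\nHost: example.test\r\n"
           b"User-Agent: evil-bot/1.0\r\n\r\nname=x&payload=readystatechange")


def split_segments(data, size):
    """Cut a byte string into TCP-segment-sized pieces (constructed)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def inspected_body(segments, flow_depth=300):
    """What detection gets to search, for one segmentation of the message."""
    return parse_http_message(reassemble(segments), flow_depth).body


if __name__ == "__main__":
    small = inspected_body(split_segments(RESPONSE, 7))
    large = inspected_body(split_segments(RESPONSE, 1460))
    print("same bytes regardless of segmentation:", small == large)   # True
    print("signature within flow depth:", SIGNATURE in small)          # True
    req = parse_http_message(REQUEST, 300)
    print(header_field_contains(req, "User-Agent", "evil-bot"))        # True
    print(uri_and_body_match(req, "/admin/", SIGNATURE))               # True
```

The 7-byte and 1460-byte segmentations give byte-identical inspection buffers, and the 4000-byte cookie does not eat into the 300-byte depth because the depth is counted on the body alone; classic http_inspect, as the post explains, could behave differently in both cases.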

One of the biggest questions is what to do next? What new features would you like to see for new_http_inspect? This is an opportunity for a good idea to have a really major impact on the future of Snort. Send your suggestions to the snort-devel mailing list.

Snort++ Update

Pushed build 162 to github (snortadmin/snort3):
  • enable build dependency tracking
  • cleanup automake and cmake foo
  • updated bug list
  • fixed Lua stack management issue (thanks to Sancho Panza (sancho@posteo.de) for reporting the issue)
  • piglet updates and fixes
  • dev guide - convert snort includes into links
  • fixup includes

Wednesday, July 22, 2015

Snort Subscriber Rule Set Update for 07/22/2015

Just released:
Snort Subscriber Rule Set Update for 07/22/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
35312

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-office, file-other, file-pdf, malware-cnc, malware-other, protocol-tftp, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, July 20, 2015

Snort Subscriber Rule Set Update for 07/20/2015, Microsoft Out of Band Release

Just released:
Snort Subscriber Rule Set Update for 07/20/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 6 new rules and made modifications to 1 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Microsoft Vulnerability CVE-2015-2426: 
A coding deficiency exists in Microsoft Windows ATMFD that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35304 through 35305. 
Talos has added and modified multiple rules in the file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 16, 2015

Snort++: Introducing Piglet

In any sort of software development, having lightweight and thorough test coverage is essential. The scope of tests can range from the small (unit tests) to the large (regression tests). When developing new plugins for Snort++, it can be useful to test individual plugin methods. These sorts of tests -- the ones that lie somewhere between unit tests and regressions in scope -- are problematic. Unit testing plugin methods would require extensive mocking and stubbing and hence too much knowledge of Snort++ internals. On the other hand, it may be difficult to set up regression tests to trigger specific plugin methods; even then, there is very limited control over the range of inputs each method might receive.

We now have a new feature, called the Piglet test harness, that fills the gap in test scope.

The Piglet test harness allows you to use Lua scripts to exercise individual methods. Let's say you are developing a new Snort++ inspector called FooInspector. For simplicity's sake, all FooInspector will do is unset the PKT_FROM_CLIENT flag on a packet if it is set:
// foo_inspector.cc
// ... Plugin boilerplate omitted

class FooFlowData;

class FooInspector : public Inspector
{
public:
    FooInspector() { }
    void eval(Packet*) override;
};  // class definitions need the trailing semicolon

void FooInspector::eval(Packet* p)
{
    // Only packets currently flagged as client-to-server are touched.
    if ( !p->from_client() )
        return;

    // Clear the flag so the packet no longer reads as coming from the client.
    p->packet_flags &= ~PKT_FROM_CLIENT;
}

// ... Plugin boilerplate omitted

Now we create a test harness script to set up a Packet, call FooInspector.eval() on it, and then inspect the packet flags:
-- foo.lua
-- Required plugin header
plugin =
{
    type = "piglet",
    version = 1,
    name = ""
}

PKT_FROM_CLIENT = 0x80

-- Piglet test harness header
piglet =
{
    name = "make sure that FooInspector foos",

    -- Plugin type
    type = "inspector",

    -- Plugin name
    target = "foo_inspector",

    -- Test entry point
    test = function()
        local buf = RawBuffer.new(1024)
        local p = Packet.new(buf, 0, 100)
        p:set_fields({
            packet_flags = PKT_FROM_CLIENT
        })

        -- Call FooInspector.eval()
        Inspector.eval(p)

        if p:get_fields().packet_flags == 0 then
            -- test passed
            return true
        end

        -- test failed
        return false 
    end
}

To run Snort in Piglet mode, we must first compile with piglet mode enabled. In CMake, do this by running cmake with -DENABLE_PIGLET:BOOL=ON. If you are using autotools, pass the --enable-piglet flag to configure. Then, simply run snort with --script-path set to the directory containing the test script and the --piglet flag.
snort --piglet --script-path=/path/to/foo/tests
You'll get some libcheck-like output indicating whether each test passed or failed. More example scripts can be found in the /piglet_scripts folder in the source tree. For more on plugin development and piglet usage, see the Extending section in the Snort manual.


Snort Subscriber Rule Set Update for 07/16/2015

Just released:
Snort Subscriber Rule Set Update for 07/16/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 79 new rules and made modifications to 670 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-multimedia, file-office, file-pdf, indicator-compromise, malware-cnc, netbios, os-windows, protocol-imap, protocol-voip, pua-other, server-mail, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 161 to github (snortadmin/snort3):
  • added piglet plugin test harness
  • added piglet_scripts with codec and inspector examples
  • added doc/dev_guide.sh
  • added dev_notes.txt in each src/ subdir
  • scrubbed headers
More about piglet in the next post.  If you have asciidoc and GNU source-highlight, run dev_guide.sh to produce /tmp/dev_guide.html, an annotated guide to the source tree.

Tuesday, July 14, 2015

Snort Subscriber Rule Set Update for 07/14/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 07/14/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 109 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-058:
Microsoft SQL Server suffers from programming errors that may lead to remote
code execution.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 35198.

Microsoft Security Bulletin MS15-065:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35116 through 35117, 35119 through
35128, 35133 through 35134, 35139 through 35140, 35145 through 35146, 35152
through 35159, 35164 through 35165, 35170 through 35173, 35178 through 35185,
35192 through 35197, 35199 through 35200, and 35203 through 35214.

Microsoft Security Bulletin MS15-067:
A coding deficiency exists in Microsoft RDP that may lead to remote code
execution.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 35151.

Microsoft Security Bulletin MS15-069:
Microsoft Windows suffers from programming errors that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35166 through 35169 and 35215
through 35216.

Microsoft Security Bulletin MS15-070:
Coding deficiencies exist in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35129 through 35130, 35137 through
35138, 35141 through 35144, 35176 through 35177, 35190 through 35191, and 35201
through 35202.

Microsoft Security Bulletin MS15-072:
A coding deficiency exists in Microsoft Graphics Components that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35160 through 35163.

Microsoft Security Bulletin MS15-073:
Coding deficiencies exist in Microsoft Kernel-Mode drivers that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35131 through 35132, 35135 through
35136, and 35149 through 35150.

Microsoft Security Bulletin MS15-075:
A coding deficiency exists in Microsoft OLE that may lead to an escalation of
privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35186 through 35189.

Microsoft Security Bulletin MS15-076:
A coding deficiency exists in Microsoft Remote Procedure Call that may lead to
an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35174 through 35175.

Talos has also added and modified multiple rules in the browser-ie,
browser-webkit, file-flash, file-office, os-windows, policy-other and
server-other rule sets to provide coverage for emerging threats from these
technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, July 10, 2015

Snort Subscriber Rule Set Update for 07/10/2015, OpenSSL

Just released:
Snort Subscriber Rule Set Update for 07/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 3 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
OpenSSL Vulnerability CVE-2015-1793: A coding deficiency in OpenSSL exists that may lead to a security feature bypass. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 35111. 
Talos has also added and modified multiple rules in the server-other rule set to provide coverage for emerging threats.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 9, 2015

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 247, includes
  • A total of 2,631 detectors.
  • This was a maintenance release with some minor fixes and improvements
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
We want to give a special thanks to our open source community member Yaser Mansour for his valuable contributions in this release.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Snort++ Rule Changes

Snort++ has some cool new rule features you may want to know about, including abbreviated rule headers and support for more rule protocols.  The basic rule structure is:

    action proto src_nets src_ports dir dst_nets dst_ports ( body )

where:

  • action is alert, drop, block, etc.
  • proto is ip, icmp, tcp, udp, http, ftp, ..., or file
  • src_nets and dst_nets are an IP address or list
  • src_ports and dst_ports are a port, port list, or any
  • nets and ports may be literals or variables
  • dir is either -> for unidirectional or <> for bidirectional

Here is a simplified example:

    alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
    (
        flow:to_client,established;
        file_data; content: "readystatechange";
        metadata:service http, service imap, service pop3;
        sid:27568; rev:1;
    )

Note that this is specifying FILE_DATA_PORTS and 3 different services.  We can simplify that a little now:

    alert file $EXTERNAL_NET -> $HOME_NET
    (
        flow:to_client,established;
        file_data; content: "readystatechange";
        sid:27568; rev:2;
    )

Revision 2 of this rule uses the new file protocol and omits ports and services.  This means:
  • Detection is better because we aren't limited to the specified proto, ports, or services.
  • Performance is better because we don't need to search raw TCP packets or service specific file data.
  • And that comes with using *less* memory for the search engine because we reduce the number of rule groups.
To detect this file regardless of networks or direction, do something like revision 3:

    alert file
    (
        file_data; content: "readystatechange";
        sid:27568; rev:3;
    )

(Note that file_data implies flow:established in Snort++.)

More details:
  • If you omit ports they default to any.
  • If you omit networks, they default to any.
  • If you omit networks, you must omit ports and direction too.
  • Protocol must be configured via the binder or wizard.
  • AppID will provide additional service protocols when that is ported.
  • File rules must have file_data fast patterns.
  • Service rules may have file_data fast patterns.
  • Ports must match for service rules (like alert http).
  • Port handling is not changed wrt metadata:service.
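As an added example (not Snort++'s own rule parser and not from the original post), here is a small Python parser that applies the header rules listed above: the full seven-field header, the five-field form with ports omitted, and the two-field form with networks, ports and direction all omitted, plus the requirement that file rules carry file_data and the note that file_data implies flow:established. It assumes network and port lists are written without spaces, and it classifies any protocol other than ip, icmp, tcp, udp and file as a service protocol; the helper names (parse_rule, validate, parse_error) are mine. The three rule revisions from the post are embedded as sample input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DIRECTIONS = ("->", "<>")
NETWORK_PROTOS = ("ip", "icmp", "tcp", "udp")

# One "keyword;" or "keyword:value;" option.  A quoted value may contain ';'.
OPTION_RE = re.compile(r'\s*([A-Za-z_]\w*)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src_nets: str
    src_ports: str
    direction: Optional[str]      # None when the header carries no networks
    dst_nets: str
    dst_ports: str
    options: List[Tuple[str, Optional[str]]]

    @property
    def kind(self) -> str:
        if self.proto == "file":
            return "file"
        return "network" if self.proto in NETWORK_PROTOS else "service"

    def has_option(self, name: str) -> bool:
        return any(k == name for k, _ in self.options)

    @property
    def requires_established(self) -> bool:
        # file_data implies flow:established in Snort++ (see the post above).
        if self.has_option("file_data"):
            return True
        return any(k == "flow" and "established" in (v or "") for k, v in self.options)


def parse_rule(text: str) -> Rule:
    """Parse 'action proto [nets [ports] dir nets [ports]] ( body )'."""
    flat = " ".join(text.split())                      # tolerate the multi-line layout
    m = re.fullmatch(r"(.*?)\s*\((.*)\)", flat)
    if not m:
        raise ValueError("rule must end with a parenthesised body")
    tokens, body = m.group(1).split(), m.group(2)
    if len(tokens) == 7:                               # full header
        action, proto, sn, sp, d, dn, dp = tokens
    elif len(tokens) == 5:                             # ports omitted: default any
        action, proto, sn, d, dn = tokens
        sp = dp = "any"
    elif len(tokens) == 2:                             # networks omitted: ports and direction too
        action, proto = tokens
        sn = dn = sp = dp = "any"
        d = None
    else:
        raise ValueError("header must be 'action proto', 'action proto nets dir nets' "
                         "or the full seven-field form; networks can only be omitted "
                         "together with ports and direction")
    if d is not None and d not in DIRECTIONS:
        raise ValueError(f"bad direction {d!r}: use -> or <>")
    options = [(k, v or None) for k, v in OPTION_RE.findall(body)]
    leftover = OPTION_RE.sub("", body).strip()
    if leftover:
        raise ValueError(f"unparsed rule option text: {leftover!r}")
    return Rule(action, proto, sn, sp, d, dn, dp, options)


def validate(rule: Rule) -> List[str]:
    """Checks drawn from the 'More details' list; returns a list of problems."""
    problems = []
    if rule.kind == "file" and not rule.has_option("file_data"):
        problems.append("file rules must have a file_data fast pattern")
    return problems


def parse_error(text: str) -> Optional[str]:
    """The parser's complaint for a bad rule, or None when it parses cleanly."""
    try:
        parse_rule(text)
    except ValueError as e:
        return str(e)
    return None


# The three revisions shown in the post.
REV1 = """alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any
( flow:to_client,established; file_data; content: "readystatechange";
  metadata:service http, service imap, service pop3; sid:27568; rev:1; )"""
REV2 = """alert file $EXTERNAL_NET -> $HOME_NET
( flow:to_client,established; file_data; content: "readystatechange"; sid:27568; rev:2; )"""
REV3 = """alert file ( file_data; content: "readystatechange"; sid:27568; rev:3; )"""

if __name__ == "__main__":
    for text in (REV1, REV2, REV3):
        r = parse_rule(text)
        print(r.kind, r.src_nets, r.src_ports, r.direction, r.dst_nets, r.dst_ports,
              "established" if r.requires_established else "", validate(r) or "ok")
    print(parse_error("alert tcp any -> any 80 ( sid:1; )"))   # ports without networks: rejected
```

Revision 3 parses to any/any with no direction and still counts as established because of file_data, while a six-field header such as `alert tcp any -> any 80` is rejected, which is the mistake the "must omit ports and direction too" rule guards against.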
Also keep an eye on the enhanced start up and shutdown stats to help tune your rules.  We will cover fast patterns and rule groups in a future post.

Wednesday, July 8, 2015

Happy Birthday to the new Snort.org!

July 9th marks the 1 year anniversary of the new Snort.org platform.  While we've had some small stumbling blocks, interesting attacks, and a huge increase in traffic to the site, it's been functioning exceptionally well.

We'd love to hear your feedback, what can we make better?  What is difficult?  Are things easy to find?

Please write us at snort-site@cisco.com and let us know!

Snort Subscriber Rule Set Update for 07/08/2015

Just released:
Snort Subscriber Rule Set Update for 07/08/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
CVE-2015-2387:
A coding deficiency exists in the Microsoft Windows ATMFD.dll font driver that
may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this
release and are identified with GID 1, SIDs 35105 through 35108.

Talos has also added and modified multiple rules in the blacklist, file-flash,
file-other, malware-cnc, os-windows and server-other rule sets to provide
coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, July 7, 2015

Snort Subscriber Rule Set Update for 07/07/2015, "Hacking Team" Adobe 0day, iOS Lockdown Vulnerability

Just released:
Snort Subscriber Rule Set Update for 07/07/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Avery Tarasov
35068
35076


Talos's rule release:
Adobe Flash Player Vulnerability: Adobe Flash Player suffers from programming errors that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35086 through 35089. 
iOS Lockdown Vulnerability: A programming error exists in the iOS Lockdown service that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 35090 through 35091. 
Talos has also added and modified multiple rules in the blacklist, browser-firefox, exploit-kit, file-flash, malware-cnc, os-mobile and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, July 6, 2015

Snort++ Alpha 2 Available Now!

The second alpha release of Snort++ is now available on snort.org, and it includes a lot of new features and functionality:

Snort features:

  • sync with Snort 297-177
  • ported dns inspector
  • ported ssh and ssl inspector
  • ported smtp, pop, and imap inspectors
  • ported sip inspector
  • ported file processing

New features:

  • added publish-subscribe handling of inspection events
  • added data_log plugin example for pub-sub
  • added build of snort_manual.text if w3m is installed
  • added file_magic.lua
  • added socket DAQ to input payload only with flow tuple
  • added hext DAQ for packet input in hex and plain text
  • added file DAQ for plain file input (w/o packets)
  • added socket codec for use with above DAQs
  • added stream_user for payload only processing
  • added stream_file for file inspection and processing
  • added usage, bugs, and DAQ sections to user manual
  • added default_snort_manual.text w/o w3m
  • rewrote alert_csv with all new default format
  • changed stream_tcp to reassemble payload only
  • optionally omit ports or networks and ports in rule headers
  • updated new_http_inspect
  • rule protocols include services (like http) and file
  • allow abbreviated rule headers (omit networks and/or ports)
  • uncrustify, see crusty.cfg

The Snort++ project is gaining momentum.  With new developers coming on board we will finish porting all of Snort's functionality in the next few months.  Here are some things to look for in the third alpha release:
  • port open appID
  • port dcerpc2 inspector
  • port modbus and dnp3 inspectors
  • port side channel and HA functionality
  • rewrite of stream_tcp for greater functionality and performance
  • rewrite of perf stats
  • pipelined packet processing
  • hardware offloading support
  • next generation DAQ
  • next generation unified logging
  • Windows support
New downloads are posted to snort.org monthly.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Thursday, July 2, 2015

Snort Subscriber Rule Set Update for 07/02/2015

Just released:
Snort Subscriber Rule Set Update for 07/02/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-webkit, file-flash, file-multimedia, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 159 to github (snortadmin/snort3):

  • added file processing to new_http_inspect
  • ported sip preprocessor
  • refactoring port group init and start up output
  • standardize / generalize fp buffers
  • add log_hext.width
  • tweak style guide
  • fix hosts table parsing
The 2nd Alpha release is coming soon!