Wednesday, September 30, 2015

Snort 2.9.7.6 has been released!

Please join us in welcoming the newest release of Snort, Version 2.9.7.6!

Below are the release notes for this version:


2015-08-17 Snort 2.9.7.6
[*] New additions
  * Added support for detecting 'SSH tunneling over HTTP'.

[*] Improvements
  * Behavioral change in file processing: malware files are now blocked in inline-test mode as well.

  * Improvements to XFF handling in the case of pipelined HTTP requests.

  * Stability improvements for the Stream6 preprocessor.

  * Resolved an issue where the min_ttl decoder option was dropping packets in alert mode as well.

  * Added improved support to inspect unlimited packets in HTTP.

  * Resolved an issue where reputation config incorrectly displayed 'blacklist' in
    priority field even though 'whitelist' option was configured.


The Snort Team would like to thank the following community members for their contributions to Snort 2.9.7.6:

Mike Cox
Gabriel Corre
Bill Parker
Avery Rozar

If you'd like to be a contributor to Snort, large or small, code changes or manual corrections, we'd love to have you. Please join our Snort-devel mailing list and submit your ideas/changes/corrections there.

Tuesday, September 29, 2015

Snort Subscriber Rule Set Update for 09/29/2015

Just released:
Snort Subscriber Rule Set Update for 09/29/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 308 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
36202

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-other, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, malware-other, os-other, policy-other, protocol-ftp, protocol-rpc, protocol-voip, server-mail, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 252, includes
  • A total of 2,636 detectors.
  • This was a maintenance release with some minor fixes and improvements.
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, see the AUTHORS file in this package.
It is available now from our downloads page; we look forward to you downloading it, using the new features of the 2.9.7.0 OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Friday, September 25, 2015

Snort++ Update

Pushed build 171 to github (snortadmin/snort3):
  • fix metadata:service to work like 2x
  • fixed issues when building with LINUX_SMP
  • fixed frag tracker accounting
  • fix Xcode builds
  • implement 116:281 decoder rule
  • updated snort2lua
  • add cpputest for unit testing
  • don't apply cooked verdicts to raw packets

Thursday, September 24, 2015

Snort Subscriber Rule Set Update for 09/24/2015

Just released:
Snort Subscriber Rule Set Update for 09/24/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, file-flash, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, September 23, 2015

Snort Subscriber Rule Set Update for 09/22/2015

Just released:
Snort Subscriber Rule Set Update for 09/23/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 82 new rules and made modifications to 28 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-identify, file-multimedia, file-office, indicator-obfuscation, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, September 18, 2015

Snort++ Update

Pushed build 170 to github (snortadmin/snort3):
  • removed unused control socket defines from cmake
  • fixed build error with valgrind build option
  • cleanup *FLAGS use in configure.ac
  • change configure.ac compiler search order to prefer clang over gcc
  • update where to get dnet
  • update usage and bug list
  • move extra daqs and extra hext logger to main source tree
  • fix breakloop in file daq
  • fix plain file processing
  • fix detection of stream_user and stream_file data
  • log innermost proto for type of broken packets

Thursday, September 17, 2015

Snort Subscriber Rule Set Update for 09/17/2015

Just released:
Snort Subscriber Rule Set Update for 09/17/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-ie, exploit-kit, file-identify, file-office, file-pdf, indicator-obfuscation, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, September 16, 2015

Snort Subscriber Rule Set Update for 09/15/2015, SYNful Knock Malware

Just released:
Snort Subscriber Rule Set Update for 09/15/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
SYNful Knock Backdoor Connection Attempt: Routers have been discovered running malicious router images containing backdoors. A rule to detect C&C traffic corresponding with this malware is included in this release and is identified with GID 1, SID 36054.
Talos has also added and modified multiple rules in the blacklist and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Thursday, September 10, 2015

Snort Subscriber Rule Set Update for 09/10/2015

Just released:
Snort Subscriber Rule Set Update for 09/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 169 to github (snortadmin/snort3):
  • fix chunked manual install
  • add event direction bug
  • fix OpenBSD build
  • convert check unit tests to catch
  • code cleanup
  • fix dev guide builds from top_srcdir

Tuesday, September 8, 2015

Snort Subscriber Rule Set Update for 09/08/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 09/08/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 80 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-094:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35955 through 35960, 35963 through
35972, 35975 through 35976, 35990 through 35993, 35998 through 35999, 36004
through 36009, and 36018 through 36021.

Microsoft Security Bulletin MS15-095:
A coding deficiency exists in Microsoft Edge that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35963 through 35966.

Microsoft Security Bulletin MS15-097:
A coding deficiency exists in a Microsoft Graphics Component that may lead to
remote code execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 33765 through 33766 and
35719 through 35720.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 35973 through 35974, 35984
through 35989, 35994 through 35995, and 36016 through 36017.

Microsoft Security Bulletin MS15-098:
A coding deficiency exists in Microsoft Windows Journal that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35961 through 35962.

Microsoft Security Bulletin MS15-099:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35996 through 35997 and 36000
through 36003.

Microsoft Security Bulletin MS15-100:
A coding deficiency exists in Microsoft Windows Media Center that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35982 through 35983.

Microsoft Security Bulletin MS15-101:
A coding deficiency exists in the Microsoft .NET Framework that may lead to
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36014 through 36015.

Microsoft Security Bulletin MS15-102:
A coding deficiency exists in Microsoft Task Management that may lead to
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35977 through 35978 and 36010
through 36013.

Talos has also added and modified multiple rules in the app-detect, browser-ie,
file-executable, file-flash, file-identify, file-office, file-other,
malware-other and server-mail rule sets to provide coverage for emerging
threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, September 4, 2015

Snort++ Update

Pushed build 168 to github (snortadmin/snort3):

  • fixed build of chunked manual (thanks to Bill Parker for reporting the issue)
  • const cleanup
  • new_http_inspect cookie processing updates
  • fixed cmake build issue with SMP stats enabled
  • fixed compiler warnings
  • added unit tests
  • updated error messages in u2spewfoo
  • changed error format for consistency with Snort
  • fixed u2spewfoo build issue
  • added strdup sanity checks (thanks to Bill Parker for reporting the issue)
  • DNS bug fix for TCP
  • added --catch-tags [footag],[bartag] for unit test selection

Thursday, September 3, 2015

Snort Subscriber Rule Set Update for 09/03/2015, Limited Ruleset 0day Coverage!

Just released:
Snort Subscriber Rule Set Update for 09/03/2015

This is the first ruleset to contain information released under the "limited ruleset" clause of the 3.1 Snort Subscriber Rule Set License. You may recall the blog post written in August that outlined the updates to the license. As a reminder, this additional content is only available:

  • As part of the Subscriber Rule Set (and will never be made available in the Registered Rule Set)
  • In Shared Object pre-compiled format

Please read the above blog post to gain access to this new detection functionality, which is entirely comprised of "0day" exploit and vulnerability coverage. You will see coverage, never released before, for vulnerabilities in a variety of software, including Internet Explorer and Adobe Reader.


We welcome the introduction of the newest rule release from Talos. In this release we introduced 92 new rules and made modifications to 25 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-identify, file-multimedia, file-other, file-pdf, indicator-compromise, malware-other, malware-tools, netbios, policy-other, protocol-dns, protocol-imap, protocol-scada, server-mail, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, September 2, 2015

IP Blacklist feed has moved locations!

For those of you using the IP Blacklist feed on labs.snort.org, we've had to move the feed to a new URL.

You can find it at the following URL: http://talosintel.com/feeds/ip-filter.blf

The pulledpork.conf that is currently in Github has been updated to use the new URL, so a fresh download of pulledpork will pick up the change.
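If you maintain your own pulledpork.conf rather than pulling a fresh copy, the practical check is whether any active rule_url entry still points at the old labs.snort.org host. The script below is an added example, not code from the Snort or pulledpork projects: it scans a constructed pulledpork.conf excerpt for stale IP blacklist entries and rewrites only the URL field to the new feed location. It assumes pulledpork's rule_url syntax is `rule_url=<url>|<filename-or-tag>|<oinkcode-or-open>` and that the blacklist entry carries the IPBLACKLIST tag; neither detail is stated in the announcement, so compare against your own copy of the file.

```python
"""Find and fix pulledpork.conf rule_url entries that still point at the old
labs.snort.org IP blacklist feed location.

Assumptions (not stated in the announcement): pulledpork's rule_url lines look like
    rule_url=<url>|<filename-or-tag>|<oinkcode-or-"open">
and the IP blacklist entry uses the IPBLACKLIST tag.
"""
import re

NEW_FEED_URL = "http://talosintel.com/feeds/ip-filter.blf"   # from the announcement
OLD_FEED_HOST = "labs.snort.org"                               # former feed host

# Only active (non-commented) rule_url lines match; comments and other keys are skipped.
RULE_URL_RE = re.compile(r"^(\s*rule_url\s*=\s*)([^|#\s]+)\|([^|#\s]*)\|(\S+)\s*$")

# Constructed pulledpork.conf excerpt for this example; line 3 is the stale entry,
# line 4 is a commented-out copy that must be left alone. <oinkcode> is a placeholder.
SAMPLE_CONF = """\
# pulledpork.conf (constructed excerpt)
rule_url=https://www.snort.org/reg-rules/|snortrules-snapshot.tar.gz|<oinkcode>
rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
# rule_url=http://labs.snort.org/feeds/ip-filter.blf|IPBLACKLIST|open
black_list=/usr/local/etc/snort/rules/iplists/default.blacklist
"""


def _host(url):
    """Return the host part of a URL, lower-cased, without scheme or path."""
    return re.sub(r"^[a-z]+://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def find_stale_feed_lines(conf_text):
    """Return (line_number, url) for each active rule_url whose host is the old one."""
    stale = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        m = RULE_URL_RE.match(line)
        if m and _host(m.group(2)) == OLD_FEED_HOST:
            stale.append((lineno, m.group(2)))
    return stale


def rewrite_feed_url(conf_text):
    """Return the config text with stale rule_url entries pointing at the new URL.

    Only the URL field is replaced; the tag and oinkcode fields are kept, and
    commented-out lines are not touched.
    """
    out = []
    for line in conf_text.splitlines():
        m = RULE_URL_RE.match(line)
        if m and _host(m.group(2)) == OLD_FEED_HOST:
            line = f"{m.group(1)}{NEW_FEED_URL}|{m.group(3)}|{m.group(4)}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, url in find_stale_feed_lines(SAMPLE_CONF):
        print(f"line {lineno}: stale feed URL {url}")
    print(rewrite_feed_url(SAMPLE_CONF), end="")
```

Run it against your real file by reading it into `conf_text` instead of `SAMPLE_CONF`; the rewrite leaves every other line byte-for-byte unchanged, so a diff of before and after should show only the feed URL moving.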

Check it out!

Tuesday, September 1, 2015

Snort Subscriber Rule Set Update for 09/01/2015

Just released:
Snort Subscriber Rule Set Update for 09/01/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!