Monday, November 30, 2015

Snort 2.9.8.0 has been released!

Please join us in welcoming Snort 2.9.8.0 to the family! The following are the release notes:

Snort 2.9.8.0
[*] New additions
* SMBv2/SMBv3 support for file inspection.

* Port override for metadata service in IPS rules.

* AppID Lua detector performance profiling.

* Perfmon dumps stats at fixed intervals from absolute time.

* New preprocessor alert (120:18) to detect SSH tunneling over HTTP

* New config option |disable_replace| to disable replace rule option.

* New Stream configuration |log_asymmetric_traffic| to control logging to syslog.

* New shell script in tools to create simple Lua detectors for AppID.

[*] Improvements
* sfip_t refactored to use struct in6_addr for all ip addresses.

* Post-detection callback for preprocessors.

* AppID support for multiple server/client detectors evaluating on same flow.

* AppID API for DNS packets.

* Memory optimizations throughout.

* Support sending UDP active responses.

* Fix perfmon tracking of pruned packets.

* Stability improvements for AppID.

* Stability improvements for Stream6 preprocessor.

* Added improved support to block malware in FTP preprocessor.

* Added support to differentiate between active and passive FTP connections.

* Improvements done in Stream6 preprocessor to avoid having duplicate packets
in the DAQ retry queue.

* Resolved an issue where reputation config incorrectly displayed 'blacklist' in
priority field even though 'whitelist' option was configured.

* Added support for multiple expected sessions created per packet

* Active response now supports MPLS


As always Snort can be downloaded from the Snort Downloads page on Snort.org! Please provide your feedback via the Snort Mailing lists!

We'd like to thank the following Snort Community members for their submissions to Snort which have been released in Snort 2.9.8.0:

Mike Cox
Gabriel Corre
Alexander Bubnov

Wednesday, November 25, 2015

Snort++ Update

Pushed build 180 to github (snortadmin/snort3):

  • ported dnp3 preprocessor and rule options from 2.X
  • fixed various valgrind issues with stats from sip, imap, pop, and smtp
  • fixed captured length of some icmp6 types
  • added support for hyperscan search method using rule contents (regex to follow)
  • fixed various log pcap issues
  • squelch repeated ip6 ooo extensions and bad options per packet
  • fixed arp inspection bug

Tuesday, November 24, 2015

Snort Subscriber Rule Set Update for 11/24/2015

Just released:
Snort Subscriber Rule Set Update for 11/24/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules and made modifications to 119 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, netbios, os-linux, os-windows, policy-other, policy-social, protocol-dns, protocol-snmp, server-apache, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, November 20, 2015

Snort++ Update

Pushed build 179 to github (snortadmin/snort3):

  • user manaul updates
  • fix perf_monitor.max_file_size default to work on 32-bit systems, thanks to noah_dietrich@86penny.org for reporting the issue
  • fix bogus 116:431 events
  • decode past excess ip6 extensions and bad options
  • add iface to alert_csv.fields
  • add hyperscan fast pattern search engine - functional but not yet used
  • remove --enable-perf-profiling so it is always built
  • perf profiling changes in preparation for memory profiling
  • remove obsolete LibDAQ preprocessor conditionals
  • fix arp inspection
  • search engine refactoring

Thursday, November 19, 2015

Snort Subscriber Rule Set Update for 11/19/2015

Just released:
Snort Subscriber Rule Set Update for 11/19/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-flash, indicator-compromise, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 17, 2015

Snort Subscriber Rule Set Update for 11/17/2015

Just released:
Snort Subscriber Rule Set Update for 11/17/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Saturday, November 14, 2015

Snort Subscriber Rule Set Update for 11/14/2015

Just released:
Snort Subscriber Rule Set Update for 11/14/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, malware-cnc, os-windows, protocol-icmp, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, November 13, 2015

Snort++ Update

Pushed build 178 to github (snortadmin/snort3):
  • document runtime link issue with hyperscan on osx
  • fix pathname generation for event trace file
  • new_http_inspect tweaks
  • remove --enable-ppm-test


Thursday, November 12, 2015

Snort Subscriber Rule Set Update for 11/12/2015

Just released:
Snort Subscriber Rule Set Update for 11/12/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 11, 2015

Snort Subscriber Rule Set Update for 11/11/2015

Just released:
Snort Subscriber Rule Set Update for 11/11/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 6 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-116 (CVE-2015-6123):
A coding deficiency exists in Microsoft Office for Mac that may lead to url
redirection.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36766 through 36767.

Talos has added and modified multiple rules in the blacklist, exploit-kit and
malware-cnc rule sets to provide coverage for emerging threats from these
technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 11/10/2015, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 11/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 113 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-112:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 35199 through 35200, 35956,
and 35958.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36671 through 36696, 36699
through 36702, 36738 through 36739, 36742 through 36743, 36746 through 36747,
36753 through 36754, and 36759 through 36760.

Microsoft Security Bulletin MS15-114:
A coding deficiency exists in Microsoft Windows Journal that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36697 through 36698.

Microsoft Security Bulletin MS15-115:
A coding deficiency exists in Microsoft Windows that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36703 through 36704, 36709 through
36710, 36718 through 36719, 36722 through 36723, 36736 through 36737, 36749
through 36750, and 36761 through 36762.

Microsoft Security Bulletin MS15-116:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36707 through 36708, 36714 through
36717, 36720 through 36721, 36740 through 36741, and 36751 through 36752.

Microsoft Security Bulletin MS15-117:
A coding deficiency exists in Microsoft Windows NDIS that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36744 through 36745.

Microsoft Security Bulletin MS15-118:
A coding deficiency exists in the Microsoft .NET Framework that may lead to an
escalation of privilege.

A previously released rule will detect attacks targeting these vulnerabilities
and has been updated with the appropriate reference information. It is included
in this release and is identified with GID 1, SID 20258.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36712 through 36713.

Microsoft Security Bulletin MS15-119:
A coding deficiency exists in Microsoft Winsock that may lead to an escalation
of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36705 through 36706.

Microsoft Security Bulletin MS15-123:
A coding deficiency exists in Skype for Business and Microsoft Lync that may
lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36733 through 36735.

Talos has added and modified multiple rules in the blacklist, browser-ie,
browser-plugins, file-flash, file-identify, file-office, file-other,
indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to
provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, November 6, 2015

Snort++ Build 177 Available Now

Snort++ build 177 is now available on Snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes

  • fixed teredo payload detection
  • fix ppm config
  • fixed 116:297
  • fixed dynamic builds
  • fixed profiler configuration
  • fixed ppm event logging
  • fixed -B switch
  • don't create pid file unless requested
  • remove pid lock file
  • perfmonitor fixes
  • prevent tcp session restart on rebuilt payloads; thanks to rmkml for reporting the issue
  • reverted tcp syn only logic to match 2X
  • ensure ip6 extension decoder state is reset for ip4 too since ip4 packets may have ip6 next proto
  • fix cmake for hyperscan

Enhancements

  • update old http_inspect to allow spaces in uri
  • added null check suggested by Bill Parker
  • ssl and dns stats updates
  • tcp reassembly refactoring
  • profiler rewrite
  • added gzip support to new_http_inspect
  • added regex rule option based on hyperscan
  • ported gtp preprocessor and rule options from 2.X
  • ported modbus preprocessor and rule options from 2.X
  • added unit test build for cmake (already in autotools builds)
  • decouple -D, -M, -q
  • delete -E
  • ssl stats updates
  • added pkt_num rule option to extras
  • added filename to reload commands
  • convert README to markdown for pretty github rendering; contributed by gavares@gmail.com

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Thursday, November 5, 2015

Snort Subscriber Rule Set Update for 11/05/2015

Just released:
Snort Subscriber Rule Set Update for 11/05/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, malware-cnc, protocol-icmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 4, 2015

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 254, includes
  • A total of 2,727 detectors. 
  • An additional 91 detectors have been open sourced on this release.
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's and 2.9.8.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Tuesday, November 3, 2015

Snort Subscriber Rule Set Update for 11/03/2015

Just released:
Snort Subscriber Rule Set Update for 11/03/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-java, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!