Tuesday, December 29, 2015

Snort 2.9.7.5 is EOL!

Snort 2.9.7.5 is officially supposed to EOL today, however, since many people are out on vacation through New Years, we've decided to keep the build system up until after the holidays.  

The current version of Snort is 2.9.8.0.   Those of you on older versions, please start upgrading.  

Monday, December 28, 2015

Snort Subscriber Rule Set Update for 12/28/2015, Adobe Flash

Just released:
Snort Subscriber Rule Set Update for 12/28/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 4 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-flash and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 22, 2015

Snort Subscriber Rule Set Update for 12/22/2015

Just released:
Snort Subscriber Rule Set Update for 12/22/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 48 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-multimedia, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, December 21, 2015

Snort Subscriber Rule Set Update for 12/21/2015

Just released:
Snort Subscriber Rule Set Update for 12/21/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-identify, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Thursday, December 17, 2015

Snort 2.9.8.0 Ruleset Released!

We apologize for the delay.  Starting with today's rule release, Snort 2.9.8.0's ruleset is now shipping along side our other rulesets.

Snort Subscriber Rule Set Update for 12/17/2015, Snort 2.9.8.0 Ruleset

Just released:
Snort Subscriber Rule Set Update for 12/17/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-plugins, file-flash, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 15, 2015

Snort Subscriber Rule Set Update for 12/15/2015

Just released:
Snort Subscriber Rule Set Update for 12/15/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, blacklist, browser-plugins, file-flash, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, December 14, 2015

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 259, includes
  • A total of 2,803 detectors. 
  • An additional 76 detectors have been open sourced on this release.
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's and 2.9.8.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Snort++ Alpha 3 Available Now!

The third alpha release of Snort++ is now available on snort.org, and it includes a lot of new features and functionality:

Snort features:

  • sync with Snort 297-262
  • ported reputation inspector
  • ported dnp3 and modbus inspectors
  • ported gtp inspector

New features:

  • pigliet plugin test harness
  • file policy support
  • added regex rule option based on hyperscan
  • added fast pattern matching based on hyperscan
  • new time and space profiling

Work in progress:

  • the all new HTTP inspector
  • a rewrite of TCP packet and session handling

The priority for the fourth and final alpha release is parity with Snort 2.X (i.e. a superset of 2.X functionality).  Here are some things to look for in the final alpha release:

  • port open appID
  • port dcerpc2 inspector
  • port sensitive data inspector
  • finish rewrite of stream_tcp for greater functionality and performance
  • finish rewrite of side channel and HA functionality
  • finish rewrite of perf stats
  • finish next generation DAQ


There are several new features in the works that will be delayed by the effort to overtake Snort 2.X but this strategy will ultimately allow us to move even quicker.

Windows support is also affected but not forgotten.  We will eventually provide a full featured Snort++ for Windows.

New downloads are posted to snort.org monthly.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the
Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Friday, December 11, 2015

Snort++ Update

Pushed build 183 to github (snortadmin/snort3):

  • added memory profiling feature
  • added regex fast pattern support
  • ported reputation preprocessor from 2.X
  • synced to 297-262
  • removed '_q' search method flavors - all are now queued
  • removed PPM_TEST
  • build and memory leak fixes

Thursday, December 10, 2015

Snort Subscriber Rule Set Update for 12/10/2015

Just released:
Snort Subscriber Rule Set Update for 12/10/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 2489 additional rules.

The reason for the large amount of changes was our annual policy rebalancing that we announced several years ago here.  Every year adjustments are made to the ruleset to ensure it is in-line with current and emerging threats.   Old rules are retired to improve performance while maintaining detection for current security issues.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, malware-cnc, netbios, os-other, os-windows, policy-other, policy-social, protocol-dns, protocol-ftp, protocol-icmp, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, protocol-tftp, server-apache, server-iis, server-mail, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 8, 2015

Snort Subscriber Rule Set Update for 12/08/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 12/08/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 100 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Microsoft Security Bulletin MS15-124:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 36673 through 36674.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36917 through 36923, 36926
through 36929, 36934 through 36951, 36954 through 36957, 36962 through 36963,
36968 through 36969, 36978 through 36983, 36986 through 36988, 36991 through
36992, 37003 through 37004, and 37009 through 37010.

Microsoft Security Bulletin MS15-125:
A coding deficiency exists in Microsoft Edge that may lead to remote code
execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 36673 through 36674.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36917, 36932 through 36933,
36942 through 36943, 36950 through 36951, and 36984 through 36985.

Microsoft Security Bulletin MS15-126:
A coding deficiency exists in Microsoft JScript and VBScript that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36922 through 36923.

Microsoft Security Bulletin MS15-128:
A coding deficiency exists in Microsoft Graphics Component that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36964 through 36967.

Microsoft Security Bulletin MS15-129:
A coding deficiency exists in Microsoft Silverlight that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36997 through 36998.

Microsoft Security Bulletin MS15-130:
A coding deficiency exists in Microsoft Uniscribe that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36952 through 36953.

Microsoft Security Bulletin MS15-131:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36924 through 36925, 36958 through
36961, 36974 through 36975, and 37011 through 37013.

Microsoft Security Bulletin MS15-132:
A coding deficiency exists in Microsoft Windows that may lead to an escalation
of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36930 through 36931, 36993 through
36996, and 36999 through 37002.

Microsoft Security Bulletin MS15-134:
A coding deficiency exists in Microsoft Media Center that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36972 through 36973.

Microsoft Security Bulletin MS15-135:
A coding deficiency exists in a Microsoft Kernel mode driver that may lead to
an escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 35149 through 35150.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, 36970 through 36971, 36976
through 36977, and 36989 through 36990.

Talos has added and modified multiple rules in the browser-ie, browser-plugins,
deleted, file-office, file-other, malware-cnc and policy-other rule sets to
provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, December 4, 2015

Snort++ Update

Pushed build 181 to github (snortadmin/snort3):

  • perf profiling enhancements
  • fixed build issues and memory leaks
  • continued pattern match refactoring
  • fix spurious sip_method matching

Thursday, December 3, 2015

Snort Subscriber Rule Set Update for 12/03/2015

Just released:
Snort Subscriber Rule Set Update for 12/03/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 10 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 1, 2015

Snort Subscriber Rule Set Update for 12/01/2015

Just released:
Snort Subscriber Rule Set Update for 12/01/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 14 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, November 30, 2015

Snort 2.9.8.0 has been released!

Please join us in welcoming Snort 2.9.8.0 to the family! The following are the release notes:

Snort 2.9.8.0
[*] New additions
* SMBv2/SMBv3 support for file inspection.

* Port override for metadata service in IPS rules.

* AppID Lua detector performance profiling.

* Perfmon dumps stats at fixed intervals from absolute time.

* New preprocessor alert (120:18) to detect SSH tunneling over HTTP

* New config option |disable_replace| to disable replace rule option.

* New Stream configuration |log_asymmetric_traffic| to control logging to syslog.

* New shell script in tools to create simple Lua detectors for AppID.

[*] Improvements
* sfip_t refactored to use struct in6_addr for all ip addresses.

* Post-detection callback for preprocessors.

* AppID support for multiple server/client detectors evaluating on same flow.

* AppID API for DNS packets.

* Memory optimizations throughout.

* Support sending UDP active responses.

* Fix perfmon tracking of pruned packets.

* Stability improvements for AppID.

* Stability improvements for Stream6 preprocessor.

* Added improved support to block malware in FTP preprocessor.

* Added support to differentiate between active and passive FTP connections.

* Improvements done in Stream6 preprocessor to avoid having duplicate packets
in the DAQ retry queue.

* Resolved an issue where reputation config incorrectly displayed 'blacklist' in
priority field even though 'whitelist' option was configured.

* Added support for multiple expected sessions created per packet

* Active response now supports MPLS


As always Snort can be downloaded from the Snort Downloads page on Snort.org! Please provide your feedback via the Snort Mailing lists!

We'd like to thank the following Snort Community members for their submissions to Snort which have been released in Snort 2.9.8.0:

Mike Cox
Gabriel Corre
Alexander Bubnov

Wednesday, November 25, 2015

Snort++ Update

Pushed build 180 to github (snortadmin/snort3):

  • ported dnp3 preprocessor and rule options from 2.X
  • fixed various valgrind issues with stats from sip, imap, pop, and smtp
  • fixed captured length of some icmp6 types
  • added support for hyperscan search method using rule contents (regex to follow)
  • fixed various log pcap issues
  • squelch repeated ip6 ooo extensions and bad options per packet
  • fixed arp inspection bug

Tuesday, November 24, 2015

Snort Subscriber Rule Set Update for 11/24/2015

Just released:
Snort Subscriber Rule Set Update for 11/24/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules and made modifications to 119 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-shellcode, netbios, os-linux, os-windows, policy-other, policy-social, protocol-dns, protocol-snmp, server-apache, server-iis, server-mail, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, November 20, 2015

Snort++ Update

Pushed build 179 to github (snortadmin/snort3):

  • user manaul updates
  • fix perf_monitor.max_file_size default to work on 32-bit systems, thanks to noah_dietrich@86penny.org for reporting the issue
  • fix bogus 116:431 events
  • decode past excess ip6 extensions and bad options
  • add iface to alert_csv.fields
  • add hyperscan fast pattern search engine - functional but not yet used
  • remove --enable-perf-profiling so it is always built
  • perf profiling changes in preparation for memory profiling
  • remove obsolete LibDAQ preprocessor conditionals
  • fix arp inspection
  • search engine refactoring

Thursday, November 19, 2015

Snort Subscriber Rule Set Update for 11/19/2015

Just released:
Snort Subscriber Rule Set Update for 11/19/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-flash, indicator-compromise, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 17, 2015

Snort Subscriber Rule Set Update for 11/17/2015

Just released:
Snort Subscriber Rule Set Update for 11/17/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Saturday, November 14, 2015

Snort Subscriber Rule Set Update for 11/14/2015

Just released:
Snort Subscriber Rule Set Update for 11/14/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, exploit-kit, malware-cnc, os-windows, protocol-icmp, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, November 13, 2015

Snort++ Update

Pushed build 178 to github (snortadmin/snort3):
  • document runtime link issue with hyperscan on osx
  • fix pathname generation for event trace file
  • new_http_inspect tweaks
  • remove --enable-ppm-test


Thursday, November 12, 2015

Snort Subscriber Rule Set Update for 11/12/2015

Just released:
Snort Subscriber Rule Set Update for 11/12/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 11, 2015

Snort Subscriber Rule Set Update for 11/11/2015

Just released:
Snort Subscriber Rule Set Update for 11/11/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 6 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-116 (CVE-2015-6123):
A coding deficiency exists in Microsoft Office for Mac that may lead to url
redirection.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36766 through 36767.

Talos has added and modified multiple rules in the blacklist, exploit-kit and
malware-cnc rule sets to provide coverage for emerging threats from these
technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 11/10/2015, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 11/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 113 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-112:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 35199 through 35200, 35956,
and 35958.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36671 through 36696, 36699
through 36702, 36738 through 36739, 36742 through 36743, 36746 through 36747,
36753 through 36754, and 36759 through 36760.

Microsoft Security Bulletin MS15-114:
A coding deficiency exists in Microsoft Windows Journal that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36697 through 36698.

Microsoft Security Bulletin MS15-115:
A coding deficiency exists in Microsoft Windows that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36703 through 36704, 36709 through
36710, 36718 through 36719, 36722 through 36723, 36736 through 36737, 36749
through 36750, and 36761 through 36762.

Microsoft Security Bulletin MS15-116:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36707 through 36708, 36714 through
36717, 36720 through 36721, 36740 through 36741, and 36751 through 36752.

Microsoft Security Bulletin MS15-117:
A coding deficiency exists in Microsoft Windows NDIS that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36744 through 36745.

Microsoft Security Bulletin MS15-118:
A coding deficiency exists in the Microsoft .NET Framework that may lead to an
escalation of privilege.

A previously released rule will detect attacks targeting these vulnerabilities
and has been updated with the appropriate reference information. It is included
in this release and is identified with GID 1, SID 20258.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36712 through 36713.

Microsoft Security Bulletin MS15-119:
A coding deficiency exists in Microsoft Winsock that may lead to an escalation
of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36705 through 36706.

Microsoft Security Bulletin MS15-123:
A coding deficiency exists in Skype for Business and Microsoft Lync that may
lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36733 through 36735.

Talos has added and modified multiple rules in the blacklist, browser-ie,
browser-plugins, file-flash, file-identify, file-office, file-other,
indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to
provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, November 6, 2015

Snort++ Build 177 Available Now

Snort++ build 177 is now available on Snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes

  • fixed teredo payload detection
  • fix ppm config
  • fixed 116:297
  • fixed dynamic builds
  • fixed profiler configuration
  • fixed ppm event logging
  • fixed -B switch
  • don't create pid file unless requested
  • remove pid lock file
  • perfmonitor fixes
  • prevent tcp session restart on rebuilt payloads; thanks to rmkml for reporting the issue
  • reverted tcp syn only logic to match 2X
  • ensure ip6 extension decoder state is reset for ip4 too since ip4 packets may have ip6 next proto
  • fix cmake for hyperscan

Enhancements

  • update old http_inspect to allow spaces in uri
  • added null check suggested by Bill Parker
  • ssl and dns stats updates
  • tcp reassembly refactoring
  • profiler rewrite
  • added gzip support to new_http_inspect
  • added regex rule option based on hyperscan
  • ported gtp preprocessor and rule options from 2.X
  • ported modbus preprocessor and rule options from 2.X
  • added unit test build for cmake (already in autotools builds)
  • decouple -D, -M, -q
  • delete -E
  • ssl stats updates
  • added pkt_num rule option to extras
  • added filename to reload commands
  • convert README to markdown for pretty github rendering; contributed by gavares@gmail.com

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Thursday, November 5, 2015

Snort Subscriber Rule Set Update for 11/05/2015

Just released:
Snort Subscriber Rule Set Update for 11/05/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, malware-cnc, protocol-icmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 4, 2015

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 254, includes
  • A total of 2,727 detectors. 
  • An additional 91 detectors have been open sourced on this release.
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's and 2.9.8.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Tuesday, November 3, 2015

Snort Subscriber Rule Set Update for 11/03/2015

Just released:
Snort Subscriber Rule Set Update for 11/03/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-java, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 30, 2015

Snort++ Update

Pushed build 176 to github (snortadmin/snort3):
  • tcp reassembly refactoring
  • profiler rewrite
  • added gzip support to new_http_inspect
  • added regex rule option based on hyperscan

Thursday, October 29, 2015

Snort Subscriber Rule Set Update for 10/29/2015

Just released:
Snort Subscriber Rule Set Update for 10/29/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Are you getting 404 errors attempting to download the community ruleset?

Yesterday, it came to our attention during some routine cleanup and maintenance that there were about 15,000 people attempting to download a Community Rule file directly from an older S3 Bucket. (Which hadn't been updated in over a year.)

The link directly into the S3 bucket was apparently in use by the default pulledpork.conf, and many people had not updated it to the newest link now available on Snort.org.

I have submitted a pull request against the pulledpork.conf to correct that link, and that should be fixed shortly.

However, for those of you that need to change your installation, please find this line in your PulledPork.conf:

https://github.com/shirkdog/pulledpork/blob/master/etc/pulledpork.conf#L21

Which looks like this:

rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community

and change it to:

rule_url=https://snort.org/downloads/community/|community-rules.tar.gz|Community

This will ensure that you are pulling the correct community rules file.

Sorry for any lack of notice, we figured these were old installations without any updates, and didn't realize that it was actually in the default pulledpork.conf.

Please update to the new rule file and join the hundreds of thousands of users that download that rule file on a daily basis!

As always, if you'd like to contribute to the community ruleset, please send your rules to either the Snort-sigs or directly to Talos.


Tuesday, October 27, 2015

Snort Subscriber Rule Set Update for 10/27/2015

Just released:
Snort Subscriber Rule Set Update for 10/27/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-webkit, exploit-kit, file-flash, file-multimedia, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 23, 2015

Snort++ Update

Pushed build 175 to github (snortadmin/snort3):
  • ported gtp preprocessor and rule options from 2.X
  • ported modbus preprocessor and rule options from 2.X
  • fixed 116:297
  • added unit test build for cmake (already in autotools builds)
  • fixed dynamic builds (187 plugins, 138 dynamic)

Thursday, October 22, 2015

Snort Subscriber Rule Set Update for 10/22/2015

Just released:
Snort Subscriber Rule Set Update for 10/22/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, exploit-kit, file-flash, file-multimedia, malware-cnc, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 21, 2015

Snort Subscriber Rule Set Update for 10/21/2015

Just released:
Snort Subscriber Rule Set Update for 10/21/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 4 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852,
CVE-2015-7853, CVE-2015-7854, and CVE-2015-7871:
NTP suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities
and have been updated with the appropriate reference information. They are
included in this release and are identified with GID 1, SIDs 35831, and 36250
through 36253.

A new rule to detect attacks targeting these vulnerabilities is also included
in this release and is identified with GID 1, SID 36536.


Talos has also added and modified multiple rules in the blacklist, browser-ie,
browser-plugins and server-other rule sets to provide coverage for emerging
threats from these technologies.ure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 20, 2015

Snort 2.9.7.3 is now End of Life!

In accordance with our End-Of-Life (eol) policy, today's rule release was the last for Snort Version 2.9.7.3.

If you are on that version of Snort (or older) please consider transitioning to the most up to date version of Snort (Currently 2.9.7.6) immediately.

Snort Subscriber Rule Set Update for 10/20/2015

Just released:
Snort Subscriber Rule Set Update for 10/20/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules and made modifications to 36 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-identify, file-java, file-multimedia, file-office, file-other, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 16, 2015

Snort++ Update

Pushed build 174 to github (snortadmin/snort3):

  • legacy daemonization cleanup
  • decouple -D, -M, -q
  • delete -E
  • initial rewrite of profiler
  • don't create pid file unless requested
  • unlink pid lock file
  • new_http_inspect header processing, normalization, and decompression tweaks
  • convert README to markdown for pretty github rendering (contributed by gavares@gmail.com)
  • perfmonitor fixes
  • ssl stats updates


Thursday, October 15, 2015

Snort Subscriber Rule Set Update for 10/15/2015

Just released:
Snort Subscriber Rule Set Update for 10/15/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 14, 2015

Snort 2.9.7.3 EOL is approaching fast!

Just a reminder, the End-Of-Life (EOL) for Snort 2.9.7.3 is approaching fast on 2015-10-20!

If you are one of the 10,000 or so users of Snort 2.9.7.3, please start transitioning your systems to the current release, 2.9.7.6.

As always, please review Snort's EOL policy on Snort.org.  Thanks!

Tuesday, October 13, 2015

Snort Subscriber Rule Set Update for 10/13/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 10/13/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 60 new rules and made modifications to 13 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-106:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities
and have been updated with the appropriate reference information. They are
included in this release and are identified with GID 1, SIDs 34393 through
34394.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 36407 through 36414, 36417
through 36422, 36431 through 36432, 36437 through 36444, 36447 through 36448,
36450 through 36451, and 36458 through 36459.

Microsoft Security Bulletin MS15-107:
A coding deficiency exists in Microsoft Edge that may lead to information
disclosure.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 36452.

Microsoft Security Bulletin MS15-108:
A coding deficiency exists in Microsoft JScript and VBScript that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36419 through 36422.

Microsoft Security Bulletin MS15-109:
A coding deficiency exists in Microsoft Windows Shell that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36401 through 36402 and 36423
through 36424.

Microsoft Security Bulletin MS15-110:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36425 through 36430.

Microsoft Security Bulletin MS15-111:
A coding deficiency exists in the Microsoft Windows Kernel that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36403 through 36406, 36415 through
36416, and 36445 through 36446.

Talos has also added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-multimedia, file-office, file-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 9, 2015

Snort++ Update

Pushed build 173 to github (snortadmin/snort3):
  • added pkt_num rule option to extras
  • fix final -> finalize changes for extras
  • moved alert_unixsock and log_null to extras
  • removed duplicate pat_stats source from extras
  • prevent tcp session restart on rebuilt packets (thanks to rmkml for reporting the issue)
  • fixed profiler configuration
  • fixed ppm event logging
  • added filename to reload commands
  • fixed -B switch
  • reverted tcp syn only logic to match 2X
  • ensure ip6 extension decoder state is reset for ip4 too since ip4 packets may have ip6 next proto
  • update default manuals

Thursday, October 8, 2015

Snort Subscriber Rule Set Update for 10/08/2015

Just released:
Snort Subscriber Rule Set Update for 10/08/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 66 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-other, browser-plugins, deleted, exploit-kit, file-flash, malware-cnc, malware-other, os-mobile, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 7, 2015

Snort 2.9.8.0 Release Candidate has been released!

Snort 2.9.8 Release Candidate has been posted for download!  Please check out the below release notes:


2015-08-28 - Snort 2.9.8_rc
[*] New additions
  • Port override for metadata service in IPS rules.
  • SMBv2/SMBv3 support for file inspection.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (18:120) to detect SSH tunneling over HTTP
  • New config option |disable_replace| to disable replace rule option.
  • New Stream configuration |log_asymmetric_traffic| to control logging to syslog.
  • New shell script in tools to create simple Lua detectors for AppID.
[*] Improvements
  • Added support to differentiate between active and passive FTP connections.
  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluating on same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix perfmon tracking of pruned packets.
  • Stability improvements for AppID.
  • Stability improvements for Stream6 preprocessor.
  • Added improved support to block malware in FTP preprocessor.
  • Improvements done in Stream6 preprocessor to avoid having duplicate packets in the DAQ retry queue.
  • Resolved an issue where reputation config incorrectly displayed 'blacklist' in priority field even though 'whitelist' option was configured.




As always, please download, check it out, and provide feedback to the community and developers on the Snort-Users or Snort-Devel lists.

Tuesday, October 6, 2015

Snort Subscriber Rule Set Update for 10/06/2015

Just released:
Snort Subscriber Rule Set Update for 10/06/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 52 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, October 2, 2015

Snort++ Build 172 Available Now

Snort++ build 172 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes:

  • apply ppm.fastpath config correctly
  • fix file_decomp error logic
  • enable active response without flow
  • fix metadata:service to work like 2x
  • fixed issues when building with LINUX_SMP
  • fixed frag tracker accounting
  • fix Xcode builds
  • don't apply cooked verdicts to raw packets
  • fixed build error with valgrind build option
  • fix breakloop in file daq
  • fix plain file processing
  • fix detection of stream_user and stream_file data
  • fix chunked manual install
  • fix OpenBSD build
  • fix dev guide builds from top_srcdir
  • fixed build of chunked manual (thanks to Bill Parker for reporting the issue)
  • fixed cmake build issue with SMP stats enabled
  • fixed compiler warnings
  • fixed u2spewfoo build issue
  • dns bug fix for tcp

Doc Updates:

  • update manual related to liblzma
  • update bug list
  • update where to get dnet
  • update usage

Build Changes:

  • move extra daqs and extra hext logger to main source tree
  • move non-ethernet codecs to extras
  • removed unused control socket defines from cmake
  • cleanup *FLAGS use in configure.ac
  • change configure.ac compiler search order to prefer clang over gcc

Test Changes:
  • convert check unit tests to catch
  • added --catch-tags [footag],[bartag] for unit test selection
  • add cpputest for unit testing
Other Changes:
  • implement 116:281 decoder rule
  • updated snort2lua
  • log innermost proto for type of broken packets
  • new_http_inspect cookie processing updates
  • updated error messages in u2spewfoo
  • added strdup sanity checks (thanks to Bill Parker for reporting the issue)
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 10/01/2015

Just released:
Snort Subscriber Rule Set Update for 10/01/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 31 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour

36064
36065
36066
36198
36199

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-identify, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 30, 2015

Snort 2.9.7.6 has been released!

Please join us in welcoming the newest release of Snort, Version 2.9.7.6!

Below are the release notes for this version:


2015-08-17 Snort 2.9.7.6
[*] New additions
  * Added support for detecting 'SSH tunneling over HTTP'.

[*] Improvements
  * Behavioral change in file processing to block malware files in inline-test mode also.

  * Improvements to XFF handling in case of pipelined HTTP requests. 

  * Stability improvements for Stream6 preprocessor.

  * Resolved an issue where min_ttl decoder was dropping packets in alert mode also.

  * Added improved support to inspect unlimited packets in HTTP.

  * Resolved an issue where reputation config incorrectly displayed 'blacklist' in
    priority field even though 'whitelist' option was configured.


The Snort Team would like to thank the following community members for their contributions to Snort 2.9.7.6:

Mike Cox
Gabriel Corre
Bill Parker
Avery Rozar

If you'd like to be a contributor to Snort, large or small, code changes or manual corrections, we'd love to have you.   Please join our Snort-devel mailing list and submit your ideas/changes/corrections there.

Tuesday, September 29, 2015

Snort Subscriber Rule Set Update for 09/29/2015

Just released:
Snort Subscriber Rule Set Update for 09/29/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 308 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
36202

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-other, browser-plugins, exploit-kit, file-flash, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, malware-other, os-other, policy-other, protocol-ftp, protocol-rpc, protocol-voip, server-mail, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 252, includes
  • A total of 2,636 detectors.
  • This was a maintenance release with some minor fixes and improvements
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, September 25, 2015

Snort++ Update

Pushed build 171 to github (snortadmin/snort3):
  • fix metadata:service to work like 2x
  • fixed issues when building with LINUX_SMP
  • fixed frag tracker accounting
  • fix Xcode builds
  • implement 116:281 decoder rule
  • udpated snort2lua
  • add cpputest for unit testing
  • don't apply cooked verdicts to raw packets

Thursday, September 24, 2015

Snort Subscriber Rule Set Update for 09/24/2015

Just released:
Snort Subscriber Rule Set Update for 09/24/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, file-flash, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 23, 2015

Snort Subscriber Rule Set Update for 09/22/2015

Just released:
Snort Subscriber Rule Set Update for 09/23/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 82 new rules and made modifications to 28 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-identify, file-multimedia, file-office, indicator-obfuscation, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, September 18, 2015

Snort++ Update

Pushed build 170 to github (snortadmin/snort3):
  • removed unused control socket defines from cmake
  • fixed build error with valgrind build option
  • cleanup *FLAGS use in configure.ac
  • change configure.ac compiler search order to prefer clang over gcc
  • update where to get dnet
  • update usage and bug list
  • move extra daqs and extra hext logger to main source tree
  • fix breakloop in file daq
  • fix plain file processing
  • fix detection of stream_user and stream_file data
  • log innermost proto for type of broken packets

Thursday, September 17, 2015

Snort Subscriber Rule Set Update for 09/17/2015

Just released:
Snort Subscriber Rule Set Update for 09/17/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 30 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-ie, exploit-kit, file-identify, file-office, file-pdf, indicator-obfuscation, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 16, 2015

Snort Subscriber Rule Set Update for 09/15/2015, SYNful Knock Malware

Just released:
Snort Subscriber Rule Set Update for 09/15/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 0 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
SYNful Knock Backdoor Connection Attempt: Routers have been discovered running malicious router images containing backdoors. A rule to detect C&C traffic corresponding with this malware is included in this release and is identified with GID 1, SID 36054. 
Talos has also added and modified multiple rules in the blacklist and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 10, 2015

Snort Subscriber Rule Set Update for 09/10/2015

Just released:
Snort Subscriber Rule Set Update for 09/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 169 to github (snortadmin/snort3):
  • fix chunked manual install
  • add event direction bug
  • fix OpenBSD build
  • convert check unit tests to catch
  • code cleanup
  • fix dev guide builds from top_srcdir

Tuesday, September 8, 2015

Snort Subscriber Rule Set Update for 09/08/2015, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 09/08/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 80 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS15-094:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35955 through 35960, 35963 through
35972, 35975 through 35976, 35990 through 35993, 35998 through 35999, 36004
through 36009, and 36018 through 36021.

Microsoft Security Bulletin MS15-095:
A coding deficiency exists in Microsoft Edge that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35963 through 35966.

Microsoft Security Bulletin MS15-097:
A coding deficiency exists in a Microsoft Graphics Component that may lead to
remote code execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 33765 through 33766 and
35719 through 35720.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 35973 through 35974, 35984
through 35989, 35994 through 35995, and 36016 through 36017.

Microsoft Security Bulletin MS15-098:
A coding deficiency exists in Microsoft Windows Journal that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35961 through 35962.

Microsoft Security Bulletin MS15-099:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35996 through 35997 and 36000
through 36003.

Microsoft Security Bulletin MS15-100:
A coding deficiency exists in Microsoft Windows Media Center that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35982 through 35983.

Microsoft Security Bulletin MS15-101:
A coding deficiency exists in the Microsoft .NET Framework that may lead to
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36014 through 36015.

Microsoft Security Bulletin MS15-102:
A coding deficiency exists in Microsoft Task Management that may lead to
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 35977 through 35978 and 36010
through 36013.

Talos has also added and modified multiple rules in the app-detect, browser-ie,
file-executable, file-flash, file-identify, file-office, file-other,
malware-other and server-mail rule sets to provide coverage for emerging
threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Friday, September 4, 2015

Snort++ Update

Pushed build 168 to github (snortadmin/snort3):

  • fixed build of chunked manual (thanks to Bill Parker for reporting the issue)
  • const cleanup
  • new_http_inspect cookie processing updates
  • fixed cmake build issue with SMP stats enabled
  • fixed compiler warnings
  • added unit tests
  • updated error messages in u2spewfoo
  • changed error format for consistency with Snort
  • fixed u2spewfoo build issue
  • added strdup sanity checks (thanks to Bill Parker for reporting the issue)
  • DNS bug fix for TCP
  • added --catch-tags [footag],[bartag] for unit test selection

Thursday, September 3, 2015

Snort Subscriber Rule Set Update for 09/03/2015, Limited Ruleset 0day Coverage!

Just released:
Snort Subscriber Rule Set Update for 09/03/2015

This is the first ruleset to contain information released under the "limited ruleset" clause of the 3.1 Snort Subscriber Rule Set License.  You may recall the blog post written in August that outlined the updates to the license.  As a reminder, this additional content is only available:

  • As part of the Subscriber Rule Set (and will never be made available in the Registered Rule Set)
  • In Shared Object pre-compiled format
Please read the above blog post to gain access to this new detection functionality, which is entirely comprised of "0day" exploit and vulnerability coverage.  You will see coverage for vulnerabilities in a variety of software, including Internet Explorer and Adobe Reader that have never been released before.


We welcome the introduction of the newest rule release from Talos. In this release we introduced 92 new rules and made modifications to 25 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-identify, file-multimedia, file-other, file-pdf, indicator-compromise, malware-other, malware-tools, netbios, policy-other, protocol-dns, protocol-imap, protocol-scada, server-mail, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 2, 2015

IP Blacklist feed has moved locations!

For those of you using the IP Blacklist feed on labs.snort.org, we've had to move the URL to the new link.

You can find it at the following URL: http://talosintel.com/feeds/ip-filter.blf

The pulledpork.conf that is currently in Github has been updated to use the new URL, so a fresh download of pulledpork will help you.

Check it out!

Tuesday, September 1, 2015

Snort Subscriber Rule Set Update for 09/01/2015

Just released:
Snort Subscriber Rule Set Update for 09/01/2015


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 15 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Monday, August 31, 2015

Snort++ Build 167 Available Now

Snort++ build 167 is now available on snort.org.  This is the latest monthly update of the downloads.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

New Features

  • support multiple script-path args and single files
  • flow depth support for new_http_inspect

Bug Fixes

  • fix xcode warnings
  • fix link error with g++ 4.8.3
  • piglet bug fixes
  • fix parameter range for those depending on loaded plugins; thanks to Siti Farhana Binti Lokman "sitifarhana.lokman@postgrad.manchester.ac.uk"; for reporting the issue
  • fixed port_scan packet selection
  • fixed rpc_decode sequence number handling and buffer setup
  • perf_monitor fixes for file output
  • fix ac_sparse_bands search method
  • fix unit test return value
  • fix documentation errors in user manual
  • fix unit test build on osx
  • DAQ packet header conditional compilation for piglet
  • cleanup debug macros
Other Changes

  • add usage examples with live interfaces; thanks to Aman Mangal "mangalaman93@gmail.com" for reporting the problem
  • TCP session refactoring and create libtcp
  • doc and build tweaks for piglets
  • expanded piglet interfaces and other enhancements
  • add catch.hpp include from https://github.com/philsquared/Catch
  • run catch unit tests after check unit tests
  • add range and default to command line args
  • add make targets for dev_guide.html and snort_online.html

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Friday, August 28, 2015

Snort Subscriber Rule Set Update for 08/27/2015

Just released:
Snort Subscriber Rule Set Update for 08/27/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 47 new rules and made modifications to 36 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-identify, file-image, file-other, file-pdf, malware-cnc, malware-other, os-windows, policy-other and sql rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 25, 2015

Snort Subscriber Rule Set Update for 08/25/2015

Just released:
Snort Subscriber Rule Set Update for 08/25/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 48 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
35745
35746
35749
35750

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-image, file-multimedia, file-office, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, os-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 251, includes
  • A total of 2,633 detectors.
  • This was a maintenance release with some minor fixes and improvements
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.7.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, August 21, 2015

Snort++ Update

Pushed build 166 to github (snortadmin/snort3):
  • fix link error with g++ 4.8.3
  • support multiple script-path args and single files
  • piglet bug fixes
  • add usage examples with live interfaces (thanks to Aman Mangal <mangalaman93@gmail.com> for reporting the issue)
  • fixed port_scan packet selection
  • fixed rpc_decode sequence number handling and buffer setup
  • perf_monitor fixes for file output

Tuesday, August 18, 2015

Snort Subscriber Rule Set Update for 08/18/2015, 2.9.7.2 EOL

Just released:
Snort Subscriber Rule Set Update for 08/18/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules and made modifications to 17 additional rules.

Talos's rule release:
Microsoft Internet Explorer Vulnerability CVE-2015-2502: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution. 
Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 35536 through 35537. 
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-flash, file-multimedia, file-pdf, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

2015 Snort Scholarship Winners!


Columbia, MD – August 18, 2015 – Snort® today announced that it has selected JT Blodgett and Richard McCaslin as the recipients of the 2015 Snort Scholarship. The scholarships, each worth $5,000, are awarded to university students around the world that use Snort to further their education and gain hands-on experience in network security.

To qualify, applicants must be enrolled in a university that uses Snort to protect its network or uses Snort as part of the curriculum in the classroom. The scholarships assist the winning students in completing their degrees and covering educational costs. Snort selected JT and Richard from a pool of tens of thousands of applicants, making this year the highest number of applicants to the Snort Scholarship in the history of the award:

JT Blodgett is pursuing a Bachelors of Science in Electrical Engineering and studying Cyber Security in the ACES program at the University of Maryland, College Park

Richard McCaslin is pursing a Masters of Science in IT - Information Assurance Concentration, at the University of Texas in San Antonio.

To assist the winning students in completing their degrees, Sourcefire has awarded each a $5,000 scholarship for educational costs at the students’ respective universities. 

Sourcefire, now a part of Cisco, developed the Snort Scholarship in 2004 as a way to give back to the open source and security communities. Since the inception of the Snort Scholarship program seven years ago, Sourcefire has recognized university students from around the world, including the United States, Australia, Turkey, Mexico, the Netherlands and Rwanda. 

Snort is the world’s most widely deployed intrusion detection and prevention technology with more than 400,000 registered users and over 5 million downloads to date.

Congratulations to our winners!

Monday, August 17, 2015

Snort 2.9.7.2 is now EOL!

Several weeks ago, I reminded everyone that Snort 2.9.7.2 was approaching it's end of life, and after I posted that, we saw tens of thousands of you move to an updated version, so thank you.  However, we still have several thousand on that version, and guess what?

Today is the day to move.

For more information on our EOL policy, please visit Snort.org's EOL page where all the current versions and expiration dates are listed.

The current version of Snort is 2.9.7.5, and is available from our downloads page on Snort.org.

Thanks for your support of Snort!

Snort 2.9.8 Beta has been released!

Join us as we welcome the newest Snort beta, 2.9.8!  Check out the following release notes:

Snort 2.9.8 Beta

[*] New additions

  • AppID is no longer experimental.
  • SMBv2/SMBv3 support for file inspection. 
  • Port override for metadata service in IPS rules.
  • AppID Lua detector performance profiling.
  • Perfmon dumps stats at fixed intervals from absolute time.
  • New preprocessor alert (18:120) to detect SSH tunneling over HTTP
  • New config option |disable_replace| to disable replace rule option.
  • New Stream configraution |log_asymmetric_traffic| to control logging to syslog.
  • New shell script in tools to create simple Lua detetors for AppID.

[*] Improvements

  • sfip_t refactored to use struct in6_addr for all ip addresses.
  • Post-detection callback for preprocessors.
  • AppID support for multiple server/client detectors evaluting on same flow.
  • AppID API for DNS packets.
  • Memory optimizations throughout.
  • Support sending UDP active responses.
  • Fix permon tracking of pruned packets.
  • Improved support for expected sessions.

You can download and use Snort 2.9.8 beta after downloading it from the Snort.org Downloads page under "Development Releases"

Feedback on Snort 2.9.8.0 Beta can be provided on the Snort-Devel mailing list!

Thank you for supporting Snort.