Thursday, December 22, 2016

Snort Subscriber Rule Set Update for 12/22/2016

Just released:
Snort Subscriber Rule Set Update for 12/22/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Snort++ Build 223 Available Now on Snort.org

Snort++ build 223 is now available on Snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

There are too many changes to list here so check the ChangeLog for details.

Enhancements:
  • port 2983 smb active response updates
  • add JavaScript normalization to new http_inspect
  • add MIME file processing to new http_inspect
  • add alternate fast patterns for dce_udp endianness
  • add dce auto detect to wizard

Bug Fixes:
  • fix appid service dispatch handling issue
    thanks to João Soares for reporting the issue
  • fix paf-type flushing of single segments
    thanks to João Soares for reporting the issue
  • fix modbus_data handling to not skip options
    thanks to FabianMalte.Kopp@b-tu.de for reporting the issue
  • fix comment in snort.lua re install directory use
    thanks to Yang Wang for sending the pull request
  • fix fast pattern selection when multiple designated
    thanks to j.mcdowell@titanicsystems.com for reporting the issue
  • fix image sizes to fit page
    thanks to wyatuestc for reporting the issue
  • change -L to -K in README and manual
    thanks to jncornett for reporting the issue
  • fix daemonization
    thanks to João Soares for reporting the issue

Other Changes:
  • appid overhaul to address threading issues, leaks, and sanitizer and analyzer issues
  • fix appid pattern matching for http
  • fix reload crash with file inspector
  • fix various race conditions reported by thread sanitizer
  • fix thread termination segfaults after DAQ module initialization fails
  • several build fixes for non-x86, Illumos, and others
  • create pid file after dropping privileges
  • user manual was reorganized and expanded

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, December 20, 2016

IEC60870-5-104 Protocol Detection Rules

This post was authored by Marshall, Carlos Pacho, and reviewed by Warren Mercer.

Cisco Talos has released 33 Snort rules which analyze/inspect IEC 60870-5-104 network traffic. These rules will help Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) asset owners identify both normal and abnormal traffic in their environments.

In order for these rules to be effective they should be selectively enabled. SIDS 41053-41077 detect various TypeIDs; if a specific TypeID is not in use in your environment, then the rule for that TypeID should be enabled. SIDS 41078-41079 detect IEC 104 traffic entering/exiting the ICS network. If 104 traffic is not supposed to enter/exit the ICS network then these sids should be enabled.

Some of these rules require the Snort $EXTERNAL_NET and $HOME_NET variables to be correctly configured in order to be effective. If a network does not have IEC 104 traffic these rules should not be enabled, as they are only intended to detect IEC 104 traffic and will likely result in false positives (FPs) on non-IEC 104 traffic.

What is IEC 104?

IEC 104 is a network protocol that is commonly used in ICS/SCADA environments. Various ICS/SCADA devices use IEC 104 to communicate with other ICS devices such as, but not limited to, Programmable Logic Controllers (PLCs) and Remote Terminal Units (RTUs).

Snort Rules Breakdown

The PROTOCOL-SCADA rules we have released will detect network traffic that complies with the IEC 104 standard and are intended to give ICS/SCADA network administrators insight into activity on Operational Technology (OT) networks.

SIDS 41047-41052 will alert on the following:

  • STARTDT ACT
  • STARTDT CON
  • STOPDT ACT
  • STOPDT CON
  • TESTFR ACT
  • TESTFR CON

SIDS 41053-41077 will alert on the following TypeIDs:
  • counter interrogation command
  • clock sync command
  • interrogation command
  • read command
  • reset process command
  • test command with time tag
  • ack file
  • list directory
  • file ready
  • last section
  • end of initialization
  • bitstring of 32 bits
  • double command issued
  • regulating step command
  • single command
  • set point command
  • query log
  • double point information
  • packed start events
  • integrated totals
  • measured value
  • single point information
  • step point information
  • parameter value


SIDS 41053-41077 will alert on normal IEC 104 traffic. An ICS/SCADA asset owner needs to enable/disable the rules they want to see alerts for. The asset owner should establish a baseline for normal (expected) traffic and enable rules that alert on unexpected traffic.

For example, if an ICS network is running IEC 104 but the devices never use the clock sync and list directory commands, then the clock sync and list directory Snort rules (SID 41074 & 41060) should be enabled. If those sids alert unexpectedly, this could be indicative of malicious activity within the network and should be investigated. In order to enable a specific sid, edit the policy, search for the rule, and check the box to enable it.

SIDS 41077 and 41078-41079 will alert on the following abnormalities:

  • An unknown ASDU TypeID detected
  • IEC 104 traffic detected to/from $EXTERNAL_NET

SIDS 41077 and 41078-41079 should be enabled in most IEC 104 environments. These sids detect two things. SIDS 41078-41079 detect IEC 104 traffic entering/exiting the network to $EXTERNAL_NET. This variable must be configured in order for these rules to function correctly. For example, $EXTERNAL_NET can be set to any IP address outside of the OT network. If IEC 104 traffic is seen exiting or entering the OT network this rule will alert. The second rule (SID 41077) will alert if an unknown TypeID is specified. Unknown TypeIDs are those that have not been specified in the IEC 104 protocol spec.
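
The following Python script is an added example, not Talos code and not the logic of the released rules: it imitates the three checks described in this post (U-frame detection for STARTDT/STOPDT/TESTFR, known TypeIDs outside a site baseline, unknown TypeIDs, and IEC 104 crossing the OT boundary) on constructed APDUs. The HOME_NET value, the baseline set and the KNOWN_TYPEIDS ranges are assumptions from my own reading of the IEC 60870-5-104 standard, not values taken from the rules.

```python
"""Minimal IEC 60870-5-104 APDU classifier mirroring the checks in the post.
Added example with constructed frames; not Talos's rule logic."""
import ipaddress
from typing import Dict, List, Optional, Set

START_BYTE = 0x68
APCI_LEN = 6  # start byte, length byte, four control octets

# U-format values of the first control octet (IEC 60870-5-104).
U_FRAMES: Dict[int, str] = {
    0x07: "STARTDT ACT", 0x0B: "STARTDT CON",
    0x13: "STOPDT ACT",  0x23: "STOPDT CON",
    0x43: "TESTFR ACT",  0x83: "TESTFR CON",
}

# Assumption: TypeIDs the standard defines, by my reading of its ranges. Anything
# outside this set is treated as the "unknown ASDU TypeID" case (cf. SID 41077).
KNOWN_TYPEIDS: Set[int] = (
    set(range(1, 22)) | set(range(30, 41)) | set(range(45, 52))
    | set(range(58, 65)) | {70} | set(range(100, 108))
    | set(range(110, 114)) | set(range(120, 128))
)

# Names for the handful of TypeIDs this example builds frames for.
TYPEID_NAMES: Dict[int, str] = {
    1: "single point information", 3: "double point information",
    45: "single command", 46: "double command",
    100: "interrogation command", 103: "clock sync command",
    126: "list directory",
}

# Assumption: the OT network, i.e. what $HOME_NET would be set to.
HOME_NET = ipaddress.ip_network("10.10.0.0/16")


def parse_apdu(data: bytes) -> Optional[dict]:
    """Classify one APDU as U, S or I format; None if it is not well-formed."""
    if len(data) < APCI_LEN or data[0] != START_BYTE:
        return None
    # The length octet counts every byte after itself (4 control octets + ASDU).
    if data[1] < 4 or len(data) != data[1] + 2:
        return None
    ctrl = data[2]
    if ctrl & 0x03 == 0x03:  # U-format: both low bits set
        return {"format": "U", "u_type": U_FRAMES.get(ctrl), "type_id": None}
    if ctrl & 0x03 == 0x01:  # S-format: supervisory, carries no ASDU
        return {"format": "S", "u_type": None, "type_id": None}
    if len(data) < APCI_LEN + 1:  # I-format must carry at least a TypeID
        return None
    return {"format": "I", "u_type": None, "type_id": data[APCI_LEN]}


def inspect(src: str, dst: str, payload: bytes, baseline: Set[int]) -> List[str]:
    """Return alert strings for one TCP payload, in the spirit of the post's rules:
    IEC 104 crossing the OT boundary, U-frames, unknown TypeIDs, and known TypeIDs
    that the site's baseline says should never appear."""
    alerts: List[str] = []
    apdu = parse_apdu(payload)
    if apdu is None:
        return alerts  # not IEC 104, nothing to say
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in HOME_NET or dst_ip not in HOME_NET:
        alerts.append("IEC 104 traffic to/from $EXTERNAL_NET")
    if apdu["format"] == "U" and apdu["u_type"]:
        alerts.append(f"U-frame {apdu['u_type']}")
    if apdu["format"] == "I":
        tid = apdu["type_id"]
        if tid not in KNOWN_TYPEIDS:
            alerts.append(f"unknown ASDU TypeID {tid}")
        elif tid not in baseline:
            alerts.append(f"unexpected TypeID {tid} ({TYPEID_NAMES.get(tid, 'n/a')})")
    return alerts


def u_frame(ctrl: int) -> bytes:
    """Constructed U-format APDU (length 4: control octets only)."""
    return bytes([START_BYTE, 4, ctrl, 0x00, 0x00, 0x00])


def i_frame(type_id: int, send_seq: int = 0, recv_seq: int = 0) -> bytes:
    """Constructed I-format APDU: TypeID, VSQ=1, COT=6 (activation), CA=1,
    one object with IOA 1 and a single-octet element."""
    asdu = bytes([type_id, 0x01, 0x06, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00])
    ctrl = bytes([(send_seq << 1) & 0xFE, (send_seq >> 7) & 0xFF,
                  (recv_seq << 1) & 0xFE, (recv_seq >> 7) & 0xFF])
    return bytes([START_BYTE, len(ctrl) + len(asdu)]) + ctrl + asdu


if __name__ == "__main__":
    # Baseline: this (constructed) site only ever uses SPI, DPI and interrogation.
    baseline = {1, 3, 100}
    samples = [
        ("10.10.1.5", "10.10.1.9", u_frame(0x07)),   # STARTDT ACT inside OT
        ("10.10.1.5", "10.10.1.9", i_frame(103)),    # clock sync, not in baseline
        ("10.10.1.5", "192.0.2.7", i_frame(1)),      # SPI leaving HOME_NET
        ("10.10.1.5", "10.10.1.9", i_frame(200)),    # reserved/unknown TypeID
    ]
    for src, dst, pkt in samples:
        print(src, "->", dst, inspect(src, dst, pkt, baseline))
```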

In order to set $HOME_NET and $EXTERNAL_NET in Firepower 6.1, navigate to "Objects" then select "Variable Set". From this menu you are able to set the variables. Additional Firepower documentation can be found here.

Conclusion

These 33 PROTOCOL-SCADA rules will assist ICS asset owners to analyse and inspect IEC 104 network traffic. In order for some of these rules to work $EXTERNAL_NET and $HOME_NET need to be configured. Furthermore these rules need to be enabled selectively and only on IEC 104 networks.

Snort Subscriber Rule Set Update for 12/20/2016

Just released:
Snort Subscriber Rule Set Update for 12/20/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 52 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, malware-cnc, os-linux, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Monday, December 19, 2016

Snort EOL dates have been updated.

With our recent release of Snort 2.9.9.0, as I stated in a previous blog post, this marks the beginning of the "end of life" for Snort 2.9.7.6.

We've updated the Snort EOL page today which marks the EOL for 2.9.7.6 (2017-03-14).

If you are interested in our "LTS" or Long Term Support version of Snort (2.9.8.3), I suggest you plan your migrations now.

2.9.8.3 will be supported until the next major release of Snort after 2.9.9.0.

If you want the newest features of the ruleset and Snort, we suggest you upgrade to 2.9.9.0, which is our current release.  For more on the features of Snort 2.9.9.0, please read our blog post.

Please remember, as per my previous blog post, 2.9.9.0's ruleset will not be backwards compatible to Snort 2.9.8.3 once the newer keywords are used.

Friday, December 16, 2016

Snort++ Update

Pushed build 222 to github (snortadmin/snort3):

  • add JavaScript Normalization to http_inspect
  • fix appid service check dispatch list
  • fix modbus_data handling to not skip options
    thanks to FabianMalte.Kopp@b-tu.de for reporting the issue
  • fix sensitive data filtering documentation issues
  • build: Illumos build fixes
  • build: Address some cppcheck concerns
  • miscellaneous const tweaks
  • reformat builtin rule text for consistency
  • reformat help text for consistency
  • refactor user manual for clarity
  • update default user manuals


Wednesday, December 14, 2016

Snort Subscriber Rule Set Update for 12/13/2016, release 2, Snort 2.9.9.0

Just released:
Snort Subscriber Rule Set Update for 12/13/2016, release 2


We welcome the introduction of the newest rule release from Talos. In this release we introduced 32 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-flash, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Snort 2.9.9.0 Manual has been updated!

We've uploaded the new version of the Snort Manual pdf to the documentation section of Snort.org.

We've also updated the HTML version of the manual, located at http://manual.snort.org

Please have a look at the new manual!

Snort 2.9.9.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.9.0 to general availability!

Snort 2.9.9.0 can be downloaded from the usual location on Snort.org.

The new keywords, when they are used, will cause older versions of Snort to fail.  (Meaning, you cannot use 2.9.9.0 rules in 2.9.8.3 and below, once those keywords are used.)

Below are the release notes:

Snort 2.9.9.0

[*] New additions

 *  New rule option for byte_math. See the Snort manual for details.

 *  Added bitmask and from_end operations to byte_test. See the Snort manual for details.

 *  Added a Buffer Dump utility to trace all of the buffers used by Snort during inspection.
    Enable it by passing the --enable-buffer-dump option to configure prior to building. See the Snort manual for details.

 *  Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length.

 *  Added support for SMTP traffic detection over SSL (SMTPS).

[*] Improvements

 *  Fixed an issue which reduces extra service discovery to improve performance.

 *  Fixed multiple issues in AppID.
      - Reconstructed the call to port-service detection.
      - Fixed an issue where the AppId for Facebook over SPDY/HTTP 1.1 was incorrect.
      - Prevented third-party application identification for expected connections.

 *  Stability improvement for the Stream preprocessor.
      - Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
      - Fixed an issue where an incorrect length argument in memcpy caused out-of-bounds memory access.

 *  Fixed multiple issues in the HttpInspect preprocessor.
      - Handling chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n.
      - Fixed an issue with LZMA flash decompression.

 *  Fixed a MIME data processing issue in SMTP stateless inspection.

 *  Added support to decode packets that contain a VLAN with Secure Group Tag (SGT).

 *  Fixed an issue related to DLL loading in Snort on Windows platforms (CVE-2016-1417).

The Snort Team would like to thank the following for their contributions in the Snort 2.9.9.0 release:

Secureworks
Marcel da Silva
Al Lewis
Steffen Ullrich

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!



Tuesday, December 13, 2016

Snort Subscriber Rule Set Update for 12/13/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 12/13/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 58 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:
Microsoft Security Bulletin MS16-144:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40940 through 40941, 40969 through 40970, 40975 through 40976, 40986 through 40989, and 40992 through 40993.

Microsoft Security Bulletin MS16-145:
Microsoft Edge suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 36452 and 39242 through 39243.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 40946, 40949 through 40950, 40969 through 40976, and 40986 through 40987.

Microsoft Security Bulletin MS16-146:
A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40967 through 40968 and 40982 through 40983.

Microsoft Security Bulletin MS16-147:
A coding deficiency exists in Microsoft Uniscribe that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40942 through 40943.

Microsoft Security Bulletin MS16-148:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40938 through 40939, 40944 through 40945, 40951 through 40952, 40957 through 40966, and 40977 through 40978.

Microsoft Security Bulletin MS16-149:
A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40953 through 40956 and 40984 through 40985.

Microsoft Security Bulletin MS16-151:
A coding deficiency exists in a Microsoft Kernel-Mode driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40947 through 40948 and 40990.

Microsoft Security Bulletin MS16-153:
A coding deficiency exists in Microsoft Common Log File System Driver that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40936 through 40937.

Talos has also added and modified multiple rules in the browser-ie, file-executable, file-identify, file-office, file-other, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Friday, December 9, 2016

Snort++ Update

Pushed build 221 to github (snortadmin/snort3):
  • fix appid handling of sip inspection events
  • fix wizard to prevent use-after-free of service name
  • fix various issues reported by cppcheck
  • fix reload race condition
  • fix cmake + clang builds
  • add padding guards around hash key structs
  • update manual for dce_* inspectors
  • refactor IP address handling

Snort 2.9.9.0 is prepping for release!

We're preparing for our newest release of Snort, version 2.9.9.0.

As always, I try to let you all know as soon as I can on major version upgrades, as the release of 2.9.9.0 will activate the 90 day EOL trigger for 2.9.7.6.  Since 2.9.7.6 is what we consider our Long Term Support or "LTS" version, and there are about 150,000 users on this version, there are a ton of people that need to upgrade.

Snort 2.9.8.3 will take over as our LTS version as 2.9.9.x marches forward, and as always, we encourage people to stay on the most current version.

Snort 2.9.7.6 was released September 30th of 2015, with no less than 144 rule updates in that year.

So, for those of you on 2.9.7.6, if you do not want to move to the "edge" version of Snort (2.9.9.x) when it is released, I suggest you start moving to 2.9.8.3 now.

Following an upgrade and prior to turning off support, I'll send out an email to all the people who are downloading older versions of Snort rules, and encourage them to upgrade.

Start your upgrades!

Thursday, December 8, 2016

Snort Subscriber Rule Set Update for 12/08/2016

Just released:
Snort Subscriber Rule Set Update for 12/08/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-executable, file-office, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, December 6, 2016

Snort Subscriber Rule Set Update for 12/06/2016

Just released:
Snort Subscriber Rule Set Update for 12/06/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 8 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

rmkml: 40907
Yaser Mansour: 40911

Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-multimedia, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Friday, December 2, 2016

Snort++ Update


Pushed build 220 to github (snortadmin/snort3):

  • fixed uu and qp decode issue
  • fixed file signature calculation for ftp
  • fixed file resume blocking
  • fix 135:2 to be upon completion of 3-way handshake
  • fix memory leak with libcrypto use
  • fix multithreaded use of libcrypto
  • fix default snort2lua output for gtp and modbus
  • fix Lua ordering issue with net and port vars
  • fix miscellaneous multithreading issues with appid
  • fix comment in snort.lua re install directory use;
    thanks to Yang Wang for sending the pull request
  • add alternate fast patterns for dce_udp endianness
  • removed underscores from all peg counts
  • document sensitive data use
  • user manual refactoring and updates


Thursday, December 1, 2016

Snort Subscriber Rule Set Update for 12/01/2016

Just released:
Snort Subscriber Rule Set Update for 12/01/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, file-identify, file-other, malware-cnc, os-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Wednesday, November 30, 2016

Snort Subscriber Rule Set Update for 11/30/2016

Just released:
Snort Subscriber Rule Set Update for 11/30/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Mozilla Firefox 0day Vulnerability:
A coding deficiency exists in Mozilla Firefox that may lead to remote code execution. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 40888.
Talos has also added and modified multiple rules in the browser-firefox, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, November 29, 2016

Snort Subscriber Rule Set Update for 11/29/2016

Just released:
Snort Subscriber Rule Set Update for 11/29/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-executable, file-pdf, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Snort.org feature: Mailing list subscription upon signup

For those of you that have been part of the Snort community for a while, you know that the best place to go for help with your Snort installation, rule writing, and even to keep tabs on the development of Snort, has been the mailing lists.

When Snort's downloads were hosted on Sourceforge (which we stopped doing at Snort 2.9.7.6), adding yourself to one of our four mailing lists was part of the experience.  So we wanted to make it simple for new users to add themselves to the mailing list, and get help with their installation and usage of Snort.

As a new feature, when a new user is created on Snort.org, we give you the option of subscribing to one (or all) of our mailing lists.  You will still have to confirm your subscription, just like any other user, but hopefully this should help people find our lists, archives, and the growing community of Snort users.

With over 1,000 new signups a week on Snort.org, we hope that people will join our lists and participate with some of our more seasoned veterans!  We also hope that our seasoned veterans will help out the new guys; remember, we were all beginners once.

Monday, November 28, 2016

Snort Rules Infographic now available!

Recently on Snort's Twitter account, we posted a picture of an infographic that one of our talented graphic artists, Wendy, created, and the response was fantastic.  It doesn't explain every rule option, but it is a fun art piece for your cube or office!

So, we've made it available for download on Snort.org, under "Official Documentation".

If you'd like to download and print it, we recommend a thick paper stock "mini-poster" type print, perhaps in an 11x17.  Please do not redistribute or sell these without OUR permission; you do not have authorization to do so.

Copyright Cisco and/or its affiliates.  Snort, the Snort and Pig logo are registered trademarks of Cisco.  All rights reserved.


Wednesday, November 23, 2016

Snort Subscriber Rule Set Update for 11/23/2016

Just released:
Snort Subscriber Rule Set Update for 11/23/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour: 40831, 40832, 40833, 40834, 40835, 40836, 40839, 40840, 40841, 40842
rmkml: 40866

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-flash, file-office, indicator-compromise, malware-cnc, malware-other, pua-adware, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, November 22, 2016

Snort Subscriber Rule Set Update for 11/22/2016

Just released:
Snort Subscriber Rule Set Update for 11/22/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour: 40816, 40827

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-icmp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Reporting False Positives with Snort.org

Some users may not be aware, but you've been able to report false positives on Snort.org for years.  I say that users may not be aware because, quite unintentionally, the feature wasn't very easy to find.

With today's rollout of version 5.1.1 of Snort.org, hopefully, we've fixed that.

When visiting Snort.org, upon logging in and then clicking on your email in the same section, you will be taken to your User Preferences and information screen.

On the left side of the screen, you will see the different sections in your user account, including a new link at the bottom of the list for "False Positive".

The screen looks like this:

When you fill out this form and click submit, the pcap and description will enter directly into our analysts' queue for work, allowing us to process false positives quickly.

In a future version of the Snort site, we are going to tie this feature directly into what we call the "Analyst Console" here at Talos, allowing you to see the status of your false positive automatically as it flows through our system, including when the rule will be fixed and when it was released.

In the meantime, please use this system for your FP reports and help us improve the feature!

Snort++ Update

Pushed build 219 to github (snortadmin/snort3):

  • add dce auto detect to wizard
  • add MIME file processing to new http_inspect
  • add chapters on perf_monitor and file processing to user manual
  • appid refactoring and cleanup
  • many appid fixes for leaks, sanitizer, and analyzer issues
  • fix appid pattern matching for http
  • fix various race conditions reported by thread sanitizer
  • fix out-of-order FIN handling
  • fix cmake package name used in HS and HWLOC so that REQUIRED works
  • fix out-of-tree doc builds
  • fix image sizes to fit page
    thanks to wyatuestc for reporting the issue
  • fix fast pattern selection when multiple designated
    thanks to j.mcdowell@titanicsystems.com for reporting the issue
  • change -L to -K in README and manual
    thanks to jncornett for reporting the issue
  • support compiling catch tests in standalone source files
  • create pid file after dropping privileges
  • improve detection and use of CppUTest in non-standard locations

Thursday, November 17, 2016

Snort Subscriber Rule Set Update for 11/17/2016

Just released:
Snort Subscriber Rule Set Update for 11/17/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, November 15, 2016

Snort Subscriber Rule Set Update for 11/15/2016

Just released:
Snort Subscriber Rule Set Update for 11/15/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour: 40762, 40763, 40764

Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.

To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as US $29 a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

    Wednesday, November 9, 2016

    New Snort Integrator System on Snort.org

As part of our efforts to enhance the customer experience and better suit the account management needs of our Integrator customers, we've revamped our Snort Integrator system on Snort.org.

    In this new upgrade our new sub-registration process will give Integrators the ability to link active licenses to their master account via the Snort.org account portal. To accommodate the wide range of sub-user management needs, we have created options that allow our integrators to add customers manually via the Integrator Manager for smaller businesses. This can also be done through the Integrator API which allows our customers to add numerous sub-users at once, accommodating the needs of much larger businesses. This will allow our integrators to couple the user provisioning for the customer’s oinkcode directly into their own user provisioning systems for easy automation.

    As a benefit, the addition of this exciting new feature allows integrators to add and suspend their specific users, as needed, without interrupting the service for their other customers. We have also provided extensive documentation and example code written in Perl that can be used with our system to easily utilize the new integrator features.  All of this documentation can be found on your Integrator Account oinkcode page, after logging into Snort.org.

    As our Integrator program continues to grow, our Snort.org team is constantly striving to evolve our program. Our team aims to evolve the program in ways that will not only increase our customer satisfaction and partnerships, but prove mutually beneficial for the business management needs of our integrators. 

    You can view our most current list of integrators by clicking here.


    If you are interested in becoming a Snort Integrator please email snort-sub@cisco.com for more details on our program.

    Snort Subscriber Rule Set Update for 11/08/2016

    Just released:
    Snort Subscriber Rule Set Update for 11/08/2016

    We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 4 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos's rule release:
Talos has added and modified multiple rules in the file-other rule set to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

    PulledPork 0.7.2 has been released!

    The newest version of PulledPork has been released and is available for download from the PulledPork Github repository!

This release fixes several bugs.  For those of you who haven't updated your version of PulledPork in a while, this will fix many download issues you may have had with the blacklist and official rulesets from Snort.org.

Everyone using PulledPork should grab it, and for the stragglers who still use oinkmaster, you should start upgrading too.  For those of you who have oinkmaster configurations, you'll find in the contrib directory a small Perl script, submitted by a community member, that converts your oinkmaster configuration files to PulledPork configuration files.

    Please start your upgrade engines, as Snort 2.9.9.0 should be released soon, and you'll want to be ready!

    Tuesday, November 8, 2016

    Snort Subscriber Rule Set Update for 11/08/2016, MSTuesday

    Just released:
    Snort Subscriber Rule Set Update for 11/08/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 93 new rules and made modifications to 10 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos's rule release:
    Microsoft Security Bulletin MS16-129:
    A coding deficiency exists in Microsoft Edge that may lead to remote
    code execution.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40647 through 40656,
    40659 through 40662, 40669 through 40670, 40683 through 40684, 40715
    through 40716, and 40721 through 40722.

    Microsoft Security Bulletin MS16-130:
    A coding deficiency exists in Microsoft Windows that may lead to remote
    code execution.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40645 through 40646,
    40671 through 40672, and 40677 through 40678.

    Microsoft Security Bulletin MS16-132:
    A coding deficiency exists in Microsoft Graphics Component that may
    lead to remote code execution.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40675 through 40676,
    40703 through 40706, and 40729 through 40730.

    Microsoft Security Bulletin MS16-133:
    A coding deficiency exists in Microsoft Office that may lead to remote
    code execution.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40667 through 40668,
    40673 through 40674, 40679 through 40682, 40701 through 40702, 40711
    through 40712, 40717 through 40720, and 40723 through 40726.

    Microsoft Security Bulletin MS16-134:
    A coding deficiency exists in Microsoft Common Log File System Driver
    that may lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40657 through 40658
    and 40689 through 40692.

    Microsoft Security Bulletin MS16-135:
    A coding deficiency exists in Microsoft Kernel-Mode Drivers that may
    lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40663 through 40666
    and 40685 through 40688.

    Microsoft Security Bulletin MS16-138:
    A coding deficiency exists in Microsoft Virtual Hard Drive that may
    lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40693 through 40694.

    Microsoft Security Bulletin MS16-142:
    Microsoft Internet Explorer suffers from programming errors that may
    lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in
    this release and are identified with GID 1, SIDs 40669 through 40670,
    40713 through 40714, and 40721 through 40722.

    Talos has also added and modified multiple rules in the blacklist,
    browser-ie, exploit-kit, file-flash, file-image, file-office,
    file-other, file-pdf, malware-cnc and policy-other rule sets to provide
    coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/downloads/#rule-downloads. Make sure and stay up to date to catch the most emerging threats!

    Sunday, November 6, 2016

    Snort Community Ruleset Winner for October 2016

    The October winner of our monthly signature contest for the community ruleset is Yaser Mansour!

    Congratulations and thank you for your contributions!

    For more information on how to get involved and how you can win your Snort prizes, please take a look at our blog post


    Good luck to all of those submitting rules in the upcoming months. We'll soon be revamping our signature contest (prizes included) so be sure to check back with our blog for updates! We look forward to a great November and beyond!

    Friday, November 4, 2016

    Snort++ Update

    Pushed build 218 to github (snortadmin/snort3):

    • fix shutdown stats
    • fix misc appid issues
    • rewrite appid loading of lua detectors
    • add sip inspector events for appid
    • update default manuals

    Thursday, November 3, 2016

    Snort Subscriber Rule Set Update for 11/03/2016

    Just released:
    Snort Subscriber Rule Set Update for 11/03/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 4 additional rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
    Talos has added and modified multiple rules in the file-flash, file-office, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/downloads/#rule-downloads. Make sure and stay up to date to catch the most emerging threats!

    Wednesday, November 2, 2016

    Snort Subscriber Rule Set Update for 11/01/2016

    Just released:
    Snort Subscriber Rule Set Update for 11/01/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 32 new rules and made modifications to 9 additional rules.

    There were no changes made to the snort.conf in this release.


    Talos's rule release:
    Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/downloads/#rule-downloads. Make sure and stay up to date to catch the most emerging threats!

    Monday, October 31, 2016

    Snort++ Build 217 Available Now on Snort.org!

    Snort++ build 217 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

    DAQ Changes:

    • updated DAQ - you *must* use DAQ 2.2.1
    • build: remove lingering libDAQ #ifdefs
    • expected: push expected flow information through the DAQ module
    • add libDAQ version to snort -V output

    Enhancements:

    • add inspector events from http_inspect to appid
    • add build configuration for thread sanitizer
    • added module trace facility
    • add support http file upload processing and process decode/detection depths
    • add rev to rule latency logs


    • port dce_udp fragments
    • port block malware over ftp for clients/servers that support REST command
    • port dce_udp packet processing
    • port sip changes to avoid using NAT ip when calculating callid
    • port dce_udp autodetect and session creation
    • update appid to 2983

    Bug Fixes:

    • fix appid error messages
    • fix flow reinitialization after expiration
    • fix release of blocked flow
    • fix 129:16 false positive
    • fix various unit test leaks
    • fix -Wmaybe-uninitialized issues
    • fix related to appid name with space and SSL position
    • fix various appid patterns and counts
    • fix fast pattern selection
    • fix file hash pruning issue
    • fix rate_filter action config and apply_to clean up
    • fix static analysis issues
    • fix analyzer/pig race condition
    • fix explicit obfuscation disable not working
    • fix ftp_data: Gracefully handle cleared flow data
    • fix LuaJIT rule option memory leak of plugin name
    • fix various appid issues - initial port is nearing completion
    • fix http_inspect event 119:66
    • fix ac_full initialization performance
    • fix stream_tcp left overlap on hpux, solaris
    • fix/remove 129:5 ("bad segment") events
    • file_mempool: fix initializing total pool size
    • fix bpf includes
    • fix builds for OpenSolaris

    Other Changes:

    • build: clean up some ICC warnings
    • change search_engine.debug_print_fast_pattern to show_fast_patterns
    • overhaul appid for multiple threads, memory leaks, and coding style
    • expected: expected cache revamp and related bugfixes
    • ftp_data: add expected data consumption to set service name and fix bugs
    • defaults: update FTP default config based on Snort2's hardcoded one
    • rename default_snort_manual.* to snort_manual.*
    • build docs only by explicit target (make html|pdf|text)
    • update default manuals to build 213
    • tolerate more spaces in ip lists
    • change default latency actions to none
    • deleted non-functional extra decoder for i4l_rawip

    Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

    Happy Snorting!
    The Snort Release Team

    Sunday, October 30, 2016

    Snort++ Update

    Pushed (last Friday) build 217 to github (snortadmin/snort3):

    • update appid to 2983
    • add inspector events from http_inspect to appid
    • fix appid error messages
    • fix flow reinitialization after expiration
    • fix release of blocked flow
    • fix 129:16 false positive


    Friday, October 28, 2016

    Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 272, includes:
• A total of 2,813 detectors.
• Additional detectors contributed by the open source community. For details on which contributions were included, see the AUTHORS file in this package.

    Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.8.4's OpenAppID preprocessor and sharing your experiences with the community.

    The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

    Snort Subscriber Rule Set Update for 10/27/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/27/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 6 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

    Yaser Mansour
    40549
    40550
    40551
    40559


    Talos's rule release:
    Talos has added and modified multiple rules in the file-pdf, indicator-compromise, malware-cnc, os-linux, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Wednesday, October 26, 2016

    Integrating Snort 2.9.8.x with AlienVault's OSSIM

Another thanks goes out to Bill Parker, the author of many excellent Snort guides.

The Integrating Snort 2.9.8.x with AlienVault's OSSIM installation guide can be found on our documentation page, so if you are interested in OSSIM but unsure how to get started, or how to integrate Snort into the offering, please go take a look.

    As always, we thank Bill for his documentation contributions, and welcome all documentation contributions for the Snort.org page!

    Crontabs, and how to fix them

In previous blog entries you've heard me talk about the need to stagger your crontabs to lighten the load on Snort.org at certain times of the day.

    We've taken the liberty of creating a section on the oinkcode page about how to configure your crontab.

    If you log into Snort.org, click on your user account email address (found at the top right of the page).

Navigate to "Oinkcode" on the left hand side:

Follow the link to:

You will see instructions for how to use your oinkcode; however, we've added a new section under:
    This will give you some default syntax for your crontab entry, along with a randomized time (it changes every time you refresh the page, so you can actually place a different time on all your sensors if you so choose) for pulledpork to execute.

    Please replace your crontab entry with one of our randomized times from the website, and that should lower the loads on downloads.
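As an added example (not snort.org's own code, and not the crontab snippet shown on the oinkcode page), the shell script below generates the kind of randomized entry described above: each run draws a fresh minute and hour from /dev/urandom, so every sensor ends up in its own slot, and a small validator rejects out-of-range times before anything is installed. The PulledPork path (/usr/local/bin/pulledpork.pl), the config path (/etc/snort/pulledpork.conf) and the -c/-l flags are assumptions; adjust them to your sensor.

```shell
#!/bin/sh
# Added example: emit a crontab entry that runs PulledPork at a randomized time,
# so sensors do not all hit Snort.org in the same minute. Not snort.org's own code.
# Assumed install paths and flags (adjust to your sensor):
PULLEDPORK=/usr/local/bin/pulledpork.pl
PULLEDPORK_CONF=/etc/snort/pulledpork.conf

rand_below() {
    # Print an integer in [0, $1) drawn from /dev/urandom (works in sh and bash;
    # $RANDOM is not POSIX). Two bytes give 0..65535 before the modulo.
    n=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    printf '%s\n' "$((n % $1))"
}

validate_cron_time() {
    # $1 = minute, $2 = hour. Returns 0 only for a valid minute/hour pair.
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 59 ] && [ "$2" -le 23 ]
}

pulledpork_cron_line() {
    # $1 = minute, $2 = hour. Prints a once-a-day crontab entry; -c selects the
    # PulledPork config and -l sends its output to syslog (assumed flags).
    validate_cron_time "$1" "$2" || return 1
    printf '%s %s * * * %s -c %s -l\n' "$1" "$2" "$PULLEDPORK" "$PULLEDPORK_CONF"
}

random_pulledpork_cron_line() {
    # A fresh minute/hour on every call, like the value that changes each time
    # the oinkcode page is refreshed.
    pulledpork_cron_line "$(rand_below 60)" "$(rand_below 24)"
}

install_pulledpork_cron() {
    # Replace any existing pulledpork.pl entry in the current user's crontab
    # with one randomized entry. Not run automatically; call it explicitly.
    { crontab -l 2>/dev/null | grep -v "$PULLEDPORK"; random_pulledpork_cron_line; } | crontab -
}

random_pulledpork_cron_line
```

Run it once per sensor and paste the printed line into `crontab -e`, or call `install_pulledpork_cron` on the sensor to swap out any existing pulledpork.pl entry. Once a day is a reasonable cadence given how often the rule set updates on this page are released; what matters for the download servers is that the minute and hour differ from sensor to sensor.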

    Thanks!

    Snort Subscriber Rule Set Update for 10/25/2016, Release 2

    Just released:
    Snort Subscriber Rule Set Update for 10/25/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules and made modifications to 0 additional rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
Talos has added and modified multiple rules in the file-flash rule set to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Snort Subscriber Rule Set Update for 10/25/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/25/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 0 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

    Yaser Mansour
    40541


    Talos's rule release:
    Talos has added and modified multiple rules in the blacklist, file-image, malware-cnc, os-linux, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Friday, October 21, 2016

    Snort++ Update

    Pushed build 216 to github (snortadmin/snort3):

    • add build configuration for thread sanitizer
    • port dce_udp fragments
    • build: clean up some ICC warnings
    • fix various unit test leaks
    • fix -Wmaybe-uninitialized issues
    • fix related to appid name with space and SSL position

    Thursday, October 20, 2016

    Snort Subscriber Rule Set Update for 10/20/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/20/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 50 additional rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
    Talos has added and modified multiple rules in the app-detect, blacklist, browser-ie, exploit-kit, file-flash, file-pdf, indicator-compromise, indicator-obfuscation, malware-cnc, malware-other, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Tuesday, October 18, 2016

    Snort Subscriber Rule Set Update for 10/18/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/18/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules and made modifications to 5 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

    Yaser Mansour
    40011
    40234
    40235


    Talos's rule release:
    Talos has added and modified multiple rules in the file-executable, file-office, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Friday, October 14, 2016

    Snort Subscriber Rule Set Update for 10/13/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/13/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 2 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos's rule release:
    Talos has added and modified multiple rules in the browser-other, file-flash, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Snort++ Update

    Pushed build 215 to github (snortadmin/snort3):
    • added module trace facility
    • port block malware over ftp for clients/servers that support REST command
    • port dce_udp packet processing
    • change search_engine.debug_print_fast_pattern to show_fast_patterns
    • overhaul appid for multiple threads, memory leaks, and coding style
    • fix various appid patterns and counts
    • fix fast pattern selection
    • fix file hash pruning issue
    • fix rate_filter action config and apply_to clean up

    Wednesday, October 12, 2016

    Snort Subscriber Rule Set Update for 10/11/2016, Release Two

    Just released:
    Snort Subscriber Rule Set Update for 10/11/2016, Release two


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 2 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos's rule release:
    Talos has added and modified multiple rules in the exploit-kit, file-flash and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Snort Subscriber Rule Set Update for 10/11/2016, MSTuesday

    Just released:
    Snort Subscriber Rule Set Update for 10/11/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 86 new rules and made modifications to 18 additional rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
    Microsoft Security Bulletin MS16-118: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40364 through 40365, 40372 through 40375, 40378 through 40379, 40385 through 40386, 40396 through 40397, and 40420 through 40421.

    Microsoft Security Bulletin MS16-119: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40366 through 40367, 40370 through 40371, 40383 through 40384, 40404 through 40405, 40420 through 40421, and 40423 through 40424.

    Microsoft Security Bulletin MS16-120: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

    Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 39824 through 39825.

    New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 40408 through 40411 and 40425 through 40428.

    Microsoft Security Bulletin MS16-121: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40368 through 40369.

    Microsoft Security Bulletin MS16-123: A coding deficiency exists in a Microsoft Kernel mode driver that may lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40376 through 40377, 40380 through 40381, 40392 through 40393, and 40418 through 40419.

    Microsoft Security Bulletin MS16-124: A coding deficiency exists in a Microsoft Windows Registry that may lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40394 through 40395, 40400 through 40403, and 40412 through 40413.

    Microsoft Security Bulletin MS16-125: A coding deficiency exists in a Microsoft Diagnostic Hub that may lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40398 through 40399.

    Microsoft Security Bulletin MS16-126: Microsoft Internet Explorer suffers from programming errors that may lead to an escalation of privilege.

    Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40364 through 40365.

    Talos also has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, deleted, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-dns, protocol-ftp, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.
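The MS Tuesday releases for 11/08/2016 and 10/11/2016 above state their coverage as GID 1 SID ranges. The shell functions below are an added example, not Talos or snort.org code: they expand a range list written the way these announcements write it ("40645 through 40646, 40671 through 40672, and 40677 through 40678.") and then check a local rules file for each SID, reporting whether the rule is present and enabled, present but commented out, or missing. That is the check to run after PulledPork has pulled a release, since a rule that was disabled by a local policy or never downloaded gives no coverage regardless of what the announcement says. The rules file used here is a constructed three-line sample with placeholder rule bodies (only the sid values are taken from the MS16-130 list), not the Talos rules themselves.

```shell
#!/bin/sh
# Added example: verify that the SIDs named in a rule-release announcement are
# present and enabled in a local rules file. Not Talos or snort.org code.

expand_sid_ranges() {
    # $1 = SID list as written in the announcements, e.g.
    #      "40645 through 40646, 40671 through 40672, and 40677 through 40678."
    # Prints one SID per line. Single SIDs ("40541") are accepted too.
    printf '%s\n' "$1" | tr -d '.' | tr ',' '\n' |
    sed 's/^[[:space:]]*and[[:space:]]*//' |
    while read -r first word last; do
        [ -z "$first" ] && continue
        if [ "$word" = "through" ]; then
            i=$first
            while [ "$i" -le "$last" ]; do
                printf '%s\n' "$i"
                i=$((i + 1))
            done
        else
            printf '%s\n' "$first"
        fi
    done
}

sid_state() {
    # $1 = rules file, $2 = SID.
    # Prints "enabled", "disabled" (rule line commented out) or "missing".
    line=$(grep -E "sid:[[:space:]]*$2[[:space:]]*;" "$1" | head -n 1)
    case "$line" in
        '')   printf 'missing\n' ;;
        '#'*) printf 'disabled\n' ;;
        *)    printf 'enabled\n' ;;
    esac
}

check_coverage() {
    # $1 = rules file, $2 = SID list from the announcement.
    # Prints "<sid> <state>" per rule; returns 1 if any rule is not enabled.
    rc=0
    for sid in $(expand_sid_ranges "$2"); do
        state=$(sid_state "$1" "$sid")
        printf '%s %s\n' "$sid" "$state"
        [ "$state" = "enabled" ] || rc=1
    done
    return $rc
}

# Constructed sample rules file: placeholder rule bodies, only the sid values
# come from the 11/08/2016 MS16-130 list. 40646 is commented out, 40672 is absent.
SAMPLE_RULES=$(mktemp)
trap 'rm -f "$SAMPLE_RULES"' EXIT
cat > "$SAMPLE_RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample rule A"; sid:40645; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample rule B"; sid:40646; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"sample rule C"; sid:40671; rev:2;)
EOF

check_coverage "$SAMPLE_RULES" "40645 through 40646, 40671 through 40672" ||
    printf 'coverage gap: one or more rules missing or disabled\n'
```

Point `check_coverage` at the rules file PulledPork actually writes on the sensor (snort.rules by default) and paste in the SID list from the announcement; a non-zero exit is the signal to look at why a rule is absent or disabled before assuming the bulletin is covered.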


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Saturday, October 8, 2016

    Snort++ Update

    Pushed build 214 to github (snortadmin/snort3):
    • updated DAQ - you must use DAQ 2.2.1
    • add libDAQ version to snort -V output
    • add support http file upload processing and process decode/detection depths
    • port sip changes to avoid using NAT ip when calculating callid
    • port dce_udp autodetect and session creation
    • fix static analysis issues
    • fix analyzer/pig race condition
    • fix explicit obfuscation disable not working
    • fix ftp_data: Gracefully handle cleared flow data
    • fix LuaJIT rule option memory leak of plugin name
    • fix various appid issues - initial port is nearing completion
    • fix http_inspect event 119:66
    • fix ac_full initialization performance
    • fix stream_tcp left overlap on hpux, solaris
    • fix/remove 129:5 ("bad segment") events
    • file_mempool: fix initializing total pool size
    • fix bpf includes
    • fix builds for OpenSolaris
    • expected: push expected flow information through the DAQ module
    • expected: expected cache revamp and related bugfixes
    • ftp_data: add expected data consumption to set service name and fix bugs
    • build: remove lingering libDAQ #ifdefs
    • defaults: update FTP default config based on Snort2's hardcoded one
    • rename default_snort_manual.* to snort_manual.*
    • build docs only by explicit target (make html|pdf|text)
    • update default manuals to build 213
    • tolerate more spaces in ip lists
    • add rev to rule latency logs
    • change default latency actions to none
    • deleted non-functional extra decoder for i4l_rawip

    Friday, October 7, 2016

    Snort Community Ruleset Winner for September 2016

    The September winner of our monthly signature contest for the community ruleset is rmkml! 

    For more information on how to get involved, and how you can win your Snort prizes, please take a look at our blog post


    Good luck to all of those submitting rules in the upcoming months. We'll soon be revamping our signature contest (prizes included) so be sure to check back with our blog for updates! We look forward to a great November and beyond!

    Thursday, October 6, 2016

    Snort Subscriber Rule Set Update for 10/06/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/06/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 10 new rules and made modifications to 7 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

    Avery Tarasov
    40251
    40252


    Talos's rule release:
    Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-pdf, malware-cnc, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


    In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

    Tuesday, October 4, 2016

    Snort Subscriber Rule Set Update for 10/04/2016

    Just released:
    Snort Subscriber Rule Set Update for 10/04/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 6 additional rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
    Talos has added and modified multiple rules in the app-detect, malware-cnc, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Thursday, September 29, 2016

    Snort Subscriber Rule Set Update for 09/29/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/29/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 2 additional rules.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset.


    Talos's rule release:
    Talos has added and modified multiple rules in the app-detect, file-image, file-other, malware-cnc, protocol-scada, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Wednesday, September 28, 2016

    Snort++ Build 213 Available Now

Snort++ build 213 is now available on snort.org. This is the latest monthly update available for download. You can also get the latest updates from github (snortadmin/snort3), which is updated weekly.

Snort++ is very close to overtaking Snort 2.X, and with any luck Alpha 4 will be completed with the next monthly release. If you haven't tried out Snort++, now is a good time to do so.

    Enhancements:
    • added dce udp snort2lua
    • added file detection when they are transferred in segments in SMB2
    • added dce iface fast pattern for tcp
    • added --enable-tsc-clock to build/use TSC register (on x86)
    • updated latency to use ticks during runtime
    • updated default stream cache sizes to match 2.X
    • close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
    • separate idle timeouts from session timeouts counts
    • ported full retransmit changes from snort 2X
    • ported Smbv2/3 file support
    • ported mpls encode fixes from 2983
    • ported smb file processing
    • ported the 2.9.8 ciscometadata decoder
    • ported the 2.9.8 double and triple vlan tagging changes
    • started dce_udp porting
    Bug Fixes:
    • fixed carved smb2 filenames
    • fixed multithread hyperscan mpse
    • fixed sd_pattern iterative validation
    • fixed another case of CPPUTest header order issues
    • fixed lua conflict with _L macro from ctype.h on OpenBSD
    • fixed hyperscan detection with nocase
    • fixed shutdown sequence
    • fixed --dirty-pig
    • fixed FreeBSD build re appid / service_rpc
    • fixed tcp_connector_test for OSX build
    • fixed binder make files to include binder.h
    • fixed double counting of ip and udp timeouts and prunes
    • fixed clearing of SYN - RST flows
    • fixed inverted detection_filter logic
    • fixed stream profile stats parents
    • fixed most bogus gap counts
    • fixed unit test for high availability, hyperscan, and regex
    • fixed for TCP high availability
    • fixed install of file_decomp.h for consistency between Snort and extras
    • fixed regex as fast pattern with hyperscan mpse
    • fixed http_inspect and tcp valgrind errors
    • fixed extra auto build from dist
    • numerous fixes, cleanup, and refactoring for appid
    • numerous fixes, cleanup, and refactoring for high availability
    Other Changes:
    • removed unused -w commandline option
    • added HA details to stream/* dev_notes
    • added stream.ip_frag_only to avoid tracking unwanted flows
    • added smtp client counters and unit tests
    • added appid counts for rsync
    • added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
    • tcp stream reassembly tweaks
    • use sd_pattern as a fast-pattern
    • rewrite and fix the rpc option
    • cleanup fragbits option implementation
    • finish up cutover to the new http_inspect by default
    • moved file capture to offload thread
    • updated style guide for 'using' statements and underscores
    • cmake: clean dead variables out of config.cmake.h
    • build: fixed 32-bit compiler warnings
    • build: fixed illumos/OpenSolaris build and remove SOLARIS/SUNOS defines
    • build: remove superfluous LINUX and MACOS definitions
    • build: remove superfluous OPENBSD and FREEBSD definitions
    • build: entering 'std' namespace should be after all headers are included
    • build: clean up u_int*_t usage
    • build: remove SPARC support
    • build: clean up some DAQ header inclusion creep
    • cleaned up compiler warnings

    Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

    Happy Snorting!
    The Snort Release Team

    Tuesday, September 27, 2016

    Snort Subscriber Rule Set Update for 09/27/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/27/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 20 additional rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
    Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, exploit-kit, file-image, file-office, indicator-shellcode, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Friday, September 23, 2016

    Snort++ Update

    Pushed build 211 to github (snortadmin/snort3):
    • fix hyperscan detection with nocase
    • fix shutdown sequence
    • fix --dirty-pig
    • fix FreeBSD build re appid / service_rpc

    Thursday, September 22, 2016

    Snort 2.9.8.2 is End of Life!

Just a notification to remind everyone that Snort 2.9.8.2 is now End of Life (EOL). In accordance with our EOL policy, 2.9.8.2 met its EOL date today.

Now it is time to upgrade your engines: Snort 2.9.8.3 is the current version of Snort, and users should upgrade immediately.

    Thanks for all of your support!

    Snort Subscriber Rule Set Update for 09/22/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/22/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 23 new rules and made modifications to 73 additional rules.



    Talos's rule release:
    Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Wednesday, September 21, 2016

    Snort++ Update

    Pushed build 210 to github (snortadmin/snort3):
    • started dce_udp porting
    • added HA details to stream/* dev_notes
    • added stream.ip_frag_only to avoid tracking unwanted flows
    • updated default stream cache sizes to match 2.X
    • fixed tcp_connector_test for OSX build
    • fixed binder make files to include binder.h
    • fixed double counting of ip and udp timeouts and prunes
    • fixed clearing of SYN - RST flows
    Pushed build 209 to github last week:
    • add dce iface fast pattern for tcp
    • add --enable-tsc-clock to build/use TSC register (on x86)
    • update latency to use ticks during runtime
    • tcp stream reassembly tweaks
    • fix inverted detection_filter logic
    • fix stream profile stats parents
    • fix most bogus gap counts
    • unit test fixes for high availability, hyperscan, and regex

    Tuesday, September 20, 2016

    Snort Subscriber Rule Set Update for 09/20/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/20/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 2 additional rules.

    There were no changes made to the snort.conf in this release.


    Talos's rule release:
    Talos has added and modified multiple rules in the blacklist, file-image, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Monday, September 19, 2016

    Snort 2.9.8.2 is rapidly approaching!

    As you can see from our EOL page:

    https://www.snort.org/eol

The EOL for Snort 2.9.8.2 is approaching in a couple of days. From our download statistics, the percentage of users still on that version is pretty small.

Please try to update your engines to 2.9.8.3, the current version, this week. We also look forward to the release of 2.9.9.0 in the coming weeks; as a reminder, for those of you still on 2.9.7.6, its EOL date will be 90 days after the release of 2.9.9.0.

    So, 2.9.7.6 users, your EOL is coming too, and there are tens of thousands of you on that version.  It's upgrade time!

    Thursday, September 15, 2016

    Snort Subscriber Rule Set Update for 09/15/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/15/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 3 new rules.

    There were no changes made to the snort.conf in this release.



    Talos's rule release:
Talos has added and modified multiple rules in the malware-cnc rule set to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Snort Subscriber Rule Set Update for 09/15/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/15/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules and made modifications to 6 additional rules.

    There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

    El Cabezzon
    30034

    rmkml
    40184


    Talos's rule release:
    Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!

    Tuesday, September 13, 2016

    Snort Subscriber Rule Set Update for 09/13/2016

    Just released:
    Snort Subscriber Rule Set Update for 09/13/2016


    We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 2 additional rules.

    There were no changes made to the snort.conf in this release.

    Talos's rule release:
    Talos has added and modified multiple rules in the and file-office rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; business pricing is also available at https://www.snort.org/products. Make sure to stay up to date to catch the latest emerging threats!