Monday, February 29, 2016

Snort 2.9.6.2 EOL Reminder!

Reminder for the 12,000 or so of you that are still on 2.9.6.2...

Its EOL is rapidly approaching (next week): we plan to EOL it on Monday, 3/7/2016.

That means, barring anything unexpected this week, Thursday (3/3/2016) should be the last day that rule set builds are published for Snort 2.9.6.2.

The current version is 2.9.8.0, so, if you haven't upgraded yet, start your engines this week!

Friday, February 26, 2016

Snort++ Update

Pushed build 189 to github (snortadmin/snort3):

16/02/26 - build 189
  • snort2lua for dce2 port (in progress)
  • replace ppm with latency
  • added rule latency
  • fixed more address sanitizer bugs
  • fixed use of debug vs debug-msgs
  • add missing ips option hash and == methods
  • perf_monitor configuration
  • fix linux + clang build errors
  • trough rewrite
16/02/22 - build 188
  • added delete/delete[] replacements for no throw overload; thanks to Ramya Potluri for reporting the issue
  • fixed a detection option comparison bug which wasted time and space
  • disable perf_monitor by default since the reporting interval should be set
  • memory manager updates
  • valgrind and unsanitary address fixes
  • snort2lua updates for dce2
  • build issue fix - make non-GNU strerror_r() the default case
  • packet latency updates
  • perfmon updates

Thursday, February 25, 2016

Snort Subscriber Rule Set Update for 02/25/2016

Just released:
Snort Subscriber Rule Set Update for 02/25/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 5 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, February 24, 2016

Snort Subscriber Rule Set Update for 02/23/2016

Just released:
Snort Subscriber Rule Set Update for 02/23/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 111 new rules and made modifications to 54 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
36541
37814
37815
37817

Avery Tarasov
37816


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-executable, file-flash, file-identify, file-java, file-office, file-other, file-pdf, indicator-obfuscation, indicator-shellcode, malware-cnc, os-solaris, os-windows, policy-other, protocol-imap, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, February 23, 2016

Snort++ Update

Pushed build 188 to github (snortadmin/snort3):

  • added delete/delete[] replacements for no throw overload; thanks to Ramya Potluri for reporting the issue
  • fixed a detection option comparison bug which wasted time and space
  • disable perf_monitor by default since the reporting interval should be set
  • memory manager updates
  • valgrind and unsanitary address fixes
  • snort2lua updates for dce2
  • build issue fix - make non-GNU strerror_r() the default case
  • packet latency updates
  • perfmon updates

Thursday, February 18, 2016

Snort Subscriber Rule Set Update for 02/18/2016

Just released:
Snort Subscriber Rule Set Update for 02/18/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 54 new rules and made modifications to 120 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
37733


Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-java, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, netbios, os-windows, policy-other, protocol-dns, server-apache and sql rule sets to provide coverage for emerging threats from these technologies.



Tuesday, February 16, 2016

Snort Subscriber Rule Set Update for 02/16/2016

Just released:
Snort Subscriber Rule Set Update for 02/16/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, exploit-kit, file-flash, file-office, malware-cnc, malware-tools, netbios, policy-other, protocol-pop and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Saturday, February 13, 2016

Snort Subscriber Rule Set Update for 02/13/2016

Just released:
Snort Subscriber Rule Set Update for 02/13/2016

You're asking, "Did you guys just publish a rule release on a Saturday?"

Yes.


We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release: 

Talos has added and modified multiple rules in the browser-plugins, file-flash, file-java, file-multimedia, file-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Friday, February 12, 2016

Snort++ Update

Pushed build 187 to github (snortadmin/snort3):
  • file capture added - initial version writes from packet thread
  • added support for http 0.9 to new_http_inspect
  • added URI normalization of headers, cookies, and post bodies to new_http_inspect
  • configure_cmake.sh updates to better support scripting
  • updated catch header (used for some unit tests)
  • continued dce2 port
  • fixed misc clang and dynamic plugin build issues
  • fixed static analysis issues and crash in new_http_inspect
  • fixed tcp paws issue
  • fixed normalization stats
  • fixed issues reported by Bill Parker
  • refactoring updates to tcp session
  • refactoring updates to profiler

Thursday, February 11, 2016

Coverage for CVE-2016-1287 in the Snort Subscriber Rule Set

We've been receiving a lot of questions regarding our coverage for the Cisco ASA IKEv1 and IKEv2 buffer overflow vulnerability (CVE-2016-1287).

We want our customers to know that we released coverage for this vulnerability on December 1, 2015, in the form of a Shared Object rule. Detection was enabled by default in the balanced policy, which is the policy that is on by default for open-source users of the Snort Subscriber Rule Set. Following the patch, that rule was converted yesterday from a Shared Object rule to a plaintext rule and released in the ruleset.

Because this is a modification to an existing rule, and that rule's original release date is more than 30 days ago, it is available to all Registered users as well as to Subscribers of the Snort Subscriber Rule Set.

As with all of our Shared Object rules, including the zero-days that Talos has discovered and disclosed to the appropriate vendors, you'll want to stay as up to date with the ruleset as you can.


Thank you!

Snort Subscriber Rule Set Update for 02/11/2016

Just released:
Snort Subscriber Rule Set Update for 02/11/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 13 additional rules.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
37521
37522
37523

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, malware-cnc, malware-tools, os-linux, os-windows, pua-adware, server-other and sql rule sets to provide coverage for emerging threats from these technologies.



Wednesday, February 10, 2016

Snort Subscriber Rule Set Update for 02/09/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 02/09/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 73 new rules and made modifications to 7 additional rules.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
37620
37621
37552

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS16-009:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37553 through 37554, 37571 through
37574, 37581 through 37582, 37596 through 37597, 37602 through 37605, and 37616
through 37617.

Microsoft Security Bulletin MS16-011:
A coding deficiency exists in Microsoft Edge that may lead to remote code
execution.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 36986 through 36987.

New rules to detect attacks targeting these vulnerabilities are also included
in this release and are identified with GID 1, SIDs 37575 through 37576, and
37608 through 37615.

Microsoft Security Bulletin MS16-012:
A coding deficiency exists in the Microsoft Windows PDF library that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37565 through 37566 and 37594
through 37595.

Microsoft Security Bulletin MS16-013:
A coding deficiency exists in Microsoft Windows Journal that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37577 through 37578.

Microsoft Security Bulletin MS16-014:
A coding deficiency exists in Microsoft Windows that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37555 through 37558, 37567 through
37570, and 37588 through 37591.

Microsoft Security Bulletin MS16-015:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37559 through 37564, 37579 through
37580, 37592 through 37593, 37598 through 37601, and 37606 through 37607.

Microsoft Security Bulletin MS16-016:
A coding deficiency exists in Microsoft WebDAV that may lead to an escalation
of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37586 through 37587.

Microsoft Security Bulletin MS16-018:
A coding deficiency exists in a Microsoft Windows kernel-mode driver that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 37584 through 37585.

Talos has added and modified multiple rules in the browser-ie, file-identify,
file-image, file-office, file-other, file-pdf, indicator-shellcode,
malware-cnc, os-windows, pua-adware and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
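Two checks these posts imply can be scripted against the plaintext .rules files on a sensor: which rules reference a given CVE and whether they are enabled (a rule that has been commented out with a leading "#" is disabled, as in the CVE-2016-1287 post above), and whether the SID ranges quoted in a release note, such as the MS16-009 list in this post, are actually present and enabled in the ruleset you run. The script below is an added example, not Snort, Talos or snort.org code. The rule lines embedded in SAMPLE_RULES are constructed for illustration (local-range SIDs 1000001 and up, invented messages, no real Talos rule content), and the function names are this example's own.

```python
"""Audit Snort 2.9.x rule files for CVE coverage and for expected SIDs.

Added example, not Snort or Talos code. SAMPLE_RULES is constructed:
local-range SIDs, invented messages, no real Talos rule content.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "gid sid enabled msg refs raw")

# One rule per line. A leading '#' marks a disabled rule. Shared Object (.so)
# rules ship as stub lines in so_rules/*.rules with the same header/option
# syntax, so they parse here too. The header is everything before the first '('.
_RULE_RE = re.compile(
    r"^\s*(#\s*)?(alert|drop|log|pass|reject|sdrop)\s+(.*?)\((.*)\)\s*$")


def _split_options(body):
    """Split 'k:v; k:v;' into (key, value) pairs; a ';' inside "..." is literal."""
    tokens, buf, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            tokens.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    tokens.append("".join(buf))
    pairs = []
    for tok in tokens:
        tok = tok.strip()
        if tok:
            key, _, val = tok.partition(":")
            pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def parse_rules(text):
    """Return {(gid, sid): Rule} for every rule line in the text."""
    rules = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue  # blank lines, comments, anything that is not a rule
        gid, sid, msg, refs = 1, None, "", []
        for key, val in _split_options(m.group(4)):
            if key == "gid":
                gid = int(val)
            elif key == "sid":
                sid = int(val)
            elif key == "msg":
                msg = val
            elif key == "reference":
                refs.append(val.lower())
        if sid is not None:
            rules[(gid, sid)] = Rule(gid, sid, m.group(1) is None, msg, refs, line.strip())
    return rules


def load_rules_files(paths):
    """Parse several files (e.g. glob.glob('/etc/snort/rules/*.rules')) into one map."""
    rules = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            rules.update(parse_rules(fh.read()))
    return rules


def coverage_for_cve(rules, cve):
    """Rules whose references name the CVE; Snort writes it as reference:cve,YYYY-NNNN."""
    key = "cve," + cve.lower().replace("cve-", "")
    return [r for r in rules.values() if key in r.refs]


def expand_sid_ranges(spec):
    """Turn release-note wording such as 'GID 1, SIDs 37553 through 37554, and
    37616 through 37617.' into a sorted list of SIDs."""
    spec = " ".join(spec.split())  # the notes are hard-wrapped; normalise whitespace
    spec = re.sub(r"^(?:GID\s+\d+,\s*)?SIDs?\s+", "", spec, flags=re.I)
    spec = spec.rstrip(".").replace(" and ", " ")
    sids = set()
    for part in (p.strip() for p in spec.split(",")):
        if not part:
            continue
        m = re.fullmatch(r"(\d+)\s+through\s+(\d+)", part)
        if m:
            sids.update(range(int(m.group(1)), int(m.group(2)) + 1))
        else:
            sids.add(int(part))
    return sorted(sids)


def check_sids(rules, sids, gid=1):
    """Classify each expected SID as 'enabled', 'disabled' or 'missing'."""
    status = {}
    for sid in sids:
        r = rules.get((gid, sid))
        status[sid] = "missing" if r is None else ("enabled" if r.enabled else "disabled")
    return status


# Constructed sample, not Talos rules: local-range SIDs, invented messages.
SAMPLE_RULES = r'''
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SAMPLE IKE oversized payload"; content:"|00 00 00 00|"; reference:cve,2016-1287; classtype:attempted-admin; sid:1000001; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE disabled rule"; content:"x"; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE msg with ; and (parens)"; pcre:"/a(b)c/"; sid:1000003; rev:2;)
'''

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in coverage_for_cve(rules, "CVE-2016-1287"):
        print("CVE-2016-1287 covered by", r.gid, r.sid, "enabled" if r.enabled else "disabled")
    print(check_sids(rules, [1000001, 1000002, 1000004]))
```

Run it against your own files with load_rules_files(glob.glob("/etc/snort/rules/*.rules") + glob.glob("/etc/snort/so_rules/*.rules")) in place of parse_rules(SAMPLE_RULES). Keep in mind that a rule present and uncommented in the file is only part of the story: the rule also has to be in a file that snort.conf includes, and for Shared Object rules the stub in so_rules/*.rules carries the sid and references while the detection logic lives in the matching .so, so a stub without its library on the sensor will not fire.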



Thursday, February 4, 2016

Snort Subscriber Rule Set Update for 02/04/2016

Just released:
Snort Subscriber Rule Set Update for 02/04/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, February 2, 2016

Snort Subscriber Rule Set Update for 02/02/2016

Just released:
Snort Subscriber Rule Set Update for 02/02/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-multimedia, file-other, malware-cnc, malware-other, os-solaris, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Snort++ Update

Snort++ build 186 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Bug Fixes:

  • fix xcode builds
  • fix static analysis issues
  • fix profiler depth bug
  • fixed fatal on failed IP rep segment allocation - thanks to Bill Parker
  • fixed build issue with Clang and thread_local
  • fixed rule option string unescape issue

Enhancements:

  • host_module and host_tracker updates
  • start perf_monitor rewrite - 1st of many updates
  • start dce2 port - 1st of many updates
  • initial host_tracker for new integrated netmap
  • continued tcp session refactoring
  • new_http_inspect refactoring for time and space considerations
  • added new_http_inspect rule options
  • remove --enable-ppm - always enabled
  • update copyright to 2016, add missing license blocks
  • update default manuals
  • tweaked style guide wrt class declarations

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.

This release, build 261, includes:
  • a total of 2,802 detectors;
  • additional detectors contributed by the open source community. The contributions included in this release are credited in the AUTHORS file in the package.
It is available now from our downloads page. We look forward to you running it with the OpenAppID preprocessor in 2.9.7.0 and 2.9.8.0 and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.