Friday, April 29, 2016

Snort++ Update

Pushed build 196 to github (snortadmin/snort3):

  • added packet_capture module
  • initial high availability for UDP
  • changed memory_manager to use absolute instead of relative cap
  • cmake and pkgconfig fixes
  • updated catch headers to v1.4.0
  • static analysis memory leak fixes
  • added file capture stats
  • DAQ interface refactoring
  • perf_monitor refactoring
  • unicode map file for new_http_inspect
  • continued dce2 port
  • update extras to better serve as examples
  • cleanup use of protocol numbers and identifiers
  • continued stream_tcp refactoring


Thursday, April 28, 2016

Snort Subscriber Rule Set Update for 04/28/2016

Just released:
Snort Subscriber Rule Set Update for 04/28/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, indicator-obfuscation, malware-cnc, malware-other, protocol-dns and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Tuesday, April 26, 2016

Snort Subscriber Rule Set Update for 04/26/2016

Just released:
Snort Subscriber Rule Set Update for 04/26/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos would also like to thank the following researchers for the rules that they have contributed to the community ruleset, which were released in this rule pack:

Yaser Mansour
38603
38606
38607
38608
38610
38619
38620
38621

Rmkml
38604
38605


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-other, file-other, indicator-compromise, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, April 22, 2016

Snort Subscriber Rule Set Update for 04/21/2016, Release 2

Just released:
Snort Subscriber Rule Set Update for 04/21/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Thursday, April 21, 2016

Snort Subscriber Rule Set Update for 04/21/2016

Just released:
Snort Subscriber Rule Set Update for 04/21/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

rmkml
17904 (Modified)
38580
38581

Brian Scameheorn
38594

Yaser Mansour
38584
38585
38586
38587
38588


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-office, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Tuesday, April 19, 2016

Snort Subscriber Rule Set Update for 04/19/2016

Just released:
Snort Subscriber Rule Set Update for 04/19/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
38514
38515
38516
38517
38510
38509
38557
38558
38559
38560
38561
38562
38563
38664
38565
38566


Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, file-office, file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Thursday, April 14, 2016

Snort Subscriber Rule Set Update for 04/14/2016

Just released:
Snort Subscriber Rule Set Update for 04/14/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 41 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
38509
38510
38514
38515
38516
38517


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, April 13, 2016

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content.
This release, build 265, includes:
  • A total of 2,808 detectors.
  • Additional detectors contributed by the open source community. For details on which contributions were included, see the AUTHORS file in this package.

Available now for download from our downloads page; we look forward to you downloading and using the new features of the OpenAppID preprocessor in 2.9.7.0 and 2.9.8.0, and to you sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Snort Subscriber Rule Set Update for 04/12/2016, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 04/12/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 51 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Rmkml
38457


Talos's rule release:
Microsoft Security Bulletin MS16-037:
Microsoft Internet Explorer suffers from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38465 through 38470, 38491 through
38492, and 38503 through 38508.

Microsoft Security Bulletin MS16-038:
A coding deficiency exists in Microsoft Edge that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38473 through 38474, 38479 through
38480, and 38483 through 38486.

Microsoft Security Bulletin MS16-039:
A coding deficiency exists in Microsoft Graphics Component that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38459 through 38460, 38487 through
38488, and 38493 through 38494.

Microsoft Security Bulletin MS16-040:
A coding deficiency exists in Microsoft XML Core Service that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38463 through 38464.

Microsoft Security Bulletin MS16-041:
A coding deficiency exists in the Microsoft .NET Framework that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38469 through 38470.

Microsoft Security Bulletin MS16-042:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 36751 through 36752, 38471 through
38472, 38481 through 38482, and 38495 through 38496.

Microsoft Security Bulletin MS16-044:
A coding deficiency exists in Microsoft Windows OLE that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38489 through 38490.

Microsoft Security Bulletin MS16-046:
A coding deficiency exists in Microsoft Secondary Logon that may lead to an
escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 38458.

Microsoft Security Bulletin MS16-047:
A coding deficiency exists in Microsoft SAM and LSAD Remote Protocols that may
lead to a downgrade attack.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 38462.

Microsoft Security Bulletin MS16-048:
A coding deficiency exists in Microsoft CSRSS that may lead to a security
feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38475 through 38476.

Talos has added and modified multiple rules in the browser-ie, browser-plugins,
exploit-kit, file-office, file-other and os-windows rule sets to provide
coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, April 8, 2016

Snort Subscriber Rule Set Update for 04/08/2016

Just released:
Snort Subscriber Rule Set Update for 04/08/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 23 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Rmkml
38457


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, malware-other and policy-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 194 to github (snortadmin/snort3):
  • added iterative pruning for out of memory condition
  • added preemptive pruning to memory manager
  • dce segmentation changes
  • dce smb header checks port - non segmented packets
  • added thread timing stats to perf_monitor
  • fixed so rule input / output
  • fixed protocol numbering issues
  • fixed 129:18
  • update extra version to alpha 4 - thanks to Henry Luciano <cuncator@mote.org> for reporting the issue
  • remove legacy/unused obfuscation api
  • fixed clang, gcc, and icc build warnings
  • fixed static analysis issues
  • fixed memory leaks (more to go)

Thursday, April 7, 2016

Snort Subscriber Rule Set Update for 04/07/2016

Just released:
Snort Subscriber Rule Set Update for 04/07/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 0 new rules and made modifications to 34 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 04/07/2016

Just released:
Snort Subscriber Rule Set Update for 04/07/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:


Talos's rule release:
CVE-2016-1019:
A coding deficiency exists in Adobe Flash that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 38429 through 38434.

Talos has added and modified multiple rules in the deleted, file-flash,
file-office and server-webapp rule sets to provide coverage for emerging
threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, April 6, 2016

Snort Community Ruleset winner for March, 2016

It comes as no surprise to us that our first winner of our monthly signature contest for the community ruleset is Yaser Mansour!

Yaser is one of our great community members who has been submitting rules, answering mailing list posts, and contributing documentation for Snort for several years.

It's with great pleasure that we award him the prize for submitting the most community rules into the community ruleset for the month of March, 2016.

His prize will be a brand new Snort.org T-shirt. These shirts are so new that they aren't even back from the printer! But rest assured, we'll be getting this one out to Yaser soon!

For more information on how to get involved, and how you can win your Snort prizes, please take a look at our blog post on the subject.

We look forward to a great month of April and beyond!

Tuesday, April 5, 2016

Snort Subscriber Rule Set Update for 04/05/2016

Just released:
Snort Subscriber Rule Set Update for 04/05/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
38385
38386
38387
38388

Talos's rule release:
Talos has added and modified multiple rules in the browser-other, browser-plugins, browser-webkit, file-flash, file-office, malware-cnc, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!