Wednesday, June 29, 2016

Snort.conf examples have been posted!

When changes are made to the Snort.conf, we update our example configuration page on Snort.org in order to provide the latest updates to the community.  The Snort.conf that ships with the Snort tarball is only updated upon version release.

Please take a look at the latest updates to the Snort.conf on our website, download and use these, as appropriate.

Tuesday, June 28, 2016

Snort Subscriber Rule Set Update for 06/28/2016

Just released:
Snort Subscriber Rule Set Update for 06/28/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 8 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-java, pua-adware and sql rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Sunday, June 26, 2016

Snort 2.9.8.0 is approaching EOL

As you can see from our EOL page:

https://www.snort.org/eol

The EOL for Snort 2.9.8.0 is a couple of days away. From our download statistics, the percentage of users still running 2.9.8.0 is pretty small, so it shouldn't have a great impact.

Please try to update your engines this week to 2.9.8.3, the current version. Thanks!

Thursday, June 23, 2016

Snort++ Build 201 Available Now

Snort++ build 201 is now available on snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Enhancements:

  • add configure --enable-hardened-build
  • add configure --pie (position independent executable)
  • add new_http_inspect alert for loss of sync
  • add peg counts for new_http_inspect
  • add peg counts for sd_pattern
  • add file_log inspector to log file events
  • add filename support to file daq
  • update file processing configuration
  • add high availability support for udp and icmp
  • add support for safe C library
  • add new http_inspect alerts abusive content-length and transfer-encodings
  • add \b matching to sensitive data
  • add obfuscation for sensitive data
  • add support for unprivileged operation
  • convert legacy allocations to memory manager for better memory profiling
  • add double-decoding to new_http_inspect
  • add obfuscation support for cmg and unified2
Bug Fixes:
  • various snort2lua updates and fixes
  • fix default prime tables for internal hash functions
  • fix new_http_inspect bounds issues
  • miscellaneous cmake and auto tools build fixes
  • add / update unit tests
  • fix additional memory leaks
  • fix compiler warnings
  • fix static analysis issues
  • fix handling of bpf file failures
  • fix link with dynamic DAQ
  • fix multi-DAQ instance configuration
  • prevent profiler double counting on recursion
Other Changes:
  • initial appid port - in progress
  • continued porting of dce_rpc - smb transaction processing
  • openssl is now a mandatory dependency
  • DAQ 2.1 has many updates - see the ChangeLog for details
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 06/23/2016

Just released:
Snort Subscriber Rule Set Update for 06/23/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-office and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort Rule Downloads, Crontabs, and you.

At Snort we have an extensive amount of monitoring taking place to make sure the health of Snort.org is as optimal as we can make it.

One of the things we monitor is response time, or how long it takes from the time your browser requests Snort.org to the time we fulfill the entire page or whatever else is being loaded.  We strive for a sub-100ms response time.

We'd like to go faster, but look, this is reality, nothing is perfect, and Snort is a very complex beast.

Setting aside the millions of hits a day that Snort.org gets, let's concentrate on the people who have PulledPork and Oinkmaster checking for new rules automatically in a crontab.  We see nearly 500,000 PulledPork requests a day, and this "GET" request is very quick.  Since we generally release rule packs on Tuesdays and Thursdays, most of the people hitting Snort.org for the md5 of the rule pack find that the md5 hasn't changed, and move on.

Unless, of course, we deploy a new rule pack: then the md5 changes and you grab the full rule pack.  Working exactly as intended.  We love PulledPork for this, and we wish the remaining Oinkmaster users would move off of Oinkmaster, as the md5 check alleviates a lot of load on the server.

We use load balancing, and even Cloudflare in front of Snort.org to cache the majority of requests to the site.  In fact, about 85% of the content served from Snort.org is cached.

The remainder of this traffic, for the most part, is document and rule downloads.

This only becomes a problem, basically, at the top of the hour.  (Our downloaders love 12pm and 4pm the most, for some reason.)  At every hour we see huge spikes of traffic, caused by people running PulledPork (or, for some reason, Oinkmaster) from cron to download the ruleset on the hour.

It's perfectly fine that you do this.

However, if we can encourage, say, 10% of you to randomize your crontab's time, even to 10 minutes past the hour, the response time on our servers would drop tremendously.  (Now, don't everyone go set their crontab to 10 past the hour; it was just an example!)
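As an added example (not code from the Snort blog or from the PulledPork project), the POSIX shell snippet below derives a per-sensor minute offset in 1..59 from the hostname and renders a crontab line for it, so the check never lands on the top of the hour and a fleet of sensors spreads itself across the hour without anybody having to pick a minute. The function names, the pulledpork.pl location and the config path are assumptions; the `\%` is not a typo, because cron treats a bare `%` in the command field as a newline.

```shell
# Added example, not part of the Snort blog or of PulledPork itself.
# Function names, the pulledpork.pl location and its config path are assumptions.

# Deterministic minute offset in 1..59 derived from the hostname: a fleet of
# sensors spreads across the hour with no coordination, and no host ever
# lands on minute 0 (the top-of-the-hour spike described in the post).
jitter_minute() {
    host="${1:-$(hostname)}"
    # cksum prints "<crc32> <byte count>"; keep the CRC and reduce it mod 59
    crc=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    echo $(( crc % 59 + 1 ))
}

# Render the crontab entry: run the PulledPork check hourly at that minute,
# after a random sleep of up to 5 minutes so two hosts that happen to share
# an offset still do not hit the server in the same second.
# NOTE: cron turns a bare '%' in the command field into a newline, so the
# modulus operator has to be written '\%' inside the crontab.
crontab_line() {
    minute=$(jitter_minute "$1")
    cmd='sleep $(( $(od -An -N2 -tu2 /dev/urandom) \% 300 )); /usr/local/bin/pulledpork.pl -c /etc/pulledpork/pulledpork.conf'
    printf '%s * * * * %s\n' "$minute" "$cmd"
}

# Usage: print the line to paste into "crontab -e" on this sensor
# crontab_line
```

The offset is derived from the hostname rather than drawn at random so that it survives reboots and config management runs: a sensor always checks at the same minute, and the short random sleep in front of the PulledPork call only smooths out the few hosts whose hostnames hash to the same minute.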

Please keep in mind that no one has complained about the response time of the site, and we aren't overly concerned with the issue.  We just prefer to head this off at the pass, before it becomes an issue.

We add over 1,000 new users to the site every week, we have well over 500,000 active users on Snort.org now, and we show no signs of slowing down.  In fact, by all the metrics we track, activity is increasing.  This is fantastic, and we love the fact that our community is strong.

However, if you can adjust the crontab run times of the rule update software that you are all running, we can keep the experience as optimal as we can for everyone for a long time to come.

I appreciate you doing so, thanks a lot!

Keep Snorting!

Snort++ Update

Pushed build 201 to github (snortadmin/snort3):
  • initial appid port - in progress
  • add configure --enable-hardened-build
  • add configure --pie (position independent executable)
  • add new_http_inspect alert for loss of sync
  • add peg counts for new_http_inspect
  • add peg counts for sd_pattern
  • add file_log inspector to log file events
  • add filename support to file daq
  • add high availability support for udp and icmp
  • add support for safe C library
  • continue porting of dce_rpc - smb transaction processing (part 2)
  • various snort2lua updates and fixes
  • fix default prime tables for internal hash functions
  • fix new_http_inspect bounds issues
  • fix icc warnings
  • miscellaneous cmake and auto tools build fixes
  • openssl is now a mandatory dependency


Wednesday, June 22, 2016

Snort 2.9.8.3 has been released!

Please join us in welcoming Snort 2.9.8.3 to the family!

Please see below for the release notes:

2016-04-25 - Snort 2.9.8.3
[*] Improvements
 *  Stability improvement for Stream6 preprocessor

 *  Fixed multiple issues in HttpInspect preprocessor

 *  Fixed an issue of incorrect masking of sensitive data

You can download Snort at our downloads site at Snort.org.

Tuesday, June 21, 2016

Snort Subscriber Rule Set Update for 06/21/2016

Just released:
Snort Subscriber Rule Set Update for 06/21/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules and made modifications to 7 additional rules.

Port 5450 was added to http_inspect and stream5.


Talos's rule release:
Talos has added and modified multiple rules in the file-pdf, indicator-obfuscation, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, June 17, 2016

Snort Subscriber Rule Set Update for 06/16/2016

Just released:
Snort Subscriber Rule Set Update for 06/16/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 56 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-flash and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Tuesday, June 14, 2016

Snort Subscriber Rule Set Update for 06/14/2016, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 06/14/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 79 new rules and made modifications to 18 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Security Bulletin MS16-063:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

A previously released rule will detect attacks targeting these
vulnerabilities and has been updated with the appropriate reference
information. It is included in this release and is identified with GID
1, SID 20258.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 20258,
39207 through 39208, 39227, 39230 through 39231, 39234 through 39235,
and 39242 through 39259.

Microsoft Security Bulletin MS16-068:
A coding deficiency exists in Microsoft Edge that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39199 through 39200,
39205 through 39206, 39219 through 39220, 39228 through 39229, 39232
through 39233, and 39238 through 39239.

Microsoft Security Bulletin MS16-069:
A coding deficiency exists in Microsoft Jscript and VBScript that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39211 through 39212
and 39236 through 39237.

Microsoft Security Bulletin MS16-070:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39203 through 39204
and 39221 through 39224.

Microsoft Security Bulletin MS16-073:
A coding deficiency exists in Microsoft Kernel Mode Drivers that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39193 through 39196
and 39217 through 39218.

Microsoft Security Bulletin MS16-074:
A coding deficiency exists in Microsoft Graphics Component that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39209 through 39210,
39260 through 39261, and 39266 through 39267.

Microsoft Security Bulletin MS16-075:
A coding deficiency exists in Microsoft Windows SMB Server that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39213 through 39216.

Microsoft Security Bulletin MS16-077:
A coding deficiency exists in Microsoft Web Proxy Autodiscovery (WPAD)
that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 39227.

Microsoft Security Bulletin MS16-078:
A coding deficiency exists in Microsoft Windows Diagnostic Hub that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 39225 through 39226.

Talos has added and modified multiple rules in the browser-ie,
file-flash, file-image, file-office, file-other, malware-cnc,
os-windows, pua-toolbars and server-webapp rule sets to provide
coverage for emerging threats from these technologies.



To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, June 10, 2016

Snort Subscriber Rule Set Update for 06/09/2016

Just released:
Snort Subscriber Rule Set Update for 06/09/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 12 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
39159
39160
39163
39164


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-image, file-office, file-pdf, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 200 to github (snortadmin/snort3):

  • continue porting of dce_rpc - smb transaction processing
  • tweak autotools build foo
  • add / update unit tests
  • fix additional memory leaks
  • fix compiler warnings
  • fix static analysis issues
  • fix handling of bpf file failures


Tuesday, June 7, 2016

Snort Subscriber Rule Set Update for 06/07/2016

Just released:
Snort Subscriber Rule Set Update for 06/07/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 22 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-image, file-office, file-pdf, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Monday, June 6, 2016

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 270, includes
  • A total of 2,816 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page; we look forward to you downloading and using the new features of 2.9.8.2's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Friday, June 3, 2016

Snort++ Update

Pushed build 199 to github (snortadmin/snort3):

  • add new http_inspect alerts abusive content-length and transfer-encodings
  • add \b matching to sensitive data
  • add obfuscation for sensitive data
  • add support for unprivileged operation
  • fix link with dynamic DAQ
  • convert legacy allocations to memory manager for better memory profiling

Snort Community Ruleset winner for May, 2016

The May winner of our monthly signature contest for the community ruleset is James Lay!

His prize will be one of our awesome new Snort.org T-shirts!

For more information on how to get involved, and how you can win your Snort prizes, please take a look at our blog post.

Good luck to all of those submitting rules in the upcoming months. We look forward to a great June and beyond!


Snort Subscriber Rule Set Update for 06/02/2016

Just released:
Snort Subscriber Rule Set Update for 06/02/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules and made no modifications to existing rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-image, file-office, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!