Friday, July 29, 2016

Snort++ Update

Pushed build 204 to github (snortadmin/snort3):

  • fixed issue with icmp_seq and icmp_id field matching
  • fixed off-by-1 line number in rule parsing errors
  • fix cmake make check issue with new_http_inspect
  • added new_http_inspect unbounded POST alert

Thursday, July 28, 2016

Snort Subscriber Rule Set Update for 07/28/2016

Just released:
Snort Subscriber Rule Set Update for 07/28/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 10 new rules and made modifications to 14 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

rmkml
39737

Avery Tarasov
39738

Yaser Mansour
39705

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-executable, file-other, malware-backdoor, malware-cnc, malware-other, pua-adware and sql rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Wednesday, July 27, 2016

Snort Subscriber Rule Set Update for 07/26/2016

Snort Subscriber Rule Set Update for 07/26/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 23 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
37929


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-flash, file-image, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, July 22, 2016

Snort++ Update

Pushed build 203 to github (snortadmin/snort3):

  • add oversize directory alert to new_http_inspect
  • add appid counts for mdns, timbuktu, battlefield, bgp, and netbios services
  • continue smb port - write and close command, deprecated dialect check, smb fingerprint
  • fix outstanding strndup calls


Snort Subscriber Rule Set Update for 07/21/2016

Just released:
Snort Subscriber Rule Set Update for 07/21/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
39705

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, exploit-kit, file-flash, file-image, file-other, file-pdf, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Tuesday, July 19, 2016

Snort Subscriber Rule Set Update for 07/19/2016

Just released:
Snort Subscriber Rule Set Update for 07/19/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, file-image, file-other, file-pdf, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Saturday, July 16, 2016

Snort Subscriber Rule Set Update for 07/14/2016

Just released:
Snort Subscriber Rule Set Update for 07/14/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 63 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
39573
39574
39575
39576
39577
39578
39579
39580
39581
39582
39583


Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, file-image, file-multimedia, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, July 15, 2016

Snort++ Update

Pushed build 202 to github (snortadmin/snort3):

  • fix dynamic build of new_http_inspect
  • fix static analysis issues
  • fix new_http_inspect handling of 100 response
  • port appid detectors: kerberos, bittorrent, imap, pop
  • port smb reassembly and raw commands processing
  • snort2lua updates for new_http_inspect
  • code refactoring and cleanup

Wednesday, July 13, 2016

Snort Subscriber Rule Set Update for 07/12/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 07/12/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 43 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
39526
39527
39528
39529


Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:
Microsoft Security Bulletin MS16-084:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 38112 through 38113.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 39484 through 39487, 39491 through 39492, 39499 through 39500, and 39510 through 39515.

Microsoft Security Bulletin MS16-085:
A coding deficiency exists in Microsoft Edge that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39493 through 39494 and 39505 through 39507.

Microsoft Security Bulletin MS16-088:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 16234, 18545, 18548, and 25631.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 39503 through 39504 and 39518 through 39525.

Microsoft Security Bulletin MS16-090:
A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39478 through 39483, 39495 through 39496, 39508 through 39509, and 39516 through 39517.

Talos has added and modified multiple rules in the browser-ie, file-office, file-pdf, indicator-obfuscation, malware-cnc and policy-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Monday, July 11, 2016

Snort 2.9.9 Beta has been posted!

Join us as we welcome Snort 2.9.9 to the family, in beta form, with a couple of really killer features!

Here are some release notes:

2016-05-12 - Snort 2.9.9 Beta
[*] New additions

 *  HTTP/2 support.
        HTTP2 SUPPORT IS STILL EXPERIMENTAL.
        By default, HTTP2 traffic is not supported. To enable it you need to:
            * Install the nghttp2 library from https://nghttp2.org/
            * If nghttp2 is not installed in the default path, use with_libnghttp2_includes and
              with_libnghttp2_libraries to point to the correct path during the "configure" step.
            * Enable HTTP2 support in the http_inspect configuration with "legacy_mode no"
        Refer to README.http_inspect for details.

 *  Buffer Dump feature.
        Enable the buffer dump feature with the "--enable-buffer-dump" configure option.

 *  Rule options - byte_math, bitmask and from_end.

[*] Improvements
 *  Performance improvements to AppID.

 *  Fixed Flash LZMA decompression issue.

 *  Added 802.11/wifi header support in ARP Preprocessor.

 *  Stability improvement for Stream6 preprocessor.

 *  Fixed multiple issues in HttpInspect preprocessor.

 *  Fixed an issue of incorrect masking of sensitive data.


Check out Snort 2.9.9, available for download on our site.

Wednesday, July 6, 2016

Snort Community Ruleset Winner for June 2016

The June winner of our monthly signature contest for the community ruleset is Yaser Mansour!

For more information on how to get involved, and how you can win your Snort prizes, please take a look at our blog post.

Good luck to all of those submitting rules in the upcoming months. We look forward to a great July and beyond!

Tuesday, July 5, 2016

Snort Subscriber Rule Set Update for 07/05/2016

Just released:
Snort Subscriber Rule Set Update for 07/05/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Carriag Stanwyck
39443

rmkml
39444

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-other, file-flash, file-office, indicator-compromise, malware-cnc, protocol-tftp, pua-adware, server-mssql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!

Friday, July 1, 2016

Snort 2.9.8.0 is now EOL!

Just a notification to remind everyone that Snort 2.9.8.0 is now End of Life (EOL). In accordance with our EOL policy, and the reminders we've posted here on the blog, 2.9.8.0 met its EOL date today.

We released 2.9.8.0 in November of 2015.

Now it is time to upgrade your engines: Snort 2.9.8.3 is the current version of Snort, and you should upgrade immediately.

Thanks for all of your support!

Snort Subscriber Rule Set Update for 06/30/2016

Just released:
Snort Subscriber Rule Set Update for 06/30/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 53 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
39409
39410

James Lay
39411


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-other, indicator-compromise, malware-cnc, protocol-scada, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the most emerging threats!