Tuesday, August 30, 2016

Snort Subscriber Rule Set Update for 08/30/2016

Just released:
Snort Subscriber Rule Set Update for 08/30/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 1 new rule and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-executable, file-other, file-pdf, malware-cnc, malware-other, os-solaris, protocol-snmp, pua-adware, scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Friday, August 26, 2016

Running Snort on Commodity Hardware - The pitfalls of large receive offload

While working on Snort integration for another project that does HTTP stream reassembly, we came across some very strange behaviour:

During reassembly, fragments of the stream were missing or incorrectly reassembled. Large chunks of the stream would be missing even though the packets covering that part of the stream's data had been received and processed.

At first we thought this was a bug with the hardware checksum offload on the network card, so we added '-k none' (disable checksum verification) to the command line arguments. This seemed to resolve the issue, for the moment...

While testing the integration work we started noticing some very strange HTTP sessions: odd response codes, and headers that were invalid, missing, or truncated. This led me to look into the issue again. Turning on full packet dumps showed that the first packet in the reassembled stream coming from the Stream preprocessor was not the first packet in the stream, but part of the response body.

The next step was to capture a pcap with tcpdump and use Snort in replay mode (-r) to reproduce the issue, and this is where more strange things happened. Replaying the pcap through Snort, I could not reproduce the issue, but when watching the live stream it would fail about 3 out of 4 times.

This led me to look at which hardware acceleration features were enabled on the capture interface. It turned out that the card had large receive offload (LRO) enabled out of the box. This feature automatically coalesces TCP segments from the same stream into larger frames, rewriting the Ethernet, IP and TCP headers to match the new, larger frame.

Looking at the pcap showed that 2 frames in the stream had been coalesced into a single 1900-byte frame. That frame was larger than Snort's default snaplen (1518 bytes), so in live capture it was being truncated; tcpdump had captured the whole coalesced frame, which is why replaying the pcap behaved correctly. The truncation also explained why '-k none' seemed to make things a little more reliable, but not much: with checksum verification on, a truncated segment fails the check and is not inspected at all, while with verification off the partial payload at least reaches the reassembler, but the bytes cut off by the snaplen are still gone. I tested both disabling LRO and raising the snaplen in Snort (the -P option), and both resolved the stream reassembly issues. Now you're wondering which solution is the correct one. The answer is disabling LRO, for a number of reasons, chief of which is:
  • LRO changes the stream that Snort sees: the segments Snort receives are no longer the segments that were on the wire, so it cannot do target-based reassembly or correctly detect common IDS evasion techniques that depend on seeing the original segment boundaries.

On Linux you can check the status of this feature with the following command (replace "eth1" with the interface you are using as a sniffing interface); the lines to look at in the output are large-receive-offload and generic-receive-offload:

ethtool -k eth1

And you can disable the feature as follows. Generic receive offload (GRO) is the kernel's software equivalent of LRO and coalesces received segments the same way, so turn it off as well. These settings do not persist across a reboot or driver reload, so add the commands to whatever brings the sniffing interface up:

ethtool -K eth1 lro off
ethtool -K eth1 gro off

On FreeBSD you can see the interface flags in the options line of the ifconfig output (LRO is listed there when enabled). To disable the feature, use the following command (replacing "em0" with the interface you are using as a sniffing interface):
ifconfig em0 -lro
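The two checks from this post, as an added example that is not part of the original post: one function parses `ethtool -k` output and reports which receive-side coalescing features are on (and whether the driver even lets you change them), another parses `tcpdump -e -nn` output and flags frames longer than a full-size Ethernet frame, which can only have been produced by LRO/GRO coalescing and which will be cut off at Snort's snaplen in live capture. The function names and the sample tool output embedded below are constructed for illustration; the `ethtool -K` call at the end is the remediation the post describes and is not run automatically.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the LRO
# problem described above. Function names and the sample tool output below
# are constructed for illustration.

# Receive-side coalescing features to look for in `ethtool -k` output.
RX_COALESCING='large-receive-offload|generic-receive-offload'

# enabled_offloads: reads `ethtool -k <iface>` output on stdin and prints the
# coalescing features that are on. A "[fixed]" marker in ethtool's output
# means the driver will not let `ethtool -K` change that feature.
enabled_offloads() {
    awk -F': ' -v re="^(${RX_COALESCING}): on" '
        $0 ~ re {
            note = ($2 ~ /\[fixed\]/) ? " (fixed: cannot be changed with ethtool -K)" : ""
            print $1 note
        }'
}

# oversized_frames [max]: reads `tcpdump -e -nn` output on stdin and reports
# frames whose Ethernet length exceeds max (default 1518 = 1500-byte MTU plus
# the 14-byte Ethernet header, also Snort's default snaplen). Such frames
# cannot have come off the wire intact: they were coalesced by LRO/GRO.
oversized_frames() {
    awk -v max="${1:-1518}" '
        # the first "length N:" on a tcpdump -e line is the frame length; the
        # trailing "length N" is the TCP payload length, which we ignore
        match($0, /length [0-9]+:/) {
            n = substr($0, RSTART + 7, RLENGTH - 8) + 0
            if (n > max) { print "line " NR ": " n "-byte frame"; count++ }
        }
        END { print (count + 0) " frame(s) over " max " bytes" }'
}

# disable_rx_coalescing <iface>: turn LRO and GRO off on a sniffing interface.
# Not persistent: re-run it from whatever brings the interface up at boot.
disable_rx_coalescing() {
    ethtool -K "$1" lro off gro off
}

# Constructed sample, shaped like real `ethtool -k eth1` output.
SAMPLE_ETHTOOL='Features for eth1:
rx-checksumming: on
tx-checksumming: on
        tx-checksum-ipv4: off [fixed]
tcp-segmentation-offload: on
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: on'

# Constructed sample, shaped like `tcpdump -e -nn -r capture.pcap` output:
# a client ACK, a full-size server segment, and a 1900-byte coalesced frame.
SAMPLE_TCPDUMP='10:15:01.000001 52:54:00:12:34:56 > 52:54:00:65:43:21, ethertype IPv4 (0x0800), length 66: 10.0.0.9.51234 > 10.0.0.5.80: Flags [.], ack 1, win 229, length 0
10:15:01.000120 52:54:00:65:43:21 > 52:54:00:12:34:56, ethertype IPv4 (0x0800), length 1514: 10.0.0.5.80 > 10.0.0.9.51234: Flags [.], seq 1:1449, ack 1, win 227, length 1448
10:15:01.000340 52:54:00:65:43:21 > 52:54:00:12:34:56, ethertype IPv4 (0x0800), length 1900: 10.0.0.5.80 > 10.0.0.9.51234: Flags [P.], seq 1449:3283, ack 1, win 227, length 1834'

echo "== receive-side coalescing features enabled =="
printf '%s\n' "$SAMPLE_ETHTOOL" | enabled_offloads
echo "== frames over the default snaplen =="
printf '%s\n' "$SAMPLE_TCPDUMP" | oversized_frames
```

On a real sensor, pipe `ethtool -k eth1` into `enabled_offloads` and `tcpdump -e -nn -r capture.pcap` into `oversized_frames`; any frame the second one reports is one that Snort's live capture would have truncated. If `enabled_offloads` prints anything, source the script and run `disable_rx_coalescing eth1`, then re-check.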

Thursday, August 25, 2016

Snort Subscriber Rule Set Update for 08/25/2016

Just released:
Snort Subscriber Rule Set Update for 08/25/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 25 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-pdf, malware-cnc, malware-other, os-linux, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Tuesday, August 23, 2016

Snort Subscriber Rule Set Update for 08/23/2016

Just released:
Snort Subscriber Rule Set Update for 08/23/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 3 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-pdf, malware-cnc, malware-other, os-linux, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Thursday, August 18, 2016

Snort Subscriber Rule Set Update for 08/18/2016

Just released:
Snort Subscriber Rule Set Update for 08/18/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-plugins, file-office, file-pdf, malware-cnc, malware-other, os-linux, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Wednesday, August 17, 2016

Snort Subscriber Rule Set Update for 08/16/2016

Just released:
Snort Subscriber Rule Set Update for 08/16/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 8 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-flash, file-image, indicator-compromise, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Friday, August 12, 2016

Snort Subscriber Rule Set Update for 08/12/2016

Just released:
Snort Subscriber Rule Set Update for 08/12/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Thursday, August 11, 2016

Snort Subscriber Rule Set Update for 08/11/2016

Just released:
Snort Subscriber Rule Set Update for 08/11/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, netbios and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Snort++ Build 206 Available Now

Snort++ build 206 is now available on snort.org. This is the latest monthly update available for download. You can also get the latest updates from github (snortadmin/snort3), which is updated weekly.

Enhancements:
  • converted sd_pattern to use hyperscan
  • ported smb reassembly and raw commands processing, segmentation support
  • ported smb write and close command, deprecated dialect check, smb fingerprint
  • ported appid rule option as "appids"
  • ported appid detectors: kerberos, bittorrent, imap, pop
  • added appid counts for mdns, timbuktu, battlefield, bgp, and netbios services
  • added smtp.max_auth_command_line_len
  • added new_http_inspect unbounded POST alert
  • added oversize directory alert to new_http_inspect
  • snort2lua updates for new_http_inspect
Bug Fixes:
  • fixed asn1:print help
  • fixed event queue buffer log size
  • fixed make distcheck; thanks to jack jackson <jsakcon@gmail.com> for reporting the issue
  • fixed help text for rule options ack, fragoffset, seq, tos, ttl, and win
  • fixed endianness issues with rule options seq and win
  • fixed rule option session binary vs all
  • fixed issue with icmp_seq and icmp_id field matching
  • fixed off-by-1 line number in rule parsing errors
  • fixed cmake make check issue with new_http_inspect
  • fixed new_http_inspect handling of 100 response
  • fixed dynamic build of new_http_inspect
  • fixed outstanding strndup calls
  • fixed static analysis issues
Other Changes:
  • moved http_inspect (old) to http_server (in extras)
  • moved new_http_inspect to http_inspect
  • code refactoring and cleanup
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, August 9, 2016

Snort Subscriber Rule Set Update for 08/09/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 08/09/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 38 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:
Microsoft Security Bulletin MS16-095:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39810 through 39813, 39820 through 39823, 39826 through 39829, 39833 through 39834, and 39839 through 39840.

Microsoft Security Bulletin MS16-096:
A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 25459 through 25460.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 39810 through 39811, 39822 through 39823, and 39833 through 39834.

Microsoft Security Bulletin MS16-097:
A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39824 through 39825 and 39843 through 39844.

Microsoft Security Bulletin MS16-098:
A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39808 through 39809, 39814 through 39815, and 39841 through 39842.

Microsoft Security Bulletin MS16-099:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39816 through 39817, 39831 through 39832, and 39835 through 39838.

Microsoft Security Bulletin MS16-102:
A coding deficiency exists in Microsoft Windows PDF library that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 25459 through 25460.

Talos has added and modified multiple rules in the browser-ie, file-office, file-pdf and os-windows rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Monday, August 8, 2016

Snort Subscriber Rule Set Update for 08/04/2016

Just released:
Snort Subscriber Rule Set Update for 08/04/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-identify, file-other, file-pdf, malware-cnc, malware-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Stay up to date to catch the latest emerging threats!

Friday, August 5, 2016

Snort++ Update

Pushed build 205 to github (snortadmin/snort3):

  • ported smb segmentation support
  • converted sd_pattern to use hyperscan
  • fixed help text for rule options ack, fragoffset, seq, tos, ttl, and win
  • fixed endianness issues with rule options seq and win
  • fixed rule option session binary vs all

Wednesday, August 3, 2016

Snort Community Ruleset Winner for July 2016

The July winner of our monthly signature contest for the community ruleset is rmkml.

For more information on how to get involved, and how you can win Snort prizes, please take a look at our blog post.

Good luck to all of those submitting rules in the upcoming months. We look forward to a great August and beyond!