Thursday, September 29, 2016

Snort Subscriber Rule Set Update for 09/29/2016

Just released:
Snort Subscriber Rule Set Update for 09/29/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 17 new rules and made modifications to 2 additional rules.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset.


Talos's rule release:
Talos has added and modified multiple rules in the app-detect, file-image, file-other, malware-cnc, protocol-scada, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, September 28, 2016

Snort++ Build 213 Available Now

Snort++ build 213 is now available on snort.org. This is the latest monthly update available for download. You can also get the latest updates from GitHub (snortadmin/snort3), which is updated weekly.

Snort++ is very close to overtaking Snort 2.X, and with any luck Alpha 4 will be completed with the next monthly release. If you haven't tried out Snort++, now is a good time to do so.

Enhancements:
  • added dce udp snort2lua
  • added file detection when they are transferred in segments in SMB2
  • added dce iface fast pattern for tcp
  • added --enable-tsc-clock to build/use TSC register (on x86)
  • updated latency to use ticks during runtime
  • updated default stream cache sizes to match 2.X
  • close tcp on rst in close wait, closing, fin wait 1, and fin wait 2
  • separate idle timeouts from session timeouts counts
  • ported full retransmit changes from snort 2X
  • ported Smbv2/3 file support
  • ported mpls encode fixes from 2983
  • ported smb file processing
  • ported the 2.9.8 ciscometadata decoder
  • ported the 2.9.8 double and triple vlan tagging changes
  • started dce_udp porting
Bug Fixes:
  • fixed carved smb2 filenames
  • fixed multithread hyperscan mpse
  • fixed sd_pattern iterative validation
  • fixed another case of CPPUTest header order issues
  • fixed lua conflict with _L macro from ctype.h on OpenBSD
  • fixed hyperscan detection with nocase
  • fixed shutdown sequence
  • fixed --dirty-pig
  • fixed FreeBSD build re appid / service_rpc
  • fixed tcp_connector_test for OSX build
  • fixed binder make files to include binder.h
  • fixed double counting of ip and udp timeouts and prunes
  • fixed clearing of SYN - RST flows
  • fixed inverted detection_filter logic
  • fixed stream profile stats parents
  • fixed most bogus gap counts
  • fixed unit test for high availability, hyperscan, and regex
  • fixed for TCP high availability
  • fixed install of file_decomp.h for consistency between Snort and extras
  • fixed regex as fast pattern with hyperscan mpse
  • fixed http_inspect and tcp valgrind errors
  • fixed extra auto build from dist
  • numerous fixes, cleanup, and refactoring for appid
  • numerous fixes, cleanup, and refactoring for high availability
Other Changes:
  • removed unused -w commandline option
  • added HA details to stream/* dev_notes
  • added stream.ip_frag_only to avoid tracking unwanted flows
  • added smtp client counters and unit tests
  • added appid counts for rsync
  • added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
  • tcp stream reassembly tweaks
  • use sd_pattern as a fast-pattern
  • rewrite and fix the rpc option
  • cleanup fragbits option implementation
  • finish up cutover to the new http_inspect by default
  • moved file capture to offload thread
  • updated style guide for 'using' statements and underscores
  • cmake: clean dead variables out of config.cmake.h
  • build: fixed 32-bit compiler warnings
  • build: fixed illumos/OpenSolaris build and remove SOLARIS/SUNOS defines
  • build: remove superfluous LINUX and MACOS definitions
  • build: remove superfluous OPENBSD and FREEBSD definitions
  • build: entering 'std' namespace should be after all headers are included
  • build: clean up u_int*_t usage
  • build: remove SPARC support
  • build: clean up some DAQ header inclusion creep
  • cleaned up compiler warnings

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, September 27, 2016

Snort Subscriber Rule Set Update for 09/27/2016

Just released:
Snort Subscriber Rule Set Update for 09/27/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, exploit-kit, file-image, file-office, indicator-shellcode, os-windows, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, September 23, 2016

Snort++ Update

Pushed build 211 to github (snortadmin/snort3):
  • fix hyperscan detection with nocase
  • fix shutdown sequence
  • fix --dirty-pig
  • fix FreeBSD build re appid / service_rpc

Thursday, September 22, 2016

Snort 2.9.8.2 is End of Life!

Just a notification to remind everyone that Snort 2.9.8.2 is now End of Life (EOL). In accordance with our EOL policy, 2.9.8.2 met its EOL date today.

Now it is time to upgrade your engines: Snort 2.9.8.3 is the current version of Snort, and users should upgrade immediately.

Thanks for all of your support!

Snort Subscriber Rule Set Update for 09/22/2016

Just released:
Snort Subscriber Rule Set Update for 09/22/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 23 new rules and made modifications to 73 additional rules.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-office, indicator-compromise, indicator-obfuscation, malware-cnc, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, September 21, 2016

Snort++ Update

Pushed build 210 to github (snortadmin/snort3):
  • started dce_udp porting
  • added HA details to stream/* dev_notes
  • added stream.ip_frag_only to avoid tracking unwanted flows
  • updated default stream cache sizes to match 2.X
  • fixed tcp_connector_test for OSX build
  • fixed binder make files to include binder.h
  • fixed double counting of ip and udp timeouts and prunes
  • fixed clearing of SYN - RST flows
Pushed build 209 to github last week:
  • add dce iface fast pattern for tcp
  • add --enable-tsc-clock to build/use TSC register (on x86)
  • update latency to use ticks during runtime
  • tcp stream reassembly tweaks
  • fix inverted detection_filter logic
  • fix stream profile stats parents
  • fix most bogus gap counts
  • unit test fixes for high availability, hyperscan, and regex

Tuesday, September 20, 2016

Snort Subscriber Rule Set Update for 09/20/2016

Just released:
Snort Subscriber Rule Set Update for 09/20/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-image, indicator-obfuscation, malware-cnc and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Monday, September 19, 2016

Snort 2.9.8.2 EOL is rapidly approaching!

As you can see from our EOL page:

https://www.snort.org/eol

The EOL for Snort 2.9.8.2 is approaching in a couple of days. From our download statistics, the percentage of users still on that version is pretty small.

Please try to update your engines this week to 2.9.8.3, the current version. We also look forward to the release of 2.9.9.0 in the coming weeks; as a reminder for those of you still on 2.9.7.6, the EOL for 2.9.7.6 will be the release date of 2.9.9.0 + 90 days.

So, 2.9.7.6 users, your EOL is coming too, and there are tens of thousands of you on that version. It's upgrade time!

Thursday, September 15, 2016

Snort Subscriber Rule Set Update for 09/15/2016

Just released:
Snort Subscriber Rule Set Update for 09/15/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 3 new rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the malware-cnc rule set to provide coverage for emerging threats from this technology.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 09/15/2016

Just released:
Snort Subscriber Rule Set Update for 09/15/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

El Cabezzon (SID 30034)
rmkml (SID 40184)


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Tuesday, September 13, 2016

Snort Subscriber Rule Set Update for 09/13/2016

Just released:
Snort Subscriber Rule Set Update for 09/13/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 2 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-office rule set to provide coverage for emerging threats from this technology.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Snort Subscriber Rule Set Update for 09/13/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 09/13/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 85 new rules and made modifications to 12 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS16-104:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40073 through 40074, 40077 through 40078, 40084 through 40095, 40108 through 40109, 40132 through 40133, and 40146.

Microsoft Security Bulletin MS16-105:
A coding deficiency exists in Microsoft Exchange that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40073 through 40074, 40098 through 40101, 40108 through 40109, 40123 through 40124, and 40134 through 40141.

Microsoft Security Bulletin MS16-106:
A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40096 through 40097 and 40112 through 40113.

Microsoft Security Bulletin MS16-107:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40075 through 40076, 40079 through 40080, 40082 through 40083, 40102 through 40107, 40116 through 40117, 40121 through 40122, 40142 through 40143, and 40147 through 40148.

Microsoft Security Bulletin MS16-110:
A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 40129.

Microsoft Security Bulletin MS16-111:
A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40110 through 40111, 40114 through 40115, and 40127 through 40128.

Microsoft Security Bulletin MS16-115:
A coding deficiency exists in Microsoft Windows PDF library that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40144 through 40145.

Microsoft Security Bulletin MS16-116:
A coding deficiency exists in Microsoft OLE Automation VBScript Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40149 through 40150.

Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, file-identify, file-image, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, os-other, os-windows, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, September 9, 2016

Snort++ Update

Pushed build 208 to github (snortadmin/snort3):
  • fixed TCP high availability
  • fixed install of file_decomp.h for consistency between Snort and extras
  • added smtp client counters and unit tests
  • ported Smbv2/3 file support
  • ported mpls encode fixes from 2983
  • cleaned up compiler warnings

Thursday, September 8, 2016

Snort Subscriber Rule Set Update for 09/08/2016

Just released:
Snort Subscriber Rule Set Update for 09/08/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 20 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-other, malware-cnc, malware-other, os-linux and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Wednesday, September 7, 2016

Snort Subscriber Rule Set Update for 09/06/2016

Snort Subscriber Rule Set Update for 09/06/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 17 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

rmkml (SID 40015)
Carriag Stanwyck (SID 40037)


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-identify, malware-cnc, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!

Friday, September 2, 2016

Snort++ Update

Pushed build 207 to github (snortadmin/snort3):
  • ported smb file processing
  • ported the 2.9.8 ciscometadata decoder
  • ported the 2.9.8 double and triple vlan tagging changes
  • use sd_pattern as a fast-pattern
  • rewrite and fix the rpc option
  • cleanup fragbits option implementation
  • finish up cutover to the new http_inspect by default
  • added appid counts for rsync
  • added http_inspect alerts for Transfer-Encoding and Content-Encoding abuse
  • moved file capture to offload thread
  • numerous fixes, cleanup, and refactoring for appid
  • numerous fixes, cleanup, and refactoring for high availability
  • fixed regex as fast pattern with hyperscan mpse
  • fixed http_inspect and tcp valgrind errors
  • fixed extra auto build from dist

Thursday, September 1, 2016

Snort Subscriber Rule Set Update for 09/01/2016

Just released:
Snort Subscriber Rule Set Update for 09/01/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 84 new rules and made modifications to 45 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-plugins, deleted, exploit-kit, file-flash, file-identify, file-office, file-other, indicator-compromise, malware-cnc, malware-other, policy-other, policy-social, protocol-dns, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!