Wednesday, November 30, 2016

Snort Subscriber Rule Set Update for 11/30/2016

Just released:
Snort Subscriber Rule Set Update for 11/30/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Mozilla Firefox 0day Vulnerability: 
A coding deficiency exists in Mozilla Firefox that may lead to remote code execution. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 40888.
Talos has also added and modified multiple rules in the browser-firefox, file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


A personal subscription to the Talos Subscriber Rule Set costs as little as $29 US per year; business pricing is listed at https://snort.org/products#rule_subscriptions. Stay up to date so you catch the newest emerging threats!

Tuesday, November 29, 2016

Snort Subscriber Rule Set Update for 11/29/2016

Just released:
Snort Subscriber Rule Set Update for 11/29/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules and made modifications to 6 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-executable, file-pdf, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Snort.org feature: Mailing list subscription upon signup

For those of you who have been part of the Snort community for a while, you know that the best place to go for help with your Snort installation, rule writing, and even keeping tabs on the development of Snort has been the mailing lists.

When Snort's downloads were hosted on SourceForge (which we stopped doing at Snort 2.9.7.6), adding yourself to one of our four mailing lists was part of the experience. So we wanted to make it simple for new users to add themselves to the mailing lists and get help with their installation and usage of Snort.

As a new feature, when a new user is created on Snort.org, we give you the option of subscribing to one (or all) of our mailing lists. You will still have to confirm your subscription, just like any other user, but hopefully this will help people find our lists, archives, and the growing community of Snort users.

With over 1,000 new signups a week on Snort.org, we hope that people will join our lists and participate with some of our more seasoned veterans! We also hope that our seasoned veterans will help out the newcomers; remember, we were all beginners once.

Monday, November 28, 2016

Snort Rules Infographic now available!

Recently on Snort's Twitter account we posted a picture of an infographic that Wendy, one of our talented graphic artists, created, and the response was fantastic. It doesn't explain every rule option, but it is a fun art piece for your cube or office!



So, we've made it available for download on Snort.org, under "Official Documentation".

If you'd like to download and print it, we recommend a thick paper stock "mini-poster" type print, perhaps in 11x17. Please do not redistribute or sell these without OUR permission; you do not have authorization to do so.

Copyright Cisco and/or its affiliates.  Snort, the Snort and Pig logo are registered trademarks of Cisco.  All rights reserved.


Wednesday, November 23, 2016

Snort Subscriber Rule Set Update for 11/23/2016

Just released:
Snort Subscriber Rule Set Update for 11/23/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules and made modifications to 7 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
40831
40832
40833
40834
40835
40836
40839
40840
40841
40842

rmkml
40866


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-flash, file-office, indicator-compromise, malware-cnc, malware-other, pua-adware, pua-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, November 22, 2016

Snort Subscriber Rule Set Update for 11/22/2016

Just released:
Snort Subscriber Rule Set Update for 11/22/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules and made modifications to 24 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
40816
40827


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, exploit-kit, file-flash, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-icmp, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Reporting False Positives with Snort.org

Some users may not be aware, but you've been able to report false positives on Snort.org for years. I say that users may not be aware because, quite unintentionally, the feature wasn't very easy to find.

With today's rollout of version 5.1.1 of Snort.org, hopefully we've fixed that.

When visiting Snort.org, log in, then click on your email address in the same section; you will be taken to your User Preferences and information screen.

On the left side of the screen you will see the different sections of your user account, including a new link at the bottom of the list for "False Positive".

When you fill out this form (a pcap of the traffic that triggered the alert, plus a description of why it is a false positive) and click submit, the pcap and description go directly into our analysts' queue, allowing us to process false positives quickly. Keep in mind that the capture will be read by Talos analysts, so trim it to the traffic that triggered the rule and make sure it contains nothing you cannot share.

In a future version of the Snort site we are going to tie this feature directly into what we call the "Analyst Console" here at Talos, allowing you to see the status of your false positive automatically as it flows through our system: when the rule will be fixed, and when the fix was released.

In the meantime, please use this system for your FP reports, help us improve the feature!

Snort++ Update

Pushed build 219 to github (snortadmin/snort3):
  • add dce auto detect to wizard
  • add MIME file processing to new http_inspect
  • add chapters on perf_monitor and file processing to user manual
  • appid refactoring and cleanup
  • many appid fixes for leaks, sanitizer, and analyzer issues
  • fix appid pattern matching for http
  • fix various race conditions reported by thread sanitizer
  • fix out-of-order FIN handling
  • fix cmake package name used in HS and HWLOC so that REQUIRED works
  • fix out-of-tree doc builds
  • fix image sizes to fit page
    thanks to wyatuestc for reporting the issue
  • fix fast pattern selection when multiple designated
    thanks to j.mcdowell@titanicsystems.com for reporting the issue
  • change -L to -K in README and manual
    thanks to jncornett for reporting the issue
  • support compiling catch tests in standalone source files
  • create pid file after dropping privileges
  • improve detection and use of CppUTest in non-standard locations

Thursday, November 17, 2016

Snort Subscriber Rule Set Update for 11/17/2016

Just released:
Snort Subscriber Rule Set Update for 11/17/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 31 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-office, file-other, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, November 15, 2016

Snort Subscriber Rule Set Update for 11/15/2016

Just released:
Snort Subscriber Rule Set Update for 11/15/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
40762
40763
40764


Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-other, file-pdf, malware-cnc, os-windows and server-other rule sets to provide coverage for emerging threats from these technologies.



Wednesday, November 9, 2016

New Snort Integrator System on Snort.org

As part of our efforts to enhance the customer experience and better suit the account management needs of our Integrator customers, we've revamped our Snort Integrator system on Snort.org.

With this upgrade, the new sub-registration process gives Integrators the ability to link active licenses to their master account via the Snort.org account portal. To accommodate the wide range of sub-user management needs, integrators serving smaller businesses can add customers manually via the Integrator Manager, while the Integrator API lets integrators add numerous sub-users at once, accommodating the needs of much larger businesses. This allows integrators to tie the provisioning of a customer's oinkcode directly into their own user provisioning systems for easy automation. Since the oinkcode is the credential a customer's Snort installation uses to fetch the subscriber rules, treat it as a secret in that provisioning system rather than as an ordinary account attribute.

This new feature allows integrators to add and suspend their specific users as needed, without interrupting service for their other customers. We have also provided extensive documentation and example code written in Perl that can be used with our system to make use of the new integrator features. All of this documentation can be found on your Integrator Account oinkcode page after logging into Snort.org.

As our Integrator program continues to grow, the Snort.org team is constantly striving to evolve it in ways that increase customer satisfaction and partnerships and prove mutually beneficial for the business management needs of our integrators.

Our most current list of integrators is published on Snort.org.


If you are interested in becoming a Snort Integrator please email snort-sub@cisco.com for more details on our program.

Snort Subscriber Rule Set Update for 11/08/2016

Just released:
Snort Subscriber Rule Set Update for 11/08/2016

We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-other rule set to provide coverage for emerging threats.



PulledPork 0.7.2 has been released!

The newest version of PulledPork has been released and is available for download from the PulledPork Github repository!

This release fixes several bugs. For those of you who haven't updated your version of PulledPork in a while, it fixes many of the download issues you may have had with the blacklist and the official rulesets from Snort.org.

Everyone using PulledPork should grab it, and the stragglers still using oinkmaster should start upgrading too. If you have oinkmaster configurations, you'll find in the contrib directory a small Perl script, submitted by a community member, that converts your oinkmaster configuration files to PulledPork configuration files.

Please start your upgrade engines, as Snort 2.9.9.0 should be released soon, and you'll want to be ready!

Tuesday, November 8, 2016

Snort Subscriber Rule Set Update for 11/08/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 11/08/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 93 new rules and made modifications to 10 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Microsoft Security Bulletin MS16-129:
A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40647 through 40656, 40659 through 40662, 40669 through 40670, 40683 through 40684, 40715 through 40716, and 40721 through 40722.

Microsoft Security Bulletin MS16-130:
A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40645 through 40646, 40671 through 40672, and 40677 through 40678.

Microsoft Security Bulletin MS16-132:
A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40675 through 40676, 40703 through 40706, and 40729 through 40730.

Microsoft Security Bulletin MS16-133:
A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40667 through 40668, 40673 through 40674, 40679 through 40682, 40701 through 40702, 40711 through 40712, 40717 through 40720, and 40723 through 40726.

Microsoft Security Bulletin MS16-134:
A coding deficiency exists in Microsoft Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40657 through 40658 and 40689 through 40692.

Microsoft Security Bulletin MS16-135:
A coding deficiency exists in Microsoft Kernel-Mode Drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40663 through 40666 and 40685 through 40688.

Microsoft Security Bulletin MS16-138:
A coding deficiency exists in Microsoft Virtual Hard Drive that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40693 through 40694.

Microsoft Security Bulletin MS16-142:
Microsoft Internet Explorer suffers from programming errors that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40669 through 40670, 40713 through 40714, and 40721 through 40722.

Talos has also added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc and policy-other rule sets to provide coverage for emerging threats from these technologies.
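The SID ranges listed above (and the single SID 40888 called out in the 11/30 Firefox release note) are easy to misread when a bulletin's list wraps across lines, and two bulletins can share SIDs: MS16-129 and MS16-142 both list 40669 through 40670 and 40721 through 40722. The following is an added example written for this page, not code from Talos, Snort or PulledPork. It parses the "GID N, SIDs A through B" wording of these announcements into explicit GID:SID pairs, compares them against a local rules file to show which of the new rules are present and enabled, and emits deduplicated gid:sid lines in the form PulledPork's enablesid.conf reads. The release-note excerpt is copied from this page; the rules file is a constructed stand-in whose rule bodies are made up (only the SIDs matter); the regexes assume the phrasing Talos uses here and nothing else.

```python
import re
from typing import Dict, List, Set, Tuple

# Talos notes state coverage as "GID 1, SIDs 40647 through 40656, ... and 40721
# through 40722." or "GID 1, SID 40888"; a line ending in ":" labels the entry.
GID_RE = re.compile(r"GID\s+(\d+),\s*SIDs?\s+(.*?)(?:\.|$)", re.IGNORECASE | re.DOTALL)
RANGE_RE = re.compile(r"(\d+)(?:\s+through\s+(\d+))?")
HEADER_RE = re.compile(r"^([A-Za-z][^\n:]*):\s*$", re.MULTILINE)
# Rule options read from a local rules file; Snort text rules default to gid 1.
RULE_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
RULE_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def expand_ranges(spec: str) -> List[int]:
    """Expand '40647 through 40656, and 40721 through 40722' into sorted SIDs."""
    sids: Set[int] = set()
    for start, end in RANGE_RE.findall(spec):
        lo, hi = int(start), (int(end) if end else int(start))
        if hi < lo:
            raise ValueError(f"descending range {lo} through {hi}")
        sids.update(range(lo, hi + 1))
    return sorted(sids)


def parse_release_notes(text: str) -> List[Tuple[str, int, List[int]]]:
    """Return (title, gid, sids) per coverage sentence, titled by the nearest header above it."""
    headers = [(m.start(), m.group(1).strip()) for m in HEADER_RE.finditer(text)]
    entries: List[Tuple[str, int, List[int]]] = []
    for m in GID_RE.finditer(text):
        title = "(untitled)"
        for pos, name in headers:
            if pos >= m.start():
                break
            title = name
        entries.append((title, int(m.group(1)), expand_ranges(m.group(2))))
    return entries


def load_rule_states(rules_text: str) -> Dict[Tuple[int, int], bool]:
    """Map (gid, sid) -> True if the rule line is active, False if commented out."""
    states: Dict[Tuple[int, int], bool] = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        sid_m = RULE_SID_RE.search(stripped)
        if not sid_m:
            continue  # blank line, plain comment, or something that is not a rule
        gid_m = RULE_GID_RE.search(stripped)
        gid = int(gid_m.group(1)) if gid_m else 1
        states[(gid, int(sid_m.group(1)))] = not stripped.startswith("#")
    return states


def coverage_report(entries, states) -> Dict[str, Dict[str, List[int]]]:
    """Per announcement entry: which of its SIDs are enabled, disabled, or absent locally."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for title, gid, sids in entries:
        buckets = report.setdefault(title, {"enabled": [], "disabled": [], "missing": []})
        for sid in sids:
            state = states.get((gid, sid))
            buckets["missing" if state is None else "enabled" if state else "disabled"].append(sid)
    return report


def enablesid_lines(entries) -> List[str]:
    """Deduplicated gid:sid lines, one per line, as PulledPork's enablesid.conf reads them."""
    pairs = {(gid, sid) for _, gid, sids in entries for sid in sids}
    return [f"{gid}:{sid}" for gid, sid in sorted(pairs)]


# Excerpt of the announcements on this page: the Firefox 0day note and two MS16 bulletins.
SAMPLE_NOTES = """\
Mozilla Firefox 0day Vulnerability:
A coding deficiency exists in Mozilla Firefox that may lead to remote code execution. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 40888.

Microsoft Security Bulletin MS16-129:
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40647 through 40656,
40659 through 40662, 40669 through 40670, 40683 through 40684, 40715
through 40716, and 40721 through 40722.

Microsoft Security Bulletin MS16-130:
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40645 through 40646,
40671 through 40672, and 40677 through 40678.
"""

# Constructed stand-in for a local rules file; rule bodies are made up, only the SIDs matter.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample A"; content:"aa"; sid:40647; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample B"; content:"bb"; sid:40648; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS sample"; content:"cc"; gid:1; sid:40645; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX sample"; content:"dd"; sid:40888; rev:1;)
"""

if __name__ == "__main__":
    entries = parse_release_notes(SAMPLE_NOTES)
    for title, b in coverage_report(entries, load_rule_states(SAMPLE_RULES)).items():
        print(f"{title}: {len(b['enabled'])} enabled, {len(b['disabled'])} disabled, {len(b['missing'])} missing")
    print("\n".join(enablesid_lines(entries)))
```

Run against your real rules files instead of SAMPLE_RULES after a PulledPork update to confirm the announced SIDs actually landed enabled; a SID that is "missing" means the rule is not in the ruleset you deployed (wrong snapshot, wrong category file, or a download that silently failed), while "disabled" means it arrived commented out and needs an enablesid entry.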



Sunday, November 6, 2016

Snort Community Ruleset Winner for October 2016

The October winner of our monthly signature contest for the community ruleset is Yaser Mansour!

Congratulations and thank you for your contributions!

For more information on how to get involved and how you can win Snort prizes, please take a look at our blog post.


Good luck to all of those submitting rules in the upcoming months. We'll soon be revamping our signature contest (prizes included) so be sure to check back with our blog for updates! We look forward to a great November and beyond!

Friday, November 4, 2016

Snort++ Update

Pushed build 218 to github (snortadmin/snort3):

  • fix shutdown stats
  • fix misc appid issues
  • rewrite appid loading of lua detectors
  • add sip inspector events for appid
  • update default manuals

Thursday, November 3, 2016

Snort Subscriber Rule Set Update for 11/03/2016

Just released:
Snort Subscriber Rule Set Update for 11/03/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-office, file-pdf, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Wednesday, November 2, 2016

Snort Subscriber Rule Set Update for 11/01/2016

Just released:
Snort Subscriber Rule Set Update for 11/01/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 32 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the file-flash, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

