Thursday, December 22, 2016

Snort Subscriber Rule Set Update for 12/22/2016

Just released:
Snort Subscriber Rule Set Update for 12/22/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules and made modifications to 5 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, exploit-kit, file-flash, malware-cnc, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Snort++ Build 223 Available Now on Snort.org

Snort++ build 223 is now available on Snort.org.  This is the latest monthly update available for download.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

There are too many changes to list here so check the ChangeLog for details.

Enhancements:
  • port 2983 smb active response updates
  • add JavaScript normalization to new http_inspect
  • add MIME file processing to new http_inspect
  • add alternate fast patterns for dce_udp endianness
  • add dce auto detect to wizard
Bug Fixes:
  • fix appid service dispatch handling issue
    thanks to João Soares for reporting the issue
  • fix paf-type flushing of single segments
    thanks to João Soares for reporting the issue
  • fix modbus_data handling to not skip options
    thanks to FabianMalte.Kopp@b-tu.de for reporting the issue
  • fix comment in snort.lua re install directory use
    thanks to Yang Wang for sending the pull request
  • fix fast pattern selection when multiple designated
    thanks to j.mcdowell@titanicsystems.com for reporting the issue
  • fix image sizes to fit page
    thanks to wyatuestc for reporting the issue
  • change -L to -K in README and manual
    thanks to jncornett for reporting the issue
  • fix demonization
    thanks to João Soares for reporting the issue
Other Changes:
  • appid overhaul to address threading issues, leaks, and sanitizer and analyzer issues
  • fix appid pattern matching for http
  • fix reload crash with file inspector
  • fix various race conditions reported by thread sanitizer
  • fix thread termination segfaults after DAQ module initialization fails
  • several build fixes for non-x86, Illumos, and others
  • create pid file after dropping privileges
  • user manual was reorganized and expanded
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, December 20, 2016

IEC60870-5-104 Protocol Detection Rules

This post was authored by Marshall and Carlos Pacho, and reviewed by Warren Mercer.

Cisco Talos has released 33 Snort rules which are used to analyze/inspect IEC 60870-5-104 network traffic. These rules will help Industrial Control Systems/Supervisory Control and Data Acquisition (ICS/SCADA) asset owners identify both normal and abnormal traffic in their environments.

In order for these rules to be effective they should be selectively enabled. SIDs 41053-41077 will detect various TypeIDs; if a specific TypeID is not in use on the network, then the rule for it should be enabled. SIDs 41078-41079 will detect IEC 104 traffic entering/exiting the ICS network. If 104 traffic is not supposed to enter/exit the ICS network, then these SIDs should be enabled.

Some of the rules require both the Snort $EXTERNAL_NET and $HOME_NET variables to be correctly configured in order to be effective. If a network does not carry IEC 104 traffic, these rules should not be enabled, as they are only intended to detect IEC 104 traffic and will likely result in false positives (FPs) on non-IEC 104 traffic.

What is IEC 104?


IEC 104 is a network protocol that is commonly used in ICS/SCADA environments. Various ICS/SCADA devices use IEC 104 to communicate with other ICS devices such as, but not limited to, Programmable Logic Controllers and Remote Terminal Units.

Snort Rules Breakdown


The PROTOCOL-SCADA rules we have released will detect network traffic that complies with the IEC 104 standard and are intended to give ICS/SCADA network administrators insight into, and awareness of, activity on Operational Technology (OT) networks.

SIDS 41047-41052 will alert on the following:


  • STARTDT ACT
  • STARTDT CON
  • STOPDT ACT
  • STOPDT CON
  • TESTFR ACT
  • TESTFR CON

SIDS 41053-41077 will alert on the following TypeIDs:
  • counter interrogation command
  • clock sync command
  • interrogation command
  • read command
  • reset process command
  • test command with time tag
  • ack file
  • list directory
  • file ready
  • last section
  • end of initialization
  • bitstring of 32 bits
  • double command issued
  • regulating step command
  • single command
  • set point command
  • query log
  • double point information
  • packed start events
  • integrated totals
  • measured value
  • single point information
  • step point information
  • parameter value


SIDS 41053-41077 will alert on normal IEC 104 traffic. An ICS/SCADA asset owner needs to enable/disable the rules they want to see alerts for. The asset owner should establish a baseline for normal (expected) traffic and enable rules that alert on unexpected traffic.

For example, if an ICS network is running IEC 104, but the devices never use the clock sync and list directory commands, then the clock sync and list directory Snort rules (SIDs 41074 and 41060) should be enabled. If those SIDs alert unexpectedly, this could be indicative of malicious activity within the network and should be investigated. In order to enable a specific SID, edit the policy, search for the rule, and check the box to enable it.

SIDS 41077 and 41078-41079 will alert on the following abnormalities:


  • An unknown ASDU TypeID detected
  • IEC 104 traffic detected to/from $EXTERNAL_NET


SIDs 41077 and 41078-41079 should be enabled in most IEC 104 environments. These SIDs detect two things. SIDs 41078-41079 will detect IEC 104 traffic entering/exiting the network to $EXTERNAL_NET. This variable must be configured in order for these rules to function correctly. For example, $EXTERNAL_NET can be set to any IP address outside of the OT network. If IEC 104 traffic is seen exiting or entering the OT network, this rule will alert. The second rule (SID 41077) will alert if an unknown TypeID is specified. Unknown TypeIDs are those that have not been specified in the IEC 104 protocol spec.
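The three rule groups described above (U-format control frames, selected ASDU TypeIDs, and the two abnormalities) can be illustrated with a small decoder for IEC 104 APCI frames. This is an added example, not Talos's rule code: the sample frames, the 10.10.0.0/16 HOME_NET range and the "watched" TypeID set that stands in for the rules an asset owner chooses to enable are all constructed for illustration.

```python
"""Added example: decode IEC 60870-5-104 APCI frames and classify them the
way the PROTOCOL-SCADA rule groups do. Frames and ranges are constructed."""
import ipaddress

# U-format control functions live in bits 2-7 of the first control octet.
U_FUNCTIONS = {
    0x04: "STARTDT ACT", 0x08: "STARTDT CON",
    0x10: "STOPDT ACT", 0x20: "STOPDT CON",
    0x40: "TESTFR ACT", 0x80: "TESTFR CON",
}

# ASDU TypeIDs defined by the IEC 60870-5-101/104 specification.
KNOWN_TYPEIDS = (set(range(1, 22)) | set(range(30, 41)) | set(range(45, 52))
                 | set(range(58, 65)) | {70} | set(range(100, 108))
                 | set(range(110, 114)) | set(range(120, 128)))

HOME_NET = ipaddress.ip_network("10.10.0.0/16")  # constructed OT range


def parse_apdu(frame: bytes) -> dict:
    """Return the APCI format (I, S or U) and, for I-format, the TypeID."""
    if len(frame) < 6 or frame[0] != 0x68:
        raise ValueError("not an IEC 104 APDU (bad start byte or too short)")
    apdu_len = frame[1]  # counts the 4 control octets plus the ASDU
    if apdu_len < 4 or len(frame) != apdu_len + 2:
        raise ValueError("APDU length field does not match the frame")
    cf1 = frame[2]
    if cf1 & 0x01 == 0:  # I-format: numbered information transfer
        if apdu_len < 6:
            raise ValueError("I-format frame without an ASDU header")
        return {"format": "I", "type_id": frame[6]}
    if cf1 & 0x03 == 0x01:  # S-format: supervisory acknowledgement only
        return {"format": "S", "type_id": None}
    func = U_FUNCTIONS.get(cf1 & 0xFC)  # U-format: unnumbered control
    if func is None:
        raise ValueError("U-format frame with an undefined control function")
    return {"format": "U", "function": func, "type_id": None}


def alerts_for(frame, src, dst, watched_typeids=frozenset()):
    """Alerts for one frame; watched_typeids stands for the enabled TypeID rules."""
    apdu = parse_apdu(frame)
    alerts = []
    if any(ipaddress.ip_address(ip) not in HOME_NET for ip in (src, dst)):
        alerts.append("IEC 104 traffic to/from $EXTERNAL_NET")
    if apdu["format"] == "U":
        alerts.append("U-format " + apdu["function"])
    elif apdu["format"] == "I":
        tid = apdu["type_id"]
        if tid not in KNOWN_TYPEIDS:
            alerts.append("unknown ASDU TypeID %d" % tid)
        elif tid in watched_typeids:
            alerts.append("watched TypeID %d" % tid)
    return alerts


# Constructed sample frames.
STARTDT_ACT = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])
# I-format carrying TypeID 103 (clock synchronisation command), one object
CLOCK_SYNC = bytes([0x68, 0x14, 0x00, 0x00, 0x00, 0x00, 0x67, 0x01, 0x06,
                    0x00, 0x01, 0x00, 0x00, 0x00, 0x00]) + bytes(7)
# I-format carrying TypeID 240, which the specification does not define
UNKNOWN_TID = bytes([0x68, 0x0A, 0x02, 0x00, 0x02, 0x00, 0xF0, 0x01, 0x03,
                     0x00, 0x01, 0x00])
```

With no TypeIDs watched, a clock sync frame between two OT hosts produces no alert, which is the baseline-first behaviour the post recommends; adding 103 to the watched set makes the same frame alert.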

In order to set $HOME_NET and $EXTERNAL_NET in Firepower 6.1, navigate to "Objects" and then select "Variable Set". From this menu you are able to set the variables. Additional Firepower documentation can be found here.



Conclusion


These 33 PROTOCOL-SCADA rules will assist ICS asset owners in analysing and inspecting IEC 104 network traffic. In order for some of these rules to work, $EXTERNAL_NET and $HOME_NET need to be configured. Furthermore, these rules need to be enabled selectively and only on IEC 104 networks.

Snort Subscriber Rule Set Update for 12/20/2016

Just released:
Snort Subscriber Rule Set Update for 12/20/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 52 new rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, malware-cnc, os-linux, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Monday, December 19, 2016

Snort EOL dates have been updated.

With our recent release of Snort 2.9.9.0, as I stated in a previous blog post, this marks the beginning of the "end of life" for Snort 2.9.7.6.

We've updated the Snort EOL page today which marks the EOL for 2.9.7.6 (2017-03-14).

If you are interested in our "LTS" or Long Term Support version of Snort (2.9.8.3), I suggest you plan your migrations now.

2.9.8.3 will be supported until the next major release of Snort after 2.9.9.0.

If you want the newest features of the ruleset and Snort, we suggest you upgrade to 2.9.9.0, which is our current release. For more on the features of Snort 2.9.9.0, please read our blog post.

Please remember, as per my previous blog post, 2.9.9.0's ruleset will not be backwards compatible to Snort 2.9.8.3 once the newer keywords are used.

Friday, December 16, 2016

Snort++ Update

Pushed build 222 to github (snortadmin/snort3):

  • add JavaScript Normalization to http_inspect
  • fix appid service check dispatch list
  • fix modbus_data handling to not skip options
    thanks to FabianMalte.Kopp@b-tu.de for reporting the issue
  • fix sensitive data filtering documentation issues
  • build: Illumos build fixes
  • build: Address some cppcheck concerns
  • miscellaneous const tweaks
  • reformat builtin rule text for consistency
  • reformat help text for consistency
  • refactor user manual for clarity
  • update default user manuals


Wednesday, December 14, 2016

Snort Subscriber Rule Set Update for 12/13/2016, release 2, Snort 2.9.9.0

Just released:
Snort Subscriber Rule Set Update for 12/13/2016, release 2


We welcome the introduction of the newest rule release from Talos. In this release we introduced 32 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-flash, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Snort 2.9.9.0 Manual has been updated!

We've uploaded the new version of the Snort Manual pdf to the documentation section of Snort.org.

We've also updated the HTML version of the manual, located at http://manual.snort.org

Please have a look at the new manual!

Snort 2.9.9.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.9.0 to general availability!

Snort 2.9.9.0 can be downloaded from the usual location on Snort.org.

The new keywords, when they are used, will cause older versions of Snort to fail.  (Meaning, you cannot use 2.9.9.0 rules in 2.9.8.3 and below, once those keywords are used.)

Below are the release notes:

Snort 2.9.9.0
[*] New additions
 
 *  New rule option for byte_math. See the Snort manual for details.

 *  Added bitmask and from_end operations to byte_test. See the Snort manual for details.

 *  Added a Buffer Dump utility to trace all of the buffers used by snort during inspection.
    Enable this by passing the --enable-buffer-dump option to configure prior to building. See the Snort manual for details.

 *  Added new HTTP preprocessor alerts to detect multiple content encoding and multiple content length.

 *  Added support for SMTP Traffic detection over SSL (SMTPS).
[*] Improvements
 *  Reduced extra service discovery to improve performance.

 *  Fixed multiple issues in AppID.
      - Reconstructed the call to port-service detection.
      - Fixed issue where AppId for Facebook over SPDY/HTTP 1.1 was incorrect.
      - Prevented third-party application identification for expected connections.

 *  Stability improvement for Stream preprocessor. 
      - Addressed incorrect flushing of packets whose size is greater than MAXIMUM_PAF_MAX.
      - Fixed an issue where incorrect length argument in memcpy caused out of bound memory access.

 *  Fixed multiple issues in HttpInspect preprocessor.
      - Handling chunk encoding followed by \r\r\r\n and \n\n\n\r\r\n.
      - Fixed an issue with LZMA flash decompression.

 *  Fixed mime data processing issue in SMTP stateless inspection.

 *  Added support to decode packets that contain VLAN with Secure Group Tag (SGT).
 
 *  Fixed an issue related to DLL loading in Snort on Windows platforms (CVE-2016-1417).

The Snort Team would like to thank the following for their contributions in the Snort 2.9.9.0 release:

Secureworks
Marcel da Silva
Al Lewis
Steffen Ullrich

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!



Tuesday, December 13, 2016

Snort Subscriber Rule Set Update for 12/13/2016, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 12/13/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 58 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Security Bulletin MS16-144:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40940 through 40941,
40969 through 40970, 40975 through 40976, 40986 through 40989, and
40992 through 40993.

Microsoft Security Bulletin MS16-145:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 36452 and 39242 through 39243.

New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 40946,
40949 through 40950, 40969 through 40976, and 40986 through 40987.

Microsoft Security Bulletin MS16-146:
A coding deficiency exists in Microsoft Graphics Component that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40967 through 40968
and 40982 through 40983.

Microsoft Security Bulletin MS16-147:
A coding deficiency exists in Microsoft Uniscribe that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40942 through 40943.

Microsoft Security Bulletin MS16-148:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40938 through 40939,
40944 through 40945, 40951 through 40952, 40957 through 40966, and
40977 through 40978.

Microsoft Security Bulletin MS16-149:
A coding deficiency exists in Microsoft Windows that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40953 through 40956
and 40984 through 40985.

Microsoft Security Bulletin MS16-151:
A coding deficiency exists in a Microsoft Kernel-Mode driver that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40947 through 40948
and 40990.

Microsoft Security Bulletin MS16-153:
A coding deficiency exists in Microsoft Common Log File System Driver
that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 40936 through 40937.

Talos has also added and modified multiple rules in the browser-ie,
file-executable, file-identify, file-office, file-other, file-pdf and
os-windows rule sets to provide coverage for emerging threats from
these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Friday, December 9, 2016

Snort++ Update

Pushed build 221 to github (snortadmin/snort3):
  • fix appid handling of sip inspection events
  • fix wizard to prevent use-after-free of service name
  • fix various issues reported by cppcheck
  • fix reload race condition
  • fix cmake + clang builds
  • add padding guards around hash key structs
  • update manual for dce_* inspectors
  • refactor IP address handling

Snort 2.9.9.0 is prepping for release!

We're preparing for our newest release of Snort, version 2.9.9.0.

As always, I try to let you all know as soon as I can on major version upgrades, as the release of 2.9.9.0 will activate the 90 day EOL trigger for 2.9.7.6.  Since 2.9.7.6 is what we consider our Long Term Support or "LTS" version, and there are about 150,000 users on this version, there are a ton of people that need to upgrade.

Snort 2.9.8.3 will take over as our LTS version as 2.9.9.x marches forward, and as always, we encourage people to stay on the most current version.

Snort 2.9.7.6 was released September 30th of 2015, with no less than 144 rule updates in that year.

So, for those of you on 2.9.7.6, if you do not want to move to the "edge" version of Snort (2.9.9.x) when it is released, I suggest you start moving to 2.9.8.3 now.

Following an upgrade and prior to turning off support, I'll send out an email to all the people who are downloading older versions of Snort rules, and encourage them to upgrade.

Start your upgrades!

Thursday, December 8, 2016

Snort Subscriber Rule Set Update for 12/08/2016

Just released:
Snort Subscriber Rule Set Update for 12/08/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules and made modifications to 4 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-executable, file-office, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Tuesday, December 6, 2016

Snort Subscriber Rule Set Update for 12/06/2016

Just released:
Snort Subscriber Rule Set Update for 12/06/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 8 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

rmkml (SID 40907)

Yaser Mansour (SID 40911)


Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-multimedia, malware-cnc, malware-other and server-other rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Friday, December 2, 2016

Snort++ Update


Pushed build 220 to github (snortadmin/snort3):

  • fixed uu and qp decode issue
  • fixed file signature calculation for ftp
  • fixed file resume blocking
  • fix 135:2 to be upon completion of 3-way handshake
  • fix memory leak with libcrypto use
  • fix multithreaded use of libcrypto
  • fix default snort2lua output for gtp and modbus
  • fix Lua ordering issue with net and port vars
  • fix miscellaneous multithreading issues with appid
  • fix comment in snort.lua re install directory use;
    thanks to Yang Wang for sending the pull request
  • add alternate fast patterns for dce_udp endianness
  • removed underscores from all peg counts
  • document sensitive data use
  • user manual refactoring and updates


Thursday, December 1, 2016

Snort Subscriber Rule Set Update for 12/01/2016

Just released:
Snort Subscriber Rule Set Update for 12/01/2016


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, file-identify, file-other, malware-cnc, os-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!