Monday, July 31, 2017

Snort 3 Community Rules have been posted!

As our development and deployment of Snort 3 (Codenamed: Snort++) continues, we've posted the first community ruleset on Snort.org.  We announced this last week at BlackHat at the Cisco booth by Patrick Mullen.  These rules have the same AUTHORS and LICENSE file as the 2.x version of the community ruleset, except all the rules contained have been converted to the Snort 3 rule language.

So for example the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)

In Snort 3, will now look like this:

 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; http_uri; content:"commandId=",fast_pattern,nocase; content:"/Home/",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1; )

You can notice the difference in syntax, in the italicized sections above.

You can download the ruleset on our downloads page on Snort.org.

This can't be automated yet with pulledpork, as pulledpork doesn't understand the Snort 3 format yet, but as time marches on, this evolutionary problem will correct itself.

We look forward to the thousands and thousands of users on Snort 3 to download and try this ruleset out from Talos.

Friday, July 28, 2017

Snort++ Build 239 Available Now on Snort.org

A new release of Snort++ is now available on Snort.org which includes lots of new functionality and important bug fixes.  Here is an overview of the updates since the prior release:

Important changes since the last release:
  • DAQ: version 2.2.2 now required
  • rules: removed sample.rules; Talos now publishes Snort 3 community rules on snort.org
  • rules: promoted metadata:service to a separate option since it is not metadata
  • mpse: removed Intel Soft CPM support (use Hyperscan!)
  • unified2: deprecated ip4 and ip6 specific events and added a single event for both
  • http_server: removed old inspector (use new http_inspect instead)
  • hyperscan: now require version >= 4.4.0
  • loggers: removed units options; all limits expressed in MB
Issues reported by the community:
  • logging: fixed handling of out of range timeval
    thanks to kamil@frankowicz.me for reporting the issue
  • rules: tolerate spaces in positional parameters
    thanks to Joao Soares for reporting the issue
  • search_engine: set range for max_queue_events parameter
    thanks to Navdeep.Uniyal@neclab.eu for reporting the issue
  • packet manager: ensure ether type proto ids don't masquerade as ip proto ids
    thanks to Bhargava Shastry  for reporting the issue
  • codec manager: fixed off-by-1 mapping array size
    thanks to Bhargava Shastry for reporting the issue
  • hyperscan: check runtime support
    thanks to justin.viiret@intel.com for submitting the patch
  • mpse: fixed issue with empty pattern database
    thanks to justin.viiret@intel.com for reporting the issue

New Features:
  • perf_monitor: added FlatBuffers output and JSON formatter
  • also added tool to convert FlatBuffers files to yaml
  • alerts: improved -A cmg formatting
  • numerous control socket and shell updates
  • byte_math and bitmask: ported rule option from 2X
  • regex: added fast_pattern; do not use for fast pattern unless explicitly indicated
  • detection: added new trace capability to debug rules
  • output: added packet trace feature
  • port_scan: now fully configurable
There are many other updates not mentioned.  Check the ChangeLog for a summary of changes including new features and build and bug fixes.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org periodically.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 07/27/2017

Just released:
Snort Subscriber Rule Set Update for 07/27/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 64 new rules of which 8 are Shared Object rules and made modifications to 9 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-flash, file-image, file-other, malware-cnc, os-windows, policy-other, protocol-dns, protocol-nntp, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, July 25, 2017

Snort Subscriber Rule Set Update for 07/25/2017

Just released:
Snort Subscriber Rule Set Update for 07/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 63 new rules of which 0 are Shared Object rules and made modifications to 21 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, malware-other, os-linux, os-windows, server-oracle, server-other and SQL rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 20, 2017

Snort Subscriber Rule Set Update for 07/20/2017

Just released:
Snort Subscriber Rule Set Update for 07/20/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 48 new rules of which 4 are Shared Object rules and made modifications to 28 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-identify, file-office, file-other, malware-cnc, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, July 18, 2017

Snort Subscriber Rule Set Update for 07/18/2017

Just released:
Snort Subscriber Rule Set Update for 07/18/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 35 new rules and made modifications to 29 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
43562
43563
43564


Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-ie, browser-other, file-multimedia, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other, server-apache, server-mail, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 13, 2017

Snort Subscriber Rule Set Update for 07/13/2017

Just released:
Snort Subscriber Rule Set Update for 07/13/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 5 are Shared Object rules and made modifications to 18 additional rules of which 3 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-plugins, file-flash, file-image, file-office, file-other, indicator-compromise, policy-other, protocol-dns, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Snort++ Update

Pushed build 237 to github (snortadmin/snort3):

  • build: add support for appending EXTRABUILD to the BUILD string
  • build: clean up some ICC 2017 warnings
  • build: clean up some GCC 7 warnings
  • build: support OpenSSL 1.1.0 API
  • build: clean up some cppcheck warnings
  • appid: port some missing 2.9.X FEAT_OPEN_APPID code
  • appid: fix thread-unsafe sharing of HTTP pattern tables
  • DAQ: fix leaking instance memory when configure fails
  • daq_hext and daq_file: pass PCI via query method
  • icmp6: reject non-ip6, raise 116:474
  • http_inspect: header normalization improvements
  • http_inspect: port fixes for UTF decoding
  • http_inspect: added 119:87 - 119:90 for expect / continue issues
  • http_inspect: added 119:91 for Transfer-Encoding header not valid for HTTP 1.0
  • http_inspect: added 119:92 for Content-Transfer-Encoding
  • http_inspect: added 119:93 for issues with chunked message trailers
  • PDF decompression: fix missing reset in state machine transition
  • ftp_server: implement splitter to improve EOF processing
  • port_scan: merge global settings into main module and other improvements
  • perf_monitor: add JSON formatter
  • ssl: add splitter to improve PDU processing
  • detection: fix segfault in DetectionEngine::idle sans thread_init
  • rules: tolerate spaces in positional parameters
    thanks to Joao Soares for reporting the issue
  • ip and tcp options: fix max length handling and clean up logging
  • cmg: improved alert formatting
  • doc: updates re control channel
  • snort2lua: added line number and file name to error output
  • snort2lua: fix removal of ignore_ports in stream_tcp.small_segments
  • snort2lua: fix heap-use-after-free for preprocessors and configs with no arguments
  • snort2lua: update for port_scan
 It's been a while since posting here but we have been pushing to github multiple times per week.  :)

Tuesday, July 11, 2017

Snort Subscriber Rule Set Update for 07/11/2017, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 07/11/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 74 new rules of which 8 are Shared Object rules and made modifications to 7 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-0243:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42755 through 42756.

Microsoft Vulnerability CVE-2017-8577:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43490 through 43491.

Microsoft Vulnerability CVE-2017-8578:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43473 through 43474.

Microsoft Vulnerability CVE-2017-8594:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43521 through 43522.

Microsoft Vulnerability CVE-2017-8598:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43469 through 43470.

Microsoft Vulnerability CVE-2017-8601:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43465 through 43466.

Microsoft Vulnerability CVE-2017-8605:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42753 through 42754.

Microsoft Vulnerability CVE-2017-8617:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43460 through 43463.

Microsoft Vulnerability CVE-2017-8618:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43471 through 43472.

Microsoft Vulnerability CVE-2017-8619:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 43492 through 43493.


Talos also has added and modified multiple rules in the browser-ie,
browser-other, browser-plugins, file-flash, file-other,
indicator-compromise, malware-cnc, os-windows, server-apache and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.



In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, July 6, 2017

Snort Subscriber Rule Set Update for 07/06/2017

Just released:
Snort Subscriber Rule Set Update for 07/06/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules of which 3 are Shared Object rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, July 3, 2017

Snort Subscriber Rule Set Update for 07/03/2017

Just released:
Snort Subscriber Rule Set Update for 07/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 1 additional rule.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Saturday, July 1, 2017

Snort Subscriber Rule Set Update for 06/29/2017

Just released:
Snort Subscriber Rule Set Update for 06/29/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 65 new rules and made modifications to 16 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-flash, file-identify, file-image, file-other, indicator-compromise, malware-cnc, netbios, os-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!