Monday, July 31, 2017

Snort 3 Community Rules have been posted!

As our development and deployment of Snort 3 (codenamed Snort++) continues, we've posted the first community ruleset on Snort.org. This was announced last week at BlackHat, at the Cisco booth, by Patrick Mullen. These rules have the same AUTHORS and LICENSE file as the 2.x version of the community ruleset, except that all the rules contained have been converted to the Snort 3 rule language.

So, for example, the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)

will now look like this in Snort 3:

 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; http_uri; content:"commandId=",fast_pattern,nocase; content:"/Home/",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1; )

Note the difference in syntax in the italicized sections above.
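The syntax changes visible in the rule pair above, written out as a small converter. This is an added example, not part of the original post and not Snort's own conversion tooling; it handles only the option kinds that appear in that rule pair. The `BUFFERS` list, the `nocase` handling and the `pkt_data` reset for a payload content that follows a buffered one go beyond the rule pair and are assumptions of this sketch.

```python
import re

# One rule option: name, optional ":value" (quoted strings may contain ';'), then ';'.
OPT = re.compile(r'\s*(\w+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')
BUFFERS = {"http_uri", "http_header", "http_cookie", "http_method", "http_client_body"}
POSITION = {"depth", "offset", "distance", "within"}
# The Snort 2 rule and its Snort 3 form, both copied from the post above.
SNORT2_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)'
SNORT3_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; http_uri; content:"commandId=",fast_pattern,nocase; content:"/Home/",depth 6; metadata:impact_flag red,policy balanced-ips drop,policy security-ips drop,ruleset community; service:http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1; )'

def convert(rule2):
    header, body = rule2.rsplit(")", 1)[0].split("(", 1)
    out, cur, active = [], None, None  # cur: content being built; active: current buffer
    def flush():  # emit the pending content, preceded by a buffer switch if one is needed
        nonlocal cur, active
        if cur and cur["buf"] != active:
            out.append(cur["buf"] or "pkt_data")  # sticky buffer precedes its content
        if cur:
            active = cur["buf"]
            out.append("content:" + ",".join([cur["pat"]] + cur["mods"]))
        cur = None

    for name, val in OPT.findall(body):
        val = val.strip()
        if name == "content":
            flush()
            cur = {"pat": val, "mods": [], "buf": None}
        elif cur and name in BUFFERS:      # Snort 2 modifier trails the content it applies to
            cur["buf"] = name
        elif cur and name in ("nocase", "fast_pattern"):
            if val not in ("", "only"):
                raise ValueError("unsupported fast_pattern argument: " + val)
            # fast_pattern:only becomes fast_pattern,nocase, as in the post's rule pair
            wanted = [name] + (["nocase"] if val == "only" else [])
            cur["mods"] += [m for m in wanted if m not in cur["mods"]]
        elif cur and name in POSITION:     # depth:6 becomes a ",depth 6" content argument
            cur["mods"].append(name + " " + val)
        elif name == "metadata":           # "service X" moves out into its own option
            flush()
            items = [i.strip() for i in val.split(",")]
            keep = [i for i in items if not i.startswith("service ")]
            services = [i.split()[1] for i in items if i.startswith("service ")]
            out += ["metadata:" + ",".join(keep)] if keep else []
            out += ["service:" + ",".join(services)] if services else []
        else:
            flush()
            out.append(name + (":" + val if val else ""))
    flush()
    return header.strip() + " ( " + " ".join(o + ";" for o in out) + " )"
```

Calling `convert(SNORT2_RULE)` reproduces the Snort 3 rule shown above character for character.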

You can download the ruleset on our downloads page on Snort.org.

Downloading the ruleset can't be automated with pulledpork yet, as pulledpork doesn't understand the Snort 3 format, but as time marches on, this evolutionary problem will correct itself.

We look forward to the thousands and thousands of Snort 3 users downloading and trying out this ruleset from Talos.