Thursday, December 28, 2017

Snort Subscriber Rule Set Update for 12/28/2017

Just released:
Snort Subscriber Rule Set Update for 12/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 1 new rules of which 0 are Shared Object rules and made modifications to 357 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the and malware-cnc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, December 21, 2017

Snort Subscriber Rule Set Update for 12/21/2017

Just released:
Snort Subscriber Rule Set Update for 12/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules of which 1 are Shared Object rules and made modifications to 39 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, browser-other, browser-plugins, file-flash, file-java, file-multimedia, file-office, file-other, malware-cnc, policy-other, protocol-scada, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 19, 2017

Setting up Snort 3.0.0 on Ubuntu 14 and 16

A big thanks to our wonderful Snort community member, Noah Dietrich, who was gracious enough to write an installation and setup guide for Snort 3.0.0's most current build (as of today) (b241).

We placed this on the Snort.org Documents page under "Snort Setup Guides".  If you are interested in getting started with Snort 3.0's latest build, please check it out.

Snort Subscriber Rule Set Update for 12/19/2017

Just released:
Snort Subscriber Rule Set Update for 12/19/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 5 are Shared Object rules and made modifications to 613 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, file-executable, file-other, malware-cnc, malware-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, December 15, 2017

Snort++ Update

Pushed build 241 to github (snortadmin/snort3).  Another big list:
  • alert_csv: various fixes to match alert_json
  • alert_json: tcp_ack, tcp_seq, and tcp_win are (base 10) integers
  • alert_json: various fixes
    thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issues
  • appid: close all Lua states when thread exits
  • appid: gracefully handle failed Lua state instantiation
    thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue.
  • appid: only update session flags and discovery state if service id actually set to http
  • appid: patch to update the appid discovery state when an http event results in setting of the      service id for a flow
  • appid: return false from is_third_party_appid_available when no third party module is available.
  • appid: tweak warnings and errors
  • binder: activate profiler support
  • binder: add FIXIT re creating default bindings when the wizard is not configured
  • binder: fix ingress / egress test
  • binder: minor perf and readability tweaks
  • build: fixed build issues on OSX with clang with cd_pbb, alert_json
  • build: fixed several dyanmic modules on OSX / clang
  • build: suppress appid warnings for valid case statement fall throughs
  • byte_test: fix string bounds check
  • catch: Update to Catch v2.0.1
  • cmake: add --define to configure_cmake.sh for arbitrary defines
  • codec: added wlan support for arp_spoof
  • codec: updated MIPv6 and merged cd_pim.cc, cd_swpie.cc and cd_sun_ud.cc to cd_bad_proto.cc
    thanks to schrx3b6 for reporting the issue
  • conf: remove OPTIONS from SIP and HTTP spells to avoid confusion with RTSP
  • conf: remove client to server spells for FTP, IMAP, POP, and SMTP to avoid false pickups
  • control: must execute from default policy only
  • control: process flow first
  • cppcheck: More miscellaneous fixes, mostly for new Catch
  • daq: explicitly initialize more fields in SFDAQInstance constructor
  • daq: handle real IP and port
  • data_bus: also publish to default policy
  • data_bus: refactor basic access for pub / sub
  • dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
  • detection: fix option tree looping issue
  • detection: rename ServiceInfo to SignatureServiceInfo
  • doc: fix type in style section
  • doc: update default manuals
  • file api: move file verdict enforcement out of file policy
  • file api: support file verdict delay during signature lookup
  • file policy and file config update to allow user define customized file policy through file api
  • file policy: add support for file event logging
  • file_api: Set the FileContext verdict, not a local verdict
  • file_id: add back the ref count for file config
  • file_id: add interface to access file info from file capture
  • file_id: support groups
  • hash: Rename SFGHASH, SFXHASH, SFHASHFCN to something resonable
  • http_inspect: add profiler support
  • http_inspect: fix bugs related to stream interaction
  • http_inspect: use configured max_pdu as base target reassembly size
  • inspection: default policy mode depends on adaptor mode
  • ips options: error if lookup fails due to bad case, typos, etc.
    thanks to Noah Dietrich <noah_dietrich@86penny.org> for reporting the issue
  • memory: no stats output unless configured
  • normalizer: added test mode
  • normalizer: fix enable checks
  • parsing: resolve paths from the current config directory instead of process directory
  • policy: added inspection policy config.
  • port_scan: add alert_all to make alerting on all events in window optional
  • port_scan: fix flow checks
  • profiler: fix focus of eventq
  • reputation: tweak warning message
  • rules: default msg = "no msg in rule"
  • sfrt: remove cruft and reformat header
  • shell: fixed crash when issuing control commands
  • sip: use log splitter for tcp
  • snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
  • snort2lua: Convert file_magic.conf to Lua format.
  • snort2lua: added inspection uuid
  • snort2lua: added na_policy_mode. added ability amend tables if created.
  • snort2lua: added normalize_tcp: ftp
  • snort2lua: fix stream_size: to_client, to_server conversion
  • snort2lua: future proof --bind-wizard binding order
  • snort2lua: no sticky buffer for relative pcre
  • snort2lua: remove when udp from binding to support tcp too
  • snort2lua: tweak const name for clarity (internal)
  • snort2lua: urilen:<> --> bufferlen:<=>
  • snort: do not dlclose plugins at shutdown during REG_TEST to avoid borked backtraces from LeakSanitizer
  • soid: allow stub to contain any or all options
  • --rule-to-*: use whole soid arg as suffix to rule and len identifiers; make static
  • stream: change tcp idle timeout to 3600 to match 2.X nominal timeout
  • stream_*: separate session profiler data from flow cache profiler data
  • stream_ip: fix non-frag counting
  • stream_size: fix eval packet checks
  • stream_tcp: delete superfluous memsets to zero
  • stream_tcp: ignore flush requests on unitialized sessions (early abort condition)
  • stream_tcp: instantiate wizard only when needed
  • stream_tcp: remove empty default state action
  • stream_user: clear splitter properly
  • target_based: Install header
  • wizard: abort if no match
  • wizard: activate profiler support
  • wizard: usage is inspect

Snort Subscriber Rule Set Update for 12/14/2017

Just released:
Snort Subscriber Rule Set Update for 12/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 0 are Shared Object rules and made modifications to 29 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, exploit-kit, file-image, file-other, file-pdf, malware-cnc, os-windows, protocol-dns, protocol-telnet and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, December 13, 2017

Snort Subscriber Rule Set Update for 12/12/2017, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 12/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 51 new rules of which 3 are Shared Object rules and made modifications to 34 additional rules of which 4 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11885:
A coding deficiency exists in Windows RRAS Service that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45130 through 45131.

Microsoft Vulnerability CVE-2017-11886:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2017-11888:
A coding deficiency exists in Microsoft Edge that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45121 through 45122.

Microsoft Vulnerability CVE-2017-11889:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-11890:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45138 through 45139.

Microsoft Vulnerability CVE-2017-11893:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45162 through 45163.

Microsoft Vulnerability CVE-2017-11894:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45140 through 45141.

Microsoft Vulnerability CVE-2017-11895:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2017-11901:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45144 through 45145.

Microsoft Vulnerability CVE-2017-11903:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45146 through 45147.

Microsoft Vulnerability CVE-2017-11907:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45148 through 45149.

Microsoft Vulnerability CVE-2017-11909:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45150 through 45151.

Microsoft Vulnerability CVE-2017-11911:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45155 through 45156.

Microsoft Vulnerability CVE-2017-11913:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40132 through 40133.

Microsoft Vulnerability CVE-2017-11914:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45128 through 45129.

Microsoft Vulnerability CVE-2017-11916:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45169 through 45170.

Microsoft Vulnerability CVE-2017-11918:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45160 through 45161.

Microsoft Vulnerability CVE-2017-11930:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45167 through 45168.

Microsoft Vulnerability CVE-2017-11935:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45123 through 45124.

Microsoft Vulnerability CVE-2017-11937:
A coding deficiency exists in Microsoft Malware Protection Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45152 through 45153.

Talos also has added and modified multiple rules in the
browser-firefox, browser-ie, browser-plugins, file-multimedia,
file-office, file-other, file-pdf, indicator-compromise, os-windows,
policy-other, protocol-snmp and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, December 8, 2017

PulledPork 0.7.3 release!

Released last night, PulledPork 0.7.3 has hit the streets and is downloadable from the pulledpork Github page.

The release notes say the following:

This release includes bug fixes related to some versioning code in the latest version of Snort and other outstanding issues.

The next version of PulledPork will begin work on Snort 3 as we are looking forward to the first beta and compatible ruleset with the engine.

Thursday, December 7, 2017

Snort Subscriber Rule Set Update for 12/07/2017

Just released:
Snort Subscriber Rule Set Update for 12/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules of which 0 are Shared Object rules and made modifications to 804 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the blacklist, malware-cnc, malware-other, policy-social, protocol-rpc, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, December 5, 2017

Snort Subscriber Rule Set Update for 12/05/2017

Just released:
Snort Subscriber Rule Set Update for 12/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules of which 8 are Shared Object rules and made modifications to 182 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
44763
44764
44768
45090
45091
45092

Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-flash, file-office, file-pdf, malware-cnc, protocol-scada, server-apache, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 30, 2017

Snort Subscriber Rule Set Update for 11/30/2017

Just released:
Snort Subscriber Rule Set Update for 11/30/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules of which 0 are Shared Object rules and made modifications to 8 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-office, file-other, file-pdf, malware-cnc, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 29, 2017

Snort Subscriber Rule Set Update for 11/28/2017

Just released:
Snort Subscriber Rule Set Update for 11/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 59 new rules of which 13 are Shared Object rules and made modifications to 19 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-other, file-image, file-other, file-pdf, indicator-compromise, malware-cnc, policy-other, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 21, 2017

Snort Subscriber Rule Set Update for 11/21/2017, Adobe Vulns

Just released:
Snort Subscriber Rule Set Update for 11/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 105 new rules of which 4 are Shared Object rules and made modifications to 18 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-firefox, browser-ie, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 16, 2017

Snort Subscriber Rule Set Update for 11/16/2017

Just released:
Snort Subscriber Rule Set Update for 11/16/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules of which 0 are Shared Object rules and made modifications to 12 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, exploit-kit, file-image, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 14, 2017

Snort Subscriber Rule Set Update for 11/14/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 11/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules of which 15 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser Mansour
44763
44764
44768


Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11791:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44819 through 44820.

Microsoft Vulnerability CVE-2017-11837:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44809 through 44810.

Microsoft Vulnerability CVE-2017-11840:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44811 through 44812.

Microsoft Vulnerability CVE-2017-11841:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44813 through 44814.

Microsoft Vulnerability CVE-2017-11843:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44815 through 44816.

Microsoft Vulnerability CVE-2017-11845:
A coding deficiency exists in Microsoft Edge that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44817 through 44818.

Microsoft Vulnerability CVE-2017-11846:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44845 through 44846.

Microsoft Vulnerability CVE-2017-11847:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44833 through 44834.

Microsoft Vulnerability CVE-2017-11854:
A coding deficiency exists in Microsoft Word that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44838 through 44839.

Microsoft Vulnerability CVE-2017-11855:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44831 through 44832.

Microsoft Vulnerability CVE-2017-11856:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44829 through 44830.

Microsoft Vulnerability CVE-2017-11858:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44827 through 44828.

Microsoft Vulnerability CVE-2017-11861:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44825 through 44826.

Microsoft Vulnerability CVE-2017-11869:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44823 through 44824.

Microsoft Vulnerability CVE-2017-11873:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44843 through 44844.

Microsoft Vulnerability CVE-2017-11878:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44821 through 44822.

Talos also has added and modified multiple rules in the browser-ie,
file-image, file-office, file-other, file-pdf, indicator-compromise,
os-windows and server-webapp rule sets to provide coverage for emerging
threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, November 9, 2017

Snort Subscriber Rule Set Update for 11/09/2017

Just released:
Snort Subscriber Rule Set Update for 11/09/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules of which 0 are Shared Object rules and made modifications to 27 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-identify, file-office, file-other, file-pdf, malware-cnc, malware-other, os-linux, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, November 7, 2017

Snort Subscriber Rule Set Update for 11/07/2017

Just released:
Snort Subscriber Rule Set Update for 11/07/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules of which 1 are Shared Object rules and made modifications to 124 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, browser-other, browser-plugins, exploit-kit, file-executable, file-identify, file-multimedia, file-office, file-other, malware-cnc, netbios, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, November 3, 2017

Snort 3.0 with ElasticSearch, LogStash, and Kibana (ELK)

The Elastic Stack, consisting of Elasticsearch with Logstash and Kibana, commonly abbreviated "ELK", makes it easy to enrich, forward, and visualize log files.  ELK is especially good for getting the most from your Snort 3.0 logs.  This post will show you how to create a cool dashbaord:



The dashboard shows the following:
  • bring_da_heat - a heat map that plots event priority vs classification
  • apple_pie - a pie chart that shows total bytes transferred by app
  • greatest_hits - a data table that shows the rules generating the most events
  • global_hot_spots - a geo plot of the event source address*
  • size_o_gram - a histogram of logged packet / buffer sizes

Get Started

To get started, you will need to install the following:
Go ahead and get Snort 3.0 and ELK installed now if you haven't done so already.  There is plenty of help for that available elsewhere.  Some things to note:
  • The github repo is updated multiple times per week and the master branch is always clean so that is the best way to get Snort 3.0.
  • The base appid module is built into Snort 3.0 but you will need Open App ID to get the Lua detector plugins.
  • You can use the community rules in 3.0 format or translate other 2.X rules with snort2lua.

Run Snort

The next step is to get Snort running and generating events and app stats.  Add the following to the default config file (after the -c argument below):

appid =
{
    log_stats = true,
    app_detector_dir = 'ODP'
}

alert_json =
{
    fields = 'timestamp pkt_num proto pkt_gen pkt_len dir src_addr src_port dst_addr dst_port service rule priority class action b64_data'
}

The tokens in bold above and below are as follows:
  • ODP is the path where you installed Open App ID.  Note this path does not include the trailing /odp.
  • INSTALL is the install prefix you used when configuring your Snort 3.0 build.
  • RULES is the path containing the community rules.
  • PCAP is your favorite pcap.  You could use -i <iface> instead. 
This command will process your pcap and generate alerts.json and app_stats.log files in your current directory:

INSTALL/bin/snort \
-c INSTALL/etc/snort/snort.lua \
-R RULES/snort3-community.rules \
--plugin-path INSTALL/lib \
-r PCAP \
-A json -y -q > alerts.json

The JSON events are determined by the configured fields to look like this:

{ "timestamp" : "03/08/01-04:21:07.583700", "pkt_num" : 737, "proto" : "UDP", "pkt_gen" : "raw", "pkt_len" : 161, "dir" : "C2S", "src_addr" : "192.168.16.222", "src_port" : 3076, "dst_addr" : "239.255.255.250", "dst_port" : 1900, "service" : "unknown", "rule" : "1:1917:15", "priority" : 3, "class" : "Detection of a Network Scan", "action" : "allow", "b64_data" : "TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg==" }

The app stats are in csv format with Unix timestamp, app, bytes to client, and bytes to server:

1059733200,FTP Data,4441712,185694921

Run ELK

Now lets process these logs with the elastic stack.  Start by running elasticsearch and kibana as follows:

cd elasticsearch-5.5.1/
bin/elasticsearch -v &

cd kibana-5.5.1-darwin-x86_64
bin/kibana &

I've got version 5.5.1 of ELK installed on OS X.  Adjust your paths as needed for your install of ELK.  We are using the default ports of 9200 for elasticsearch and 5601 for kibana.  You may need to adjust on your system.

Now we are ready to send the logs to elasticsearch using logstash.  Get the config files here.  Edit alert_json.txt and alert_apps.txt and set the path on the 3rd line to point to your log files.  Then you can run logstash like this:

cd logstash-5.5.1/
bin/logstash -f snort_json.txt &
bin/logstash -f snort_apps.txt &

Visualize

The logstash commands will populate the logstash-snort3j and logstash-snort3a indexes in elasticsearch.  At this point we can start working on the dashboard using kibana.  Point your browser to http://localhost:5601/ and follow these steps:
  1.   Click on the gear (Management), Index Patterns, + Create Index Pattern, set the name logstash-snort3j, and then click Create.
  2.   Edit b64_data (click pencil on right), set Format = String and Transform = Base64 Decode, and then click Update Field.
  3.   Click on the gear (Management), Index Patterns, + Create Index Pattern, set the name logstash-snort3a, and then click Create.
  4.   Click the scripted fields tab, + Add Scripted Field, set Name = app_total_bytes and Script = doc['bytes_to_client'].value+doc['bytes_to_server'].value and then click Create Field.
At this point you can click on the icons on the left for Discover, Visualize, and Dashboard to view the raw data, create tables, charts, etc., and build a dashboard.  This is really best done by just exploring and experimenting, however you can import the dashboard shown above by clicking Management, Saved Objects, Import and selecting snort_dash.json.  Tip: base your visualizations off saved searches so that you don't lose them when the data is deleted.

snort_csv.txt is also provided for use with snort -A csv if you want to process alerts in csv format.  The index name for that is logstash-snort3.

* Snort 3.0 supports the target rule option, so use that instead of source address if your rules have targets.  That gets the attacker correct for shellcode, etc.










Thursday, November 2, 2017

Snort Subscriber Rule Set Update for 11/02/2017

Just released:
Snort Subscriber Rule Set Update for 11/02/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 14 are Shared Object rules and made modifications to 2 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the indicator-compromise, policy-other, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, November 1, 2017

Snort++ Update

Pushed build 240 to github (snortadmin/snort3).  It's been a while since posting so this is a big list!
  • active: fix packet modify vs resize handling
  • alert_csv: rename dgm_len to pkt_len
  • alert_csv: add b64_data, class, priority, service, vlan, and mpls options
  • alert_json: initial json event logger
  • alerts: add log_references to store and log rule references with alert_full
  • appid: enable SSL certificate pattern matching
  • appid: fix build with LuaJIT 2.1
  • appid: reorganize AppIdHttpSession to minimize padding
  • appid: add count for applications detected by port only
  • appid: create exptected flow immediately after ftp PORT command for active mode
  • appid: handle sip events before packets
  • appid: overhaul peg counting for discovered appids
  • appid: use ac_full search method since it supports find_all; force enable dfa flag
  • binder: added network policy selection
  • binder: added zones
  • binder: allow src and dst specifications for ports and nets
  • binder: check interface on packet instead of flow
  • binder: fixed nets check falling through on failure
  • build: clean up a few ICC 2018 and GCC 7 warnings
  • build: fix linking against external libiconv with autotools
  • build: fix numerous analyzer errors and leaks
  • build: fix numerous clang-tidy warnings
  • build: fix numerous cppcheck warnings
  • build: fix numerous valgrind errors
  • build: fixed issues on OSX
  • catch: update to Catch v1.10.0
  • cd_icmp6: fix encoded cksum calculation
  • cd_pbb: initial version of codec for 802.1ah; thanks to jan hugo prins <jhp@jhprins.org> for      reporting the issue
  • cd_pflog: fix comments; thanks to Markus Lude <markus.lude@gmx.de> for the 2X patch
  • content: fix relative loop condition
  • control: delete the old binder while reloading inspector
  • control: update binder with new inspector
  • daq: add support for DAQ_VERDICT_RETRY
  • daq: add support for packet trace
  • daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
  • data_log: update to new http_inspect
  • dce_rpc: remove connection-oriented rules from dce_smb module
  • dce_smb: unicode filename support
  • doc: add module usage and peg count type
  • doc: add POP, IMAP and SMTP to user manual features
  • doc: add port scan feature
  • flow key: support associating router solicit/reply packets to a single session
  • http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status  line or headers
  • http_inspect: add random increment to message body division points
  • http_inspect: added http_raw_buffer rule option
  • http_inspect: create message sections with body data that has been dechunked and unzipped but not otherwise nortmalized
  • http_inspect: handle borked reassembly gracefully; thanks to João Soares <joaopsys@gmail.com> for reporting the issue
  • http_inspect: support for u2 extra data logging
  • http_inspect: test tool improvements
  • http_inspect: true IP enhancements
  • inspectors: add control type and ensure appid is run ahead of other controls
  • inspectors: add peg count for max concurrent sessions
  • ips: add uuid
  • loggers: add base64 encoder based on libb64 from devolve
  • loggers: use standard year/mon/day format
  • main: fix potential memory leak when queuing analyzer commands
  • memory: align allocator metadata such that returned memory is also max_align_t-aligned
  • memory: output basic startup heap stats
  • messages: output startup warnings and errors to stderr instead of stdout
  • messages: redirect stderr to syslog as well
  • modules: add usage designating global, context, inspect, or detect policy applicability
  • mss: add extra rule option to check mss
  • parser: disallow invalid port range !:65535 (!any)
  • parser: tweak performance
  • pcre: fix relative search with ^
  • pop: service name is pop3
  • replace: fix activation sequence
  • rules: warn only once per gid:sid of no fast pattern
  • search_engine: port the optimized port table compilation from 2.9.12
  • search_engines: Fix case sensitive ac_full DFA matching
  • shell: delete inspector from the default inspection policy
  • shell: fix --pause to accept control commands while in paused state
  • sip: sip_method can use data from any sip inspector of any inspection policy
  • snort.lua: align default conf closer to 2.X
  • snort.lua: expand default conf for completeness and clarity
  • snort_defaults.lua: update default servers and ports
  • snort2lua: correctly identify ftpbounce and sameip as unsupported rule options
  • snort2lua: added XFF configuration to unsupported list
  • snort2lua: added config protected_content to deleted list
  • snort2lua: added config_na_policy_mode to unsupported list
  • snort2lua: added dynamicoutput to deleted list
  • snort2lua: added firewall to unsupported list
  • snort2lua: added nap.rules zone translation
  • snort2lua: added nap_selector support
  • snort2lua: added nap_selector to unsupported list
  • snort2lua: added sf_unified2 to unsupported list and matching log/alert to deleted.
  • snort2lua: bindings now merge and propagate to top level of corresponsing policy
  • snort2lua: config policy_id converts to when ips_policy_id
  • snort2lua: convert dsize:a<>b to dsize:a<=>b for consistency with other rule options
  • snort2lua: do not convert sameip; handle same as ftpbounce (no longer supported)
  • snort2lua: enforced ordering to bindings in binder table
  • snort2lua: fix null char in -? output
  • snort2lua: fixed extra whitespace generation
  • snort2lua: logto is not supported
  • snort2lua: removed port dce proxy bindings to fix http_inspect conflicts
  • snort2lua: search_engine.split_any_any now defaults to true
  • snort: -T does not compile mpse; --mem-check does
  • snort: add warnings count to -T ouptut
  • snort: add --dump-msg-map
  • snort: exit with zero from usage
  • snort: fix --dump-builtin-rules to accept optional module prefix
  • stdlog: support snort 3> log for text alerts
  • target: add rule option to indicate target of attack
  • thread: add logging directory ID offset controlled by --id-offset option
  • u2spewfoo: fix build on FreeBSD
  • unified2: add legacy_events bool for out-of-date barnyard2
  • unified2: log buffers as cooked packets with legacy events
  • wscale: add extra rule option to check tcp window scaling

Tuesday, October 31, 2017

Snort Subscriber Rule Set Update for 10/31/2017

Just released:
Snort Subscriber Rule Set Update for 10/31/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules of which 0 are Shared Object rules and made modifications to 54 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-office, file-other, indicator-obfuscation, malware-cnc, os-windows, policy-other, pua-adware, server-apache, server-MySQL and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 26, 2017

Snort Subscriber Rule Set Update for 10/26/2017

Just released:
Snort Subscriber Rule Set Update for 10/26/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules of which 0 are Shared Object rules and made modifications to 13 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, malware-other, netbios, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 25, 2017

Snort Subscriber Rule Set Update for 10/25/2017, BadRabbit

Just released:
Snort Subscriber Rule Set Update for 10/25/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules of which 0 are Shared Object rules and made modifications to 5 additional rules of which 2 are Shared Object rules.  Included in this release are Snort rules which can contain the lateral movement of the BadRabbit (and other worms that function the same way).

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, malware-cnc, malware-other, netbios, os-windows, protocol-dns, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 24, 2017

Snort Subscriber Rule Set Update for 10/24/2017

Just released:
Snort Subscriber Rule Set Update for 10/24/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules of which 0 are Shared Object rules and made modifications to 810 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-other, exploit-kit, file-flash, file-identify, file-multimedia, file-office, malware-backdoor, malware-cnc, malware-other, netbios, os-windows, policy-other, protocol-imap, protocol-other, protocol-pop, protocol-rpc, protocol-voip, pua-other, server-mail, server-oracle, server-other and SQL rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 19, 2017

Snort Subscriber Rule Set Update for 10/19/2017

Just released:
Snort Subscriber Rule Set Update for 10/19/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 5 are Shared Object rules and made modifications to 6 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, indicator-compromise, indicator-obfuscation, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 12, 2017

Snort Subscriber Rule Set Update for 10/12/2017

Just released:
Snort Subscriber Rule Set Update for 10/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules of which 17 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, October 11, 2017

Snort 2.9.11.0 has been released!

Please join the Snort team as we welcome the addition of Snort 2.9.11.0 to general availability!

Snort 2.9.11.0 can be downloaded from the usual location on Snort.org.

Below are the release notes:


Snort 2.9.11
[*] New additions


  • Changes to eliminate Snort restart when there are changes to the memory allocated for preprocessors, by releasing unused or least recently used memory when needed.
  • Added support for storing filenames in Unicode for SMB protocol.
  • Added implementation of hostPortCache versioning for unknown flows in AppID to detect and block BitTorrent.


[*] Improvements


  • Enhanced RTSP metadata parsing to match the user-agent field to detect RTSP traffic over Windows Media.
  • Performance improvement when SYN rate limit has reached and drop is configured as next action
  • Control-socket and side-channel support for FreeBSD platform.
  • Fixed issue in file signature lookup for retransmitted FTP packet.
  • Enhanced the processing of SIP/RTP future flows without ignoring them.
  • Changes made in PDF/SWF decompression by adding boundary to the size of the decompressed data.
  • Added a null check to prevent copy unless debugHostIp is configured in AppId.
  • Fixed issue where FTP file type block doesn't work for retried download.
  • Resolved issue where Snort is inappropriately handling traffic for which AppId was creating future flow.
  • Performance improvements for SIP/RTP audio and video data flow in AppId.
  • Performance and stability improvements in FTP preprocessor like incorrect referencing of ftp_data_session after its pruned.
  • Stability improvement by resolving valgrind reported issues in AppId.
  • Improved flushing mechanism for HTTP POST header.
  • Added changes to display AppId for IPv6 unified events.
  • Fixed issues with printing of messages for out-of-order packets.
  • Fixed issue in increment of detection filter counter when rule is used in multiple configurations.
  • Fixed dynamic preprocessor compilation failure in OpenBSD platform.
  • Added changes to improve performance of ipvar list comparison.
  • Enhanced SMTP client detection by allowing line folding and all authentication methods.

As always, join the conversation over on the Snort-Users list for any installation or upgrade assistance!

Tuesday, October 10, 2017

Snort Subscriber Rule Set Update for 10/10/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 10/10/2017, MSTuesday


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules of which 6 are Shared Object rules and made modifications to 28 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-11762:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44518 through 44519.

Microsoft Vulnerability CVE-2017-11763:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44528 through 44529.

Microsoft Vulnerability CVE-2017-11793:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44508 through 44509.

Microsoft Vulnerability CVE-2017-11798:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44532 through 44533.

Microsoft Vulnerability CVE-2017-11800:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also
included in this release and are identified with GID 1, SIDs 44333
through 44334.

Microsoft Vulnerability CVE-2017-11810:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44510 through 44511.

Microsoft Vulnerability CVE-2017-11822:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44512 through 44513.

Microsoft Vulnerability CVE-2017-8689:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44516 through 44517.

Microsoft Vulnerability CVE-2017-8694:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44514 through 44515.

Microsoft Vulnerability CVE-2017-8727:
A coding deficiency exists in Microsoft Windows Shell that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44526 through 44527.

Talos also has added and modified multiple rules in the browser-ie,
file-image, file-office, file-other, os-windows and server-webapp rule
sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, October 5, 2017

Snort Subscriber Rule Set Update for 10/05/2017

Just released:
Snort Subscriber Rule Set Update for 10/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules of which 4 are Shared Object rules and made modifications to 12 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-multimedia, file-other, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, October 3, 2017

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 290, includes
  • A total of 2,837 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.9.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Snort Subscriber Rule Set Update for 10/03/2017, DNSMasq

Just released:
Snort Subscriber Rule Set Update for 10/03/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules of which 0 are Shared Object rules and made modifications to 6 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-other, malware-cnc, malware-other, protocol-dns, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 28, 2017

Snort Subscriber Rule Set Update for 09/28/2017

Just released:
Snort Subscriber Rule Set Update for 09/28/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 2 are Shared Object rules and made modifications to 10 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-other, os-other, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Wednesday, September 27, 2017

Snort Subscriber Rule Set Update for 09/26/2017

Just released:
Snort Subscriber Rule Set Update for 09/26/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules of which 0 are Shared Object rules and made modifications to 21 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos has added and modified multiple rules in the blacklist, file-identify, file-image, file-office, file-other, indicator-compromise, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Monday, September 25, 2017

Snort Video Series: Rule Writing


Want to see a how a Snort Rule is written and how rules can help protect your network? In conjunction with Cisco Engineering Learning & Development, we created a video to give an overview of what a Snort rule is made of and how you can use Snort rules to detect traffic on your network. The video is a great place for you to see the parts of a rule and a case of how you can apply it on your network.

You can find the MP4 on our Documents page under Additional Resources section of our website titled Basics of Snort Rule Writing TechByte.

Thursday, September 21, 2017

Snort Subscriber Rule Set Update for 09/21/2017

Just released:
Snort Subscriber Rule Set Update for 09/21/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 40 new rules of which 6 are Shared Object rules and made modifications to 6 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-office, file-other, indicator-compromise, malware-cnc, protocol-dns, pua-adware, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 19, 2017

Snort Subscriber Rule Set Update for 09/19/2017

Just released:
Snort Subscriber Rule Set Update for 09/19/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules of which 2 are Shared Object rules and made modifications to 5 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-office, file-other, file-pdf, malware-cnc, scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 14, 2017

Snort Subscriber Rule Set Update for 09/14/2017

Just released:
Snort Subscriber Rule Set Update for 09/14/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 7 new rules of which 0 are Shared Object rules and made modifications to 853 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-office, malware-backdoor, malware-cnc, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 12, 2017

Snort Subscriber Rule Set Update for 09/12/2017, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 09/12/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 1 are Shared Object rules and made modifications to 9 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2017-8682:
A coding deficiency exists in Microsoft Win32k Graphics that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44335 through 44336.

Microsoft Vulnerability CVE-2017-8728:
A coding deficiency exists in Microsoft PDF that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42285 through 42286 and 42311 through 42312.

Microsoft Vulnerability CVE-2017-8731:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44331 through 44332.

Microsoft Vulnerability CVE-2017-8734:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44340 through 44341.

Microsoft Vulnerability CVE-2017-8737:
A coding deficiency exists in Microsoft PDF that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42285 through 42286 and 42311 through 42312.

Microsoft Vulnerability CVE-2017-8738:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44333 through 44334.

Microsoft Vulnerability CVE-2017-8747:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44356 through 44357.

Microsoft Vulnerability CVE-2017-8749:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44349 through 44350.

Microsoft Vulnerability CVE-2017-8750:
Microsoft browsers suffer from programming errors that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44342 through 44343.

Microsoft Vulnerability CVE-2017-8753:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-8757:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44338 through 44339.

Microsoft Vulnerability CVE-2017-8759:
A coding deficiency exists in the Microsoft .NET Framework that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 44353 through 44354.

Talos also has added and modified multiple rules in the browser-ie,
file-flash, file-image, file-other, file-pdf, os-windows and
server-other rule sets to provide coverage for emerging threats from
these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, September 8, 2017

Snort Subscriber Rule Set Update for 09/08/2017

Just released:
Snort Subscriber Rule Set Update for 09/08/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules of which 2 are Shared Object rules and made modifications to 407 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
CVE-2017-12611: A coding deficiency exists in Apache Struts that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 44327 through 44330. 
Talos also has added and modified multiple rules in the file-executable, file-other, malware-cnc, policy-other, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, September 7, 2017

Snort Subscriber Rule Set Update for 09/06/2017, Apache Struts

Just released:
Snort Subscriber Rule Set Update for 09/06/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules of which 0 are Shared Object rules and made modifications to 47 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
CVE-2017-9805:
A coding deficiency exists in Apache Struts that may lead to remote
code execution.

A rule to detect attacks targeting this vulnerability is included in
this release and is identified with GID 1, SID 44315.

Talos has added and modified multiple rules in the browser-firefox,
exploit-kit, file-identify, file-office, file-other, malware-cnc,
os-linux, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, September 5, 2017

Snort Subscriber Rule Set Update for 09/05/2017

Just released:
Snort Subscriber Rule Set Update for 09/05/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 67 new rules of which 43 are Shared Object rules and made modifications to 0 additional rules of which 11 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, deleted, exploit-kit, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 31, 2017

Snort Subscriber Rule Set Update for 08/31/2017

Just released:
Snort Subscriber Rule Set Update for 08/31/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules of which 9 are Shared Object rules and made modifications to 13 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the blacklist, browser-ie, file-flash, file-image, file-multimedia, file-other, file-pdf, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 29, 2017

Snort Subscriber Rule Set Update for 08/29/2017

Just released:
Snort Subscriber Rule Set Update for 08/29/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 83 new rules of which 16 are Shared Object rules and made modifications to 14 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, deleted, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-obfuscation, malware-cnc, os-windows, policy-other, protocol-scada, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 24, 2017

Snort Subscriber Rule Set Update for 08/24/2017

Just released:
Snort Subscriber Rule Set Update for 08/24/2017


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules of which 7 are Shared Object rules and made modifications to 4 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-other, malware-tools and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!