Thursday, April 12, 2018

Snort Subscriber Rule Set Update for 04/12/2018

Just released:
Snort Subscriber Rule Set Update for 04/12/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules of which 5 are Shared Object rules and made modifications to 1 additional rule of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!

Tuesday, April 10, 2018

Snort Subscriber Rule Set Update for 04/10/2018, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 04/10/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 103 new rules of which 21 are Shared Object rules and made modifications to 10 additional rules of which 4 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-0870:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46243 through 46246.

Microsoft Vulnerability CVE-2018-0920:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46196 through 46197.

Microsoft Vulnerability CVE-2018-0950:
A coding deficiency exists in Microsoft Office that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46266 through 46267.

Microsoft Vulnerability CVE-2018-0980:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0986:
A coding deficiency exists in Microsoft Malware Protection Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 46163 through 46164.

Microsoft Vulnerability CVE-2018-0988:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46198 through 46199.

Microsoft Vulnerability CVE-2018-0990:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46194 through 46195.

Microsoft Vulnerability CVE-2018-0991:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46206 through 46207.

Microsoft Vulnerability CVE-2018-0993:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46212 through 46213.

Microsoft Vulnerability CVE-2018-0994:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46220 through 46221.

Microsoft Vulnerability CVE-2018-0995:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46176 through 46177.

Microsoft Vulnerability CVE-2018-0996:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46218 through 46219.

Microsoft Vulnerability CVE-2018-0997:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46220 through 46221.

Microsoft Vulnerability CVE-2018-0998:
Microsoft Edge suffers from programming errors that may lead to a
security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46226 through 46227.

Microsoft Vulnerability CVE-2018-1001:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46228 through 46229.

Microsoft Vulnerability CVE-2018-1003:
A coding deficiency exists in Microsoft JET Database Engine that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46233 through 46234.

Microsoft Vulnerability CVE-2018-1004:
A coding deficiency exists in Microsoft Windows VBScript Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2018-1010:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46200 through 46201.

Microsoft Vulnerability CVE-2018-1011:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46192 through 46193.

Microsoft Vulnerability CVE-2018-1012:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46230 through 46231.

Microsoft Vulnerability CVE-2018-1013:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46188 through 46189.

Microsoft Vulnerability CVE-2018-1015:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46214 through 46215.

Microsoft Vulnerability CVE-2018-1016:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46186 through 46187.

Microsoft Vulnerability CVE-2018-1018:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46204 through 46205.

Microsoft Vulnerability CVE-2018-1023:
A coding deficiency exists in Microsoft Browser that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2018-1026:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46184 through 46185.

Microsoft Vulnerability CVE-2018-1027:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46208 through 46209.

Microsoft Vulnerability CVE-2018-1028:
A coding deficiency exists in Microsoft Office Graphics that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46182 through 46183.

Microsoft Vulnerability CVE-2018-1029:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46180 through 46181.

Microsoft Vulnerability CVE-2018-1030:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46178 through 46179.


Talos has also added and modified multiple rules in the browser-ie,
file-flash, file-image, file-office, file-other, file-pdf, malware-cnc,
os-windows, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
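A way to confirm that the SIDs listed above are actually present and enabled in the rules files you deployed, as an added example that is not Talos or Snort project code; the advisory table is copied from the CVE entries above, and the rule lines it parses are constructed samples, not real Talos rules.

```python
"""Verify that the SIDs named in a Snort rule release are present and enabled
in a local rules file. Added example; not Talos or Snort project code."""
import re
import sys
from typing import Dict, List, Tuple

# CVE -> (GID, first SID, last SID), copied from the 04/10/2018 release notes above.
ADVISORY_SIDS = {
    "CVE-2018-0870": (1, 46243, 46246),
    "CVE-2018-0920": (1, 46196, 46197),
    "CVE-2018-0950": (1, 46266, 46267),
    "CVE-2018-0980": (1, 45628, 45629),
}

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample rules file (not real Talos rules): two live rules for
# CVE-2018-0870, one shipped commented out, one absent entirely, both
# CVE-2018-0920 rules (one with an explicit gid), and one unrelated rule.
SAMPLE_RULES = """\
# Constructed sample rules file
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample rule A"; flow:to_client,established; reference:cve,2018-0870; classtype:attempted-user; sid:46243; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample rule B"; flow:to_client,established; reference:cve,2018-0870; classtype:attempted-user; sid:46244; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE sample rule C"; flow:to_client,established; reference:cve,2018-0870; classtype:attempted-user; sid:46245; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE sample rule D"; flow:to_client,established; reference:cve,2018-0920; classtype:attempted-user; gid:1; sid:46196; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE sample rule E"; flow:to_client,established; reference:cve,2018-0920; classtype:attempted-user; sid:46197; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-WEBAPP unrelated sample"; classtype:web-application-attack; sid:99999; rev:1;)
"""


def parse_rules(text: str) -> Dict[Tuple[int, int], bool]:
    """Map (gid, sid) -> enabled for every rule line. Rule packages ship
    disabled rules as lines starting with '#', so those are kept as False."""
    rules: Dict[Tuple[int, int], bool] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line if enabled else line.lstrip("# ")
        sid_match = SID_RE.search(body)
        if not sid_match:
            continue  # an ordinary comment, not a disabled rule
        gid_match = GID_RE.search(body)
        gid = int(gid_match.group(1)) if gid_match else 1  # gid defaults to 1
        rules[(gid, int(sid_match.group(1)))] = enabled
    return rules


def check_coverage(rules: Dict[Tuple[int, int], bool],
                   advisory: Dict[str, Tuple[int, int, int]]) -> Dict[str, Dict[str, List[int]]]:
    """Classify every advertised SID per CVE as enabled, disabled or missing."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for cve, (gid, first, last) in advisory.items():
        status: Dict[str, List[int]] = {"enabled": [], "disabled": [], "missing": []}
        for sid in range(first, last + 1):
            state = rules.get((gid, sid))
            if state is None:
                status["missing"].append(sid)
            elif state:
                status["enabled"].append(sid)
            else:
                status["disabled"].append(sid)
        report[cve] = status
    return report


def needs_attention(report: Dict[str, Dict[str, List[int]]]) -> List[str]:
    """CVEs for which at least one advertised SID is disabled or absent."""
    return sorted(cve for cve, s in report.items() if s["disabled"] or s["missing"])


if __name__ == "__main__":
    # Pass one or more .rules files; with no arguments the constructed sample is used.
    if len(sys.argv) > 1:
        text = "\n".join(open(p).read() for p in sys.argv[1:])
    else:
        text = SAMPLE_RULES
    rep = check_coverage(parse_rules(text), ADVISORY_SIDS)
    for cve, s in sorted(rep.items()):
        print(f"{cve}: enabled={s['enabled']} disabled={s['disabled']} missing={s['missing']}")
    print("needs attention:", needs_attention(rep))
```

Run it against the rules files your sensor actually loads; a SID that the release notes advertise but that is commented out in your local copy gives no coverage until you enable it.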



Friday, April 6, 2018

Requiring at least TLS 1.2 for Snort.org

Later this month, currently planned for around April 25th, we will require everyone who connects to Snort.org, whether via the API (oinkcode) or the website, to negotiate at least TLS version 1.2 (or 1.3).

Today we do not enforce this restriction, but as we move more and more things here at Snort / Talos / ClamAV to a more secure environment, we want to make sure everyone connects at the best possible encryption level.

We already enforce HTTPS for every connection to any host on the snort.org domain (to include blog.snort.org starting this week, in case you didn't notice), and all HTTP connections are now redirected to HTTPS.  This change hasn't had any negative impact (as far as we can tell), as only 7% of connections in the past month to the snort.org domain were over HTTP.

What we are concerned about are very old Snort installations out there that haven't been updated in some time (we know they exist) no longer being able to connect to Snort.org.

We are assuming the majority of these to be blocked already, as they are attempting to download version "2.4.4" of the ruleset for example.

However, in an abundance of caution, and to isolate any issues that this may have, I figured I'd write this blog post just in case.
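One way to check an old rule-download box against the announced minimum before the cutover, as an added example rather than Snort.org's own tooling; it reports which TLS versions the local OpenSSL build offers and what a TLS 1.2-only handshake to the host (snort.org by default) negotiates, and changes nothing.

```python
"""Check whether this host's TLS stack can still reach a server that requires
TLS 1.2 or newer. Added example; not Snort.org tooling."""
import socket
import ssl
import sys


def strict_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2, mirroring the
    server-side minimum announced in the post (needs Python 3.7+)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def local_tls_support() -> dict:
    """Report which protocol versions the local OpenSSL build offers at all.
    A box whose OpenSSL predates TLS 1.2 cannot be fixed by configuration."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls1_2": bool(getattr(ssl, "HAS_TLSv1_2", False)),
        "tls1_3": bool(getattr(ssl, "HAS_TLSv1_3", False)),
    }


def negotiated_version(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a TLS 1.2+ handshake to host:port and return the negotiated version
    (e.g. 'TLSv1.3'), or 'FAILED: <reason>' when the handshake does not complete."""
    ctx = strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() or "FAILED: no version reported"
    except (ssl.SSLError, OSError) as exc:
        return f"FAILED: {exc}"


def version_ok(version: str) -> bool:
    """True only for versions that will still be accepted after the cutover."""
    return version in ("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "snort.org"
    print(local_tls_support())
    result = negotiated_version(host)
    print(f"{host}: {result} -> {'OK' if version_ok(result) else 'WILL BE BLOCKED'}")
```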

Thursday, April 5, 2018

Snort Subscriber Rule Set Update for 04/05/2018

Just released:
Snort Subscriber Rule Set Update for 04/05/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 9 new rules of which 0 are Shared Object rules and made modifications to 1 additional rule of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Microsoft Vulnerability CVE-2018-0986:
A coding deficiency exists in Microsoft Malware Protection Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46163 through 46164.

Talos has also added and modified multiple rules in the file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Snort Subscriber Rule Set Update for 04/03/2018

Just released:
Snort Subscriber Rule Set Update for 04/03/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules of which 14 are Shared Object rules and made modifications to 5 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov
46129


Talos's rule release:
Talos has added and modified multiple rules in the file-image,
file-java, malware-cnc, os-linux and server-webapp rule sets to provide
coverage for emerging threats from these technologies.



Wednesday, April 4, 2018

2018 Snort Scholarship is now open!

We are currently accepting submissions for our 2018 Snort Scholarship award!

This year we will be awarding $10,000 to two individuals pursuing a higher education degree that meets our eligibility criteria.
To be eligible to submit an Application and participate in the Drawing, you must:
(1) have or be eligible to receive your high school diploma or equivalent in 2018 as of the date Cisco receives your Application, and
(2) provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cyber security or a similarly related field of study from a school located in the United States or a United States Territory.
Company Personnel and their immediate family members are ineligible.
The deadline to apply for consideration is May 2, 2018.
For more information about contest rules, eligibility requirements, or to complete a submission form, visit our Snort Scholarship page.
Best of luck!

Thursday, March 29, 2018

Snort Subscriber Rule Set Update for 03/29/2018

Just released:
Snort Subscriber Rule Set Update for 03/29/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules of which 18 are Shared Object rules and made modifications to 15 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
46066
46067
46068
46069
46070


Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-office, file-other, malware-cnc, policy-other, protocol-other, protocol-snmp, protocol-voip, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Friday, March 23, 2018

Snort Subscriber Rule Set Update for 03/23/2018

Just released:
Snort Subscriber Rule Set Update for 03/23/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 8 new rules of which 0 are Shared Object rules and made modifications to 0 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the and server-webapp rule sets to provide coverage for emerging threats from these technologies.


Thursday, March 22, 2018

Snort Subscriber Rule Set Update for 03/22/2018

Just released:
Snort Subscriber Rule Set Update for 03/22/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 8 new rules of which 0 are Shared Object rules and made modifications to 2 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, March 20, 2018

Snort Subscriber Rule Set Update for 03/20/2018

Just released:
Snort Subscriber Rule Set Update for 03/20/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 34 new rules of which 16 are Shared Object rules and made modifications to 18 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
45960
45961
45962
45963
45964
45965
45966
45967
45968
45983


Talos's rule release:
Talos has added and modified multiple rules in the app-detect, exploit-kit, file-image, file-other, file-pdf, malware-backdoor, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Monday, March 19, 2018

Snort Subscriber Rule Set Update for 03/15/2018

Just released:
Snort Subscriber Rule Set Update for 03/15/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 26 new rules of which 0 are Shared Object rules and made modifications to 22 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, deleted, malware-cnc, os-windows, pua-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Friday, March 16, 2018

Snort++ Update

Pushed build 244 to github (snortadmin/snort3):
  • appid: unit-tests for http detector plugins
  • build: address compiler warnings, spell check and static analyzer issues
  • build: extirpate autotools usage
  • build: fix compilation issue on FreeBSD with extra
  • byte_jump: updated byte_jump post_offset option to support variable
  • cmake: update CMake config to use GNUInstallDirs and match automake
  • daq: hext DAQ can generate start of flow and end of flow meta events
  • doc: add documentation for ftp telnet
  • doc: fix including config_changes.txt when ruby is not present
  • doc: update ftp time format link
  • doc: updates for HTTP/2
  • http_inspect: handle white space before chunk length
  • inspectors: probes run regardless of active policy
  • logger: update Hext Logger to subscribe and log DAQ Meta Packets
  • main: reload hosts while reloading config
  • memory: override C++14 delete operators as well
  • packet tracer: added ability to direct logging to file
  • perf_monitor: fixed flow_ip outputting erroneous values
  • perf_monitor: query modules for stats only after they have all loaded
  • snort: --rule-to-text [<delim>] raw string output
  • snort: allow colon separated directories for --daq-dir
  • snort: wrap SO_PUBLIC APIs (classes, functions exported public from snort) in the 'snort' namespace
Note that autotools support has been removed, so you must use cmake to build. If you have been using autotools, there is a configure_cmake.sh script available that functions similarly to configure.

Wednesday, March 14, 2018

Snort Subscriber Rule Set Update for 03/13/2018, MsTuesday

Just released:
Snort Subscriber Rule Set Update for 03/13/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 72 new rules of which 3 are Shared Object rules and made modifications to 20 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-0817:
A coding deficiency exists in Microsoft Windows GDI that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45881 through 45882.

Microsoft Vulnerability CVE-2018-0872:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2018-0874:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45875 through 45876.

Microsoft Vulnerability CVE-2018-0877:
A coding deficiency exists in Microsoft Windows Desktop Bridge VFS that
may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45873 through 45874.

Microsoft Vulnerability CVE-2018-0880:
A coding deficiency exists in Microsoft Windows Desktop Bridge that may
lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45902 through 45903.

Microsoft Vulnerability CVE-2018-0882:
A coding deficiency exists in Microsoft Windows Desktop Bridge that may
lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45900 through 45901.

Microsoft Vulnerability CVE-2018-0883:
A coding deficiency exists in Microsoft Shell that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45892 through 45895.

Microsoft Vulnerability CVE-2018-0889:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45887 through 45888.

Microsoft Vulnerability CVE-2018-0893:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45898 through 45899.

Microsoft Vulnerability CVE-2018-0903:
A coding deficiency exists in Microsoft Access that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45883 through 45884.

Microsoft Vulnerability CVE-2018-0922:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45879 through 45880.

Microsoft Vulnerability CVE-2018-0930:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45889 through 45890.

Microsoft Vulnerability CVE-2018-0933:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 45378 through 45379 and 45628 through 45629.

Microsoft Vulnerability CVE-2018-0934:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0935:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45877 through 45878.

Talos has also added and modified multiple rules in the browser-ie,
deleted, exploit-kit, file-executable, file-office, file-other,
indicator-compromise, malware-backdoor, malware-cnc, os-windows,
protocol-dns, protocol-scada and server-webapp rule sets to provide
coverage for emerging threats from these technologies.



Thursday, March 8, 2018

Snort Subscriber Rule Set Update for 03/08/2018

Just released:
Snort Subscriber Rule Set Update for 03/08/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 22 new rules of which 1 is a Shared Object rule and made modifications to 3 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-other, file-pdf, os-windows, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, March 6, 2018

Snort Subscriber Rule Set Update for 03/06/2018

Just released:
Snort Subscriber Rule Set Update for 03/06/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules of which 5 are Shared Object rules and made modifications to 12 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-other, file-other, file-pdf, malware-cnc, malware-other, malware-tools, policy-other, protocol-ftp, pua-other, server-iis, server-mysql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Monday, March 5, 2018

Shared Object Rule OS build change is coming

Similar to my recent post, we will also be removing OpenSUSE 11/12 and Debian 6 from active support for Shared Object rules.

We have replaced those systems with support for:

OpenSUSE LEAP 15.0 x86-64
OpenSUSE LEAP 42.3 x86_64
Debian 7/8/9 for both 32bit and x64

Please provide us feedback here, or on the Snort-Sigs mailing list!  Thank you!

Talos Snort configuration files have been updated

I just posted the updated Talos Snort configuration files to the Documentation page on Snort.org.

Keep in mind that the snort.conf file that ships with the Snort tarball is only up to date when that tarball ships. To make sure you stay on the latest recommended configuration, it's recommended that you also keep your snort.conf current.

Talos keeps the tedious nature of updating the snort.conf in mind, and we try to minimize the amount of changes done.

Snort 3.0.0-a4 installation guide on OpenSUSE 42.3 has been posted

Thanks to our community member Boris Gomez, I've uploaded his recent copy of an installation guide for Snort 3 on OpenSUSE 42.3 to the Snort Documentation page.

We'll be sending some swag out to Boris very soon.

If you'd like to contribute to the Snort Documentation page, we'd love to hear from you!

Thursday, March 1, 2018

Snort Subscriber Rule Set Update for 03/01/2018

Just released:
Snort Subscriber Rule Set Update for 03/01/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 42 new rules of which 1 is a Shared Object rule and made modifications to 5 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-other, file-pdf, indicator-obfuscation, os-windows, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Shared Object Rule OS build change is coming

In an upcoming release (we are targeting March 8th), we will be removing Ubuntu 10 and Ubuntu 12 from our Shared Object (SO) precompiled rule build system.

We have already added SO builds for Ubuntu 14, 16, and 17, in both 32bit and x64 to replace the older EOL'ed versions of Ubuntu.

Please provide us feedback here, or on the Snort-Sigs mailing list!  Thank you!


Wednesday, February 28, 2018

Snort Subscriber Rule Set Update for 02/27/2018

Just released:
Snort Subscriber Rule Set Update for 02/27/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 36 new rules of which 4 are Shared Object rules and made modifications to 201 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-chrome, file-flash, file-office, file-other, indicator-compromise, indicator-obfuscation, malware-backdoor, malware-cnc, malware-other, malware-tools, netbios, os-linux, os-windows, policy-other, protocol-dns, protocol-imap, protocol-other, protocol-pop, protocol-scada, protocol-voip, server-apache, server-iis, server-mail, server-mysql, server-other, server-samba and sql rule sets to provide coverage for emerging threats from these technologies.



Friday, February 23, 2018

Shared Object rules supported OSes

In our next build of the ruleset, we will remove the following OSes from active builds (because they are just ancient at this point):

  • Fedora Core 12/i386
  • Fedora Core 12/x86_64
  • Fedora Core 14/i386
  • Fedora Core 14/x86_64

The following builds will be added:

  • Fedora Core 25/i386
  • Fedora Core 25/x86_64
  • Fedora Core 26/i386
  • Fedora Core 26/x86_64
  • Fedora Core 27/x86_64

We will update the "Supported OSes" page soon.

Thursday, February 22, 2018

Snort Subscriber Rule Set Update for 02/22/2018

Just released:
Snort Subscriber Rule Set Update for 02/22/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules of which 25 are Shared Object rules and made modifications to 4 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-webkit, file-office, file-other, file-pdf, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Wednesday, February 21, 2018

Snort Subscriber Rule Set Update for 02/20/2018

Just released:
Snort Subscriber Rule Set Update for 02/20/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules of which 2 are Shared Object rules and made modifications to 150 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-linux, os-other, os-windows, policy-other, protocol-dns and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Friday, February 16, 2018

Snort Subscriber Rule Set Update for 02/15/2018

Just released:
Snort Subscriber Rule Set Update for 02/15/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 11 new rules of which 0 are Shared Object rules and made modifications to 46 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, protocol-ftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, February 13, 2018

Snort 3.0 Ruleset Announcement!

Join as we welcome the first official builds of the Snort 3 subscriber and registered ruleset to the family!

Today marks the first day that we will begin publishing the Snort 3 subscriber and registered rulesets alongside the Snort 2.x rulesets on Snort.org.  These are going to be downloadable via API (Oinkcode) the same as Snort 2.x rulesets, and will be published on the same dates.

The same subscription rules apply for Snort 3.  New rules will be added to the registered ruleset after a 30-day delay.  The licensing is the exact same as it is today on Snort 2.x.  Our license can be viewed here:  https://www.snort.org/snort_license

False Positives against Snort 3 rules can be filed by following the same instructions as Snort 2.x rules.  Instructions on how to file false positives can be found here: http://blog.snort.org/2016/11/reporting-false-positives-with-snortorg.html

There are a couple of caveats to the Snort 3 ruleset:

  1. Keep in mind that the format and layout of the Snort 3 ruleset is different from Snort 2's.  If you want to start testing the Alpha (and coming soon, Beta!) builds of Snort 3 and you have a custom ruleset, you can convert your Snort 2 ruleset into the Snort 3 language by using the snort2lua tool found in the Snort 3 tarball available on www.snort.org/downloads
  2. Shared Object rules are not part of this initial build.  We have not begun to transition the shared object rules that we build for Snort 2.x's rule tree into Snort 3.  Work on that will begin very soon.
  3. The files within the Snort 3 ruleset tarball are named slightly differently.  This is on purpose: not only does it give a clean separation from the old rule set to the new one, but if someone writes the Snort-Sigs list asking for assistance with a rule and they are trying to run a Snort 3 rule on a Snort 2 engine, it'll be easily identifiable.
    1. For instance, in Snort 2.x rules, an example rule file may be named "server-webapp.rules"
    2. In Snort 3's rule package, the same file would be named "snort3-server-webapp.rules"
  4. We have removed all the old dead categories.  exploit.rules, blacklist.rules, web-iis.rules and the like are all gone.


We look forward to people starting to use this ruleset and test it out.  Please provide us feedback on the Snort-sigs list.

Snort++ Build 243 Available Now on Snort.org

A new release of Snort++ (build 243) is now available on snort.org which includes lots of new functionality and important bug fixes.  Here is an overview of the updates since the prior release:

Important changes since the last release:


  • build: dropping automake support - only cmake tarballs provided
    (automake files are still included but will be removed soon)

Issues reported by the community:

  • alert_json: various fixes
    thanks to Noah Dietrich for reporting the issues
  • appid: gracefully handle failed Lua state instantiation
    thanks to Noah Dietrich for reporting the issue
  • build: add STATIC to add_library call of port_scan to build it statically
    thanks to Fabrice Fontaine
  • cd_pbb: initial version of codec for 802.1ah
    thanks to jan hugo prins for reporting the issue
  • cd_pflog: fix comments
    thanks to Markus Lude for the 2X patch
  • http_inspect: handle borked reassembly gracefully
    thanks to João Soares for reporting the issue
  • ips options: error if lookup fails due to bad case, typos, etc.
    thanks to Noah Dietrich for reporting the issue

New Features:

  • alert_json: added json event logger
  • arp_spoof: added wlan support
  • binder: added zones, network policy selection
  • daq: add support for DAQ_VERDICT_RETRY
  • daq: add support for packet trace
  • daq: add support tunnel bypass for IP 4IN4, IP 6IN6, GRE and MPLS by config and flags
  • dce_smb: added unicode filename support
  • file policy: add support for file event logging
  • http_inspect: added http_raw_buffer rule option
  • inspectors: added peg count for max concurrent sessions
  • loggers: added base64 encoder based on libb64 from devolve
  • modules: add usage designating global, context, inspect, or detect policy applicability
  • mss: add extra rule option to check mss
  • port_scan: add alert_all to make alerting on all events in window optional
  • snort2lua: --bind-wizard will add a trailing binding to the default wizard in each binder
  • snort2lua: convert file_magic.conf to Lua format.
  • snort2lua: bindings now merge and propagate to top level of corresponding policy
  • snort2lua: '# alert' rules and pass comments in *.rules files
  • snort: -T does not compile mpse; --mem-check does
  • snort: add --dump-msg-map
  • snort: add warnings count to -T output
  • target: add rule option to indicate target of attack
  • unified2: add legacy_events bool for out-of-date barnyard2
  • wscale: add extra rule option to check tcp window scaling

Bug Fixes:

  • byte_test: fixed string bounds check
  • content: fixed relative loop condition
  • dce: use service names from rules (dce_smb = netbios-ssn; dce_tcp / dce_udp = dcerpc)
  • detection: fixed option tree looping issue
  • detection: use detection limit (alt_dsize)
  • http_inspect: HTTP headers no longer avoid detection when message unexpectedly ends after status line or headers
  • http_inspect: apply request/response depth to packet data
  • pcre: fixed relative search with ^
  • shell: fixed --pause to accept control commands while in paused state
  • snort2lua: no sticky buffer for relative pcre
  • snort: fixed --dump-builtin-rules to accept optional module prefix
  • u2spewfoo: fixed build on FreeBSD

There are many other updates not mentioned.  Check the ChangeLog for a summary of changes including new features and build and bug fixes.

There are lots of enhancements and new features planned for Snort++, some of which are already in development.  As always, new downloads are posted to snort.org periodically.  You can also get the latest updates from github (snortadmin/snort3) which is updated weekly.

Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Snort Subscriber Rule Set Update for 02/13/2018, Snort 3 official ruleset!

Just released:
Snort Subscriber Rule Set Update for 02/13/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 51 new rules of which 2 are Shared Object rules and made modifications to 7 additional rules of which 1 are Shared Object rules.

This release also marks the first official release of the registered and subscriber rulesets for Snort 3.0

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-0742:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45649 through 45650.

Microsoft Vulnerability CVE-2018-0756:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45632 through 45635.

Microsoft Vulnerability CVE-2018-0825:
A coding deficiency exists in Microsoft StructuredQuery that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45624 through 45625.

Microsoft Vulnerability CVE-2018-0834:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45626 through 45629.

Microsoft Vulnerability CVE-2018-0835:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0837:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0838:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0840:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0841:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45654 through 45655.

Microsoft Vulnerability CVE-2018-0842:
A coding deficiency exists in Microsoft Windows that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45656 through 45657.

Microsoft Vulnerability CVE-2018-0844:
A coding deficiency exists in Microsoft Windows Common Log File System
(CLFS) driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45630 through 45631.

Microsoft Vulnerability CVE-2018-0846:
A coding deficiency exists in Microsoft Windows Common Log File System
(CLFS) driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40691 through 40692.

Microsoft Vulnerability CVE-2018-0858:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45659 through 45660.

Microsoft Vulnerability CVE-2018-0860:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629
and 45636 through 45637.

Microsoft Vulnerability CVE-2018-0866:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45673 through 45674.

Talos also has added and modified multiple rules in the browser-ie,
exploit-kit, file-office, file-other, file-pdf, malware-cnc,
os-windows, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.
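The announcement above identifies coverage per CVE as "GID 1, SIDs A through B" (sometimes several ranges, sometimes previously released rules). As an added example, not code from the post or from Talos, the following Python parses those CVE-to-SID mappings out of announcement text in that format and checks a Snort 2.x rules file to see whether each announced SID is present and enabled; the announcement excerpt and the rule lines are constructed for the example, and the "# alert" convention for disabled rules is assumed.

```python
import re

# Constructed excerpt in the format of the announcement above (three of its entries,
# chosen to cover the single-range, multi-range and "previously released" wordings).
ANNOUNCEMENT = """\
Microsoft Vulnerability CVE-2018-0742:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45649 through 45650.

Microsoft Vulnerability CVE-2018-0846:
A coding deficiency exists in Microsoft Windows Common Log File System
(CLFS) driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40691 through 40692.

Microsoft Vulnerability CVE-2018-0860:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45628 through 45629
and 45636 through 45637.
"""

# Constructed Snort 2.x rule lines; the options are placeholders, not Talos's rules.
# A leading "# " marks a rule that ships disabled.
RULES = """\
# constructed sample rules file
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS constructed 1"; flow:to_server; sid:45649; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS constructed 2"; flow:to_server; sid:45650; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE constructed 3"; flow:to_client; sid:45628; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE constructed 4"; flow:to_client; sid:45629; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-IE constructed 5"; flow:to_client; sid:45636; rev:1;)
"""

CVE_RE = re.compile(r"Microsoft Vulnerability (CVE-\d{4}-\d+):")
GID_RE = re.compile(r"GID (\d+), SIDs (.*?)\.", re.S)   # re.S: ranges may wrap lines
RANGE_RE = re.compile(r"(\d+) through (\d+)")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GIDOPT_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
ACTIONS = ("alert", "drop", "sdrop", "reject", "pass", "log", "activate", "dynamic")


def parse_announcement(text):
    """Return {cve: (gid, set_of_sids)} from the Details section of an announcement."""
    coverage = {}
    parts = CVE_RE.split(text)          # [preamble, cve, body, cve, body, ...]
    for i in range(1, len(parts), 2):
        cve, body = parts[i], parts[i + 1]
        m = GID_RE.search(body)
        if not m:
            continue                    # entry without a SID list
        sids = set()
        for lo, hi in RANGE_RE.findall(m.group(2)):
            sids.update(range(int(lo), int(hi) + 1))   # "through" is inclusive
        coverage[cve] = (int(m.group(1)), sids)
    return coverage


def parse_rules(rules_text):
    """Return {(gid, sid): enabled} for every rule line, commented-out rules included."""
    state = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith("#")
        body = stripped.lstrip("# ")
        if not body.startswith(ACTIONS):
            continue                    # plain comment or blank line, not a rule
        m = SID_RE.search(body)
        if not m:
            continue
        g = GIDOPT_RE.search(body)
        gid = int(g.group(1)) if g else 1   # text rules default to GID 1
        state[(gid, int(m.group(1)))] = enabled
    return state


def coverage_report(coverage, state):
    """Classify each announced SID per CVE as enabled, disabled or missing locally."""
    report = {}
    for cve, (gid, sids) in coverage.items():
        status = {"enabled": [], "disabled": [], "missing": []}
        for sid in sorted(sids):
            if (gid, sid) not in state:
                status["missing"].append(sid)
            elif state[(gid, sid)]:
                status["enabled"].append(sid)
            else:
                status["disabled"].append(sid)
        report[cve] = status
    return report


if __name__ == "__main__":
    for cve, status in coverage_report(parse_announcement(ANNOUNCEMENT), parse_rules(RULES)).items():
        print(cve, status)
```

Pointing parse_rules at a real rules file shows which announced SIDs are absent (a stale download) or shipped disabled by policy, which is the check worth running after each rule release.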



Thursday, February 8, 2018

Snort Subscriber Rule Set Update for 02/08/2018

Just released:
Snort Subscriber Rule Set Update for 02/08/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 15 new rules of which 3 are Shared Object rules and made modifications to 13 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-other, file-pdf, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, February 6, 2018

Snort Subscriber Rule Set Update for 02/06/2018

Just released:
Snort Subscriber Rule Set Update for 02/06/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 13 new rules of which 10 are Shared Object rules and made modifications to 4 additional rules of which 2 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-other, file-pdf, malware-backdoor, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Saturday, February 3, 2018

Snort Subscriber Rule Set Update for 02/02/2018, Cisco ASA Coverage

Just released:
Snort Subscriber Rule Set Update for 02/02/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules of which 2 are Shared Object rules and made modifications to 2 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the indicator-shellcode and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Friday, February 2, 2018

Snort Subscriber Rule Set Update for 02/01/2018

Just released:
Snort Subscriber Rule Set Update for 02/01/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 1 new rules of which 0 are Shared Object rules and made modifications to 92 additional rules of which 20 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-webkit, exploit-kit, file-flash, file-java, file-multimedia, file-office, indicator-scan, netbios, os-windows, protocol-dns, protocol-icmp, protocol-nntp, protocol-rpc, protocol-tftp, server-iis, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Wednesday, January 31, 2018

Snort Subscriber Rule Set Update for 01/31/2018

Just released:
Snort Subscriber Rule Set Update for 01/31/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 20 new rules of which 1 are Shared Object rules and made modifications to 1581 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, malware-cnc, malware-other, netbios, os-linux, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-imap, protocol-telnet, protocol-voip, pua-other, server-apache, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other, server-samba and sql rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 30, 2018

Snort Subscriber Rule Set Update for 01/30/2018

Just released:
Snort Subscriber Rule Set Update for 01/30/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 21 new rules of which 0 are Shared Object rules and made modifications to 708 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, malware-cnc, malware-other, os-mobile, os-other, os-solaris, os-windows, policy-other, protocol-dns, protocol-other, protocol-scada, pua-other, server-other, server-samba and sql rule sets to provide coverage for emerging threats from these technologies.



Thursday, January 25, 2018

Snort Subscriber Rule Set Update for 01/25/2018

Just released:
Snort Subscriber Rule Set Update for 01/25/2018

We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules of which 4 are Shared Object rules and made modifications to 1523 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
45545


Talos's rule release:
Talos has added and modified multiple rules in the browser-chrome, browser-ie, browser-plugins, exploit-kit, file-executable, file-flash, file-image, file-multimedia, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other, protocol-dns, protocol-other, protocol-scada, protocol-telnet, pua-adware, server-mail, server-mssql, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 23, 2018

Snort Subscriber Rule Set Update for 01/23/2018

Just released:
Snort Subscriber Rule Set Update for 01/23/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 28 new rules of which 6 are Shared Object rules and made modifications to 1445 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-executable, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, netbios, os-linux, os-other, os-windows, policy-other, protocol-dns, protocol-snmp, server-apache, server-mysql, server-other and sql rule sets to provide coverage for emerging threats from these technologies.



Friday, January 19, 2018

Snort Subscriber Rule Set Update for 01/19/2018

Just released:
Snort Subscriber Rule Set Update for 01/19/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules of which 0 are Shared Object rules and made modifications to 6 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, file-office, malware-cnc, malware-other, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Snort Subscriber Rule Set Update for 01/18/2018

Just released:
Snort Subscriber Rule Set Update for 01/18/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 24 new rules of which 2 are Shared Object rules and made modifications to 1001 additional rules of which 6 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the app-detect, browser-firefox, browser-ie, browser-other, exploit-kit, file-flash, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, os-other, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-other, protocol-pop, protocol-voip, server-apache, server-mail, server-mysql, server-oracle, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 16, 2018

Snort Subscriber Rule Set Update for 01/16/2018

Just released:
Snort Subscriber Rule Set Update for 01/16/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 37 new rules of which 2 are Shared Object rules and made modifications to 13 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, malware-cnc, os-other, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Thursday, January 11, 2018

Snort Subscriber Rule Set Update for 01/11/2018

Just released:
Snort Subscriber Rule Set Update for 01/11/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules of which 0 are Shared Object rules and made modifications to 10 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Yaser Mansour
45397
45398
45400
45411
45412


Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, file-office, file-pdf, policy-other, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.



Tuesday, January 9, 2018

Snort Subscriber Rule Set Update for 01/09/2018, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 01/09/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 37 new rules of which 0 are Shared Object rules and made modifications to 36 additional rules of which 1 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-0758:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45383 through 45384.

Microsoft Vulnerability CVE-2018-0762:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45389 through 45390.

Microsoft Vulnerability CVE-2018-0769:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45376 through 45377.

Microsoft Vulnerability CVE-2018-0773:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45395 through 45396.

Microsoft Vulnerability CVE-2018-0774:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45387 through 45388.

Microsoft Vulnerability CVE-2018-0775:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45391 through 45392.

Microsoft Vulnerability CVE-2018-0776:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45378 through 45379.

Microsoft Vulnerability CVE-2018-0777:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45374 through 45375.

Microsoft Vulnerability CVE-2018-0797:
A coding deficiency exists in Microsoft Word that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 45402 through 45403.

Talos also has added and modified multiple rules in the
browser-firefox, browser-ie, file-flash, file-office, file-other,
file-pdf, malware-cnc, os-other, os-windows, policy-other,
protocol-voip, pua-adware, server-apache, server-other and sql rule
sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Friday, January 5, 2018

Snort Subscriber Rule Set Update for 01/04/2018, Release #2, Intel Vulnerabilities

Snort Subscriber Rule Set Update for 01/04/2018, Release #2, Intel Vulnerabilities

We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules of which 0 are Shared Object rules and made modifications to 0 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Spectre and Meltdown (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754): A design flaw exists in modern CPUs that may lead to information disclosure.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45357 through 45368.
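Each release above announces coverage as a GID and an inclusive SID range (the Microsoft Scripting Engine and Word ranges in the 01/09 release, and SIDs 45357 through 45368 here). A practitioner wants to confirm, after pulling the tarball, that those SIDs actually landed in the deployed rules files and are not commented out: subscriber rule sets ship many rules disabled by default depending on the policy in use, so a SID being present in the file is not the same as it being enabled. The checker below is an added example, not code from this page, from Snort, or from Talos. It parses a Snort text rules file, indexes rules by (GID, SID), joins backslash line continuations, and reports which SIDs in an announced range are missing or disabled. The sample rules embedded in it are constructed placeholders: the SID numbers come from the announcements on this page, but the msg/content bodies are made up and are not the Talos rules that carry those SIDs.

```python
import re
from typing import Dict, List, Tuple

# Matches one Snort text rule (optionally commented out with a leading '#'),
# capturing the action and the option block between the outermost parentheses.
# The rule header never contains '(', so [^(]* stops at the start of the options.
_RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|log|pass|drop|sdrop|reject)\s+"
    r"(?P<header>[^(]*)\((?P<opts>.*)\)\s*$"
)
# gid/sid/rev options inside the option block, e.g. "sid:45383;".
_OPT_RE = re.compile(r"\b(gid|sid|rev)\s*:\s*(\d+)\s*;")

RuleInfo = Dict[str, object]


def parse_rules(text: str) -> Dict[Tuple[int, int], RuleInfo]:
    """Index every rule in a .rules file by (gid, sid).

    Backslash line continuations are joined first. Text rules without an
    explicit gid default to GID 1, as Snort does.
    """
    text = re.sub(r"\\\s*\n\s*", " ", text)
    rules: Dict[Tuple[int, int], RuleInfo] = {}
    for line in text.splitlines():
        m = _RULE_RE.match(line)
        if not m:
            continue
        opts = {k: int(v) for k, v in _OPT_RE.findall(m.group("opts"))}
        if "sid" not in opts:
            continue  # not a well-formed rule; skip rather than guess
        rules[(opts.get("gid", 1), opts["sid"])] = {
            "rev": opts.get("rev", 0),
            "enabled": m.group("disabled") is None,
            "action": m.group("action"),
        }
    return rules


def check_coverage(rules, gid: int, sid_ranges) -> Tuple[List[int], List[int]]:
    """Return (missing, disabled) SIDs for the given GID across inclusive ranges."""
    missing: List[int] = []
    disabled: List[int] = []
    for lo, hi in sid_ranges:
        for sid in range(lo, hi + 1):
            info = rules.get((gid, sid))
            if info is None:
                missing.append(sid)
            elif not info["enabled"]:
                disabled.append(sid)
    return missing, disabled


# Constructed placeholder rules for illustration only; the msg/content bodies
# are made up and are not the Talos rules that carry these SIDs.
SAMPLE_RULES = """\
# placeholder ruleset (constructed)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule 45383"; flow:to_client,established; content:"placeholder"; sid:45383; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule 45384"; flow:to_client,established; content:"placeholder"; sid:45384; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"placeholder rule 45389"; \\
    flow:to_client,established; content:"placeholder"; sid:45389; rev:2;)
"""

# Ranges announced for CVE-2018-0758 and CVE-2018-0762 in the 01/09 release (GID 1).
ANNOUNCED = [(45383, 45384), (45389, 45390)]


def coverage_report(text: str = SAMPLE_RULES, gid: int = 1, sid_ranges=ANNOUNCED):
    """Run the check and return {"missing": [...], "disabled": [...]}."""
    missing, disabled = check_coverage(parse_rules(text), gid, sid_ranges)
    return {"missing": missing, "disabled": disabled}


if __name__ == "__main__":
    import sys
    # Pass a real .rules file path to check a deployed ruleset; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print(coverage_report(text))
```

On the constructed sample the report is {"missing": [45390], "disabled": [45384]}: 45390 is absent from the file and 45384 is present but commented out. Run it against the rules files you actually load in snort.conf, with the ranges from the announcement, and treat any non-empty list as coverage you do not have. It only inspects text rules; Shared Object rules are delivered as precompiled libraries with stub rules, and the stubs are what this parser would see.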


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Thursday, January 4, 2018

Snort 2.9.11.1 has been released!

Snort 2.9.11.1 has been released!

Release Notes:

2017-12-06 - Snort 2.9.11.1

New Additions


  • Added support for blocking port scans. In addition to tracking the scanning packets, the configured action (drop/sdrop/reject) is taken on all packets of the scan, so Snort blocks them and generates logs.
  • Added support to re-evaluate reputation after a reputation update for all flows except those that have already been blacklisted.

Improvements


  • Fixed RTP detection to tolerate up to two SSRC switches in each traffic direction.
  • Fixed issues related to HTTP POST header flushing: file processing is now called directly when the body is not a multipart header, and segment data is no longer split when flushing headers, which avoids an expensive copy.
  • Fixed an issue where a protocol sweep alert was triggered when a single source IP protocol-scanned multiple destinations.
  • Fixed IP portscan detection for protocols other than ICMP, and fixed the bad fragment size event not being generated for oversized packets.
  • File processing now uses the raw file data of PDF and SWF files for SHA calculation and Malware Cloud Lookup.
  • Fixed session matching for TCP SYN packets without the window scale option, so that FTP data channels match the same rule as their FTP control channels.
  • Fixed file inspection not applying the new configuration after a Snort reload.

We'd like to thank the following Snort Community members for working with us to fix issues released in 2.9.11.1:

Markus Lude
BlueSky
David Binderman

You can download Snort version 2.9.11.1 from its usual location on Snort.org. Talos will be releasing the ruleset for 2.9.11.1 later today (January 4th, 2018).

As always, you can report issues with Snort via our Snort-devel mailing list, and continue discussion for users on our Snort-users mailing list.

Thanks for your support of Snort and Happy New Year!

Snort Subscriber Rule Set Update for 01/04/2018

Just released:
Snort Subscriber Rule Set Update for 01/04/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 94 new rules of which 0 are Shared Object rules and made modifications to 24 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-other, browser-plugins, file-flash, file-image, file-java, file-multimedia, file-other, indicator-compromise, malware-cnc, policy-other, server-apache, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!

Wednesday, January 3, 2018

Snort Subscriber Rule Set Update for 01/02/2018

Just released:
Snort Subscriber Rule Set Update for 01/02/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 2 new rules of which 0 are Shared Object rules and made modifications to 107 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the latest emerging threats!