Thursday, August 30, 2018

Snort rule update for Aug. 30, 2018


Just released:
Snort Subscriber Rule Set Update for Aug. 30, 2018

We know everyone is still buzzing about the announcement yesterday that Snort 3 is now in beta, but the protection of our users still comes first, so as always, we have the new rule update for Snort here.

In this release, we introduced 16 new rules, of which four are Shared Object rules. There are also two modified rules.

This release covers several vulnerabilities in Cisco products, including TelePresence. We are also continuing development of new rules for the slew of Adobe vulnerabilities that have been disclosed over the past few weeks.

There were no changes made to the snort.conf in this release.

Cisco Talos's rule release:

  • New SO rules: 4
  • New Rules: 14
  • Modified Rules: 2

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.

Wednesday, August 29, 2018

Snort 3 beta available now!

We know our customers and community members have been waiting a while for this — so we are thrilled to announce that Snort 3 (build 247) is available in beta now. Snort 3 is a redesign of Snort 2 with a number of significant improvements.

Here are some highlights you should know about before downloading:
  • Configuration — We use LuaJIT for configuration. The config syntax is simple, consistent, and executable. LuaJIT plugins for rule options and loggers are supported, too.
  • Detection — We have worked closely with Cisco Talos to update rules to meet their needs, including a feature they call "sticky buffers." With the use of the Hyperscan search engine, regex fast patterns make rules faster and more accurate.
  • HTTP — We have a new and stateful HTTP inspector that currently handles 99 percent of the HTTP Evader cases, and will soon cover all of them. There are many new features, as well, including new rule options. HTTP/2 support is under development.
  • Performance — We have substantially increased performance for deep packet inspection.  Snort 3 supports multiple packet-processing threads, and scales linearly with a much smaller amount of memory required for shared configs, like rule engines.
  • JSON event logging — These can be used to integrate with tools such as the Elastic Stack.  See this blog post for more details.
  • Plugins — Snort 3 was designed to be extensible and there are over 225 of plugins of various types. It is easy to add your own codec, inspector, rule action, rule option, or logger.  SO rules are plugins, too, and it is much easier to add your own.
You can get Snort 3 from snort.org or from GitHub.

These packages / repositories are available:
  • snort3 — The main engine source code and plugins
  • snort3_extra — Other experimental and example plugins
  • snort3_demo — A test suite with working examples
We push updates to GitHub multiple times per week, and the master branch is always stable.

In addition to the cool new features, Snort 3 also supports all the capabilities of Snort 2.9.11, but we aren't done. Coming soon, we have:
  • Next generation DAQ
  • Connection events
  • Search engine acceleration
  • ... and much more.
Please submit bugs, questions, and feedback to bugs@snort.org or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, August 28, 2018

Snort Rule Update for Aug. 28, 2018

Cisco Talos has just released the new Snort Rule update for Aug. 28, 2018.

In this release, we introduced 31 new rules, two of which are Shared Object rules. There were no rule modifications in this release.

The new rules provide additional coverage for several critical vulnerabilities in Adobe Reader that could allow an attacker to arbitrarily execute code on a victim machine. There is also protection against the recently discovered Marap malware, which has been spotted in the wild targeting financial institutions.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

PT Security — 47567 and 47427

Yaser — 47639, 47640 and 47650

Talos's rule release:


  • New SO rules: 2
  • New Rules: 29

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users, be sure and see our business pricing as well here. Make sure and stay up to date to catch the most emerging threats.

Thursday, August 23, 2018

Snort Rule update for Aug. 23, 2018

Cisco Talos has just released the news Snort Rule update for Aug. 23, 2018.

In this release, we introduced one new rule and made modifications to three additional rules. We continue to protect users against several different vulnerabilities in Adobe products, including Acrobat Reader and Pro.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser — 47627

Talos's rule release:

  • New SO rules: 0 
  • Modified SO Rules: 0 
  • New Rules: 1 
  • Modified Rules: 3
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 21, 2018

Snort Rule Update for Aug. 21, 2018

Just released:
Snort Subscriber Rule Set Update for Aug. 21, 2018

We welcome the introduction of the newest rule release from Talos. In this release, we introduced 40 new rules, of which four are Shared Object rules. There are also seven modifications to rules, of which two are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
New SO rules: 4 Modified SO Rules 2 New Rules: 36 Modified Rules: 7
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 16, 2018

Snort OpenAppID Detectors have been updated!

An update has been released today for the Snort OpenAppID Detector content. This release, build 303, includes
  • A total of 2,828 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.

Available now for download from our downloads page, we look forward to you downloading and using the new features of 2.9.11.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

New Snort Subscriber Rule Set for Aug. 16, 2018


Just released:
Snort Subscriber Rule Set Update for Aug. 16, 2018

The newest rule release from Talos was released this morning. In this release, we introduced 47 new rules. Of those, three are shared object rules and made modifications to five additional rules, none of which are shared object rules.

There are several notable new rules in this release, including coverage for multiple "important" bugs in Adobe Flash Player (rules 47529 - 47535, 45768 and 45769). There's also new protections against the Plead malware family, which is a remotely controlled backdoor (rules 47566 and 47567).

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions, their rules are included in the Community Ruleset:

Yaser: 47556 and 47557

Talos's rule release:

  • New SO rules: Three

  • No modified SO Rules

  • New Rules: 44

  • Modified Rules: Five
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.

Tuesday, August 14, 2018

Snort Subscriber Rule Set Update for 08/14/2018, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 08/14/2018

We welcome the introduction of the newest rule release from Talos. In this release we introduced 55 new rules of which 6 are Shared Object rules and made modifications to 10 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-8266:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47490 through 47491.

Microsoft Vulnerability CVE-2018-8344:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47519 through 47520.

Microsoft Vulnerability CVE-2018-8345:
A coding deficiency exists in Microsoft LNK that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47476 through 47477.

Microsoft Vulnerability CVE-2018-8353:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 45877 through 45878.

Microsoft Vulnerability CVE-2018-8355:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47492 through 47493.

Microsoft Vulnerability CVE-2018-8371:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2018-8372:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47478 through 47479.

Microsoft Vulnerability CVE-2018-8376:
A coding deficiency exists in Microsoft PowerPoint that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47482 through 47483.

Microsoft Vulnerability CVE-2018-8379:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47495 through 47496.

Microsoft Vulnerability CVE-2018-8383:
A coding deficiency exists in Microsoft Edge that may lead to spoofing.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47474 through 47475.

Microsoft Vulnerability CVE-2018-8384:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47480 through 47481.

Microsoft Vulnerability CVE-2018-8387:
A coding deficiency exists in Microsoft Edge that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47486 through 47487.

Microsoft Vulnerability CVE-2018-8389:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47484 through 47485.

Microsoft Vulnerability CVE-2018-8401:
A coding deficiency exists in DirectX Graphics Kernel that may lead to
an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47517 through 47518.

Microsoft Vulnerability CVE-2018-8403:
A coding deficiency exists in Microsoft Browser that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47488 through 47489.

Microsoft Vulnerability CVE-2018-8404:
A coding deficiency exists in Microsoft Win32k that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47503 through 47504.

Microsoft Vulnerability CVE-2018-8405:
A coding deficiency exists in DirectX Graphics Kernel that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47515 through 47516.

Microsoft Vulnerability CVE-2018-8406:
A coding deficiency exists in DirectX Graphics Kernel that may lead to
an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 47512 through 47513.

Microsoft Vulnerability CVE-2018-8414:
A coding deficiency exists in Microsoft Windows Shell that may lead to
remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 46999 through 47002.

Talos also has added and modified multiple rules in the browser-ie,
file-executable, file-office, file-other, indicator-compromise,
malware-cnc, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 9, 2018

Snort Subscriber Rule Set Update for 08/09/2018

Just released:
Snort Subscriber Rule Set Update for 08/09/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 16 new rules of which 0 are Shared Object rules and made modifications to 11 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-ie, browser-plugins, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Tuesday, August 7, 2018

Snort Subscriber Rule Set Update for 08/07/2018

Just released:
Snort Subscriber Rule Set Update for 08/07/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 30 new rules of which 10 are Shared Object rules and made modifications to 13 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the browser-other, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Friday, August 3, 2018

Snort Subscriber Rule Set Update for 08/03/2018

Just released:
Snort Subscriber Rule Set Update for 08/03/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 1 new rules of which 0 are Shared Object rules and made modifications to 4 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.


Talos's rule release:
Microsoft Vulnerability CVE-2018-8414: A coding deficiency exists in Microsoft Windows OS that may lead to remote code execution with minimal to no user interaction. Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information.

They are also included in this release and are identified with GID 1, SIDs 46999 through 47002. Talos also has added and modified multiple rules in the malware-cnc rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!

Thursday, August 2, 2018

Snort Subscriber Rule Set Update for 08/02/2018

Just released:
Snort Subscriber Rule Set Update for 08/02/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 14 new rules of which 1 are Shared Object rules and made modifications to 2 additional rules of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-other, malware-cnc, policy-other, protocol-voip, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.


In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!