Tuesday, September 10, 2019

Snort rule update for Sept. 10, 2019: Microsoft Patch Tuesday

Cisco Talos has just released the latest SNORT® rule update. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the 85 vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 45 new rules, 53 modified rules and four new shared object rules.

Thursday, September 5, 2019

Reminder: New shared object rule builds now available

Just a reminder that, as we wrote back in August, there are new shared object rule builds available as of this week's builds.

Snort rule update for Sept. 5, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 29 new rules, 12 modified rules, one new shared object rule and two shared object rules.

Thursday's release provides coverage for vulnerabilities in several different web browsers, including Microsoft Edge and Internet Explorer, Safari and Google Chrome.

Tuesday, August 27, 2019

Snort rule update for Aug. 27, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 76 new rules, 14 modified rules and nine new shared object rules.

Tuesday's release provides coverage for two critical vulnerabilities in the 220 series of Cisco smart switches for small businesses. There is also protection against the exploitation of an arbitrary file disclosure vulnerability in Pulse Secure SSL VPN.

Thursday, August 22, 2019

New shared object rule builds available September 2nd and additional EOLs

This is a notice that we will be adding additional Open Source Shared Object rule builds to our pipeline starting on September 2nd:

Alpine 3.10/i386
Alpine 3.10/x86-64
RHEL 8/x86-64
OpenSUSE 15.1/x86-64
OpenBSD 6.4/i386
OpenBSD 6.4/x86-64
OpenBSD 6.5/i386
OpenBSD 6.5/x86-64

As previously announced, and as a reminder, builds for the following OSes will be retired (EOL) on the same date:

CentOS 5.4
Debian 7
FC 25
FC 26
FreeBSD 8.1
FreeBSD 9.0
FreeBSD 10.0
OpenBSD 5.2
OpenBSD 5.3
RHEL 5.5
Slackware 13.1

These OSes have themselves reached end of life.

Thank you



Snort rule update for Aug. 22, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 56 new rules, four modified rules, 14 new shared object rules and 25 modified shared object rules.

Thursday's release provides coverage for two vulnerabilities Cisco recently disclosed — one of which is rated "critical."

Tuesday, August 20, 2019

Snort rule update for Aug. 20, 2019

We apologize for the lack of update blog posts over the past two weeks, but even Snortie needs a summer vacation!

Our latest rule update just dropped this morning, though, and we've got the breakdown for you.

This release contains 65 new rules, three new shared object rules, 20 modified rules and two modified shared object rules.

Thursday's release includes additional coverage for several of the vulnerabilities Microsoft disclosed as part of its monthly security update last week, as well as protection against several spyware tools.

Monday, August 12, 2019

Snort Shared Object OSes to be removed

In order to deprecate older OS builds and enable builds for newer OSes, it is time to purge old OSes from our shared object rule build system.

The following builds will be stopped on August 27th:

CentOS 5.4
Debian 7
FC 25
FC 26
FreeBSD 8.1
FreeBSD 9.0
FreeBSD 10.0
OpenBSD 5.2
OpenBSD 5.3
RHEL 5.5
Slackware 13.1


We are looking at a couple of new builds to start after this step. More information will be posted soon.

Friday, August 2, 2019

Snort 2.9.14.1 has been released!

Snort Community!

We know it's a Friday, so we don't expect everyone to run right out and update, but in trying to get everything done before Black hat / Defcon, we wanted to make sure that 2.9.14.1 was shipped before we all got on planes to head out to "Hacker Summer Camp".

We've just pushed 2.9.14.1 live on the website (snort.org/downloads).  Please head on over and check it out at your earliest convenience.

Release notes are essentially the same as 2.9.14.0, with one minor fix, so I'll repost those:

[*] New Additions

 * Added support for wild card port numbers in host cache and overwriting port service AppId.

 * Added support for new STLS client patterns to help better detect POP3S over SSL.

 * Added support for detecting Mac based SMTP Microsoft Outlook client application.

 * Added a new preprocessor alert 120:27 to alert if there is no proper end of header.

[*] Improvements / Fixes

 * Improved appId detection for proxied traffic.

 * Fix for enabling flow profiling mode without restarting the Snort detection engine.

 * Fixed packet drop scenario.


Thanks so much for bearing with us while we figured out the little bug with packet acquisition.

As always, feedback can be directed to the Snort-users list.  Happy Snorting!

Thursday, August 1, 2019

Snort rule update for Aug. 1, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 31 new rules, 11 new shared object rules, 61 modified rules and one modified shared object rule.

Thursday's release includes new protections against the EvilGnome malware, fixes for several Microsoft and Apple vulnerabilities and coverage for a vulnerability in Palo Alto Networks' VPN service.

Tuesday, July 30, 2019

Snort rule update for July 30, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 21 new rules, nine new shared object rules, 138 modified rules and five modified shared object rules.

Thursday's release includes coverage for several different malware families recently used in the wild, including Godlua, Ratsnif and SoftCell.

Thursday, July 25, 2019

Snort rule update for July 25, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains six new rules, 13 new shared object rules and four modified rules.

Thursday's release provides protection against a series of vulnerabilities and exploits targeted toward Industrial Control Systems. Security researchers recently discovered 12 bugs in products from three different companies that could allow an attacker to take over SCADA software belonging to vital infrastructures such as water and power suppliers.

Tuesday, July 23, 2019

Snort rule update for July 23, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains six new rules — two of which are shared object rules, as well as two modified rules.

Thursday's release provides protection against a vulnerability in Windows win32k that attackers have exploited in the wild.

Thursday, July 18, 2019

Snort rule update for July 18, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 21 new rules — 10 of which are shared object rules, as well as five modified rules.

Thursday's release provides protection against a critical vulnerability in Cisco Vision Dynamic Signage Director, as well as a remote code execution bug in a popular plugin for WordPress.

Tuesday, July 16, 2019

Snort rule update for July 16, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 24 new rules — four of which are shared object rules, as well as five modified rules.

Tuesday's release fixes a high-profile vulnerability in the Zoom web meeting software and also provides new coverage for several different malware families.

Thursday, July 11, 2019

Snort rule update for July 11, 2019

Just released:
Snort Subscriber Rule Set Update for July 11, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 28 new rules and four modified rules, none of which are shared object rules.

This release provides new coverage for CVE-2017-11882, CVE-2018-0802 and CVE-2018-0798. These vulnerabilities in Microsoft Equation Editor — which have previous patches — are being exploited by a threat actor to deliver malware and send malicious RTF documents to users. Based on this new intelligence, this latest update includes new coverage for these bugs: SIDs 50684, 50685 and 50689-50695.

There were no changes made to the snort.conf in this release.

Tuesday, July 9, 2019

Snort rule update for July 9, 2019 — Microsoft Patch Tuesday

Cisco Talos has just released the latest SNORT® rule update. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the 77 vulnerabilities Microsoft disclosed this week, head to the Talos blog.

Tuesday, July 2, 2019

Snort rule update for July 2, 2019

Just released:
Snort Subscriber Rule Set Update for July 2, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 102 new rules and 10 modified rules, none of which are shared object rules.

This release provides new coverage for the Scranos malware, a data-stealing attack that its creators recently revitalized. The series of new rules prevents Scranos from making an outbound connection and also blocks it from downloading its final payload.

There were no changes made to the snort.conf in this release.

Thursday, June 27, 2019

Snort rule update for June 27, 2019

Just released:
Snort Subscriber Rule Set Update for June 27, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 10 new rules, five of which are shared object rules. There are also six modified rules, one of which is a shared object rule.

In this release, we have new protection from critical vulnerabilities Cisco recently disclosed in Data Center Network (DNA) Management. There is also protection from any attacks attempting to exploit a critical flaw in Mozilla Firefox that attackers have actively used in the wild.

There were no changes made to the snort.conf in this release.

Tuesday, June 25, 2019

Snort rule update for June 25, 2019

Just released:
Snort Subscriber Rule Set Update for June 25, 2019

Cisco Talos released the latest SNORTⓇ rule set this morning. This release includes five new rules, two shared object rules and two modified rules.

This release provides protection from a recent Netwire variant spotted in the wild. Attackers have been delivering the malware through a zero-day vulnerability in the Mozilla Firefox web browser. Rules 50498 and 50500 prevent Netwire from downloading its final payload.

There were no changes made to the snort.conf in this release.

Thursday, June 20, 2019

Snort rule update for June 19, 2019

Just released:
Snort Subscriber Rule Set Update for June 19, 2019

Cisco Talos released the latest SNORTⓇ rule set overnight. This release includes 24 new rules, 10 of which are shared object rules. There are also four modified rules, two of which are shared object rules.

This release provides coverage for several vulnerabilities Cisco recently disclosed in its Prime Service Catalog and some RV routers. Several different models of RV routers contain bugs in their web-based interface that could allow malicious actors to carry out denial-of-service attacks.

There were no changes made to the snort.conf in this release.

Tuesday, June 18, 2019

Snort rule update for June 18, 2019

Just released:
Snort Subscriber Rule Set Update for June 18, 2019

Cisco Talos released the latest SNORT® rule set today. This release includes 12 new rules and 10 modified rules, none of which are shared object rules.

This release provides protection against the new HiddenWasp malware, which has been spotted in the wild targeting Linux systems. This attack shares similarities with other, previous Linux malware. Researchers believe some of the code may even have been copied and pasted from other actors.

There were no changes made to the snort.conf in this release.

Thursday, June 6, 2019

Snort rule update for June 6, 2019

Just released:
Snort Subscriber Rule Set Update for June 6, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 46 new rules, two of which are shared object rules. There are no modified rules in this release.

In this release, we have new protections for a series of serious vulnerabilities in the Kace K1000 systems management appliance from Quest, as well as bugs in VMware.

There were no changes made to the snort.conf in this release.

Tuesday, June 4, 2019

Snort rule update for June 4, 2019

Just released:
Snort Subscriber Rule Set Update for June 4, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 19 new rules, two of which are shared object rules. There are also two modified shared object rules.

This release provides coverage for a vulnerability in a popular WordPress plugin that's being exploited in the wild by attackers to inject malicious JavaScript into sites. There's also protection against a recently patched bug in Apple WebKit.

There were no changes made to the snort.conf in this release.

Tuesday, May 28, 2019

Snort rule update for May 28, 2019

Just released:
Snort Subscriber Rule Set Update for May 28, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 46 new and five modified rules, none of which are shared object rules.

This release provides coverage for several vulnerabilities in Adobe Acrobat Reader, which Adobe disclosed earlier this month as part of their monthly security update. There is also coverage for a recently disclosed privilege escalation zero-day vulnerability in Windows Installer.

There were no changes made to the snort.conf in this release.

Thursday, May 23, 2019

Snort rule update for May 23, 2019

Just released:
Snort Subscriber Rule Set Update for May 23, 2019

Cisco Talos released the latest SNORTⓇ rule set today. This release includes 29 new and 27 modified rules, none of which are shared object rules.

This release provides coverage for JasperLoader, a malware loader we've reported on several times. Most recently, we discovered JasperLoader being used in targeted attacks against users in Italy.

There were no changes made to the snort.conf in this release.

Tuesday, May 21, 2019

Snort rule update for May 20, 2019

Just released:
Snort Subscriber Rule Set Update for May 20, 2019

Last night, Cisco Talos released the latest SNORTⓇ rule set. This release includes 18 new rules, three of which are shared object rules. There are also eight modified rules.

This release includes coverage for indicators associated with CVE-2019-0708, a remote code execution vulnerability in Microsoft Remote Desktop Services — formerly known as Terminal Services. This is a highly publicized vulnerability from Microsoft, which the company disclosed last week as part of its monthly security update. The vulnerability is wormable, meaning future malware that exploits this bug could spread from system to system.

There were no changes made to the snort.conf in this release.

Thursday, May 16, 2019

Snort rule update for May 16, 2019

Just released:
Snort Subscriber Rule Set Update for May 16, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes seven new and modified rules, including three shared object rules each.

This release mainly provides coverage for the vulnerabilities Cisco disclosed last week in several of its products, including Prime Infrastructure and WebEx.

There were no changes made to the snort.conf in this release.

Wednesday, May 15, 2019

Entries for the Snort scholarship are now closed

Thanks to everyone who applied to our 2019 SNORTⓇ scholarship this year. Entries are now closed.

Please keep an eye on the blog here or on our Twitter account in the coming weeks, where we'll announce the winners!

Tuesday, May 14, 2019

Snort rule update for May 14, 2019 — Microsoft Patch Tuesday

Just released:
Snort Subscriber Rule Set Update for May 14, 2019

The newest SNORTⓇ rule set is here from Cisco Talos. In this release, we introduced 53 new rules, five of which are shared object rules. There are also two modified rules.

This release covers Microsoft Patch Tuesday, which included fixes for 79 vulnerabilities. You can read more about the bugs that Microsoft disclosed over at the Talos blog.

Thursday, May 9, 2019

Snort rule update for May 9, 2019

Just released:
Snort Subscriber Rule Set Update for May 9, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 24 new rules, none of which are shared object rules. There are no modified rules in this release.

This release provides new coverage for a slew of malware families, including FormBook, Pirpi and the recently discovered BuckEye.

There were no changes made to the snort.conf in this release.

Tuesday, May 7, 2019

Snort rule update for May 7, 2019

Just released:
Snort Subscriber Rule Set Update for May 7, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 27 new rules, six of which are shared object rules. There are also seven modified rules, four of which are shared object rules.

This release provides additional coverage for vulnerabilities in Oracle WebLogic. Multiple researchers have discovered attackers exploiting these bugs to deliver a variety of malware, most recently Gandcrab.

There were no changes made to the snort.conf in this release.

Thursday, May 2, 2019

Snort rule update for May 2, 2019

Just released:
Snort Subscriber Rule Set Update for May 2, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 34 new rules, four of which are shared object rules. There are also seven modified rules, one of which is a shared object rule.

This release is the first of a number of additions to the max-detect policy to make it a heavily detection-focused policy. As such, performance will be impacted if this policy is enabled. It's highly recommended that users test this policy's performance before deploying it in production environments. Therefore, there are a large number of modified rules today that could make downloading this set take longer than usual.
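Whether a rule is active under max-detect, balanced or another policy is recorded in each rule's `metadata:` option (for example `policy balanced-ips drop, policy max-detect-ips drop`), so the extra inspection load the note above warns about can be sized before the policy is enabled. The following script is an added example, not code from the Snort project or Cisco Talos: it parses rule lines, maps policy names to SIDs, and lists the SIDs that max-detect-ips enables beyond a baseline policy. The rules in `SAMPLE_RULES` are constructed for the example and their SIDs are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample rules (not from the Talos rule set); SIDs are placeholders.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule in balanced and max-detect"; flow:to_server,established; content:"/example"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE rule in max-detect only"; flow:to_server,established; content:"/noisy"; metadata:policy max-detect-ips drop; sid:9000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE commented-out rule"; content:"/off"; metadata:policy max-detect-ips drop; sid:9000003; rev:1;)
alert udp any any -> any 53 (msg:"EXAMPLE rule with no policy metadata"; content:"|00 01|"; sid:9000004; rev:1;)
'''

# "policy <name>-ips <action>" entries inside the metadata option.
POLICY_RE = re.compile(r'policy\s+([a-z\-]+ips)\s+(alert|drop)')
SID_RE = re.compile(r'sid:\s*(\d+);')
META_RE = re.compile(r'metadata:([^;]*);')


def policy_membership(rules_text):
    """Map each policy name to the set of SIDs whose metadata lists it.
    Commented-out rules are skipped: they are not active in any policy."""
    membership = defaultdict(set)
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue
        sid = int(sid_match.group(1))
        meta_match = META_RE.search(line)
        if not meta_match:
            continue  # no policy metadata: the rule belongs to no policy
        for policy, _action in POLICY_RE.findall(meta_match.group(1)):
            membership[policy].add(sid)
    return dict(membership)


def max_detect_only(rules_text, baseline='balanced-ips'):
    """SIDs that max-detect-ips enables beyond the baseline policy: the set that
    accounts for the extra inspection cost of switching to max-detect."""
    membership = policy_membership(rules_text)
    extra = membership.get('max-detect-ips', set()) - membership.get(baseline, set())
    return sorted(extra)


if __name__ == '__main__':
    for policy, sids in sorted(policy_membership(SAMPLE_RULES).items()):
        print(f'{policy}: {len(sids)} rule(s)')
    print('max-detect-ips adds over balanced-ips:', max_detect_only(SAMPLE_RULES))
```

To run this against a real rule set, replace `SAMPLE_RULES` with the contents of the downloaded `.rules` files; the size of the `max_detect_only` list is the first number to look at when estimating the performance impact the note above describes.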

There were no changes made to the snort.conf in this release.

Tuesday, April 30, 2019

Snort rule update for April 30, 2019

Just released:
Snort Subscriber Rule Set Update for April 30, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 34 new rules, four of which are shared object rules. There are also seven modified rules, one of which is a shared object rule.

This release provides protection from attackers exploiting a zero-day vulnerability in Oracle WebLogic servers. Attackers are exploiting this bug to deliver a new ransomware called "Sodinokibi."

There were no changes made to the snort.conf in this release.

Tuesday, April 23, 2019

Snort rule update for April 23, 2019

Just released:
Snort Subscriber Rule Set Update for April 23, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 11 new rules, four of which are shared object rules. There are also 15 modified rules, none of which are shared object rules.

This release provides new coverage for the infamous Emotet malware, traditionally spread via spam. There are also two new rules for the Microsoft Windows IOleCvt vulnerability disclosed earlier this month as part of Microsoft's monthly security update.

There were no changes made to the snort.conf in this release.

Thursday, April 18, 2019

Snort rule update for April 18, 2019

Just released:
Snort Subscriber Rule Set Update for April 18, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 22 new rules, 11 of which are shared object rules. There are also nine modified rules, none of which are shared object rules.

This release provides coverage for a critical flaw in Cisco's ASR 9000 series of routers. In all, the company disclosed 29 vulnerabilities, but the most serious one had a severity rating of 9.8 out of a possible 10.

Wednesday, April 17, 2019

Snort blog comments are now disabled

As the topic of the post says, blog comments on this blog are now disabled.

Why?

99% (percentage is entirely made up, but most likely more accurate than non-accurate) of all the comments were spam. The majority of my time moderating the comments on the blog was spent mashing the "Spam" button.

Every once in a while a real comment would appear on the blog, and 99% of those comments were answered by me answering with "Go to the mailing lists".

So, in the interest of my sanity, and the fact that the mailing lists provide a better answer and conversational interaction than a blog comment ever could, I've disabled blog comments.

Please direct your questions to the Snort mailing lists: https://www.snort.org/community

Thanks all!

Tuesday, April 16, 2019

Snort rule update for April 16, 2019

Just released:
Snort Subscriber Rule Set Update for April 16, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 39 new rules, 12 of which are shared object rules. There are also three modified rules, none of which are shared object rules.

This release provides coverage for a zero-day vulnerability in Microsoft Internet Explorer. This bug could allow an attacker to steal files from a user's machine, even if they are not actively using the web browser.

Monday, April 15, 2019

Applications for 2019 Snort scholarship are now open


Are you a high school student planning on acquiring a college technology degree? Let Snort help you get there.

The Snort Scholarship program is back this year, and once again, we are awarding two $10,000 scholarships to two individuals attending an accredited college or university in the 2019-2020 academic year.

You can apply for the scholarship here.

To be eligible for the scholarship, you must:

  • Have or be eligible to receive your high school diploma or an equivalent in 2019 as of the date Cisco receives your application.
  • Provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cybersecurity or a similarly related field of study from a school located in the U.S. or a U.S. territory. 

To apply for the scholarship, you must answer a series of short essay questions, which will be our main basis for how we select the winners. You must submit your application by May 15, 2019.

For more information about contest rules, eligibility requirements, or to complete a submission, visit our Snort Scholarship page.

Thursday, April 11, 2019

Snort rule update for April 11, 2019

Just released:
Snort Subscriber Rule Set Update for April 11, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 33 new rules, two of which are shared object rules. There are also seven modified rules.

In addition to our new rules today, we also have a new version of Snort: 2.9.13.0. Here's a roundup of the new improvements and features.

Snort 2.9.13.0 has been released

Please join us as we welcome SNORTⓇ 2.9.13.0 to the family.

The release notes for the newest version are below:

New Additions
  • Snort now supports reload on snort rules update.
  • Addition of a scenario to add a packet to blacklist verdict to ensure the new session will be allowed.
  • Handled a new pre-processor alert in case of an improper end of the HTTP header.
Improvements
  • Modified the calculation of file hash for FTP/HTTP with offset values.
  • Fixed portal authentication connection stuck in half closed state.
  • Updated UDP global timeout for a non-standard port.
This release also patched the following two vulnerabilities:

As always, we welcome feedback and community participation in Snort on the snort-users mailing list.


Tuesday, April 9, 2019

Snort rule update for April 9, 2019 — Microsoft Patch Tuesday

Just released:
Snort Subscriber Rule Set Update for April 9, 2019

The newest SNORTⓇ rule set is here from Cisco Talos. In this release, we introduced 80 new rules, eight of which are shared object rules. There are also 10 modified rules.

This release covers Microsoft Patch Tuesday, which included fixes for 74 vulnerabilities. You can read more about the bugs that Microsoft disclosed over at the Talos blog.

Friday, April 5, 2019

Update to Snort OpenAppID detectors

We recently released an update to the Snort OpenAppID Detector content.

This release, build 319, includes a total of 2,836 detectors, as well as some additional detectors that came in from the open-source community. For more details on which contributions we included, see the "Authors" file in this package.

The update is available for download now from our downloads page. We look forward to you downloading and using the new features of 2.9.12.0's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Thursday, April 4, 2019

Snort rule update for April 4, 2019

Just released:
Snort Subscriber Rule Set Update for April 4, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 23 new rules and five modified rules, none of which are shared object rules.

This release provides new coverage for the Rietspoof malware discovered earlier this year. The trojan has been spread via instant messages on the Skype video chat platform.

Tuesday, April 2, 2019

Snort rule update for April 2, 2019

Just released:
Snort Subscriber Rule Set Update for April 2, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 33 new rules, three of which are shared object rules. There are also three modified rules and four modified shared object rules.

This release provides coverage for a bug in Huawei's PCManager software that could allow an attacker to bypass security protections in the Windows kernel. There's also a new rule to protect the RV series of Cisco routers, which have been under attack for several months.

Thursday, March 28, 2019

Snort rule update for March 28, 2019

Just released:
Snort Subscriber Rule Set Update for March 28, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 29 new rules, 15 of which are shared object rules. There are also 1,396 modified rules.

The bulk of these modified rules simply add references for the MITRE ATT&CK framework. The MITRE ATT&CK Framework is described in this wiki, which provides a thorough overview of all known attack techniques that adversaries currently employ or have employed in the wild. Each documented technique is accompanied by explanations, examples, detection recommendations, and the related actor(s) that have employed the technique. Talos has added these additional references in the SIDs to provide attack context information for our customers, and to support integration with other systems or reporting requirements.

This release provides coverage for several vulnerabilities Cisco disclosed this week in IOS XE. These bugs could allow an attacker to gain access to sensitive configuration information on many of Cisco's small and home office (SOHO) routers.

Tuesday, March 26, 2019

Snort rule update for March 26, 2019

Just released:
Snort Subscriber Rule Set Update for March 26, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 52 new rules and four modified rules, none of which are shared object rules.

In this release, we provide coverage for two serious WordPress vulnerabilities that the company patched last week. Both bugs exist in plugins for the content management system and could allow an attacker to execute extensions over top of websites. There's also protection from the IceID banking trojan and the Yatron ransomware.

Thursday, March 21, 2019

Snort rule update for March 21, 2019

Just released:
Snort Subscriber Rule Set Update for March 21, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 20 new rules, three new shared object rules and one modified rule.

In this release, we have coverage for a new variant of the Mirai botnet. Recently, researchers discovered a new wave of attacks targeting presentation software and devices. There is also protection against several critical vulnerabilities Cisco recently patched in some of its IP phones.

Tuesday, March 19, 2019

Snort rule update for March 19, 2019

Just released:
Snort Subscriber Rule Set Update for March 19, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 50 new rules and six modified rules, none of which are shared object rules.

This release provides coverage for a wide range of vulnerabilities and malware. Most notably, there are new protections from the Rising Sun malware, which was recently linked to the Lazarus Group APT.

Tuesday, March 12, 2019

Snort rule update for March 12, 2019 — Microsoft Patch Tuesday

Just released:
Snort Subscriber Rule Set Update for Feb. 12, 2019

The newest SNORTⓇ rule set is here from Cisco Talos. In this release, we introduced 38 new rules and four shared object rules. There are also 16 modified rules, none of which are shared object rules.

This release covers Microsoft Patch Tuesday, which included fixes for 64 vulnerabilities. You can read more about the bugs that Microsoft disclosed over at the Talos blog.

Thursday, March 7, 2019

Snort rule update for March 7, 2019

Just released:
Snort Subscriber Rule Set Update for March 7, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes three new rules, 15 new shared object rules and seven modified rules, none of which are shared object rules.

In this release, we provide coverage for several vulnerabilities in Cisco products. Most recently, the company published the details of several high-profile bugs that put the Nexus line of switches at risk due to the NX-OS operating system.

Tuesday, March 5, 2019

Snort rule update for March 5, 2019

Just released:
Snort Subscriber Rule Set Update for March 5, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes eight new and modified rules, none of which are shared object rules.

This release provides coverage for two malware families: Crytekk, a ransomware that infects users via a malicious, phony PayPal page, and Arescrypt, another ransomware.

Tuesday, February 26, 2019

Snort rule update for Feb. 26, 2019

Just released:
Snort Subscriber Rule Set Update for Feb. 26, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 25 new and eight modified rules, none of which are shared object rules.

In this release, we continue to provide coverage for the Adobe Acrobat and Reader vulnerabilities disclosed earlier this month. There's also a rule protecting users against a recent critical vulnerability discovered in the Drupal project that could allow an attacker to gain remote code execution privileges.

Thursday, February 21, 2019

Snort rule update for Feb. 21, 2019

Just released:
Snort Subscriber Rule Set Update for Feb. 21, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 15 new rules, five of which are shared object rules. There are also three modified rules, none of which are shared object rules.

In this release, we continue to provide coverage for the Adobe vulnerabilities the company disclosed last week.

Tuesday, February 19, 2019

Snort rule update for Feb. 19, 2019

Just released:
Snort Subscriber Rule Set Update for Feb. 19, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 26 new rules and six modified rules, none of which are shared object rules.

In this release, we provide additional coverage for the slew of vulnerabilities Adobe disclosed last week, as well as protection against the Keymarble malware.

Thursday, February 14, 2019

Snort rule update for Feb. 14, 2019

Just released:
Snort Subscriber Rule Set Update for Feb. 14, 2019

The newest SNORT® rule set was released today, courtesy of Cisco Talos. This release includes 14 new rules, five of which are shared object rules. There are also two modified rules.

In this release, we provide coverage for several vulnerabilities in Adobe Acrobat Reader. Adobe released security updates for several of their products earlier this week.

Tuesday, February 12, 2019

Snort rule update for Feb. 12, 2019 — Microsoft Patch Tuesday

Just released:
Snort Subscriber Rule Set Update for Feb. 12, 2019

The newest SNORTⓇ rule set is here from Cisco Talos. In this release, we introduced 50 new rules, none of which are shared object rules. There are also eight modified rules, including two that are shared object rules.

This release covers Microsoft Patch Tuesday, which included fixes for 49 vulnerabilities. You can read more about the bugs that Microsoft disclosed over at the Talos blog.

Thursday, February 7, 2019

Snort rule update for Feb. 7, 2019

Just released:
Snort Subscriber Rule Set Update for Feb. 7, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 30 new rules and two modified rules, none of which are shared object rules.

This release includes numerous rules for DarthMiner, a cryptocurrency miner targeting Macs. The malware aims to infiltrate machines and then steal users' cryptocurrency-related logins.

Wednesday, February 6, 2019

The most-used Snort signatures of 2018

Despite headline-making cyber attacks popping up again and again in 2018, SNORT® was still on the front lines protecting users on a day-to-day basis.

Snort signatures protected our customers from some of the most common attacks that, even though they aren't as widely known, could be just as disruptive as something like Olympic Destroyer, a malware Cisco Talos discovered early last year.

To get an idea of what attackers used most last year, we broke down the Snort rules that fired most frequently. See the full list over at the Talos blog here.

Tuesday, February 5, 2019

Snort rule update for Feb. 5, 2019

Just released:
Snort Subscriber Rule Set Update for Feb. 5, 2019

The newest SNORT® rule set was just released, courtesy of Cisco Talos. This release includes 14 new rules, including three shared object rules. There are also four modified rules, none of which are shared object rules.

Tuesday, January 29, 2019

Snort rule update for Jan. 29, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 29, 2019

Cisco Talos released the newest SNORT® rule set today. This release includes 63 new rules, 10 of which are shared object rules. There are also two modified rules, one of which is a shared object rule.

This release provides new coverage for the Mongo Lock ransomware, which targets accessible and unprotected MongoDB databases, as well as the Qakbot banking trojan.

Thursday, January 24, 2019

Snort rule update for Jan. 24, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 24, 2019

The latest SNORT® rule set is here from Cisco Talos. This release includes 12 new rules and 17 new shared object rules, along with six modified rules, none of which are shared object rules.

In this release, Talos provides coverage for several vulnerabilities that Cisco recently disclosed in some of its products, including WebEx Teams and the RV series of wireless routers.

Tuesday, January 22, 2019

Time for a change

To the Snort community,

It’s been 20 years since that fateful December night when I sent the first release of Snort over to Ken Williams at PacketStorm.  It was my first attempt at working on an open source project and another step for me in the process of learning about security tools, their application and the reasons they work and don’t work.  Almost exactly two years later, Snort was something of a phenomenon and I decided to try to make it my day job by founding Sourcefire and “going pro.”  Here we are now, 20 years down the road with over 100 releases of Snort under our belt — the global standard for describing and detecting network-based threats. 

In 2013, Sourcefire was acquired by Cisco, and Snort became the foundation for Cisco’s core NGFW and NGIPS products. Last year, Snort 3 entered beta, and the integration work is underway by our NGFW team to make it the future of Cisco’s platform.

This has been an amazing journey and I can’t help but be proud of everything that has been accomplished and all the people who made it happen, both within the organization that I serve as well as from the open source community that grew up around Snort.  After Sourcefire was acquired by Cisco, I stepped into the Chief Architect role for the Security Business Group and worked on the technology strategy and design for the company’s security portfolio and evangelized our approach to the world. 

Now, after five years with Cisco, it’s time for me to move on to the next adventure and also move from being on the team behind Snort to the user community that surrounds it.

Taking this big step away from Snort doesn’t worry me because I know that we’ve built not just world-class technology, but also a world-class team here at Cisco and still, even after all this time, one of the best security communities in the world.  I expect that will continue with me over *here* instead of over *there,* if you take my meaning. 

Snort’s in great hands at Cisco with a team that’s committed to open source and big plans for the future of the technology. Russ Combs, who has written a vast majority of the code for Snort 3 (it’s awesome, check it out — we need beta feedback!), will remain as the lead developer. Joel Esler will continue as Community Manager and maintain the bridge between the team and the open source community.

I’ll be blogging periodically on Medium as I move on to my next adventure. If you’re interested, my inaugural post to talk a little more about the journey so far is available here.

Thanks to all of you for everything that you have done to help make my little “rainy days and weekends” obsession into what it has become. This entire journey has been an amazing testament to the power of the open source methodology of software developed for and by communities to innovate and drive technology that everyone wants to use. Without this passionate, engaged community I know that Snort would have been nothing. Again, thank you all so much!

-Marty
January 2019

Snort rule update for Jan. 22, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 22, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 46 new rules and 11 modified rules, none of which are shared object rules.

This release provides coverage for a heap overflow vulnerability in Adobe Acrobat Pro and new malware variants from the Rocke APT, known for their cryptocurrency miners.

Thursday, January 17, 2019

Snort blog post for Jan. 17, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 17, 2019

The newest SNORT® rule set is here from Cisco Talos. This release includes 35 new rules and three modified rules, none of which are shared object rules.

This release provides coverage for several malware families, including a new variant of Bitter remote access tool and the FlawedGrace RAT.

Tuesday, January 15, 2019

Snort rule update for Jan. 15, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 15, 2019

Cisco Talos released the newest SNORTⓇ rule set today. In this release, we introduced 22 new rules, six of which are shared object rules. There are also 11 modified rules, including two shared object rules.

This release provides coverage for a series of malware families, including WindTail, which has shown the ability to avoid detection by antivirus software, and a variant of MuddyWater that's recently been deployed by the Seedworm group.

Friday, January 11, 2019

Snort OpenAppID Detectors have been updated

An update has been released today for the Snort OpenAppID Detector content. This release, build 308, includes:
  • A total of 2,833 detectors.
  • Additional detectors contributed by the open source community. The contributors whose work was included are listed in the AUTHORS file in this package.
The update is available now from our downloads page. We look forward to you downloading it, using the new features of the 2.9.12.0 OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Thursday, January 10, 2019

Snort rule update for Jan. 10, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 10, 2019

Cisco Talos released the newest SNORTⓇ rule set today. In this release, we introduced 19 new rules, none of which are shared object rules. There are also 56 modified rules.

This release continues to provide coverage for a slew of bugs that Adobe reported in Acrobat and Reader earlier this month. It also includes new protection against the UPPERCUT backdoor, most recently seen in the wild being used by APT10.

Wednesday, January 9, 2019

Snort 2.9.11.0 end-of-life reminder

This is a reminder that SNORTⓇ version 2.9.11.0 will be shut down tomorrow, Jan. 10.

We first notified users that this version of Snort was reaching its end of life in October as the number of users began to wane. We encouraged everyone to update to the latest version of Snort to avoid any service interruptions.

We are working on revising Snort’s end-of-life policy for other versions going forward. We will begin to shut down versions of Snort that make up 10 percent or less of our downloads, or whose superseding version has been available for five years, whichever comes first. We will release more details about this in the future.

Snort.org and the Documentation Saga: A Survey

Cisco users with Firepower Threat Defense (FTD) on an Adaptive Security Appliance (ASA) are running SNORT®, our open-source intrusion prevention system, under the hood, along with a suite of other Talos-fueled security processes. Snort monitors traffic by sniffing packets and comparing their contents against tens of thousands of rules written to detect all kinds of malware and other malicious activity. Our analysts are constantly creating new rules to cover vulnerabilities in a wide range of products. The highly active open-source community around Snort adds rules for general and niche network configurations as well.

Tuesday, January 8, 2019

Snort rule update for Jan. 8, 2019 — Microsoft Patch Tuesday

Just released:
Snort Subscriber Rule Set Update for Jan. 8, 2019

The newest SNORTⓇ rule set is here from Cisco Talos. In this release, we introduced 50 new rules, none of which are shared object rules. There are also eight modified rules, including two that are shared object rules.

This release covers Microsoft Patch Tuesday, which included fixes for 49 vulnerabilities. You can read more about the bugs that Microsoft disclosed over at the Talos blog.

Monday, January 7, 2019

The return of the Snort community rule contest

After a brief hiatus, the SNORTⓇ community rule contest is back. Here at Snort, we always strive to improve our detection. And we appreciate it when our community joins in the fight against the bad guys.

We are reviving the contest as a way to thank those of you who regularly engage with us and submit rules that we wind up deploying. While the old contest ran on a monthly basis, this time around, we will be giving out prizes on a quarterly basis.

Each quarter, we will give out a Snort-themed prize — whether it be a calendar, T-shirt, mug or something else exciting — to the community member who submits the most rules to us during that time. Be sure to follow us on Twitter each quarter to see who the winner is. If you are the winner, be sure to keep an eye out in your inbox for details on how to claim your prize.

We are accepting signatures into the community ruleset (GPLv2 licensed) via the Snort-Sigs mailing list, which anyone may join here. If you’d like to submit to the Snort ruleset, please include your rule and the research behind it (pcap, ASCII dump, references, etc.).

When we receive a signature, we will follow our standard internal procedures (which involve heavy QA of the signature, testing, optimization for performance, and perhaps sending the rule out to our internal and external testing groups).

You may reference the Snort Users Manual for general rules questions, as well as, of course, discussing it among fellow Snort rule writers in the aforementioned mailing list.

The rules will be released in the Snort rule set and are available to our customers and the Snort community as a whole via our normal community rule distribution process, published daily, with full attribution given to the author.

As always, false positive reports belong here after logging in.

The community member with the most accepted rules each quarter will receive some Snort goodies. Keep in mind that we must accept the rules for them to be counted toward your total for the quarter. For example, if you write a rule that simply matches an ICMP response on the network, we are not going to accept it.

We thank the community in advance for rule submissions, as well as continued submission of false positive reports.

Thursday, January 3, 2019

Snort Subscriber Rule Set Update for 01/03/2019

Just released:
Snort Subscriber Rule Set Update for 01/03/2019

We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules, one of which is a shared object rule, and made modifications to eight additional rules, none of which are shared object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-other, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!