Tuesday, January 29, 2019

Snort rule update for Jan. 29, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 29, 2019

Cisco Talos released the newest SNORT® rule set today. This release includes 63 new rules, 10 of which are shared object rules. There are also two modified rules, one of which is a shared object rule.

This release provides new coverage for the Mongo Lock ransomware, which targets accessible and unprotected MongoDB databases, as well as the Qakbot banking trojan.

Thursday, January 24, 2019

Snort rule update for Jan. 24, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 24, 2019

The latest SNORT® rule set is here from Cisco Talos. This release includes 12 new rules and 17 new shared object rules, along with six modified rules, none of which are shared object rules.

In this release, Talos provides coverage for several vulnerabilities that Cisco recently disclosed in some of its products, including WebEx Teams and the RV series of wireless routers.

Tuesday, January 22, 2019

Time for a change

To the Snort community,

It’s been 20 years since that fateful December night when I sent the first release of Snort over to Ken Williams at PacketStorm.  It was my first attempt at working on an open source project and another step for me in the process of learning about security tools, their application and the reasons they work and don’t work.  Almost exactly two years later, Snort was something of a phenomenon and I decided to try to make it my day job by founding Sourcefire and “going pro.”  Here we are now, 20 years down the road with over 100 releases of Snort under our belt — the global standard for describing and detecting network-based threats. 

In 2013, Sourcefire was acquired by Cisco, and Snort became the foundation for Cisco’s core NGFW and NGIPS products. Last year, Snort 3 entered beta, and the integration work is underway by our NGFW team to make it the future of Cisco’s platform.

This has been an amazing journey and I can’t help but be proud of everything that has been accomplished and all the people who made it happen, both within the organization that I serve as well as from the open source community that grew up around Snort.  After Sourcefire was acquired by Cisco, I stepped into the Chief Architect role for the Security Business Group and worked on the technology strategy and design for the company’s security portfolio and evangelized our approach to the world. 

Now, after five years with Cisco, it’s time for me to move on to the next adventure and also move from being on the team behind Snort to the user community that surrounds it.

Taking this big step away from Snort doesn’t worry me because I know that we’ve built not just world-class technology, but also a world-class team here at Cisco and still, even after all this time, one of the best security communities in the world.  I expect that will continue with me over *here* instead of over *there,* if you take my meaning. 

Snort’s in great hands at Cisco with a team that’s committed to open source and big plans for the future of the technology. Russ Combs, who has written a vast majority of the code for Snort 3 (it’s awesome, check it out — we need beta feedback!), will remain as the lead developer. Joel Esler will continue as Community Manager and maintain the bridge between the team and the open source community.

I’ll be blogging periodically on Medium as I move on to my next adventure. If you’re interested, my inaugural post to talk a little more about the journey so far is available here.

Thanks to all of you for everything that you have done to help make my little “rainy days and weekends” obsession into what it has become. This entire journey has been an amazing testament to the power of the open source methodology of software developed for and by communities to innovate and drive technology that everyone wants to use. Without this passionate, engaged community I know that Snort would have been nothing. Again, thank you all so much!

January 2019

Snort rule update for Jan. 22, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 22, 2019

Cisco Talos just released the newest SNORT® rule set. This release includes 46 new rules and 11 modified rules, none of which are shared object rules.

This release provides coverage for a heap overflow vulnerability in Adobe Acrobat Pro and new malware variants from the Rocke APT, known for their cryptocurrency miners.

Thursday, January 17, 2019

Snort blog post for Jan. 17, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 17, 2019

The newest SNORT® rule set is here from Cisco Talos. This release includes 35 new rules and three modified rules, none of which are shared object rules.

This release provides coverage for several malware families, including a new variant of Bitter remote access tool and the FlawedGrace RAT.

Tuesday, January 15, 2019

Snort rule update for Jan. 15, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 15, 2019

Cisco Talos released the newest SNORTⓇ rule set today. In this release, we introduced 22 new rules, six of which are shared object rules. There are also 11 modified rules, including two shared object rules.

This release provides coverage for a series of malware families, including WindTail, which has shown the ability to avoid detection by antivirus software, and a variant of MuddyWater that has recently been deployed by the Seedworm group.

Friday, January 11, 2019

Snort OpenAppID Detectors have been updated

An update has been released today for the Snort OpenAppID Detector content. This release, build 308, includes:
  • A total of 2,833 detectors. 
  • It also includes some additional detectors that came in from the open source community. For more details on which contributions were included, we have added them in the AUTHORS file in this package.
Available now for download from our downloads page. We look forward to you downloading and using the new features of Snort's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content.  Please visit the mailing lists page to sign up.

Thursday, January 10, 2019

Snort rule update for Jan. 10, 2019

Just released:
Snort Subscriber Rule Set Update for Jan. 10, 2019

Cisco Talos released the newest SNORTⓇ rule set today. In this release, we introduced 19 new rules, none of which are shared object rules. There are also 56 modified rules.

This release continues to provide coverage for a slew of bugs that Adobe reported in Acrobat and Reader earlier this month. It also includes new protection against the UPPERCUT backdoor, most recently seen in the wild being used by APT10.

Wednesday, January 9, 2019

Snort end-of-life reminder

This is a reminder that SNORTⓇ version will be shut down tomorrow, Jan. 10.

We first notified users that this version of Snort was reaching its end of life in October as the number of users began to wane. We encouraged everyone to update to the latest version of Snort to avoid any service interruptions.

We are working on revising Snort’s end-of-life policy for other versions going forward. We will begin to shut down versions of Snort that make up 10 percent or less of our downloads, or versions that have been superseded for five years, whichever comes first. We will release more details about this in the future.

Snort.org and the Documentation Saga: A Survey

Cisco users with Firepower Threat Defense (FTD) on an Adaptive Security Appliance (ASA) are running SNORT®, our open-source intrusion prevention system, under the hood, along with a suite of other Talos-fueled security processes. Snort monitors traffic by sniffing packets and comparing their contents against tens of thousands of rules written to find all kinds of malware and other malicious activity. Our analysts are constantly creating new rules to cover vulnerabilities in a wide range of products. The highly active open-source community around Snort adds rules for general and niche network configurations, as well.

Tuesday, January 8, 2019

Snort rule update for Jan. 8, 2019 — Microsoft Patch Tuesday

Just released:
Snort Subscriber Rule Set Update for Jan. 8, 2019

The newest SNORTⓇ rule set is here from Cisco Talos. In this release, we introduced 50 new rules, none of which are shared object rules. There are also eight modified rules, including two that are shared object rules.

This release covers Microsoft Patch Tuesday, which included fixes for 49 vulnerabilities. You can read more about the bugs that Microsoft disclosed over at the Talos blog.

Monday, January 7, 2019

The return of the Snort community rule contest

After a brief hiatus, the SNORTⓇ community rule contest is back. Here at Snort, we always strive to improve our detection. And we appreciate it when our community joins in the fight against the bad guys.

We are reviving the contest as a way to thank those of you who regularly engage with us and submit rules that we wind up deploying. While the old contest ran on a monthly basis, this time around, we will be giving out prizes on a quarterly basis.

Each quarter, we will give out a Snort-themed prize — whether it be a calendar, T-shirt, mug or something else exciting — to the community member who submits the most rules to us during that time. Be sure to follow us on Twitter each quarter to see who the winner is. If you are the winner, be sure to keep an eye out in your inbox for details on how to claim your prize.

We are accepting signatures into the community ruleset (GPLv2 licensed) via the Snort-Sigs mailing list, which anyone may join here. If you’d like to submit to the Snort ruleset please include your rule and research behind it (pcap, ASCII dump, references, etc.).

When we receive a signature, we will follow our standard internal procedures (which involves heavy QA of the signature, testing, optimization for performance, and perhaps sending the rule out to our internal and external testing groups).

You may reference the Snort Users Manual for general rules questions, as well as of course discussing it among fellow Snort rule writers in the aforementioned mailing list.

The rules will be released in the Snort rule set and are available to our customers and the Snort community as a whole via our normal community rule distribution process, published daily, with full attribution given to the author.

As always, false positive reports belong here after logging in.

The top submitter of accepted rules for each quarter will receive some Snort goodies. Keep in mind that we must accept the rules for them to be counted toward your total for the quarter. For example, if you write a rule that simply fires on any ICMP response on the network, we are not going to accept it.
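To make concrete both what the Documentation Saga post above describes (packet contents compared against rule options) and what a contest submission looks like in rule syntax, here is an added example in Python. It is not Snort's engine or any Talos rule: it parses a small subset of Snort rule syntax (header, msg, content with |hex| escapes, nocase, sid, rev), runs the rules over packets represented as plain dicts, and reports hits. The two rules, the packets and the sids in the local 1000000+ range are all constructed for this illustration.

```python
"""Toy matcher for a small subset of Snort rule syntax (added example, not Snort code).

Handles: rule header (action proto src sport -> dst dport) and the options
msg, content (with |hex| byte escapes), nocase, sid and rev. Addresses are
accepted but not evaluated; other options are parsed and ignored.
"""
import re
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\w+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*'
    r'\((?P<opts>.*)\)\s*$', re.DOTALL)
# keyword[:value]; a quoted value may itself contain ';'
OPTION_RE = re.compile(r'\s*(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
HEX_RE = re.compile(r'\|([0-9A-Fa-f\s]+)\|')


def decode_content(value: str) -> bytes:
    """'User-Agent|3a 20|' -> b'User-Agent: ' (Snort's |..| hex byte notation)."""
    out, pos = bytearray(), 0
    for m in HEX_RE.finditer(value):
        out += value[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(''.join(m.group(1).split()))
        pos = m.end()
    out += value[pos:].encode('latin-1')
    return bytes(out)


@dataclass
class Rule:
    action: str
    proto: str
    sport: str
    dport: str
    msg: str
    sid: int
    rev: int
    contents: List[Tuple[bytes, bool]] = field(default_factory=list)  # (pattern, nocase)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError('unparseable rule header: %r' % text)
    contents: List[Tuple[bytes, bool]] = []
    meta: Dict[str, Any] = {'msg': '', 'sid': 0, 'rev': 1}
    for kw, val in OPTION_RE.findall(m.group('opts')):
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        if kw == 'content':
            contents.append((decode_content(val), False))
        elif kw == 'nocase':  # modifies the most recent content keyword
            contents[-1] = (contents[-1][0].lower(), True)
        elif kw in ('sid', 'rev'):
            meta[kw] = int(val)
        elif kw == 'msg':
            meta['msg'] = val
    return Rule(m.group('action'), m.group('proto').lower(), m.group('sport'),
                m.group('dport'), meta['msg'], meta['sid'], meta['rev'], contents)


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, an open or closed range 'lo:hi', or a '!' negation."""
    if spec.startswith('!'):
        return not port_matches(spec[1:], port)
    if spec == 'any':
        return True
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Dict[str, Any]) -> bool:
    if rule.proto != 'ip' and rule.proto != pkt['proto']:
        return False
    if not (port_matches(rule.sport, pkt['sport']) and port_matches(rule.dport, pkt['dport'])):
        return False
    payload: bytes = pkt['payload']
    lowered = payload.lower()
    # contents without relative modifiers are independent: every one must appear somewhere
    return all(pat in (lowered if nocase else payload) for pat, nocase in rule.contents)


def run_rules(rules: List[Rule], packets: List[Dict[str, Any]]) -> List[Tuple[int, int, str]]:
    """One (packet index, sid, msg) tuple per hit, in the order an alert log would list them."""
    return [(i, r.sid, r.msg) for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt)]


# Constructed rules; sids from 1000000 up are the conventional local/custom range.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> any 80 (msg:"EXAMPLE HTTP request from evilbot user agent"; '
    'content:"User-Agent|3a 20|"; content:"evilbot"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> any 27017 (msg:"EXAMPLE dropDatabase sent to MongoDB"; '
    'content:"dropDatabase"; sid:1000002; rev:1;)',
)]

# Constructed packets (only the fields the matcher looks at).
PACKETS = [
    {'proto': 'tcp', 'sport': 51234, 'dport': 80,
     'payload': b'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: EvilBot/1.0\r\n\r\n'},
    {'proto': 'tcp', 'sport': 51235, 'dport': 80,
     'payload': b'GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n'},
    {'proto': 'tcp', 'sport': 51236, 'dport': 27017, 'payload': b'\x10\x00\x00\x00dropDatabase\x00'},
    {'proto': 'udp', 'sport': 51237, 'dport': 27017, 'payload': b'dropDatabase'},  # wrong proto
]

if __name__ == '__main__':
    for i, sid, msg in run_rules(RULES, PACKETS):
        print('[1:%d] %s (packet %d)' % (sid, msg, i))
```

Running it prints two hits: the first HTTP packet (both contents present, "evilbot" matched case-insensitively because of nocase) and the TCP packet to 27017. The second HTTP packet lacks the second content and the UDP packet fails the protocol check, which is the same "every header field and every option must match" logic a submitted rule is judged against; a rule with no content and a permissive header, like the ICMP example the contest post rejects, would fire on everything.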

We thank the community in advance for rule submissions, as well as continued submission of false positive reports.

Thursday, January 3, 2019

Snort Subscriber Rule Set Update for 01/03/2019

Just released:
Snort Subscriber Rule Set Update for 01/03/2019

We welcome the introduction of the newest rule release from Talos. In this release we introduced 18 new rules, one of which is a Shared Object rule, and made modifications to eight additional rules, none of which are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset.

Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-other, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure to stay up to date to catch the most emerging threats!