Thursday, December 17, 2020

Removing opensource.gz from rule releases

For many years, we have distributed a file called “opensource.gz," which contained the plaintext rule documents for each of our SNORTⓇ rules.  Since the release of this document, our documentation has improved by leaps and bounds as a result of our most recent project led by our own Kri Dontje, you can read more about those improvements in our prior blog post

Since our documentation is now more “living” and is released with every rule update, we’ve made the decision to no longer chew up the bandwidth to distribute opensource.gz, and instead point your browsers and tools to the official authority for Snort rule docs: Snort.org

The format for rule documentation links is as follows. For example, https://snort.org/rule_docs/1-56720.  Replacing the SID at the end of URL with the SID you are looking for will take you to the most updated document.  

Tools available on the internet and integrators of our ruleset onto their boxes are encouraged to create these links to Snort.org directly from their interfaces as well. 

We DO NOT encourage scraping the data, so please don’t set your “for loop’ed” cURL commands to iterate through the docs and download them — our system may block you. The docs are updated at least twice a week, so we want you to link to them to ensure you are getting the most updated version. 

The latest version of PulledPork will no longer request the opensource.gz file, and future requests for opensource.gz will be met with a 422, 404 or 403 error. 

Snort rule update for Dec. 17, 2020

The latest SNORTⓇ rule update is available now, courtesy of Cisco Talos.

Thursday's release contains numerous rules to protect against various malware families. Among the new rules is one to detect the Egregor ransomware, which is recently experiencing a surge and has even infected retail chain K-Mart's network.

If you haven't already, please check out all of Talos' coverage around the SolarWinds incident. We have new rules protecting against the exploitation of the backdoor in question. And we also have previous detection for the FireEye products affected by this attack.

Here's a breakdown of this morning's rule release:

Shared object rulesModified shared object rulesNew rulesModified rules
90524

Wednesday, December 9, 2020

Snort rule update for Dec. 9, 2020 — FireEye breach detection guidance

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements.

Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. This is even evident in the naming convention used in the coverage designated by FireEye. 

FireEye provided a list of CVEs in their blog to allow customers to assess their vulnerability to the tools. Here is the existing coverage for those CVEs:

Additionally, we've released several new rules that protect against these vulnerabilities, specifically defending against the use of Cobalt Strike. For more, check our full rule advisory here.

Tuesday, December 8, 2020

Snort rule update for Dec. 8, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

Here's a breakdown of this evening's rule release:

Shared object rules Modified shared object rules New rules Modified rules
0 0 9 3

Monday, December 7, 2020

Soft Release: lightSPD, the new rules package for Snort 3



By Patrick Mullen.

Today, we released a new rules and configurations package style, named lightSPD, for Snort 3. 

This is only a "soft" release at this time, so information will be light, but we at Talos wanted to give users the opportunity to take a sneak peek at what is to come. This blog post assumes a basic understanding of running Snort 3. If you need to get up to speed, please download and install Snort 3 and read the documentation for running Snort 3 located on GitHub here. As always, you can find the basics of Snort on our Resources page.

One of the biggest features of the lightSPD package is that it contains configurations for all versions of Snort 3 in one package, and, new to open-source users, it contains multiple policy configurations, rather than just rule sets. Using lightSPD, users can select Snort configurations that are tailored more toward speed or more toward detection and depth of inspection.  

Thursday, December 3, 2020

Snort rule update for Dec. 3, 2020

The latest SNORTⓇ rule release is out this morning, courtesy of Cisco Talos.

Today's rule update includes several new rules protecting against some of the most prevalent malware families in the wild. There are two rules, specifically, for the ever-present Emotet botnet, which is surging at the end of 2020 after a somewhat quiet summer and fall period.

Here's a breakdown of Tuesday's rule release:

Shared object rulesModified shared object rulesNew rulesModified rules
20154

Tuesday, December 1, 2020

Snort rule update for Dec. 1, 2020

This morning, Cisco Talos released the newest SNORTⓇ rule update.

Our latest release includes new rules protecting against the Remcos and Zeus malware, along with several other malware families. 

Here's a breakdown of Tuesday's rule release:

Shared object rules Modified shared object rules New rules Modified rules
2 0 15 8

Tuesday, November 24, 2020

Snort rule update for Nov. 21, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

This morning's release includes protection against several different malware families. There are a few new rules specifically defending against the Zbot (aka Zeus, Zloader, etc.) which was recently spotted targeting adult websites. Other malware families covered in this release include Razy and Zusy.

Here's a breakdown of this morning's rule release:

Shared object rulesModified shared object rulesNew rulesModified rules
250330

Thursday, November 19, 2020

Snort 2.9.17.0 has been released

Join us as we are pleased to release a bug fix version of Snort 2.9.17.0!  First, some release notes:

Snort 2.9.17.0

New Additions

  • Added support for s7Commplus protocol.
  • Support for allowing common names across rule options.
  • Added support to detect TCP Fast Open packets.
Improvements / Fix
  • Added support for HTTP range field parsing to detect if HTTP response/request is indeed partial or full content.
  • Miscellaneous SMB bug fixes.
  • Fixed TCP segment queue hole issue as per the RFC793 recommendation for OOO Ack packet handling.
  • Fixed multiple static analysis issues.
  • Fixed DNS application detector failing to detect DNS traffic in some scenarios
  • Fixed complier warnings
  • Fix to populate original IP in dropped events when inline normalization is enabled in unified2 output method
  • Fixed handling of encrypted traffic by the SIP preprocessor
  • Added port 853 to the SSL detector for DNS over TLS runs on SSL
    • Also improved SIP preprocessor to detect SSL encrypted SIP traffic better
  • Fixes to byte_math operation
  • Fixed GCC 10.1.1 compile issues
  • Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured
  • Fix to address some cases of ambiguous codes between SMTP & FTP and when SMTP server does not support EHLO
  • Fixed AppID caching proxy IP instead of tunneled IP in the dynamic cache during ultrasurf traffic
  • Fixed popup message on Windows uninstall operation
  • Added message to ask users to choose 4.1.1 of winpcap when on Windows.

As always this maintenance release of Snort 2.9.17.0 is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Snort rule update for Nov. 19, 2020

A new rule update is out this morning for SNORTⓇ.

Cisco Talos' newest release includes new rules for the Cisco Integrated Management Controller that protect against a recently disclosed critical vulnerability. There are also new rules protecting against the exploitation of a different critical bug in Cisco's IoT Field Network Director that could allow an adversary to access the back-end database of the affected device and read, alter or drop information.

Here's a breakdown of this morning's rule release:

Shared object rules Modified shared object rules New rules Modified rules
11 5 18 1

Wednesday, November 18, 2020

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for the Snort OpenAppID Detector content.

This release — build 339 — includes:
  • A total of 2,927 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.
The release is available now on our downloads page. We look forward to users downloading and using the new features of 2.9.16.1's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID package is also compatible with our Snort 3.0 release.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Tuesday, November 17, 2020

Snort rule update for Nov. 17, 2020

Cisco Talos just released the newest SNORTⓇ rule update

This set of rules includes a bunch of new protection against a critical bug in the Cisco Security Manager software that could allow a remote attacker without credentials to execute arbitrary code on the victim's device. The latest Security Manager update also patches these exploits. There are two other high-severity vulnerabilities Cisco also disclosed this week.

Here's a breakdown of this afternoon's rule release:

Shared object rules Modified shared object rules New rules Modified rules
8 0 88 2

Tuesday, November 10, 2020

Snort rule update for Nov. 10, 2020 — Microsoft Patch Tuesday

 The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

Here's a breakdown of this evening's rule release:

Shared object rules Modified shared object rules New rules Modified rules
6 3 65 9

Tuesday, October 20, 2020

Snort rule update for Oct. 20, 2020

Cisco Talos released the newest set of rules for SNORTⓇ this morning.

Shared object rules Modified shared object rules New rules Modified rules
11 0 50 503

Tuesday's release is full of new rules protecting against various malware strains. Among them are new protections against Emotet, which is now disguising itself as a fake Windows update. There's also new coverage for the Cerber ransomware and the UPATRE trojan.

Thursday, October 15, 2020

Better application logging with Snort3



By Costas Kleopa.


With the introduction of OpenAppID in SNORT®, we started to provide application-based information for our network flows. A user could enable the AppID preprocessor, load our Open Detector Package (snort-openappid.tgz) from the Snort Downloads page and — with the integration of any third-party tools — we could provide a deeper graphical representation of what’s running over a network. (See the blog here for an example showing Integration with Splunk.) The app_stats logging configuration allowed us to report some basic statistics on what type of traffic we can see per application and the overall traffic size we see during a specific recurring time interval.  


We also provide additional AppID-based control via the IPS rules. These IPS rules were allowing us to block/alert the actual application and ultimately log this information on a per-packet basis. The combination of alert/logging in IPS rules partially met a use case that the field has been asking for, which is logging the application per connection. Unfortunately, this was not the best solution, since this was causing us to report this information per packet and could cause some performance issues with a lot of duplicate data. 

Snort rule update for Oct. 15, 2020

Cisco Talos released the newest set of rules for SNORTⓇ this morning.

Shared object rules Modified shared object rules New rules Modified rules
0 0 11 506

Thursday's release has a new rule to protect against Emotet. The botnet is still out there, and is now using lure documents that promise to provide a Windows operating system update.

Tuesday, October 13, 2020

Snort rule update for Oct. 13, 2020

Cisco Talos released the newest SNORTⓇ rule update, coinciding with Microsoft Patch Tuesday. Here's an overview of today's rule release:

Shared object rules Modified shared object rules New rules Modified rules
6 0 59 513

Thursday's release provides several rules to protect against vulnerabilities in an array of Microsoft's products. For more on Patch Tuesday, check out the full blog over on the Talos site here

Thursday, October 8, 2020

How Talos is handling the transition to Snort 3



By Josh Williams. 

The release of Snort 3 brings with it some exciting changes in rule syntax and capabilities. These changes will make our rules easier to read and understand and will increase in speed. Before we get into these new changes, let's talk about what's staying the same. Cisco Talos will continue our current rule release schedule of Tuesdays and Thursdays with periodic additional releases when major vulnerabilities or malware appear in the wild.  

While moving to Snort 3 comes with a lot of improvements, we also understand that not everyone can switch over right away. We plan to continue releasing Snort 2 versions of rules until seven to 10 years after Snort 2's end of life. This will allow any users who can't upgrade quickly plenty of time to get everything in order. The only downside is that they'll be missing out on Snort 3's improvements. 

Snort rule update for Oct. 8, 2020

A new SNORTⓇ rule release is available this morning, courtesy of Cisco Talos. Here's an overview at this rule set:

Shared object rules Modified shared object rules New rules Modified rules
0 0 5 501

Thursday's release provides a few new rules protecting against the Emotet botnet. Everyone already knows about Emotet, but it continues to grow, most recently targeting state and other local government agencies, according to a recent advisory from the U.S. Cybersecurity and Infrastructure Security Agency.

Thursday, October 1, 2020

Snort rule update for Oct. 1, 2020

A new SNORTⓇ rule release is available this morning, courtesy of Cisco Talos. Here's an overview at this rule set:

Shared object rules Modified shared object rules New rules Modified rules
0 0 17 9

Thursday's release provides new rules protecting against several malware families, including the Razy trojan and the Gamarue botnet.

How to use Snort2lua



By Bhagya Tholpady. 

One of the major differences between Snort 2.X and Snort 3.X is configuration. Snort 2.X configuration files are written in Snort-specific syntax while Snort 3.0 configuration files are written in Lua. Hence, a valid Snort 2.X configuration won’t work with Snort 3 unless it’s converted to Lua. This can be done by using a tool called “Snort2lua” found under the tools/snort2lua directory in the distribution. 

Tuesday, September 29, 2020

Snort rule update for Sept. 29, 2020

 Cisco Talos released the newest SNORTⓇ rule set this morning.

This release includes eight new rules, four new shared object rules, two modified shared object rules and 20 modified rules.

Tuesday's release includes new rules protecting against a vulnerability in the WordPress Nexos plugin, along with a rule to prevent the Uppercut malware from downloading its payload.

Monday, September 28, 2020

New guide for installing Snort 3.0.3 on CentOS

We are excited to release a new guide on the Snort Resources page today to assist users with installing Snort 3.0.3 on CentOS. 

Thanks to user Yaser Mansour for all of their contributions to this document. This is one of the best ways to help out the rest of the Snort community — by submitting things like documentation, guides and answers to our Snort mailing lists.

This guide walks through installing, configuring and testing Snort 3 on CentOS, version 8.1. Some of the
configurations may not be applicable to production sensors. The author encourages all users to test the steps in this guide before enacting permanent changes.

If you haven't already, you can check out the first official release candidate for Snort 3. Stay tuned for a full, public release of Snort 3 later this year.

Converting custom Snort 2 rules for Snort 3 compatibility



By John Levy.

Snort 3 introduces many improvements to simplify rule-writing and increase rule syntax consistency, while at the same time increasing detection robustness and granularity. Converting Snort 2 rules to Snort 3 is a painless process, and this document, while not an exhaustive guide, walks users through some of the more fundamental and significant changes users will need to make to update their custom rules for Snort 3 compatibility.

Thursday, September 24, 2020

Snort rule update for Sept. 24, 2020

Cisco Talos released the newest SNORTⓇ rule set this afternoon.

This release includes 14 new rules, 14 new shared object rules and 51 modified rules.

Thursday's release includes new protection against the Mekotio banking trojan, which disguises itself in a pop-up window. There is also coverage for several vulnerabilities Cisco disclosed in its IOS operating system today.

Wednesday, September 23, 2020

Official Snort 3 release candidate available now



By Jon Munshaw. 

We are thrilled to announce that Snort 3 is out of beta with the release candidate for Snort 3.0.3. Snort 3.1.0 general availability will be available in roughly a month. 

Snort 3 has been in beta for several months now, and we would like to thank all the users who’ve provided us feedback during that period that we’ve used to polish this product. 

Monday, September 21, 2020

Improve Snort 3 performance with Hyperscan



By Steve Chew. 

Snort 3 includes native support for Hyperscan pattern matching.  Hyperscan is an open-source, high-performance, regular expression-matching library from Intel that runs on x86 platforms. It supports a large subset of the PCRE syntax and takes advantage of the Intel SIMD instructions. However, it is not yet available for ARM processors. 

Hyperscan provides a significant boost for Snort 3's IPS fast pattern matching when compared to the other available search engines. Hyperscan is up to two times faster than the ac_full engine and three times faster than ac_bfna. Snort 3 will see the most benefit from Hyperscan when using a large ruleset and when doing deep flow inspection.

Thursday, September 17, 2020

New version of PulledPork available on GitHub

The Snort community welcomes a new version of PulledPork on GitHub today.

Version 0.7.4 now supports Snort 3 and points to the new, correct, location of the IP blocklist. PulledPork is a Perl script that allows users to download new rules as soon as new vulnerabilities or exploits are discovered.

Here are some of the other changes in this version:

  • Supports updating of Snort 3.0 signatures (0.8 will be released when Snort 3.0 moves out of BETA).
  • Fixed some of the logic to allow updating with Perl on Windows
  • ability to modify rules via regex in modifysid.conf
  • Removal of opensource.gz processing (will speed up signature updating)
  • Updated OS Distro list to match so_rules
  • Added error checking around writing to directories that do not exist (i.e., block_list)
  • Updated for new location of block list

Snort rule update for Sept. 17, 2020

Cisco Talos released the newest SNORTⓇ rule set this morning.

This release includes 43 new rules, three modified rules and two new shared object rules.

Thursday's release includes new protection against the Nitol backdoor, the Zeus (aka Zbot) trojan and more.

Tuesday, September 15, 2020

Snort rule update for Sept. 15, 2020

The newest SNORTⓇ ruleset is out this morning, courtesy of Cisco Talos.

The latest update is a big one. We've got 418 new rules, three modified rules and six new shared object rules.

Tuesday's release is packed with new rules to protect against a variety of malware families, including Zeus (aka Zbot), DarkKomet and Gh0stRAT. There is also new coverage for vulnerabilities in the Pulse VPN service. The U.S. Cybersecurity and Infrastructure Security Agency released a warning this week saying that state-sponsored actors are exploiting some previously disclosed vulnerabilities.

Friday, September 11, 2020

Snort rule update for Sept. 10, 2020

Cisco Talos released a new SNORTⓇ rule set yesterday. Our apologies, as this blog post is going up a day late. 

The latest update includes 14 new rules.

Thursday's release included new protections against some notable malware families, including the Delf downloader, which was recently part of a spam campaign in Spain. There are also two rules targeting the DarkSide ransomware, which recently debuted using several professional techniques to give the group a more formal appearance.

Tuesday, September 8, 2020

Snort rule update for Sept. 8, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 173 new rules, 12 modified rules and two modified shared object rules.

Thursday, September 3, 2020

Snort rule update for Sept. 3, 2020

Cisco Talos released a new SNORTⓇ rule set this afternoon. 

The latest update includes 108 new rules and six new shared object rules.

Thursday's release deals mainly with malware. There are dozens of rules protecting against a variety of malware families, including Zusy, the Trickbot trojan and the infamous Emotet botnet.

Tuesday, September 1, 2020

Snort rule update for Sept. 1, 2020

This morning, Cisco Talos released a new SNORTⓇ rule set

The latest update includes 19 new rules and two new shared object rules.

Tuesday's release provides multiple new rules defending against the Lockbit ransomware. The ransomware-as-a-service was most recently spotted targeting users with COVID-19-themed lures

Thursday, August 27, 2020

Snort rule update for Aug. 27, 2020

The newest SNORTⓇ rule set is here, courtesy of Cisco Talos.

The latest update includes 28 new rules, four modified rules and four new shared object rules.

Thursday's release includes coverage for the GoldenSpy malware, which was recently discovered hidden on tax software. There are also a few rules protecting against the recently discovered Duri campaign that delivers malware via HTML smuggling.

Tuesday, August 25, 2020

Snort rule update for Aug. 24, 2020

 Cisco Talos released the newest SNORTⓇ rule set this morning. 

The latest update includes 30 new rules, 10 modified rules and two new shared object rules.

Tuesday's release is loaded with new detection for some infamous malware families, including the Remcos remote access trojan (RAT), the Zeus ransomware and Gafgyt.

Monday, August 24, 2020

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for the Snort OpenAppID Detector content.

This release — build 337 — includes:
  • A total of 2,917 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the AUTHORS file in this package.
The release is available now on our downloads page. We look forward to users downloading and using the new features of 2.9.16.1's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID package is also compatible with our Snort 3.0 release.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Thursday, August 20, 2020

Snort rule update for Aug. 20, 2020

Cisco Talos released the newest SNORTⓇ rule set this morning. 

The latest update includes 18 new rules, five modified rules and four new shared object rules. 

Thursday's release includes several new rules to protect against a decades-old vulnerability recently discovered in Windows machines. The bug could allow an adversary to stop the print spooler process. There's also coverage for CVE-2020-12648, an arbitrary code execution vulnerability in the TinyMCE HTML text editor.

Tuesday, August 18, 2020

Snort rule update for Aug. 18, 2020

 Cisco Talos released the newest SNORTⓇ rule set this afternoon. 

The latest update includes 36 new rules, one modified rule and three new shared object rules. 

Tuesday's release provides new coverage several malware families, including the Sodinokibi ransomware and the Emotet spam botnet. 

One rule, 54793, protects against a newly discovered malware family from a state-sponsored actor. Drovorub, which was first reported on by American intelligence agencies, is a fully formed rootkit targeting Linux machines and networks. A report from CISA and the FBI highlighted this Snort rule.

Thursday, August 13, 2020

Snort rule update for Aug. 13, 2020

The latest rule update for SNORTⓇ is live this morning. 

Cisco Talos' latest release includes six new rules and eight modified rules.

Thursday's release provides new coverage for the Nanocore RAT, which was recently spotted targeting manufacturing companies in India.

Wednesday, August 12, 2020

New guide for installing Snort 3.0.2 on CentOS

We are excited to release a new guide on the Snort Resources page today to assist users with installing Snort 3.0.2, build 4, on CentOS. 

Thanks to user Yaser for all of their contributions to this document. 

This guide walks through installing, configuring and testing Snort 3 on CentOS, version 8.1. Some of the
configurations may not be applicable to production sensors. The author encourages all users to test the steps in this guide before enacting permanent changes.

Build 5 for Snort 3.0.2 available on GitHub

 The SNORT® development team released a new update to Snort 3 (aka Snort++) on GitHub today. 

How rules are improving in Snort 3

 

By Russ Combs and Jon Munshaw. 

There are many ways the user experience will improve in Snort 3 compared to previous versions. We've already outlined things like the improved speed and new features that’ll be in the full release later this year. Now, it’s time to look at what the full Snort 3 release means for the rules themselves. 

Cisco Talos releases new rule sets at least twice a week, and sometimes more depending upon any urgent vulnerabilities or exploits that appear in the wild. With Snort 3, rules are going to be more effective, faster and easier to understand. 

Here’s a look at some of the major changes to Snort rules with Snort 3. There are many more benefits that we’ll get into as well as we get closer to release. 

  • All rules must now have a SID 
  • The SID “0” is not allowed 
  • Deleted active/dynamic rules, unused rule_state.action and metadata engine shared 
  • Removed metadata: rule-flushing. With PDU flushing, some rules could miss attacks 
  • Changed metadata:service one[ to service:one[, two] 
  • soid is now a non-metadata option 
  • Metadata is now truly metadata. There won’t be any effect on detection, as Snort 3 ignores metadata internal structure/syntax. You can use the command line option --metadata-filter to select rules.  Eg snort --c snort.lua --tweaks security -rule-path path/to/talos/rules --metadata-filter "policy security-ips" will select all rules from the security policy. 
  • Snort 3 will automatically determine when something is fast_pattern only. 
  • Rules can fast-pattern sensitive data using Hyperscan with sd_pattern 
  • Deleted the uricontent option. Users should now only use sticky buffer uricontent:”foo” 
  • Deleted urilen raw and norm. Users should now use http_raw_uri and http_uri instead 
  • Added sticky buffers. Buffer selector option smust now also precede contents and remain in effect until changed 
  • Deleted the following PCRE options: B, U, P, H, M, C, I, D, K, S and Y. Users should use sticky buffers instead. 
  • Deleted the unused http_encode option 
  • urilen was replaced with the generic bufferlen, which applies to the current sticky buffer 
  • Added an option selector to http_header 
  • The new http_inspect has new buffers and rule options. Eg: http_param will set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body. 
  • Added alert file and alert service rules 
  • There are #begin and #end comments to allow rule writers to easily comment out multiple lines 
  • Nets and/or ports can now be omitted from rule headers 
  • Snort 3 parses all rules and outputs all errors before quitting 
  • The symbol =< in a byte test is now recognized as a syntax error. The correct symbol is <= 
  • All text mode outputs default to stdout 
  • Changed default logging mode to “-L none” 
  • Deleted log_ascii 
  • Snort 3 now queues decoder and inspector events to the main event queue before IPS policy is selected. Since some events may not be enabled, the queue needs to be sized larger than they would be in Snort 2. 
  • Snort 3 added these fast pattern buffers:  http_raw_uri, http_raw_header, http_stat_code, http_stat_msg, http_cookie, http_method 
  • Unlike Snort 2, the use of service rules does not prevent the use of port rules. 
  • Snort 3 does not require the hosts table (attribute table in Snort 2) in order to use services. 
  • Rules can be included in a config or loaded from the command line with -R file, --rule-path dir, or --stdin-rules. 

Tuesday, August 11, 2020

Snort rule update for Aug. 11, 2020 — Microsoft Patch Tuesday

 The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 55 new rules, 76 modified rules and seven new shared object rules.

Thursday, August 6, 2020

New Snort 3 release available on GitHub

The SNORT® development team released a new update to Snort 3 (aka Snort++) on GitHub today. 

Snort rule update for Aug. 6, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

The latest release includes five new rules, 49 modified rules and nine new shared o.

Thursday's release provides expanded coverage for the vulnerabilities Cisco disclosed in its Data Center Network Manager and the AnyConnect VPN client. There's also a new rule preventing the Ursnif malware from making an outbound connection to its command and control (C2).

Wednesday, August 5, 2020

The major differences that set Snort 3 apart from Snort 2



By Russ Combs and Jon Munshaw. 

We are inching closer to the final release of Snort 3.  

Snort 3.0 is an updated version of the SNORT® Intrusion Prevention System that features a new design and a superset of Snort 2.X functionality that results in better efficacy, performance, scalability, usability and extensibility. 

There are many benefits of upgrading to Snort 3 once the final release is here. In the coming weeks, we’ll be outlining many of these changes to answer users’ most burning questions and assist everyone in the transition.  

Snort 2.9.16.1 has been released

Join us as we are pleased to release a bug fix version of Snort 2.9.16.1!  First, some release notes:

Snort 2.9.16.1

New Additions
  • Added support for GCC version 10.1.1.
Improvements/Fixes
  • Added packet counters to make sure flows with one-way data don't stay pending forever.
  • Fixed potential race condition between reload and exit path.
As always this maintenance release of Snort 2.9.16.1 is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Tuesday, August 4, 2020

Snort rule update for Aug. 4, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

The latest release includes 13 new rules, three modified rules and four new shared object rules.

Tuesday's release provides expanded coverage for the WastedLocker ransomware. This malware family recently expanded its scope, going after several high-profile targets. You can read more about WastedLocker in Talos' research post here.

Thursday, July 30, 2020

Snort rule update for July 30, 2020

The newest Cisco Talos rule release for SNORTⓇ is here.

The latest release includes 21 new rules, four shared object rules and one modified shared object rule.

This release includes new coverage for several different malware families, including the Nanocore RAT and Gh0stRAT. There is also protection against the exploitation of a recently disclosed critical vulnerability in Cisco's Data Center Network Manager.

Tuesday, July 28, 2020

Snort rule update for July 28, 2020

This morning, Cisco Talos released a new rule update for SNORTⓇ.

The latest release includes 14 new rules and six new shared object rules.

This release includes several new rules to protect against the Hakbit ransomware attack that researchers discovered last month. Hakbit, so far, has targeted numerous organizations in Europe via phishing emails with malicious Excel files attached.

Thursday, July 23, 2020

Snort rule update for July 23, 2020

This morning, Cisco Talos released a new rule update for SNORTⓇ.

The latest release includes 30 new rules, four modified rules and seven new shared object rules.

Today's release provides coverage to protect against the Prometei botnet. Talos discovered this botnet mining Monero cryptocurrency recently. For more information, check out all of Talos' research here.

Tuesday, July 21, 2020

Snort rule update for July 21, 2020

There is a new SNORTⓇ rule update available this morning from Cisco Talos.

The latest release includes six new rules, five modified rules and 10 new shared object rules.

Today's release continues our coverage of Microsoft Patch Tuesday. There are new rules that defend against vulnerabilities in Microsoft WalletService that the company disclosed last Tuesday.

Thursday, July 16, 2020

Snort rule update on July 16, 2020 — Additional coverage for Windows DNS vulnerability

Cisco Talos released a second rule update for SNORTⓇ on Thursday, providing additional rules to cover a critical vulnerability in Windows DNS.

Microsoft first disclosed CVE-2020-1350 on Tuesday as part of its monthly security update. While there was one Snort rule released Tuesday to defend against the exploitation of this bug, we have since expanded our coverage with three new rules released today. The vulnerability received a severity score of 10 out of the maximum 10. An adversary could exploit this bug to infect Windows servers with malware and create malicious DNS queries.

Snort rule update for July 16, 2020

Cisco Talos released the latest rule update for SNORTⓇ this afternoon, coinciding with Microsoft Patch Tuesday.

The latest release includes 16 new rules, two modified rules and 23 new shared object rules.

Today's release provides several rules to protect users against vulnerabilities Cisco recently disclosed in its RV series of routers and switches. Adversaries could use these bugs to obtain administrative-level privileges on the devices.

Tuesday, July 14, 2020

Snort rule update for July 14, 2020

Cisco Talos released the latest rule update for SNORTⓇ this afternoon, coinciding with Microsoft Patch Tuesday.

The latest release includes 35 new rules, two modified shared object rules and six new shared object rules.

This release provides coverage for many of the vulnerabilities Microsoft disclosed Tuesday as part of its monthly security update. Most notably, there is a DNS vulnerability that was assigned a severity 10 out of 10. Talos also discovered six critical bugs included this month which affected AMD and Intel chips.

Thursday, July 9, 2020

Snort rule update from July 9, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 1six new rule, two modified rules and 12 new shared object rules.

This release provides another rule covering the major vulnerability in F5 BIG-IP that's made headlines over the past week. Adversaries are using this vulnerability to target big-name organizations using the BIG-IP service.

Monday, July 6, 2020

Snort rule update for July 6 includes coverage for F5 BIG-IP vulnerability

Cisco Talos just released Snort coverage for a prominent vulnerability in F5’s BIG-IP.

BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution over the weekend that was assigned a maximum 10 out of 10 severity score.

CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make their interfaces inaccessible to the internet and patch as soon as possible. The latest Snort rule set also includes rules 54462 to protect users from the exploitation of this vulnerability.

Thursday, July 2, 2020

Snort rule update from July 2, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 11 new rules and four new shared object rules.

This release provides new coverage against the NetWire trojan. Adversaries have recently been exploiting an old Microsoft Equation Editor vulnerability — CVE-2017-1182 — to deliver this malware as the final payload.

Tuesday, June 30, 2020

Snort rule update for June 30, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 18 new rules, four modified rules and six new shared object rules.

Today's release provides new coverage for the Zeus malware, which recently expanded with a new loader. There are also several new rules providing protection against the well-known Valak malware.

Tuesday, June 23, 2020

Snort rule update for June 23, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 15 new rules and one modified rule.

Today's release provides new coverage for the IndigoDrop malware, which Talos recently discovered and reported on. For more information on this threat, which is spreading Cobalt Strike beacons, read the full Talos blog here.

Tuesday, June 16, 2020

Snort rule update for June 16, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 10 new rules, 16 modified rules and eight new shared object rules.

Today's release provides new coverage for several different malware families, including the Agent adware, Nanocore RAT and Tinba dropper.

Updates to Snort guides for CentOS, rule writing in 3

Our documentation on Snort 3 running on CentOS and the Snort Rules Writing guide to Snort 3.

Thanks to community member Yaser for providing the updates.

The Snort 3 guide now has expanded information on logging options — such as syslog and JSON. There is also a new performance optimization section.

The Rules Writing guide has new syntax comparisons for various file_type detection for various Snort versions, as well as a comparison of app ID.

As always, you can view all of our guides on the Snort Documentation page.

Thursday, May 28, 2020

Snort rule update for May 28, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 30 new rules and 15 modified rules.

Today's release continues our wave of Trickbot rules, blocking the trojan that's been spread recently through COVID-19-themed spam emails. There are also new rules preventing the Copperhedge malware family from making outbound connections.

Tuesday, May 26, 2020

New Real-time Network Awareness (RNA) inspector feature added to Snort 3 beta

By Masud Hasan, additional contributions by Jon Munshaw and Joel Esler. 

As we near our “General Availability” (or GA) release of Snort 3.0 later this year, we’re going to be introducing content such as our videos, how-to guides and other installation documents. 

With our most recent release of Snort3’s beta, we added a new inspector “RNA“ to provide network visibility. For those of you that have been using Sourcefire products, you’ll remember this feature as “Real-Time Network Awareness”, a technology that we invented and patented back then.

In this initial release, RNA analyzes passing traffic to discover hosts with filtering based on IP/port/zone. It logs information about these hosts such as protocols, applications and user agents (collected from other modules), and operating systems (using predefined fingerprints). RNA does not generate or alter traffic on its own.  Keep in mind that this preprocessor is a work in progress for Open Source users, and more functionality will be added over time.

To enable host discovery (this feature is disabled by default), you’ll need to look at the config file referred by rna_conf_path (in your snort.conf) can have keywords:

Analyze                      # discover application, host, user (only host discovery is implemented)
AnalyzeHostUser     # discover application, host, user (same as Analyze)
AnalyzeApplication # discover application
AnalyzeHost             # discover application, host
AnalyzeUser             # discover application, user
portexclusion           # don't discover on this port 

Format:
config keyword [!]ip [zone]
portexclusion dst|src|both tcp|udp port ip 
Examples:

config AnalyzeHost 0.0.0.0/0 -1      # discover any ipv4 on any zone
config AnalyzeHost ::/0 2                 # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3   # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64      # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.8.8.8    # exclude this ip for UDP port 53 in destination direction
portexclusion both tcp 4000 ::0/0  # exclude any ipv6 for TCP port 4000 in both direction 
Note that exclusion has a higher priority than inclusion. The enable_logger config enables or disables sending RNA discovery events to EventManager::call_loggers. This type of event logger or reader is not implemented yet. However, since RNA stores host information into host_cache, to log the discovered hosts into a file, users can issue a socket command — host_cache.dump('file.out') — or add lua config — host_cache = { dump_file = 'file.out'}.

For example:
> cat rna.conf 
config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0
> cat snort.lua 
stream = { }
stream_tcp = { }
host_cache = { dump_file = file.out' }
rna = { rna_conf_path = 'rna.conf' } 
Then, run Snort with TCP traffic, such as:
1.1.1.1:23 zone1 <--> 8.8.8.8:22 zone2
2.2.2.2:23 zone3 <--> 9.9.9.9:22 zone4
3.3.3.3:1234 zone1 <--> 2.2.2.2:80 zone2 
The following file.out will be generated when Snort closes, which demonstrates discovered hosts (in the least recently used order) after filtering from the traffic:
IP: 8.8.8.8
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:09:08:07:06:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00

IP: 1.1.1.1
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
                   mac: 02:01:02:03:04:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00 
As always, feedback on this work-in-progress feature may be sent to the Snort Users mailing list.

Thursday, May 21, 2020

Snort rule update for May 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 16 new rules, 12 modified rules, nine modified shared object rules and six new shared object rules.

Today's release provides new coverage for the Trickbot malware family, which was recently used in a spam campaign associated with fake emails alleging to be from the U.S. Department of Labor. We also have rules protecting against CVE-2020-3280, a critical remote code execution vulnerability in Cisco Unified Contact Center.

Wednesday, May 20, 2020

Snort 3 installation guide update for Ubuntu 18 & 19

By Noah Dietrich.

Today, we released Noah's installation guide for the newest version of Snort 3 for Ubuntu 18 and 19. We've provided some highlights below, but you can view the full log of changes, along with a guide of setting up Snort 3 on Ubuntu, here.

Major changes in this release:
  • Tested with Snort 3.0.1 b2
  • Ubuntu 20 LTS support added
  • Ubuntu 19 support removed
  • Removed old environmental variables
  • Added new IP commands to replace ipconfig on Ubuntu 20 
Minor Changes:
  • SafeC updated to 3.5.1
  • Gperftools updated from 2.7.0 to 2.7.90
  • Boost headers updated from 1.71.0 to 1.72.0
  • Hyperscan updated from 5.2.0 to 5.2.1
  • Flatbuffers updated from 1.11 to 1.12
  • Updated openAppId to 12159
  • Replaced community rules with registered rules
  • Updated from Splunk 7.x to Splunk 8.x
  • Configure Splunk startup to use systemD rather than init.
  • Added libcmocka-dev libraries to support DAQ requirements.

Tuesday, May 19, 2020

Snort rule update for May 19, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 20 new rules, four modified rules, seven new shared-object rules and two modified shared-object rules.

Today's release provides new coverage for the Hancitor malware family, which has become increasingly popular in COVID-19-themed phishing campaigns.

Thursday, May 14, 2020

Snort rule update for May 14, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 26 new rules and more than 1,000 modified rules.

Today's release provides new coverage for the Ursnif malware family, which was recently spotted in the wild using COVID-19-themed lure documents. There are also new rules that detect common PowerShell techniques used by the Cobalt Strike family.

Tuesday, May 12, 2020

Snort rule update for May 12, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 83 new rules, two modified rules and five new shared object rules.

Tuesday, May 5, 2020

Snort rule update for May 5, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 41 new rules, 24 modified rules and two new shared object rules.

Today's release provides new coverage for several different malware families, including Gh0stRAT, the Zbot trojan and the Kuluoz botnet.

Thursday, April 23, 2020

Snort++ beta available now

The final beta version of Snort 3 is available now. Due to some internal constraints, the version is 3.0.1, but it is not the first official 3.0 release. The 3.0 release candidate is planned for later this year.

There are many changes since the last update. Here are a few highlights:

  • Several tweaks files are available to quickly configure your security posture relative to the default configuration.
  • The C++ compiler supported feature set requirement is now C++14.
  • A new VXLAN codec is available.
  • Improved content literal searches with updated Boyer-Moore and Hyperscan alternatives.
  • The HTTP/2 inspector is nearly complete.
  • Faster startup by using multiple threads to compile rule groups (Hyperscan only).
  • A new Talos logger is available.
  • More robust Lua error detection and whitelisting.
  • Numerous updates to enable on the fly reloading of most configurations.
  • A new network awareness inspector is added (RNA).
  • snort_config.lua and SNORT_LUA_PATH are eliminated for simpler configuration.

There are many other updates not mentioned. Check the ChangeLog for a summary of changes including new features, build and bug fixes and performance enhancements.

There are still lots of enhancements and new features planned for Snort++, some of which are already in development. As always, new downloads are posted to snort.org periodically. You can also get the latest updates from GitHub. Watch these repos to keep up with the latest:

  • snort3 – main codebase.
  • snort3_extra – plugin examples, experimental, and test code.
  • snort3_demo – a test suite demonstrating key features and including a performance analysis suite.
  • libdaq – the latest, greatest DAQ which is required for Snort 3.

You will also want to grab the latest registered Talos rule set.

Please submit bugs, questions, and feedback to Bugs or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, April 21, 2020

Snort rule update for April 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 34 new rules, four new shared object rules and three modified rules.

Today's release provides new coverage for several different malware families, including the Feejar trojan, the Kuluoz botnet and the Vobfus worm.

Thursday, April 16, 2020

To all PFsense users: Please update your "Rules Update Start Time"

Attention Pfsense users:

We recently were in touch with the package maintainer for Snort on pfsense, to which he was so kind to update the "Rules Update Start Time" to be random on install in version v3.2.9.10_3.

For more information about this update, please check out Bill's forum post here.

This update randomizes the start time of the Rules Update for every installation so that we don't have every installation of pfsense in the world simultaneously hitting Snort.org to check for updates all in the same second. As you can imagine, this causes quite a bit of a traffic spike on the site.

What we'd like is for all pfsense users is to either update their package, or to change the "Rules Update Start Time" entry to some random minute in the hour.  Obviously not all at :15, :30 or :45, but pick a more random time.

This will help up tremendously to load balance out the amount of traffic headed to Snort.org.


Tuesday, April 14, 2020

Snort rule update for April 14, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 22 new rules, four modified rules and one new shared object rule.

Monday, April 13, 2020

Snort 2.9.16.0 has been released

We just released Snort major release, 2.9.16.0  Take a look at the release notes below for more information:

Snort version 2.9.16.0

New Additions


  • Added support for early inspection of HTTP payload before flushing in pre-ack mode. This feature can be enabled using fast_blocking in http inspect configuration.
  • Added 64-bit support for Windows 10 operating system.
  • Added support for glibc version 2.30.

Improvements and fixes

  • Fixed file policy not working with character prefix in chunk size.
  • Updated the file magic to detect ALZ file types.
  • Addressed an issue when out-of-order FIN is received by dropping it.
  • Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.
As always, feedback on this release and any other release may be sent to the Snort mailing lists.

You may download this latest version of Snort from our downloads site.

Tuesday, April 7, 2020

Snort rule update for April 7, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 15 new rules, one modified rule and 12 new shared object rules.

Some of the new rules include new protections against two critical vulnerabilities in the popular ThemeREX WordPress plugin. There is also coverage for a pair of critical use-after-free vulnerabilities in Mozilla Firefox that have been used recently in targeted attacks.

Thursday, April 2, 2020

Snort rule update for April 2, 2020 — Microsoft Patch Tuesday

Apologies for the radio silence on the blog over the past week weeks. The Snort communications team was settling into a new schedule. But that doesn't mean the rule updates haven't been rolling in.

We just released a new SNORTⓇ rule update this morning with 20 new rules, two modified rules, two modified shared object rules and 12 new shared object rules.

Today's release provides protection against the Agent Tesla malware, which recently saw a spike connected to COVID-19-related spam.

Tuesday, March 10, 2020

Snort rule update for March 10, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 22 new rules, four modified rules and one new shared object rule.

Thursday, March 5, 2020

Snort rule update for March 5, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains eight new rules, 10 new shared object rules and 292 modified rules.

This rule set primarily covers a series of vulnerabilities Cisco disclosed earlier this week in Webex Player and Webex Network Recording Player. While Cisco has already released updates for these bugs, Snort rules 53384 - 53392 provide an additional layer of protection by preventing adversaries from corrupting memory on affected devices.

Tuesday, March 3, 2020

Snort rule update for March 3, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains nine new rules and two modified rules.

This latest update primarily supplies new rules to protect against the newly discovered Mozart malware. The backdoor uses DNS to communicate with its creators and evade detection. Rules 53364 - 53373 prevent Mozart from connecting to a command and control server and downloading malicious PDFs.

Thursday, February 27, 2020

Snort rule update for Feb. 27, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains nine new rules and two modified rules.

This release primarily focuses on a new variant of Emotet. The longstanding malware has evolved to spread over WiFi connections. These new rules prevent that variant from being downloaded on your machine.

After you're done adding the new rules today, head over to our shiny new Resources page. We've got improved documentation, as well as the new Snort 101 video series, which will teach you the basics of setting up Snort 2 and 3, and even dives a little into rule writing.

Wednesday, February 26, 2020

Snort rule update for Feb. 26, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 82 new rules and eight modified rules.

This release primarily provides new coverage for two malware families: Zeroll and NetWire — the latter of which was recently associated with tax-theme spam campaigns and malicious IMG files.

After you're done adding the new rules today, head over to our shiny new Resources page. We've got improved documentation, as well as the new Snort 101 video series, which will teach you the basics of setting up Snort 2 and 3, and even dives a little into rule writing.

Tuesday, February 25, 2020

Snort rule update for Feb. 25, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 57 new rules, 12 modified rules, and 10 new shared object rules.

This rule update provides several new rules for variants in the longstanding Netwire and AZORult malware families.

After you're done adding the new rules today, head over to our shiny new Resources page. We've got improved documentation, as well as the new Snort 101 video series, which will teach you the basics of setting up Snort 2 and 3, and even dives a little into rule writing.

Monday, February 24, 2020

Learn Snort: Back to basics videos and labs


Snort is happy to launch a new (free!) video training series created by Cisco Talos covering the basic operation of Snort 2 and Snort 3. Currently available topics include installation and configuration, packet capture and logging and rule writing. Users of both Snort 2.9x and Snort 3 can use the included labs to acquire the basic skills and information for quick and easy setup of Snort and start inspecting traffic immediately.

The series is available on the newly revamped Snort Resources page, where you will also find Snort documentation, white papers, and additional tutorials and guides. Currently, the following topics covered in the “Snort 101” videos are:

  • Snort Overview - Snort 101
  • Snort 2 - Install and Config (with labs)
  • Snort 2 - Introduction to Rule Writing
  • Snort 3 - Install and Config (with labs)
  • Snort 3 - Writing Rules (with labs)
  • Snort 3 - Logging (with labs)

The training videos and labs can also be found in a playlist on the Talos YouTube channel, and on the new Resources page here.

Thursday, February 20, 2020

Snort rule update for Feb. 20, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 46 new rules and nine new shared object rules.

This rule update provides several new protections against malware we're calling "ObliqueRAT." We will be publishing details about this RAT on the Talos blog later today.

Tuesday, February 18, 2020

Snort rule update for Feb. 18, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 33 new rules, six new shared object rules and eight modified rules.

This rule update provides protection against a major new wave of malware that reportedly targeted a U.S. federal agency. Attackers are using the Syscon backdoor along with a variant of the Carrotbat malware to install malicious downloaders on victim's machines. New rules 53129 - 53144 perform various actions to prevent this malware from infecting victims and downloading any additional payloads.

Tuesday, February 11, 2020

Snort rule update for Feb. 11, 2020: Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 34 new rules, 10 modified rules, three modified shared object rules and 11 new shared object rules.

Tuesday, February 4, 2020

Snort rule update for Feb. 4, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 14 new rules, 12 modified rules, 15 new shared object rules and two modified shared object rules.

This rule update provides protection against two major malware families recently discovered. Rules 53026 - 53030 provide coverage for the NetWire RAT, which disguises itself as a fake email from a legitimate business. 53023 - 53025 also covers a variant of the Ako ransomware.