Thursday, July 9, 2020

Snort rule update from July 9, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes six new rules, two modified rules and 12 new shared object rules.

This release provides another rule covering the major vulnerability in F5 BIG-IP that's made headlines over the past week. Adversaries are using this vulnerability to target big-name organizations using the BIG-IP service.

Monday, July 6, 2020

Snort rule update for July 6 includes coverage for F5 BIG-IP vulnerability

Cisco Talos just released Snort coverage for a prominent vulnerability in F5’s BIG-IP.

BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution over the weekend that was assigned a maximum 10 out of 10 severity score.

CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make their interfaces inaccessible from the internet and patch as soon as possible. The latest Snort rule set also includes rule 54462 to protect users from the exploitation of this vulnerability.

Thursday, July 2, 2020

Snort rule update from July 2, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 11 new rules and four new shared object rules.

This release provides new coverage against the NetWire trojan. Adversaries have recently been exploiting an old Microsoft Equation Editor vulnerability — CVE-2017-1182 — to deliver this malware as the final payload.

Tuesday, June 30, 2020

Snort rule update for June 30, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 18 new rules, four modified rules and six new shared object rules.

Today's release provides new coverage for the Zeus malware, which recently expanded with a new loader. There are also several new rules providing protection against the well-known Valak malware.

Tuesday, June 23, 2020

Snort rule update for June 23, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 15 new rules and one modified rule.

Today's release provides new coverage for the IndigoDrop malware, which Talos recently discovered and reported on. For more information on this threat, which is spreading Cobalt Strike beacons, read the full Talos blog here.

Tuesday, June 16, 2020

Snort rule update for June 16, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 10 new rules, 16 modified rules and eight new shared object rules.

Today's release provides new coverage for several different malware families, including the Agent adware, Nanocore RAT and Tinba dropper.

Updates to Snort guides for CentOS, rule writing in 3

We have updated our documentation on Snort 3 running on CentOS and the Snort Rules Writing guide for Snort 3.

Thanks to community member Yaser for providing the updates.

The Snort 3 guide now has expanded information on logging options — such as syslog and JSON. There is also a new performance optimization section.

The Rules Writing guide has new syntax comparisons for file_type detection across the various Snort versions, as well as a comparison of app ID.

As always, you can view all of our guides on the Snort Documentation page.

Thursday, May 28, 2020

Snort rule update for May 28, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 30 new rules and 15 modified rules.

Today's release continues our wave of Trickbot rules, blocking the trojan that's been spread recently through COVID-19-themed spam emails. There are also new rules preventing the Copperhedge malware family from making outbound connections.

Tuesday, May 26, 2020

New Real-time Network Awareness (RNA) inspector feature added to Snort 3 beta

By Masud Hasan, additional contributions by Jon Munshaw and Joel Esler. 

As we near our “General Availability” (or GA) release of Snort 3.0 later this year, we’re going to be introducing content such as our videos, how-to guides and other installation documents. 

With our most recent release of Snort3’s beta, we added a new inspector “RNA“ to provide network visibility. For those of you that have been using Sourcefire products, you’ll remember this feature as “Real-Time Network Awareness”, a technology that we invented and patented back then.

In this initial release, RNA analyzes passing traffic to discover hosts with filtering based on IP/port/zone. It logs information about these hosts such as protocols, applications and user agents (collected from other modules), and operating systems (using predefined fingerprints). RNA does not generate or alter traffic on its own.  Keep in mind that this preprocessor is a work in progress for Open Source users, and more functionality will be added over time.

To enable host discovery (this feature is disabled by default), edit the config file referred to by rna_conf_path (set in your snort.conf). That file can contain the following keywords:

Analyze             # discover application, host, user (only host discovery is implemented)
AnalyzeHostUser     # discover application, host, user (same as Analyze)
AnalyzeApplication  # discover application
AnalyzeHost         # discover application, host
AnalyzeUser         # discover application, user
portexclusion       # don't discover on this port

Format:
config keyword [!]ip [zone]
portexclusion dst|src|both tcp|udp port ip

Examples:
config AnalyzeHost 0.0.0.0/0 -1      # discover any ipv4 on any zone
config AnalyzeHost ::/0 2            # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3     # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64      # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.8.8.8     # exclude this ip for UDP port 53 in destination direction
portexclusion both tcp 4000 ::0/0    # exclude any ipv6 for TCP port 4000 in both directions

Note that exclusion has a higher priority than inclusion. The enable_logger config enables or disables sending RNA discovery events to EventManager::call_loggers. This type of event logger or reader is not implemented yet. However, since RNA stores host information in the host_cache, to log the discovered hosts into a file, users can issue a socket command — host_cache.dump('file.out') — or add the Lua config — host_cache = { dump_file = 'file.out' }.

For example:

> cat rna.conf
config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0

> cat snort.lua
stream = { }
stream_tcp = { }
host_cache = { dump_file = 'file.out' }
rna = { rna_conf_path = 'rna.conf' }
Then, run Snort with TCP traffic, such as:
1.1.1.1:23 zone1 <--> 8.8.8.8:22 zone2
2.2.2.2:23 zone3 <--> 9.9.9.9:22 zone4
3.3.3.3:1234 zone1 <--> 2.2.2.2:80 zone2 
The following file.out will be generated when Snort closes. It shows the hosts discovered (in least recently used order) after the traffic has been filtered:

IP: 8.8.8.8
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:09:08:07:06:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00

IP: 1.1.1.1
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:01:02:03:04:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00
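
As an added example (my own Python model, not Snort's RNA code), the following parses the rna.conf keywords described above and replays the three example flows against them, reproducing the two discovered hosts. It assumes what the post states, that exclusion beats inclusion, plus one modelling choice: a matching portexclusion suppresses discovery of both endpoints of that packet; the HostRule, PortExclusion and Packet names and the flows are constructed.

```python
# Added example, not Snort's own code: a model of the rna.conf filter
# semantics described in the post, used to predict which hosts RNA would log.
import ipaddress
from collections import namedtuple

ANY_ZONE = None  # a missing zone or -1 in rna.conf means "any zone"

# keyword: Analyze/AnalyzeHost/...; exclude: leading "!"; net: ipaddress network
HostRule = namedtuple('HostRule', 'keyword exclude net zone')
PortExclusion = namedtuple('PortExclusion', 'direction proto port net')  # dst|src|both, tcp|udp
Packet = namedtuple('Packet', 'proto src sport szone dst dport dzone')   # one zone per endpoint


def parse_rna_conf(text):
    """Parse 'config keyword [!]ip [zone]' and 'portexclusion dir proto port ip' lines."""
    hosts, ports = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'config':
            addr = parts[2]
            # strict=False so 1.2.3.4/16 is accepted as the 1.2.0.0/16 range
            net = ipaddress.ip_network(addr.lstrip('!'), strict=False)
            zone = int(parts[3]) if len(parts) > 3 else -1
            hosts.append(HostRule(parts[1], addr.startswith('!'), net,
                                  ANY_ZONE if zone == -1 else zone))
        elif parts[0] == 'portexclusion':
            direction, proto, port, addr = parts[1:5]
            ports.append(PortExclusion(direction, proto, int(port),
                                       ipaddress.ip_network(addr, strict=False)))
        else:
            raise ValueError(f'unknown rna.conf line: {raw!r}')
    return hosts, ports


def _in(net, ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == net.version and addr in net


def port_excluded(pkt, ports):
    """Assumption: a matching portexclusion suppresses discovery of both ends of the packet."""
    for pe in ports:
        if pe.proto != pkt.proto:
            continue
        dst_hit = pkt.dport == pe.port and _in(pe.net, pkt.dst)
        src_hit = pkt.sport == pe.port and _in(pe.net, pkt.src)
        if (pe.direction in ('dst', 'both') and dst_hit) or \
           (pe.direction in ('src', 'both') and src_hit):
            return True
    return False


def host_monitored(ip, zone, hosts):
    """Discovered if an inclusion matches ip+zone and no exclusion does (exclusion wins)."""
    hits = [r for r in hosts if _in(r.net, ip) and r.zone in (ANY_ZONE, zone)]
    return bool(hits) and not any(r.exclude for r in hits)


def discover(conf_text, packets):
    """Return the discovered host IPs in first-seen order (RNA dumps them LRU-ordered)."""
    hosts, ports = parse_rna_conf(conf_text)
    found = {}
    for pkt in packets:
        if port_excluded(pkt, ports):
            continue
        for ip, zone in ((pkt.src, pkt.szone), (pkt.dst, pkt.dzone)):
            if host_monitored(ip, zone, hosts):
                found.setdefault(ip, zone)
    return list(found)


# Constructed rna.conf and flows mirroring the post's example.
RNA_CONF = """
config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0
"""
FLOWS = [
    Packet('tcp', '1.1.1.1', 23, 1, '8.8.8.8', 22, 2),
    Packet('tcp', '2.2.2.2', 23, 3, '9.9.9.9', 22, 4),
    Packet('tcp', '3.3.3.3', 1234, 1, '2.2.2.2', 80, 2),
]

if __name__ == '__main__':
    print(discover(RNA_CONF, FLOWS))  # ['1.1.1.1', '8.8.8.8']
```

Flow 2 is dropped because zones 3 and 4 are not analyzed, and flow 3 because the portexclusion on destination TCP port 80 matches, so only 1.1.1.1 and 8.8.8.8 reach the host cache.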
As always, feedback on this work-in-progress feature may be sent to the Snort Users mailing list.

Thursday, May 21, 2020

Snort rule update for May 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 16 new rules, 12 modified rules, nine modified shared object rules and six new shared object rules.

Today's release provides new coverage for the Trickbot malware family, which was recently used in a spam campaign associated with fake emails alleging to be from the U.S. Department of Labor. We also have rules protecting against CVE-2020-3280, a critical remote code execution vulnerability in Cisco Unified Contact Center.

Wednesday, May 20, 2020

Snort 3 installation guide update for Ubuntu 18 & 19

By Noah Dietrich.

Today, we released Noah's installation guide for the newest version of Snort 3 for Ubuntu 18 and 19. We've provided some highlights below, but you can view the full log of changes, along with a guide to setting up Snort 3 on Ubuntu, here.

Major changes in this release:
  • Tested with Snort 3.0.1 b2
  • Ubuntu 20 LTS support added
  • Ubuntu 19 support removed
  • Removed old environmental variables
  • Added new IP commands to replace ipconfig on Ubuntu 20 
Minor Changes:
  • SafeC updated to 3.5.1
  • Gperftools updated from 2.7.0 to 2.7.90
  • Boost headers updated from 1.71.0 to 1.72.0
  • Hyperscan updated from 5.2.0 to 5.2.1
  • Flatbuffers updated from 1.11 to 1.12
  • Updated openAppId to 12159
  • Replaced community rules with registered rules
  • Updated from Splunk 7.x to Splunk 8.x
  • Configure Splunk startup to use systemD rather than init
  • Added libcmocka-dev libraries to support DAQ requirements

Tuesday, May 19, 2020

Snort rule update for May 19, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 20 new rules, four modified rules, seven new shared-object rules and two modified shared-object rules.

Today's release provides new coverage for the Hancitor malware family, which has become increasingly popular in COVID-19-themed phishing campaigns.

Thursday, May 14, 2020

Snort rule update for May 14, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 26 new rules and more than 1,000 modified rules.

Today's release provides new coverage for the Ursnif malware family, which was recently spotted in the wild using COVID-19-themed lure documents. There are also new rules that detect common PowerShell techniques used by the Cobalt Strike family.

Tuesday, May 12, 2020

Snort rule update for May 12, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 83 new rules, two modified rules and five new shared object rules.

Tuesday, May 5, 2020

Snort rule update for May 5, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 41 new rules, 24 modified rules and two new shared object rules.

Today's release provides new coverage for several different malware families, including Gh0stRAT, the Zbot trojan and the Kuluoz botnet.

Thursday, April 23, 2020

Snort++ beta available now

The final beta version of Snort 3 is available now. Due to some internal constraints, the version is 3.0.1, but it is not the first official 3.0 release. The 3.0 release candidate is planned for later this year.

There are many changes since the last update. Here are a few highlights:

  • Several tweaks files are available to quickly configure your security posture relative to the default configuration.
  • The C++ compiler supported feature set requirement is now C++14.
  • A new VXLAN codec is available.
  • Improved content literal searches with updated Boyer-Moore and Hyperscan alternatives.
  • The HTTP/2 inspector is nearly complete.
  • Faster startup by using multiple threads to compile rule groups (Hyperscan only).
  • A new Talos logger is available.
  • More robust Lua error detection and whitelisting.
  • Numerous updates to enable on the fly reloading of most configurations.
  • A new network awareness inspector is added (RNA).
  • snort_config.lua and SNORT_LUA_PATH are eliminated for simpler configuration.

There are many other updates not mentioned. Check the ChangeLog for a summary of changes including new features, build and bug fixes and performance enhancements.

There are still lots of enhancements and new features planned for Snort++, some of which are already in development. As always, new downloads are posted to snort.org periodically. You can also get the latest updates from GitHub. Watch these repos to keep up with the latest:

  • snort3 – main codebase.
  • snort3_extra – plugin examples, experimental, and test code.
  • snort3_demo – a test suite demonstrating key features and including a performance analysis suite.
  • libdaq – the latest, greatest DAQ which is required for Snort 3.

You will also want to grab the latest registered Talos rule set.

Please submit bugs, questions, and feedback to Bugs or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, April 21, 2020

Snort rule update for April 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 34 new rules, four new shared object rules and three modified rules.

Today's release provides new coverage for several different malware families, including the Feejar trojan, the Kuluoz botnet and the Vobfus worm.

Thursday, April 16, 2020

To all PFsense users: Please update your "Rules Update Start Time"

Attention Pfsense users:

We recently were in touch with the package maintainer for Snort on pfsense, who was kind enough to update the "Rules Update Start Time" to be random on install in version v3.2.9.10_3.

For more information about this update, please check out Bill's forum post here.

This update randomizes the start time of the Rules Update for every installation so that we don't have every installation of pfsense in the world simultaneously hitting Snort.org to check for updates all in the same second. As you can imagine, this causes quite a bit of a traffic spike on the site.

What we'd like is for all pfsense users to either update their package, or to change the "Rules Update Start Time" entry to some random minute in the hour. Obviously not all at :15, :30 or :45, but pick a more random time.

This will help us tremendously to balance out the amount of traffic headed to Snort.org.


Tuesday, April 14, 2020

Snort rule update for April 14, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 22 new rules, four modified rules and one new shared object rule.

Monday, April 13, 2020

Snort 2.9.16.0 has been released

We just released a major Snort release, 2.9.16.0. Take a look at the release notes below for more information:

Snort version 2.9.16.0

New Additions

  • Added support for early inspection of HTTP payload before flushing in pre-ack mode. This feature can be enabled using fast_blocking in http inspect configuration.
  • Added 64-bit support for Windows 10 operating system.
  • Added support for glibc version 2.30.

Improvements and fixes

  • Fixed file policy not working with character prefix in chunk size.
  • Updated the file magic to detect ALZ file types.
  • Addressed an issue when out-of-order FIN is received by dropping it.
  • Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.

As always, feedback on this release and any other release may be sent to the Snort mailing lists.

You may download this latest version of Snort from our downloads site.

Tuesday, April 7, 2020

Snort rule update for April 7, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 15 new rules, one modified rule and 12 new shared object rules.

Some of the new rules include new protections against two critical vulnerabilities in the popular ThemeREX WordPress plugin. There is also coverage for a pair of critical use-after-free vulnerabilities in Mozilla Firefox that have been used recently in targeted attacks.

Thursday, April 2, 2020

Snort rule update for April 2, 2020 — Microsoft Patch Tuesday

Apologies for the radio silence on the blog over the past few weeks. The Snort communications team was settling into a new schedule. But that doesn't mean the rule updates haven't been rolling in.

We just released a new SNORTⓇ rule update this morning with 20 new rules, two modified rules, two modified shared object rules and 12 new shared object rules.

Today's release provides protection against the Agent Tesla malware, which recently saw a spike connected to COVID-19-related spam.

Tuesday, March 10, 2020

Snort rule update for March 10, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 22 new rules, four modified rules and one new shared object rule.

Thursday, March 5, 2020

Snort rule update for March 5, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains eight new rules, 10 new shared object rules and 292 modified rules.

This rule set primarily covers a series of vulnerabilities Cisco disclosed earlier this week in Webex Player and Webex Network Recording Player. While Cisco has already released updates for these bugs, Snort rules 53384 - 53392 provide an additional layer of protection by preventing adversaries from corrupting memory on affected devices.

Tuesday, March 3, 2020

Snort rule update for March 3, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains nine new rules and two modified rules.

This latest update primarily supplies new rules to protect against the newly discovered Mozart malware. The backdoor uses DNS to communicate with its creators and evade detection. Rules 53364 - 53373 prevent Mozart from connecting to a command and control server and downloading malicious PDFs.

Thursday, February 27, 2020

Snort rule update for Feb. 27, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains nine new rules and two modified rules.

This release primarily focuses on a new variant of Emotet. The longstanding malware has evolved to spread over WiFi connections. These new rules prevent that variant from being downloaded on your machine.

After you're done adding the new rules today, head over to our shiny new Resources page. We've got improved documentation, as well as the new Snort 101 video series, which will teach you the basics of setting up Snort 2 and 3, and even dives a little into rule writing.

Wednesday, February 26, 2020

Snort rule update for Feb. 26, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 82 new rules and eight modified rules.

This release primarily provides new coverage for two malware families: Zeroll and NetWire — the latter of which was recently associated with tax-theme spam campaigns and malicious IMG files.

After you're done adding the new rules today, head over to our shiny new Resources page. We've got improved documentation, as well as the new Snort 101 video series, which will teach you the basics of setting up Snort 2 and 3, and even dives a little into rule writing.

Tuesday, February 25, 2020

Snort rule update for Feb. 25, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 57 new rules, 12 modified rules, and 10 new shared object rules.

This rule update provides several new rules for variants in the longstanding Netwire and AZORult malware families.

After you're done adding the new rules today, head over to our shiny new Resources page. We've got improved documentation, as well as the new Snort 101 video series, which will teach you the basics of setting up Snort 2 and 3, and even dives a little into rule writing.

Monday, February 24, 2020

Learn Snort: Back to basics videos and labs

Snort is happy to launch a new (free!) video training series created by Cisco Talos covering the basic operation of Snort 2 and Snort 3. Currently available topics include installation and configuration, packet capture and logging and rule writing. Users of both Snort 2.9x and Snort 3 can use the included labs to acquire the basic skills and information for quick and easy setup of Snort and start inspecting traffic immediately.

The series is available on the newly revamped Snort Resources page, where you will also find Snort documentation, white papers, and additional tutorials and guides. Currently, the topics covered in the “Snort 101” videos are:

  • Snort Overview - Snort 101
  • Snort 2 - Install and Config (with labs)
  • Snort 2 - Introduction to Rule Writing
  • Snort 3 - Install and Config (with labs)
  • Snort 3 - Writing Rules (with labs)
  • Snort 3 - Logging (with labs)

The training videos and labs can also be found in a playlist on the Talos YouTube channel, and on the new Resources page here.

Thursday, February 20, 2020

Snort rule update for Feb. 20, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 46 new rules and nine new shared object rules.

This rule update provides several new protections against malware we're calling "ObliqueRAT." We will be publishing details about this RAT on the Talos blog later today.

Tuesday, February 18, 2020

Snort rule update for Feb. 18, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 33 new rules, six new shared object rules and eight modified rules.

This rule update provides protection against a major new wave of malware that reportedly targeted a U.S. federal agency. Attackers are using the Syscon backdoor along with a variant of the Carrotbat malware to install malicious downloaders on victim's machines. New rules 53129 - 53144 perform various actions to prevent this malware from infecting victims and downloading any additional payloads.

Tuesday, February 11, 2020

Snort rule update for Feb. 11, 2020: Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 34 new rules, 10 modified rules, three modified shared object rules and 11 new shared object rules.

Tuesday, February 4, 2020

Snort rule update for Feb. 4, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 14 new rules, 12 modified rules, 15 new shared object rules and two modified shared object rules.

This rule update provides protection against two major malware families recently discovered. Rules 53026 - 53030 provide coverage for the NetWire RAT, which disguises itself as a fake email from a legitimate business. 53023 - 53025 also covers a variant of the Ako ransomware.

Thursday, January 30, 2020

Snort rule update for Jan. 30, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 13 new rules, 19 modified rules and eight new shared object rules.

This rule update provides coverage for several vulnerabilities disclosed this week in some Cisco Small Business Switches, along with protection against a new variant of the HyperBro backdoor.

Wednesday, January 22, 2020

Snort rule update for Jan. 22, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains seven new rules, six modified rules and 16 new shared object rules.

This rule update primarily covers a series of vulnerabilities Cisco disclosed in several of its products, including Firepower Management Center, Smart Software Manager and the IOS XR software.

Area Under Construction: Snort documentation is getting a facelift

By Kri Dontje.

Changes will be popping up all over Snort.org to bring better support to every aspect of the Snort user experience. What sort of new things are coming?

  • Added context information and a new look for Snort rule documentation.
  • Reorganized and updated documentation.
  • Elasticsearch.
  • A surprise of the multi-media variety!

As these changes go into effect, Snort.org may experience growing pains. In particular, the search function will be limited for a few days during the change-over. Pardon the inconvenience over the next week or so while we change the Elasticsearch indexes.

After our updates are complete, we’ll keep you posted about the new features and go over where to find them.

Thursday, January 16, 2020

Snort rule update for Jan. 16, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 12 new rules, two modified shared object rules and 103 modified rules.

The latest rule update provides new coverage for several different malware families, including Whiteshadow, the Remcos botnet and a variant of the AgentTesla malware.

Tuesday, January 14, 2020

Snort rule update for Jan. 14, 2020: Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 22 new rules and five modified rules.

Thursday, January 9, 2020

Snort rule update for Jan. 9, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 26 new rules, six modified rules and five new shared object rules.

The latest rule update provides several new protections against the ZeroCleare malware, a data-wiping attack recently deployed on an oil refinery in the Middle East. There is also new coverage for a variant of the Mirai botnet.

Tuesday, January 7, 2020

Snort rule update for Jan. 7, 2020

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains two new rules, both of which provide protection against the Xpert remote access tool.

Monday, January 6, 2020

Snort 2.9.15.1 has been released

We just released a minor Snort bug-fix update, version 2.9.15.1. Take a look at the release notes below for more information:

2019-12-15 - Snort 2.9.15.1

New Additions
  • Added support for glibc version 2.30.

Improvements/Fixes
  • Fixed Snort core seen during SSL re-configuration.
  • Fixed file access issues on files from SMB share.

Special thanks for this release go out to David Binderman for reporting an issue.

As always, feedback on this release and any other release may be sent to the Snort mailing lists.

You may download this latest version of Snort from our downloads site.