Thursday, April 23, 2020

Snort++ beta available now

The final beta version of Snort 3 is available now. Due to some internal constraints, the version is 3.0.1, but it is not the first official 3.0 release. The 3.0 release candidate is planned for later this year.

There are many changes since the last update. Here are a few highlights:

  • Several tweaks files are available to quickly configure your security posture relative to the default configuration.
  • The C++ compiler supported feature set requirement is now C++14.
  • A new VXLAN codec is available.
  • Improved content literal searches with updated Boyer-Moore and Hyperscan alternatives.
  • The HTTP/2 inspector is nearly complete.
  • Faster startup by using multiple threads to compile rule groups (Hyperscan only).
  • A new Talos logger is available.
  • More robust Lua error detection and whitelisting.
  • Numerous updates to enable on the fly reloading of most configurations.
  • A new network awareness inspector is added (RNA).
  • snort_config.lua and SNORT_LUA_PATH are eliminated for simpler configuration.

There are many other updates not mentioned. Check the ChangeLog for a summary of changes including new features, build and bug fixes and performance enhancements.

There are still lots of enhancements and new features planned for Snort++, some of which are already in development. As always, new downloads are posted to periodically. You can also get the latest updates from GitHub. Watch these repos to keep up with the latest:

  • snort3 – main codebase.
  • snort3_extra – plugin examples, experimental, and test code.
  • snort3_demo – a test suite demonstrating key features and including a performance analysis suite.
  • libdaq – the latest, greatest DAQ which is required for Snort 3.

You will also want to grab the latest registered Talos rule set.

Please submit bugs, questions, and feedback to Bugs or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team

Tuesday, April 21, 2020

Snort rule update for April 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 34 new rules, four new shared object rules and three modified rules.

Today's release provides new coverage for several different malware families, including the Feejar trojan, the Kuluoz botnet and the Vobfus worm.

Thursday, April 16, 2020

To all PFsense users: Please update your "Rules Update Start Time"

Attention Pfsense users:

We recently were in touch with the package maintainer for Snort on pfsense, to which he was so kind to update the "Rules Update Start Time" to be random on install in version v3.2.9.10_3.

For more information about this update, please check out Bill's forum post here.

This update randomizes the start time of the Rules Update for every installation so that we don't have every installation of pfsense in the world simultaneously hitting to check for updates all in the same second. As you can imagine, this causes quite a bit of a traffic spike on the site.

What we'd like is for all pfsense users is to either update their package, or to change the "Rules Update Start Time" entry to some random minute in the hour.  Obviously not all at :15, :30 or :45, but pick a more random time.

This will help up tremendously to load balance out the amount of traffic headed to

Tuesday, April 14, 2020

Snort rule update for April 14, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 22 new rules, four modified rules and one new shared object rule.

Monday, April 13, 2020

Snort has been released

We just released Snort major release,  Take a look at the release notes below for more information:

Snort version

New Additions

  • Added support for early inspection of HTTP payload before flushing in pre-ack mode. This feature can be enabled using fast_blocking in http inspect configuration.
  • Added 64-bit support for Windows 10 operating system.
  • Added support for glibc version 2.30.

Improvements and fixes

  • Fixed file policy not working with character prefix in chunk size.
  • Updated the file magic to detect ALZ file types.
  • Addressed an issue when out-of-order FIN is received by dropping it.
  • Normalize randomly encoded nulls interspersed in the HTTP server response to UTF-8.
As always, feedback on this release and any other release may be sent to the Snort mailing lists.

You may download this latest version of Snort from our downloads site.

Tuesday, April 7, 2020

Snort rule update for April 7, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 15 new rules, one modified rule and 12 new shared object rules.

Some of the new rules include new protections against two critical vulnerabilities in the popular ThemeREX WordPress plugin. There is also coverage for a pair of critical use-after-free vulnerabilities in Mozilla Firefox that have been used recently in targeted attacks.

Thursday, April 2, 2020

Snort rule update for April 2, 2020 — Microsoft Patch Tuesday

Apologies for the radio silence on the blog over the past week weeks. The Snort communications team was settling into a new schedule. But that doesn't mean the rule updates haven't been rolling in.

We just released a new SNORTⓇ rule update this morning with 20 new rules, two modified rules, two modified shared object rules and 12 new shared object rules.

Today's release provides protection against the Agent Tesla malware, which recently saw a spike connected to COVID-19-related spam.