Thursday, May 28, 2020

Snort rule update for May 28, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 30 new rules and 15 modified rules.

Today's release continues our wave of Trickbot rules, blocking the trojan that's been spread recently through COVID-19-themed spam emails. There are also new rules preventing the Copperhedge malware family from making outbound connections.

Tuesday, May 26, 2020

New Real-time Network Awareness (RNA) inspector feature added to Snort 3 beta

By Masud Hasan, additional contributions by Jon Munshaw and Joel Esler. 

As we near our “General Availability” (or GA) release of Snort 3.0 later this year, we’re going to be introducing content such as our videos, how-to guides and other installation documents. 

With our most recent release of Snort3’s beta, we added a new inspector “RNA“ to provide network visibility. For those of you that have been using Sourcefire products, you’ll remember this feature as “Real-Time Network Awareness”, a technology that we invented and patented back then.

In this initial release, RNA analyzes passing traffic to discover hosts with filtering based on IP/port/zone. It logs information about these hosts such as protocols, applications and user agents (collected from other modules), and operating systems (using predefined fingerprints). RNA does not generate or alter traffic on its own.  Keep in mind that this preprocessor is a work in progress for Open Source users, and more functionality will be added over time.

To enable host discovery (the feature is disabled by default), edit the config file referred to by rna_conf_path (set in your snort.conf). That file can contain the following keywords:

Analyze             # discover application, host, user (only host discovery is implemented)
AnalyzeHostUser     # discover application, host, user (same as Analyze)
AnalyzeApplication  # discover application
AnalyzeHost         # discover application, host
AnalyzeUser         # discover application, user
portexclusion       # don't discover on this port

Format:
config keyword [!]ip [zone]
portexclusion dst|src|both tcp|udp port ip

Examples:

config AnalyzeHost 0.0.0.0/0 -1       # discover any ipv4 on any zone
config AnalyzeHost ::/0 2             # discover any ipv6 on zone 2
config AnalyzeHost !1.2.3.4/16 3      # exclude this ipv4 range on zone 3
config Analyze !cafe:feed::0/64       # exclude this ipv6 range on any zone
portexclusion dst udp 53 8.8.8.8      # exclude this ip for UDP port 53 in destination direction
portexclusion both tcp 4000 ::0/0     # exclude any ipv6 for TCP port 4000 in both directions

Note that exclusion has a higher priority than inclusion.

The enable_logger config enables or disables sending RNA discovery events to EventManager::call_loggers; an event logger or reader of this type is not implemented yet. However, since RNA stores host information in host_cache, the discovered hosts can be logged to a file either with the socket command host_cache.dump('file.out') or with the Lua config host_cache = { dump_file = 'file.out' }.

For example:

> cat rna.conf
config AnalyzeHost 0.0.0.0/0 1
config AnalyzeHost 0.0.0.0/0 2
portexclusion dst tcp 80 0.0.0.0/0

> cat snort.lua
stream = { }
stream_tcp = { }
host_cache = { dump_file = 'file.out' }
rna = { rna_conf_path = 'rna.conf' }
Then, run Snort with TCP traffic, such as:
1.1.1.1:23 zone1 <--> 8.8.8.8:22 zone2
2.2.2.2:23 zone3 <--> 9.9.9.9:22 zone4
3.3.3.3:1234 zone1 <--> 2.2.2.2:80 zone2 
When Snort exits, it writes the following file.out, which lists the hosts discovered after filtering the traffic (in least-recently-used order):

IP: 8.8.8.8
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:09:08:07:06:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00

IP: 1.1.1.1
    hops: 255, time: 2000-01-01 00:00:00
macs size: 1
    mac: 02:01:02:03:04:05, ttl: 64, primary: 0, time: 2000-01-01 00:00:00
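As an added example (not Snort's or the post's own code), the Python model below applies the rna.conf rules described above (address and zone matching, exclusion beating inclusion, and directional port exclusions) to the post's own configuration and three sample flows. It assumes that a matching portexclusion skips the whole flow rather than just the matching endpoint, which is what reproduces the two hosts in file.out.

```python
# Added example (not Snort's own code): model of the rna.conf filtering rules above.
import ipaddress
ANY_ZONE = -1  # zone -1 (or an omitted zone) in a config line matches every zone

def parse_rna_conf(text):
    """host rules: (network, zone, exclude); port exclusions: (dir, proto, port, network)."""
    host_rules, port_excl = [], []
    for raw in text.splitlines():
        tok = raw.split('#', 1)[0].split()  # drop comments and blank lines
        if tok and tok[0] == 'config':      # config keyword [!]ip [zone]
            net = ipaddress.ip_network(tok[2].lstrip('!'), strict=False)
            zone = int(tok[3]) if len(tok) > 3 else ANY_ZONE
            host_rules.append((net, zone, tok[2].startswith('!')))
        elif tok and tok[0] == 'portexclusion':  # portexclusion dst|src|both tcp|udp port ip
            port_excl.append((tok[1], tok[2], int(tok[3]),
                              ipaddress.ip_network(tok[4], strict=False)))
    return host_rules, port_excl

def host_analyzed(ip, zone, host_rules):
    """Exclusion has priority over inclusion; otherwise any matching include suffices."""
    ip = ipaddress.ip_address(ip)  # an IPv4 address is never 'in' an IPv6 network
    hits = [ex for net, z, ex in host_rules if ip in net and z in (ANY_ZONE, zone)]
    return bool(hits) and not any(hits)

def flow_excluded(proto, src, sport, dst, dport, port_excl):
    """True when a portexclusion matches the flow end(s) named by its direction."""
    for direction, p, port, net in port_excl:
        ends = ([(dst, dport)] if direction in ('dst', 'both') else []) + \
               ([(src, sport)] if direction in ('src', 'both') else [])
        if p == proto and any(pt == port and ipaddress.ip_address(ip) in net for ip, pt in ends):
            return True
    return False

def discover(conf_text, flows):
    """Hosts RNA would record; flows are (proto, (ip, port, zone), (ip, port, zone))."""
    host_rules, port_excl = parse_rna_conf(conf_text)
    found = []
    for proto, (sip, sport, sz), (dip, dport, dz) in flows:
        if flow_excluded(proto, sip, sport, dip, dport, port_excl):
            continue  # assumption: the whole flow is skipped, so neither endpoint is discovered
        for ip, zone in ((sip, sz), (dip, dz)):
            if host_analyzed(ip, zone, host_rules) and ip not in found:
                found.append(ip)
    return found

# The post's rna.conf and its three sample flows (constructed from the text above).
RNA_CONF = "config AnalyzeHost 0.0.0.0/0 1\nconfig AnalyzeHost 0.0.0.0/0 2\nportexclusion dst tcp 80 0.0.0.0/0\n"
FLOWS = [('tcp', ('1.1.1.1', 23, 1), ('8.8.8.8', 22, 2)),
         ('tcp', ('2.2.2.2', 23, 3), ('9.9.9.9', 22, 4)),
         ('tcp', ('3.3.3.3', 1234, 1), ('2.2.2.2', 80, 2))]
```

Running discover(RNA_CONF, FLOWS) yields ['1.1.1.1', '8.8.8.8']: the second flow falls outside zones 1 and 2, and the third is dropped by the TCP/80 destination exclusion.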
As always, feedback on this work-in-progress feature may be sent to the Snort Users mailing list.

Thursday, May 21, 2020

Snort rule update for May 21, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 16 new rules, 12 modified rules, nine modified shared object rules and six new shared object rules.

Today's release provides new coverage for the Trickbot malware family, which was recently used in a spam campaign associated with fake emails alleging to be from the U.S. Department of Labor. We also have rules protecting against CVE-2020-3280, a critical remote code execution vulnerability in Cisco Unified Contact Center.

Wednesday, May 20, 2020

Snort 3 installation guide update for Ubuntu 18 & 19

By Noah Dietrich.

Today, we released Noah's installation guide for the newest version of Snort 3 for Ubuntu 18 and 19. We've provided some highlights below, but you can view the full log of changes, along with a guide to setting up Snort 3 on Ubuntu, here.

Major changes in this release:
  • Tested with Snort 3.0.1 b2
  • Ubuntu 20 LTS support added
  • Ubuntu 19 support removed
  • Removed old environmental variables
  • Added new ip commands to replace ifconfig on Ubuntu 20
Minor Changes:
  • SafeC updated to 3.5.1
  • Gperftools updated from 2.7.0 to 2.7.90
  • Boost headers updated from 1.71.0 to 1.72.0
  • Hyperscan updated from 5.2.0 to 5.2.1
  • Flatbuffers updated from 1.11 to 1.12
  • Updated openAppId to 12159
  • Replaced community rules with registered rules
  • Updated from Splunk 7.x to Splunk 8.x
  • Configured Splunk startup to use systemd rather than init
  • Added libcmocka-dev libraries to support DAQ requirements

Tuesday, May 19, 2020

Snort rule update for May 19, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 20 new rules, four modified rules, seven new shared-object rules and two modified shared-object rules.

Today's release provides new coverage for the Hancitor malware family, which has become increasingly popular in COVID-19-themed phishing campaigns.

Thursday, May 14, 2020

Snort rule update for May 14, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 26 new rules and more than 1,000 modified rules.

Today's release provides new coverage for the Ursnif malware family, which was recently spotted in the wild using COVID-19-themed lure documents. There are also new rules that detect common PowerShell techniques used by the Cobalt Strike family.

Tuesday, May 12, 2020

Snort rule update for May 12, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 83 new rules, two modified rules and five new shared object rules.

Tuesday, May 5, 2020

Snort rule update for May 5, 2020

This morning, Cisco Talos released the latest rule update for SNORTⓇ.

The latest release includes 41 new rules, 24 modified rules and two new shared object rules.

Today's release provides new coverage for several different malware families, including Gh0stRAT, the Zbot trojan and the Kuluoz botnet.