Thursday, August 27, 2020

Snort rule update for Aug. 27, 2020

The newest SNORTⓇ rule set is here, courtesy of Cisco Talos.

The latest update includes 28 new rules, four modified rules and four new shared object rules.

Thursday's release includes coverage for the GoldenSpy malware, which was recently discovered hidden on tax software. There are also a few rules protecting against the recently discovered Duri campaign that delivers malware via HTML smuggling.

Tuesday, August 25, 2020

Snort rule update for Aug. 24, 2020

 Cisco Talos released the newest SNORTⓇ rule set this morning. 

The latest update includes 30 new rules, 10 modified rules and two new shared object rules.

Tuesday's release is loaded with new detection for some infamous malware families, including the Remcos remote access trojan (RAT), the Zeus ransomware and Gafgyt.

Monday, August 24, 2020

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for the Snort OpenAppID Detector content.

This release — build 337 — includes:
  • A total of 2,917 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the AUTHORS file in this package.
The release is available now on our downloads page. We look forward to users downloading and using the new features of's OpenAppID preprocessor and sharing your experiences with the community.

The OpenAppID package is also compatible with our Snort 3.0 release.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Thursday, August 20, 2020

Snort rule update for Aug. 20, 2020

Cisco Talos released the newest SNORTⓇ rule set this morning. 

The latest update includes 18 new rules, five modified rules and four new shared object rules. 

Thursday's release includes several new rules to protect against a decades-old vulnerability recently discovered in Windows machines. The bug could allow an adversary to stop the print spooler process. There's also coverage for CVE-2020-12648, an arbitrary code execution vulnerability in the TinyMCE HTML text editor.

Tuesday, August 18, 2020

Snort rule update for Aug. 18, 2020

 Cisco Talos released the newest SNORTⓇ rule set this afternoon. 

The latest update includes 36 new rules, one modified rule and three new shared object rules. 

Tuesday's release provides new coverage several malware families, including the Sodinokibi ransomware and the Emotet spam botnet. 

One rule, 54793, protects against a newly discovered malware family from a state-sponsored actor. Drovorub, which was first reported on by American intelligence agencies, is a fully formed rootkit targeting Linux machines and networks. A report from CISA and the FBI highlighted this Snort rule.

Thursday, August 13, 2020

Snort rule update for Aug. 13, 2020

The latest rule update for SNORTⓇ is live this morning. 

Cisco Talos' latest release includes six new rules and eight modified rules.

Thursday's release provides new coverage for the Nanocore RAT, which was recently spotted targeting manufacturing companies in India.

Wednesday, August 12, 2020

New guide for installing Snort 3.0.2 on CentOS

We are excited to release a new guide on the Snort Resources page today to assist users with installing Snort 3.0.2, build 4, on CentOS. 

Thanks to user Yaser for all of their contributions to this document. 

This guide walks through installing, configuring and testing Snort 3 on CentOS, version 8.1. Some of the
configurations may not be applicable to production sensors. The author encourages all users to test the steps in this guide before enacting permanent changes.

Build 5 for Snort 3.0.2 available on GitHub

 The SNORT® development team released a new update to Snort 3 (aka Snort++) on GitHub today. 

How rules are improving in Snort 3


By Russ Combs and Jon Munshaw. 

There are many ways the user experience will improve in Snort 3 compared to previous versions. We've already outlined things like the improved speed and new features that’ll be in the full release later this year. Now, it’s time to look at what the full Snort 3 release means for the rules themselves. 

Cisco Talos releases new rule sets at least twice a week, and sometimes more depending upon any urgent vulnerabilities or exploits that appear in the wild. With Snort 3, rules are going to be more effective, faster and easier to understand. 

Here’s a look at some of the major changes to Snort rules with Snort 3. There are many more benefits that we’ll get into as well as we get closer to release. 

  • All rules must now have a SID 
  • The SID “0” is not allowed 
  • Deleted active/dynamic rules, unused rule_state.action and metadata engine shared 
  • Removed metadata: rule-flushing. With PDU flushing, some rules could miss attacks 
  • Changed metadata:service one[ to service:one[, two] 
  • soid is now a non-metadata option 
  • Metadata is now truly metadata. There won’t be any effect on detection, as Snort 3 ignores metadata internal structure/syntax. You can use the command line option --metadata-filter to select rules.  Eg snort --c snort.lua --tweaks security -rule-path path/to/talos/rules --metadata-filter "policy security-ips" will select all rules from the security policy. 
  • Snort 3 will automatically determine when something is fast_pattern only. 
  • Rules can fast-pattern sensitive data using Hyperscan with sd_pattern 
  • Deleted the uricontent option. Users should now only use sticky buffer uricontent:”foo” 
  • Deleted urilen raw and norm. Users should now use http_raw_uri and http_uri instead 
  • Added sticky buffers. Buffer selector option smust now also precede contents and remain in effect until changed 
  • Deleted the following PCRE options: B, U, P, H, M, C, I, D, K, S and Y. Users should use sticky buffers instead. 
  • Deleted the unused http_encode option 
  • urilen was replaced with the generic bufferlen, which applies to the current sticky buffer 
  • Added an option selector to http_header 
  • The new http_inspect has new buffers and rule options. Eg: http_param will set the detection cursor to the value of the specified HTTP parameter key which may be in the query or body. 
  • Added alert file and alert service rules 
  • There are #begin and #end comments to allow rule writers to easily comment out multiple lines 
  • Nets and/or ports can now be omitted from rule headers 
  • Snort 3 parses all rules and outputs all errors before quitting 
  • The symbol =< in a byte test is now recognized as a syntax error. The correct symbol is <= 
  • All text mode outputs default to stdout 
  • Changed default logging mode to “-L none” 
  • Deleted log_ascii 
  • Snort 3 now queues decoder and inspector events to the main event queue before IPS policy is selected. Since some events may not be enabled, the queue needs to be sized larger than they would be in Snort 2. 
  • Snort 3 added these fast pattern buffers:  http_raw_uri, http_raw_header, http_stat_code, http_stat_msg, http_cookie, http_method 
  • Unlike Snort 2, the use of service rules does not prevent the use of port rules. 
  • Snort 3 does not require the hosts table (attribute table in Snort 2) in order to use services. 
  • Rules can be included in a config or loaded from the command line with -R file, --rule-path dir, or --stdin-rules. 

Tuesday, August 11, 2020

Snort rule update for Aug. 11, 2020 — Microsoft Patch Tuesday

 The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 55 new rules, 76 modified rules and seven new shared object rules.

Thursday, August 6, 2020

New Snort 3 release available on GitHub

The SNORT® development team released a new update to Snort 3 (aka Snort++) on GitHub today. 

Snort rule update for Aug. 6, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

The latest release includes five new rules, 49 modified rules and nine new shared o.

Thursday's release provides expanded coverage for the vulnerabilities Cisco disclosed in its Data Center Network Manager and the AnyConnect VPN client. There's also a new rule preventing the Ursnif malware from making an outbound connection to its command and control (C2).

Wednesday, August 5, 2020

The major differences that set Snort 3 apart from Snort 2

By Russ Combs and Jon Munshaw. 

We are inching closer to the final release of Snort 3.  

Snort 3.0 is an updated version of the SNORT® Intrusion Prevention System that features a new design and a superset of Snort 2.X functionality that results in better efficacy, performance, scalability, usability and extensibility. 

There are many benefits of upgrading to Snort 3 once the final release is here. In the coming weeks, we’ll be outlining many of these changes to answer users’ most burning questions and assist everyone in the transition.  

Snort has been released

Join us as we are pleased to release a bug fix version of Snort!  First, some release notes:


New Additions
  • Added support for GCC version 10.1.1.
  • Added packet counters to make sure flows with one-way data don't stay pending forever.
  • Fixed potential race condition between reload and exit path.
As always this maintenance release of Snort is available on our Snort downloads page.  For any questions, please feel free to visit our Snort-Users mailing list.

Tuesday, August 4, 2020

Snort rule update for Aug. 4, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

The latest release includes 13 new rules, three modified rules and four new shared object rules.

Tuesday's release provides expanded coverage for the WastedLocker ransomware. This malware family recently expanded its scope, going after several high-profile targets. You can read more about WastedLocker in Talos' research post here.