Tuesday, September 29, 2020

Snort rule update for Sept. 29, 2020

 Cisco Talos released the newest SNORTⓇ rule set this morning.

This release includes eight new rules, four new shared object rules, two modified shared object rules and 20 modified rules.

Tuesday's release includes new rules protecting against a vulnerability in the WordPress Nexos plugin, along with a rule to prevent the Uppercut malware from downloading its payload.

Monday, September 28, 2020

New guide for installing Snort 3.0.3 on CentOS

We are excited to release a new guide on the Snort Resources page today to assist users with installing Snort 3.0.3 on CentOS. 

Thanks to user Yaser Mansour for all of their contributions to this document. This is one of the best ways to help out the rest of the Snort community — by submitting things like documentation, guides and answers to our Snort mailing lists.

This guide walks through installing, configuring and testing Snort 3 on CentOS, version 8.1. Some of the
configurations may not be applicable to production sensors. The author encourages all users to test the steps in this guide before enacting permanent changes.

If you haven't already, you can check out the first official release candidate for Snort 3. Stay tuned for a full, public release of Snort 3 later this year.

Converting custom Snort 2 rules for Snort 3 compatibility



By John Levy.

Snort 3 introduces many improvements to simplify rule-writing and increase rule syntax consistency, while at the same time increasing detection robustness and granularity. Converting Snort 2 rules to Snort 3 is a painless process, and this document, while not an exhaustive guide, walks users through some of the more fundamental and significant changes users will need to make to update their custom rules for Snort 3 compatibility.

Thursday, September 24, 2020

Snort rule update for Sept. 24, 2020

Cisco Talos released the newest SNORTⓇ rule set this afternoon.

This release includes 14 new rules, 14 new shared object rules and 51 modified rules.

Thursday's release includes new protection against the Mekotio banking trojan, which disguises itself in a pop-up window. There is also coverage for several vulnerabilities Cisco disclosed in its IOS operating system today.

Wednesday, September 23, 2020

Official Snort 3 release candidate available now



By Jon Munshaw. 

We are thrilled to announce that Snort 3 is out of beta with the release candidate for Snort 3.0.3. Snort 3.1.0 general availability will be available in roughly a month. 

Snort 3 has been in beta for several months now, and we would like to thank all the users who’ve provided us feedback during that period that we’ve used to polish this product. 

Monday, September 21, 2020

Improve Snort 3 performance with Hyperscan



By Steve Chew. 

Snort 3 includes native support for Hyperscan pattern matching.  Hyperscan is an open-source, high-performance, regular expression-matching library from Intel that runs on x86 platforms. It supports a large subset of the PCRE syntax and takes advantage of the Intel SIMD instructions. However, it is not yet available for ARM processors. 

Hyperscan provides a significant boost for Snort 3's IPS fast pattern matching when compared to the other available search engines. Hyperscan is up to two times faster than the ac_full engine and three times faster than ac_bfna. Snort 3 will see the most benefit from Hyperscan when using a large ruleset and when doing deep flow inspection.

Thursday, September 17, 2020

New version of PulledPork available on GitHub

The Snort community welcomes a new version of PulledPork on GitHub today.

Version 0.7.4 now supports Snort 3 and points to the new, correct, location of the IP blocklist. PulledPork is a Perl script that allows users to download new rules as soon as new vulnerabilities or exploits are discovered.

Here are some of the other changes in this version:

  • Supports updating of Snort 3.0 signatures (0.8 will be released when Snort 3.0 moves out of BETA).
  • Fixed some of the logic to allow updating with Perl on Windows
  • ability to modify rules via regex in modifysid.conf
  • Removal of opensource.gz processing (will speed up signature updating)
  • Updated OS Distro list to match so_rules
  • Added error checking around writing to directories that do not exist (i.e., block_list)
  • Updated for new location of block list

Snort rule update for Sept. 17, 2020

Cisco Talos released the newest SNORTⓇ rule set this morning.

This release includes 43 new rules, three modified rules and two new shared object rules.

Thursday's release includes new protection against the Nitol backdoor, the Zeus (aka Zbot) trojan and more.

Tuesday, September 15, 2020

Snort rule update for Sept. 15, 2020

The newest SNORTⓇ ruleset is out this morning, courtesy of Cisco Talos.

The latest update is a big one. We've got 418 new rules, three modified rules and six new shared object rules.

Tuesday's release is packed with new rules to protect against a variety of malware families, including Zeus (aka Zbot), DarkKomet and Gh0stRAT. There is also new coverage for vulnerabilities in the Pulse VPN service. The U.S. Cybersecurity and Infrastructure Security Agency released a warning this week saying that state-sponsored actors are exploiting some previously disclosed vulnerabilities.

Friday, September 11, 2020

Snort rule update for Sept. 10, 2020

Cisco Talos released a new SNORTⓇ rule set yesterday. Our apologies, as this blog post is going up a day late. 

The latest update includes 14 new rules.

Thursday's release included new protections against some notable malware families, including the Delf downloader, which was recently part of a spam campaign in Spain. There are also two rules targeting the DarkSide ransomware, which recently debuted using several professional techniques to give the group a more formal appearance.

Tuesday, September 8, 2020

Snort rule update for Sept. 8, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

In all, this release includes 173 new rules, 12 modified rules and two modified shared object rules.

Thursday, September 3, 2020

Snort rule update for Sept. 3, 2020

Cisco Talos released a new SNORTⓇ rule set this afternoon. 

The latest update includes 108 new rules and six new shared object rules.

Thursday's release deals mainly with malware. There are dozens of rules protecting against a variety of malware families, including Zusy, the Trickbot trojan and the infamous Emotet botnet.

Tuesday, September 1, 2020

Snort rule update for Sept. 1, 2020

This morning, Cisco Talos released a new SNORTⓇ rule set

The latest update includes 19 new rules and two new shared object rules.

Tuesday's release provides multiple new rules defending against the Lockbit ransomware. The ransomware-as-a-service was most recently spotted targeting users with COVID-19-themed lures