Tuesday, October 20, 2020

Snort rule update for Oct. 20, 2020

Cisco Talos released the newest set of rules for SNORTⓇ this morning.

Shared object rules: 11
Modified shared object rules: 0
New rules: 50
Modified rules: 503

Tuesday's release is full of new rules protecting against various malware strains. Among them are new protections against Emotet, which is now disguising itself as a fake Windows update. There's also new coverage for the Cerber ransomware and the UPATRE trojan.

Thursday, October 15, 2020

Better application logging with Snort3



By Costas Kleopa.


With the introduction of OpenAppID in SNORT®, we started to provide application-based information for our network flows. A user could enable the AppID preprocessor, load our Open Detector Package (snort-openappid.tgz) from the Snort Downloads page and, by integrating third-party tools, get a deeper graphical representation of what's running over a network. (See the blog post here for an example of integration with Splunk.) The app_stats logging configuration allowed us to report some basic statistics: what type of traffic we see per application and the overall traffic volume observed during a specific recurring time interval.


We also provide additional AppID-based control via the IPS rules. These IPS rules allow us to block or alert on the detected application and ultimately log this information on a per-packet basis. The combination of alerting and logging in IPS rules partially met a use case that the field has been asking for: logging the application per connection. Unfortunately, this was not the best solution, since it reported the information per packet rather than per connection, producing a lot of duplicate data and potentially causing performance issues.

Snort rule update for Oct. 15, 2020

Cisco Talos released the newest set of rules for SNORTⓇ this morning.

Shared object rules: 0
Modified shared object rules: 0
New rules: 11
Modified rules: 506

Thursday's release has a new rule to protect against Emotet. The botnet is still out there, and is now using lure documents that promise to provide a Windows operating system update.

Tuesday, October 13, 2020

Snort rule update for Oct. 13, 2020

Cisco Talos released the newest SNORTⓇ rule update, coinciding with Microsoft Patch Tuesday. Here's an overview of today's rule release:

Shared object rules: 6
Modified shared object rules: 0
New rules: 59
Modified rules: 513

Tuesday's release provides several rules to protect against vulnerabilities in an array of Microsoft's products. For more on Patch Tuesday, check out the full blog post over on the Talos site here.

Thursday, October 8, 2020

How Talos is handling the transition to Snort 3



By Josh Williams. 

The release of Snort 3 brings with it some exciting changes in rule syntax and capabilities. These changes will make our rules easier to read and understand, and they will run faster. Before we get into these new changes, let's talk about what's staying the same. Cisco Talos will continue our current rule release schedule of Tuesdays and Thursdays, with periodic additional releases when major vulnerabilities or malware appear in the wild.

While moving to Snort 3 comes with a lot of improvements, we also understand that not everyone can switch over right away. We plan to continue releasing Snort 2 versions of rules until seven to 10 years after Snort 2's end of life. This will allow any users who can't upgrade quickly plenty of time to get everything in order. The only downside is that they'll be missing out on Snort 3's improvements. 

Snort rule update for Oct. 8, 2020

A new SNORTⓇ rule release is available this morning, courtesy of Cisco Talos. Here's an overview of this rule set:

Shared object rules: 0
Modified shared object rules: 0
New rules: 5
Modified rules: 501

Thursday's release provides a few new rules protecting against the Emotet botnet. Everyone already knows about Emotet, but it continues to grow, most recently targeting state and local government agencies, according to a recent advisory from the U.S. Cybersecurity and Infrastructure Security Agency.

Thursday, October 1, 2020

Snort rule update for Oct. 1, 2020

A new SNORTⓇ rule release is available this morning, courtesy of Cisco Talos. Here's an overview of this rule set:

Shared object rules: 0
Modified shared object rules: 0
New rules: 17
Modified rules: 9

Thursday's release provides new rules protecting against several malware families, including the Razy trojan and the Gamarue botnet.

How to use Snort2lua



By Bhagya Tholpady. 

One of the major differences between Snort 2.X and Snort 3.X is configuration. Snort 2.X configuration files are written in Snort-specific syntax, while Snort 3.0 configuration files are written in Lua. Hence, a valid Snort 2.X configuration won't work with Snort 3 unless it's converted to Lua. This can be done with a tool called "Snort2lua," found under the tools/snort2lua directory in the distribution.