Cisco Talos released the newest set of rules for SNORTⓇ this morning.
| Shared object rules | Modified shared object rules | New rules | Modified rules |
|---|---|---|---|
| 11 | 0 | 50 | 503 |
Tuesday's release is full of new rules protecting against various malware strains. Among them are new protections against Emotet, which is now disguising itself as a fake Windows update. There's also new coverage for the Cerber ransomware and the UPATRE trojan.
By Costas Kleopa.
With the introduction of OpenAppID in SNORT®, we started to provide application-based information for our network flows. A user could enable the AppID preprocessor, load our Open Detector Package (snort-openappid.tgz) from the Snort Downloads page and — with the integration of any third-party tools — we could provide a deeper graphical representation of what’s running over a network. (See the blog here for an example showing Integration with Splunk.) The app_stats logging configuration allowed us to report some basic statistics on what type of traffic we can see per application and the overall traffic size we see during a specific recurring time interval.
We also provide additional AppID-based control via the IPS rules. These IPS rules were allowing us to block/alert the actual application and ultimately log this information on a per-packet basis. The combination of alert/logging in IPS rules partially met a use case that the field has been asking for, which is logging the application per connection. Unfortunately, this was not the best solution, since this was causing us to report this information per packet and could cause some performance issues with a lot of duplicate data.
Cisco Talos released the newest set of rules for SNORTⓇ this morning.
| Shared object rules | Modified shared object rules | New rules | Modified rules |
|---|---|---|---|
| 0 | 0 | 11 | 506 |
Thursday's release has a new rule to protect against Emotet. The botnet is still out there, and is now using lure documents that promise to provide a Windows operating system update.
Cisco Talos released the newest SNORTⓇ rule update, coinciding with Microsoft Patch Tuesday. Here's an overview of today's rule release:
| Shared object rules | Modified shared object rules | New rules | Modified rules |
|---|---|---|---|
| 6 | 0 | 59 | 513 |
Thursday's release provides several rules to protect against vulnerabilities in an array of Microsoft's products. For more on Patch Tuesday, check out the full blog over on the Talos site here.
By Josh Williams.
The release of Snort 3 brings with it some exciting changes in rule syntax and capabilities. These changes will make our rules easier to read and understand and will increase in speed. Before we get into these new changes, let's talk about what's staying the same. Cisco Talos will continue our current rule release schedule of Tuesdays and Thursdays with periodic additional releases when major vulnerabilities or malware appear in the wild.
While moving to Snort 3 comes with a lot of improvements, we also understand that not everyone can switch over right away. We plan to continue releasing Snort 2 versions of rules until seven to 10 years after Snort 2's end of life. This will allow any users who can't upgrade quickly plenty of time to get everything in order. The only downside is that they'll be missing out on Snort 3's improvements.
A new SNORTⓇ rule release is available this morning, courtesy of Cisco Talos. Here's an overview at this rule set:
| Shared object rules | Modified shared object rules | New rules | Modified rules |
|---|---|---|---|
| 0 | 0 | 5 | 501 |
Thursday's release provides a few new rules protecting against the Emotet botnet. Everyone already knows about Emotet, but it continues to grow, most recently targeting state and other local government agencies, according to a recent advisory from the U.S. Cybersecurity and Infrastructure Security Agency.
A new SNORTⓇ rule release is available this morning, courtesy of Cisco Talos. Here's an overview at this rule set:
| Shared object rules | Modified shared object rules | New rules | Modified rules |
|---|---|---|---|
| 0 | 0 | 17 | 9 |
Thursday's release provides new rules protecting against several malware families, including the Razy trojan and the Gamarue botnet.
By Bhagya Tholpady.
One of the major differences between Snort 2.X and Snort 3.X is configuration. Snort 2.X configuration files are written in Snort-specific syntax while Snort 3.0 configuration files are written in Lua. Hence, a valid Snort 2.X configuration won’t work with Snort 3 unless it’s converted to Lua. This can be done by using a tool called “Snort2lua” found under the tools/snort2lua directory in the distribution.