Tuesday, November 24, 2020

Snort rule update for Nov. 21, 2020

Cisco Talos released the newest SNORTⓇ rule update this morning.

This morning's release includes protection against several different malware families. A few new rules specifically defend against the Zbot trojan (aka Zeus, Zloader, etc.), which was recently spotted targeting adult websites. Other malware families covered in this release include Razy and Zusy.

Here's a breakdown of this morning's rule release:

Shared object rules Modified shared object rules New rules Modified rules
250330

Thursday, November 19, 2020

Snort 2.9.17.0 has been released

We are pleased to release Snort 2.9.17.0, a bug fix version of Snort! First, some release notes:

Snort 2.9.17.0

New Additions

  • Added support for s7Commplus protocol.
  • Support for allowing common names across rule options.
  • Added support to detect TCP Fast Open packets.
Improvements / Fixes
  • Added support for HTTP Range header parsing to detect whether an HTTP response/request carries partial or full content.
  • Miscellaneous SMB bug fixes.
  • Fixed a TCP segment queue hole issue, following the RFC 793 recommendation for out-of-order ACK packet handling.
  • Fixed multiple static analysis issues.
  • Fixed the DNS application detector failing to detect DNS traffic in some scenarios.
  • Fixed compiler warnings.
  • Fixed population of the original IP in dropped events when inline normalization is enabled with the unified2 output method.
  • Fixed handling of encrypted traffic by the SIP preprocessor.
  • Added port 853 to the SSL detector, since DNS over TLS runs over SSL/TLS.
    • Also improved the SIP preprocessor to better detect SSL-encrypted SIP traffic.
  • Fixes to the byte_math operation.
  • Fixed GCC 10.1.1 compile issues.
  • Fixed incorrect filtering of UDP traffic when "ignore_any_rules" is configured.
  • Fix to address some cases of ambiguous codes between SMTP and FTP, and when the SMTP server does not support EHLO.
  • Fixed AppID caching the proxy IP instead of the tunneled IP in the dynamic cache during Ultrasurf traffic.
  • Fixed a popup message on Windows uninstall.
  • Added a message asking users to choose WinPcap 4.1.1 on Windows.

As always, this maintenance release of Snort 2.9.17.0 is available on our Snort downloads page. For any questions, please feel free to visit our Snort-Users mailing list.

Snort rule update for Nov. 19, 2020

A new rule update is out this morning for SNORTⓇ.

Cisco Talos' newest release includes new rules for the Cisco Integrated Management Controller that protect against a recently disclosed critical vulnerability. There are also new rules protecting against the exploitation of a different critical bug in Cisco's IoT Field Network Director that could allow an adversary to access the back-end database of the affected device and read, alter or drop information.

Here's a breakdown of this morning's rule release:

Shared object rules Modified shared object rules New rules Modified rules
11 5 18 1

Wednesday, November 18, 2020

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for the Snort OpenAppID Detector content.

This release — build 339 — includes:
  • A total of 2,927 detectors.
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.
The release is available now on our downloads page. We look forward to users downloading and using the new features of 2.9.16.1's OpenAppID preprocessor and sharing their experiences with the community.

The OpenAppID package is also compatible with our Snort 3.0 release.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Tuesday, November 17, 2020

Snort rule update for Nov. 17, 2020

Cisco Talos just released the newest SNORTⓇ rule update.

This set of rules includes new protection against a critical bug in the Cisco Security Manager software that could allow a remote, unauthenticated attacker to execute arbitrary code on the victim's device. The latest Security Manager update also patches these vulnerabilities. Cisco also disclosed two other high-severity vulnerabilities this week.

Here's a breakdown of this afternoon's rule release:

Shared object rules Modified shared object rules New rules Modified rules
8 0 88 2

Tuesday, November 10, 2020

Snort rule update for Nov. 10, 2020 — Microsoft Patch Tuesday

The latest SNORTⓇ rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

Here's a breakdown of this evening's rule release:

Shared object rules Modified shared object rules New rules Modified rules
6 3 65 9