Thursday, December 17, 2020

Removing opensource.gz from rule releases

For many years, we have distributed a file called “opensource.gz," which contained the plaintext rule documents for each of our SNORTⓇ rules.  Since the release of this document, our documentation has improved by leaps and bounds as a result of our most recent project led by our own Kri Dontje, you can read more about those improvements in our prior blog post

Since our documentation is now more “living” and is released with every rule update, we’ve made the decision to no longer chew up the bandwidth to distribute opensource.gz, and instead point your browsers and tools to the official authority for Snort rule docs: Snort.org

The format for rule documentation links is as follows. For example, https://snort.org/rule_docs/1-56720.  Replacing the SID at the end of URL with the SID you are looking for will take you to the most updated document.  

Tools available on the internet and integrators of our ruleset onto their boxes are encouraged to create these links to Snort.org directly from their interfaces as well. 

We DO NOT encourage scraping the data, so please don’t set your “for loop’ed” cURL commands to iterate through the docs and download them — our system may block you. The docs are updated at least twice a week, so we want you to link to them to ensure you are getting the most updated version. 

The latest version of PulledPork will no longer request the opensource.gz file, and future requests for opensource.gz will be met with a 422, 404 or 403 error. 

Snort rule update for Dec. 17, 2020

The latest SNORTⓇ rule update is available now, courtesy of Cisco Talos.

Thursday's release contains numerous rules to protect against various malware families. Among the new rules is one to detect the Egregor ransomware, which is recently experiencing a surge and has even infected retail chain K-Mart's network.

If you haven't already, please check out all of Talos' coverage around the SolarWinds incident. We have new rules protecting against the exploitation of the backdoor in question. And we also have previous detection for the FireEye products affected by this attack.

Here's a breakdown of this morning's rule release:

Shared object rulesModified shared object rulesNew rulesModified rules
90524

Wednesday, December 9, 2020

Snort rule update for Dec. 9, 2020 — FireEye breach detection guidance

Cyber security firm FireEye recently disclosed an incident that was reported to have resulted in the inadvertent disclosure of various internally developed offensive security tools (OSTs) that were used across FireEye red-team engagements.

Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. This is even evident in the naming convention used in the coverage designated by FireEye. 

FireEye provided a list of CVEs in their blog to allow customers to assess their vulnerability to the tools. Here is the existing coverage for those CVEs:

Additionally, we've released several new rules that protect against these vulnerabilities, specifically defending against the use of Cobalt Strike. For more, check our full rule advisory here.

Tuesday, December 8, 2020

Snort rule update for Dec. 8, 2020 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for all of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this week, head to the Talos blog.

Here's a breakdown of this evening's rule release:

Shared object rules Modified shared object rules New rules Modified rules
0 0 9 3

Monday, December 7, 2020

Soft Release: lightSPD, the new rules package for Snort 3



By Patrick Mullen.

Today, we released a new rules and configurations package style, named lightSPD, for Snort 3. 

This is only a "soft" release at this time, so information will be light, but we at Talos wanted to give users the opportunity to take a sneak peek at what is to come. This blog post assumes a basic understanding of running Snort 3. If you need to get up to speed, please download and install Snort 3 and read the documentation for running Snort 3 located on GitHub here. As always, you can find the basics of Snort on our Resources page.

One of the biggest features of the lightSPD package is that it contains configurations for all versions of Snort 3 in one package, and, new to open-source users, it contains multiple policy configurations, rather than just rule sets. Using lightSPD, users can select Snort configurations that are tailored more toward speed or more toward detection and depth of inspection.  

Thursday, December 3, 2020

Snort rule update for Dec. 3, 2020

The latest SNORTⓇ rule release is out this morning, courtesy of Cisco Talos.

Today's rule update includes several new rules protecting against some of the most prevalent malware families in the wild. There are two rules, specifically, for the ever-present Emotet botnet, which is surging at the end of 2020 after a somewhat quiet summer and fall period.

Here's a breakdown of Tuesday's rule release:

Shared object rulesModified shared object rulesNew rulesModified rules
20154

Tuesday, December 1, 2020

Snort rule update for Dec. 1, 2020

This morning, Cisco Talos released the newest SNORTⓇ rule update.

Our latest release includes new rules protecting against the Remcos and Zeus malware, along with several other malware families. 

Here's a breakdown of Tuesday's rule release:

Shared object rules Modified shared object rules New rules Modified rules
2 0 15 8