Tuesday, December 14, 2021

Snort rule update for Dec. 14, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, view all of them on Microsoft's security update page. Since our researchers are heads-down working on the Log4j vulnerability, we were not able to release a full Patch Tuesday blog post this month on the Talos site.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
00397

Wednesday, December 8, 2021

The newest version of Snort 3 is available now — Here are the latest updates and features

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.18.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

We are also excited to release a new installation guide for Snort 3 for Ubuntu 18 and 20. This guide teaches users how to install Snort 2.1.17.0 on the aforementioned operating systems. A huge thanks to Noah Dietrich for his work on these guides, as always.

Here's a rundown of all the changes and new features in this latest version of Snort 3.

Tuesday, December 7, 2021

Snort rule update for Dec. 7, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

Tuesday's rule update includes multiple rules to protect against vulnerabilities that are being exploited in the wild. One such vulnerability is CVE-2021-44515 in the Zoho patch management software. If exploited, it could allow attackers to bypass authentication and execute arbitrary code. Snort rule 58696 detects if attackers try to upload a file as part of exploiting this vulnerability.

Here's a full breakdown of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
017353

Monday, December 6, 2021

Open-source version of Snort 2.9.19.0 available now

SNORTⓇ released its newest open-source version, 2.9.19.0, this morning.

You can download this version on Snort.org. As you may remember, version 2.9.18.0 reached its end-of-life last week, so anyone using that version should update immediately. 

Tuesday, November 30, 2021

Snort rule update for Nov. 30, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

Tuesday morning's release includes a new rule to protect against the high-profile DarkSide ransomware. The group, also known as DarkMatter, targeted several high-profile companies across the globe this year, including two companies in the U.S. food and agriculture sector. 

This new rule detects when the ransomware attempts to make an outbound connection.

Here's a full breakdown of the rest of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
10 0195

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 349 — includes:
  • 3,123 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.
The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback, please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our most recent Snort 3 releases.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.

Monday, November 29, 2021

Snort 2.9.18.0 end of life

This is the notification that SNORTⓇ 2.9.18.0 will reach its End of Life (EOL) tomorrow, Nov. 30, 2021.  

Users can upgrade to the latest version of Snort 3. For more on the benefits of Snort 3, click here. Alternatively, users can update to any newer version of Snort 2.9.

Tuesday, November 23, 2021

Snort 3.1.17.0 has been released — Check out this new version!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.17.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Here's a rundown of all the changes and new features in this latest version of Snort 3.

Tuesday, November 16, 2021

Snort rule update for Nov. 12, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

Tuesday morning's release includes a new rule to protect against the SQUIRRELWAFFLE attack we detailed in late October. SQUIRRELWAFFLE provides threat actors with an initial foothold onto systems and their network environments that can then be used to facilitate further compromise or additional malware infections depending on how adversaries choose to attempt to monetize their access. 

Here's a full breakdown of the rest of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
01239

Thursday, November 4, 2021

Snort rule update for Nov. 4, 2021

The newest SNORTⓇ rule update from Cisco Talos is now available.

We apologize that these rule blog posts have not been as frequent recently — our comms team was on a bit of a fall break. But, we're excited to let everyone know about today's rule release. 

We have multiple rules available to protect against the exploitation of multiple vulnerabilities Cisco disclosed in some of their routers that could allow unauthenticated attackers to log in using hard-coded credentials or default SSH keys.

Here's a full breakdown of the rest of Tuesday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
12 0141

Wednesday, November 3, 2021

Snort 3.1.16.0 has been released!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.16.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Changes in this release (since 3.1.15.0):

  • appid: during initialization, skip loading of Lua detectors that don't have validate function
  • appid: in packet threads, skip loading of detectors that don't have validate function on reload
  • appid: provide API to give client_app_detection_type
  • codec: geneve - ensure injected packets have geneve port in outer udp header
  • detection: refactor mpse serialization
  • detection: rename PortGroup to the more apt RuleGroup (and related)
  • detection: replace PortGroup::alloc/free with ctor/dtor
  • doc: add SIP built-in rule documentation
  • doc: update built-in rule doc for SMTP, IMAP and POP inspectors
  • doc: update built-in rules documentation for dns module
  • doc: update built-in rules documentation for ftp-telnet
  • doc: updated builtin rules documentation for gtp module
  • flow: fix warning in flow_cache.cc
  • flow: use the same pkt_type to link and unlink unidirectional flows
  • http2_inspect: refactor decoded_headers_buffer for hpack decoding
  • http_inspect: eliminate cumulative js data processing
  • http_inspect: handle unordered PDUs for inline/external JavaScript normalization
  • http_inspect: improve file decompression
  • hyperscan: sort patterns for dump / load stability
  • ips: correct fast pattern port group counts
  • mpse: add md5 check to deserialization
  • reload: add logs to track reload process
  • reload: move out reload progress flag to reload tracker
  • search_engine: support hyperscan serialization
  • search_engine: support port group serialization
  • sip: track memory for sip sessions
  • ssl: disable inspection on alert only at fatal level
  • stream_tcp: fix init_wscale() to take into account the DECODE_TCP_WS flag
  • tcp: remove the obsolete GNUC block from TcpOption::next()
  • tcp: stop on the EOL option in TcpOptIteratorIter::operator++()
  • utils: add get methods to peek in internal buffer
  • utils: correct Normalizer's output upon the next scan
  • wizard: update globbing and max_pattern

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up — from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well here. Stay up to date to catch the most emerging threats.

Friday, October 29, 2021

Snort 3.1.15.0 has been released — Check out this new version!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.15.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Since the API inside of Snort 3 has changed with this version, if you are using the LightSPD package, you will need to use the latest release (posted yesterday, October 28, 2021).

Tuesday, October 19, 2021

Snort rule update for Oct. 19, 2021

The newest SNORTⓇ rule update is available this morning from Cisco Talos.

Our rule release includes detection content for several different malware families, including the AndroSpy backdoor and Quasar RAT, a .NET-based malware used by a variety of attackers.

Here's a full breakdown of the rest of Tuesday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
0230

Thursday, October 14, 2021

Snort rule update for Oct. 14, 2021

Cisco Talos released the newest SNORTⓇ rule update today. This release includes protections against several vulnerabilities, including in the Trend Micro Encryption Email Gateway and the phpMyAdmin tool.

Here's a full breakdown of the rest of Thursday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
2250

Tuesday, October 12, 2021

Snort rule update for Oct. 12, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
10378

Friday, October 8, 2021

Snort version 3.1.14.0 released — Here are all the updates and improvements

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.14.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Thursday, October 7, 2021

Snort rule update for Oct. 7, 2021

The newest SNORTⓇ rule update is available now. 

Cisco Talos' latest ruleset includes SID 58276 (SID 300053 for Snort 3) to protect against the exploitation of a zero-day vulnerability in the Apache HTTP Server Project. An attacker could exploit CVE-2021-41773 to execute remote code on the targeted machine. As of earlier this week, this exploit has already been used in the wild.

Here's a full breakdown of the rest of Thursday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
0222

Tuesday, October 5, 2021

Snort rule update for Oct. 5, 2021

Cisco Talos shared the newest rule update for SNORTⓇ this afternoon. 

Tuesday's release includes new protection against the BlackMatter ransomware attack. Japanese technology company Olympus recently suffered an attack from this group, suffering outages across its European, Middle East and Africa computer networks. BlackMatter also recently infected a large grain co-op in Iowa, with the group demanding a $5.9 million ransom payment. 

Here's a full breakdown of Thursday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
0135

Monday, September 27, 2021

Snort version 3.1.13.0 released — Here are all the updates and improvements

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.13.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Thursday, September 23, 2021

Snort rule update for Sept. 23, 2021

A new SNORTⓇ rule update is out this morning.

There are two rules in this package that protect against a zero-day vulnerability in the macOS Finder. An attacker could exploit this vulnerability by tricking a user into opening a specially crafted email attachment that executes arbitrary commands. Apple released an update for this issue, but it is still exploitable, according to security researchers.

Here's a full breakdown of Thursday's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
1201

Tuesday, September 21, 2021

Snort rule update for Sept. 21, 2021

Cisco Talos released the latest rule update for SNORTⓇ Tuesday morning.

We neglected to post about this Thursday, but there was also another rule update that Talos released late last week.

Here's a full breakdown of today's rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
1141

Tuesday, September 14, 2021

Snort rule update for Sept. 14, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
20174

Thursday, September 9, 2021

Snort version 3.1.12.0 released — Here are all the updates and improvements

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.12.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Snort rule update for Sept. 9, 2021 — New coverage for Microsoft MSHTML zero-day

The latest SNORT rule update is available this morning, including new coverage for the recently disclosed zero-day vulnerability in Microsoft MSHTML.

Users are encouraged to deploy SIDs 58120 – 58129 to detect and prevent the exploitation of CVE-2021-40444, which Microsoft disclosed earlier this week. If an adversary were to successfully exploit this vulnerability, they could remotely execute code on the victim machine or gain complete control. The Microsoft advisory also stated that proof-of-concept code for this vulnerability is available in the wild. 

Here's a full breakdown of this rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
0192

Thursday, September 2, 2021

Snort 2.9.18.0 end of life warning

This is the notification that SNORTⓇ 2.9.18.0 will reach its End of Life (EOL) on Nov. 30, 2021. In accordance with our EOL policy, and reminders we've posted in the past, we are now giving users a 90-day warning.

Earlier this week, we released version 2.9.18.1, so users should upgrade to that as soon as possible. Alternatively, users can also upgrade to the latest version of Snort 3. For more on the benefits of Snort 3, click here.

Snort rule update for Sept. 2, 2021

Cisco Talos released the latest rule update for SNORTⓇ Thursday.

This release includes new protection against a critical vulnerability Cisco recently disclosed in its NFVIS software. There is a publicly available proof-of-concept exploit available for this vulnerability that could allow an attacker to bypass authentication and log in to a vulnerable device as an admin.

Here's a full breakdown of this rule update:

Shared object rules | Modified shared object rules | New rules | Modified rules
0180

Wednesday, September 1, 2021

Snort version 2.9.18.1 has been released

We released the latest version of Snort 2.9, SNORTⓇ version 2.9.18.1, this afternoon. 

This version is a very small update that fixes a possible memory corruption issue in the SMB preprocessor. If you haven't already, we also encourage users to upgrade to Snort 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, and much more.

Here's a rundown of what's new in 2.9.18.1:

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 346 — includes:
  • 3,066 detectors. 
  • Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.
The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback, please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our most recent Snort 3 releases.

Tuesday, August 31, 2021

Snort rule update for Aug. 31, 2021

Cisco Talos released the latest SNORTⓇ rule update Tuesday afternoon. 

Today's release includes new rules to protect against vulnerabilities in Apache Flink and the Kentico content management system, among other software.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0104

Thursday, August 26, 2021

Snort rule update for Aug. 26, 2021

The newest SNORTⓇ rule update is out now from Cisco Talos.

Thursday's rule release contains new protections against some widely discussed vulnerabilities in Realtek SDKs that affect thousands of internet-of-things devices. The vulnerabilities exist in products from more than 65 manufacturers, including IP cameras, children's toys and travel routers.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0143

Tuesday, August 24, 2021

Snort rule update for Aug. 24, 2021

Cisco Talos released the latest rule update for SNORTⓇ this morning.

Our latest rule set includes two new rules to protect against the LockBit ransomware. Researchers are tracking the 2.0 version of this malware spreading rapidly across the threat landscape, recently hitting multiple high-profile targets.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
10 0140

Thursday, August 12, 2021

Snort version 3.1.10.0 released — Here are all the updates and improvements

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.10.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Snort rule update for Aug. 12, 2021

Cisco Talos released the latest rule update for SNORTⓇ this morning.

Thursday's rule update includes protection against several malware families. One rule prevents the Bandidos malware, an upgraded version of Bandook, from making an outbound connection. Security researchers recently found Bandidos being used in spying campaigns against targets in Latin America.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
050

Tuesday, August 10, 2021

Snort rule update for Aug. 10, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
20180

Thursday, August 5, 2021

Snort version 3.1.9.0 available now

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.9.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Snort rule update for Aug. 5, 2021

The latest SNORTⓇ ruleset is available this morning from Cisco Talos.

Thursday's rule update includes protection against two pre-authorization vulnerabilities in the Cisco RV series of routers. The two vulnerabilities Cisco disclosed this week could allow an attacker to trigger a denial-of-service condition or execute commands and arbitrary code on vulnerable devices.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
100

Tuesday, July 27, 2021

Snort rule update for July 27, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

We released the rule update overnight, featuring new protections against several malware families. Among the coverage are a few rules to detect a new Trickbot module that spies on users by creating an attacker-controlled virtual machine.

There are also new protections against the SeriousSAM vulnerability recently discovered in Windows 10 and 11. The vulnerability could allow an attacker to install programs, edit data or create new accounts with full user rights.

Here's a full breakdown of Monday night's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0242

Join Snort on Discord

We are excited to have SNORT® on Discord now.

Our Discord channel is the perfect place to ask questions to the community, check out new rule releases and just hang out with other members of the community.

All you have to do is click on this link and you'll be added to the community (if you've downloaded Discord).

Tuesday, July 20, 2021

Snort 2.9.8.3 end-of-life for shared object rules

Attention SNORTⓇ users and integrators:

This blog post serves as the official announcement that the shared object rules for Snort version 2.9.8.3 have now reached their end of life. This version will no longer be included in our shared object rule releases from now on. For an indeterminate amount of time, we'll still be supporting plain text rules for 2.9.8.3.

As we release new versions of Snort, occasionally we have to decommission older versions, reducing the maintenance involved in building the ruleset for these different versions. We continually review the usage of versions and strive to keep only the most actively used versions around. There are several older Snort rule integrators that are using very old versions, which is the reason those versions are still around. However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to please start your upgrades to a more recent version of Snort 2.9 or Snort 3.

Snort rule update for July 20, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Tuesday's rule update provides multiple forms of protection against the exploitation of high-severity vulnerabilities in Cisco's Business Process Automation (BPA) application and Web Security Appliance (WSA). An adversary could take advantage of these issues to access sensitive data or take over a targeted system.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
2172

Thursday, July 15, 2021

Snort rule update for July 15, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Thursday's rule update includes multiple protections against the exploitation of a critical, pre-authentication remote code execution vulnerability in ForgeRock’s Access Management. The vulnerability is patched, but attackers are still targeting vulnerable devices.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
072

Tuesday, July 13, 2021

Snort rule update for July 13, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
20195

Thursday, July 8, 2021

Snort rule update for July 8, 2021

The newest Cisco Talos rule release for SNORTⓇ is here.

Thursday's ruleset includes new protections against two recently disclosed vulnerabilities in Cisco Business Process Automation. An attacker could exploit these vulnerabilities to elevate their privileges to the level of Administrator on the targeted machine.

We also want to remind everyone that Snort version 2.9.15.0 has officially reached its end of life. Any users on that version need to update as soon as possible.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
002

Tuesday, July 6, 2021

Snort rule update for July 6, 2021 — Coverage for Kaseya supply chain attack

Cisco Talos released a new SNORTⓇ ruleset today, including a rule to protect against exploitation of the widespread Kaseya vulnerability. For more on this attack, head to the Talos blog.

Here's a full breakdown of Tuesday's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
025

Friday, July 2, 2021

2.9.15.0 has reached its end of life

Attention SNORTⓇ users and integrators:

This blog post serves as the official announcement that Snort version 2.9.15.0 has officially reached its end of life. We first announced this EOL period in March. Users are encouraged to update to a more recent version of Snort as soon as possible if they are still using 2.9.15.0.

However, version 2.9.16.0 remains active, as there are still external commitments. Users should still upgrade from that version as soon as they are able to.

As we release new versions of Snort, occasionally we have to decommission older versions, reducing the maintenance involved in building the ruleset for these different versions. We continually review the usage of versions and strive to keep only the most actively used versions around. There are several older Snort rule integrators that are using very old versions (2.9.8.3 for example), which is the reason those versions are still around. However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to please start your upgrades to 2.9.17.1 or Snort 3.

Thursday, July 1, 2021

Snort rule update for July 1, 2021

Cisco Talos released the newest SNORTⓇ ruleset overnight.

Thursday's rule update was released earlier than usual to provide immediate protection against the PrintNightmare vulnerability in Microsoft's print spooler function. Microsoft patched the vulnerability as part of June's Patch Tuesday, but PoC code appeared on GitHub this week that indicates it is more serious than initially suspected and could be used for remote code execution. 

Rules 57876 and 57877 will protect against this vulnerability.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
061

Tuesday, June 29, 2021

Snort rule update for June 29, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Tuesday's rule update includes new rules to protect against the "Victory" backdoor recently being used by a state-sponsored APT as part of a surveillance operation. There are also new rules associated with the same attack that block an RTF file the attackers use with the RoyalRoad weaponizer.

Talos also released coverage for a recently disclosed vulnerability in Cisco's Adaptive Security Appliance that is being exploited in the wild.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
2371

Thursday, June 24, 2021

Snort rule update for June 24, 2021

Cisco Talos' latest ruleset for SNORTⓇ is out now.

Today's rule update includes new rules to protect against CVE-2021-30657, a vulnerability in Mac OS Big Sur that could allow an attacker to create a malicious application that can bypass Gatekeeper checks. Apple officially disclosed and patched this vulnerability in May while acknowledging that it may have been exploited in the wild.

Here's a full breakdown of Thursday's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
030

PulledPork 3 — Rule updating for Snort 3

We are incredibly excited to release PulledPork 3 — the next evolution of PulledPork, a companion piece of software for SNORTⓇ that is specifically designed for Snort 3.

PulledPork 3 is built to use the LightSPD package. It allows a single ruleset package to adapt the rules it can run to the version of the engine running on the system and allows users to select a default policy for the ruleset.

Noah Dietrich, an extremely helpful and generous member of our community, re-wrote PulledPork from the ground up in Python (PulledPork for Snort 2.X is written in Perl). Not all PulledPork functionality carries over, but the tool is at a point now where it's ready for users to start testing it. We consider PulledPork 3 to be in alpha.

Please check out the tool here. As always, we are looking for contributors to the project as well. If you are well-versed in Python, would love to have a hand in documentation, or simply want to help "QA" the tool, all issues and pull requests against the tool are welcome.

We also created a special PulledPork channel on the newly created Snort Discord server, so feel free to contribute there as well!

Tuesday, June 22, 2021

Snort rule update for June 22, 2021

Cisco Talos released the newest rule set for SNORTⓇ this morning.

Tuesday's release includes several new rules relating to a recent wiper malware campaign that disguises itself as ransomware. These rules prevent the trojan used in this campaign from downloading a payload and also detect the open-source ASPXSpy malware, which this adversary uses.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
11 0212

Monday, June 21, 2021

New version of Snort 3 out now (3.1.6.0) — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.6.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Tuesday, June 15, 2021

Snort 2.9.18.0 released

We released SNORTⓇ version 2.9.18.0 this afternoon. 

This version includes several bug fixes and updates to improve your Snort experience. If you haven't already, we also encourage users to upgrade to Snort 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, and much more.

Here's a rundown of what's new in 2.9.18.0.

Snort rule update for June 15, 2021

Cisco Talos released the newest rule set for SNORTⓇ this morning.

Tuesday's rule release provides new protections against the IPsec Helper backdoor. The group behind the backdoor, known as Agrius, recently deployed a similar backdoor as part of a wiper malware campaign.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14 01111

Thursday, June 10, 2021

Snort rule update for June 10, 2021

SNORTⓇ's latest rule release is here, courtesy of Cisco Talos.

Thursday's rule release includes several new rules to defend against the DarkSide ransomware. These rules specifically detect any usage of a custom command and control framework the ransomware is known to use.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14 080

Tuesday, June 8, 2021

Snort rule update for June 8, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
22152

Monday, June 7, 2021

Rule released to protect against severe VMware vulnerability that attackers are exploiting in the wild

Cisco Talos released a SNORTⓇ rule over the weekend to protect against exploitation of a severe vulnerability in VMware's vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.

An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server.

Thursday, June 3, 2021

Snort rule update for June 3, 2021

SNORTⓇ's latest rule release is here, courtesy of Cisco Talos.

Thursday's rule release includes new coverage for the Necro Python bot. Talos researchers recently discovered this bot adding new functionality to target several well-known vulnerabilities. It also added a cryptocurrency miner. Read more over on the Talos blog.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0  0341

Tuesday, June 1, 2021

Snort rule update for June 1, 2021

Cisco Talos released the newest SNORTⓇ rule update Tuesday afternoon.

This release includes several new rules to protect against attacks from Russian Foreign Intelligence Service (SVR) cyber actors (aka APT29 and CozyBear). A joint release from U.S. intelligence organizations outlined the vulnerabilities this group uses to target many of its victims.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0  0154

Thursday, May 27, 2021

Snort rule update for May 27, 2021

The newest rule set for SNORTⓇ is now available from Cisco Talos. In case you missed it, there is also a new version of Snort 3 out now.

Thursday's rule release includes new coverage to protect against the REvil ransomware, which has recently been targeting health care systems.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
46  360

Tuesday, May 25, 2021

New version of Snort 3 out now — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.5.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Snort rule update for May 25, 2021

Cisco Talos released the newest rule update for SNORTⓇ on Tuesday morning. This release comes alongside the newest update for Snort 3, version 3.1.5.0.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14   019

Thursday, May 20, 2021

Snort rule update for May 20, 2021

The latest SNORTⓇ rule update is out this morning from Cisco Talos. 

Thursday's release includes new rules to protect users against the exploitation of a recently disclosed vulnerability in Cisco Prime Infrastructure.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
24   127

Tuesday, May 18, 2021

Snort rule update for May 18, 2021

Cisco Talos released the newest rule set for SNORTⓇ Tuesday morning.

This update includes a new rule to protect against the IcedID banking trojan by preventing the malware from making an outbound connection to its command and control (C2).

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
1   51317

Thursday, May 13, 2021

Snort rule update for May 13, 2021

The newest SNORTⓇ rule update is out now. This ruleset from Cisco Talos provides additional protection against the CrimsonRAT malware.

The Transparent Tribe APT, as highlighted by Talos researchers, recently added CrimsonRAT to its arsenal as it began targeting more government contractors.

Here's a breakdown of Thursday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0   01912

Wednesday, May 12, 2021

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its Snort OpenAppID Detector content.

This release — build 342 — includes:
  • 2,971 detectors.
  • Additional detectors from the open-source community. For more details on which contributions were included, see the "Authors" file in this package.

The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback, please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our Snort 3.x release.

Tuesday, May 11, 2021

Snort rule update for May 11, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
241016

Tuesday, May 4, 2021

Snort rule update for May 4, 2021

Cisco Talos released the newest rule set for SNORTⓇ on Tuesday.

This release includes multiple rules to protect against vulnerabilities in the Micro Focus Operations Bridge and the KLog Server.

Here's a breakdown of Tuesday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
1022029

Monday, May 3, 2021

New Snort 3 release available — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.4.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible, and to upgrade to Snort 3 if they have not already done so.