Tuesday, July 27, 2021

Snort rule update for July 27, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

We released the rule update overnight, featuring new protections against several malware families. Among the coverage are a few rules to detect a new Trickbot module that spies on users by creating an attacker-controlled virtual machine.

There are also new protections against the SeriousSAM vulnerability recently discovered in Windows 10 and 11. The vulnerability could allow an attacker to install programs, edit data or create new accounts with full user rights.

Here's a full breakdown of Monday night's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0242

Join Snort on Discord

We are excited to have SNORT® on Discord now

Our Discord channel is the perfect place to ask questions to the community, check out new rule releases and just hang out with other members of the community.

All you have to do is click on this link and you'll be added to the community (if you've downloaded Discord).

Tuesday, July 20, 2021

Snort 2.9.8.3 end-of-life for shared object rules

Attention SNORTⓇ users and integrators:

This blog post serves as the official announcement that the shared object rules for Snort version 2.9.8.3 have now reached their end of life. This version will no longer be included in our shared object rule releases from now on. For an indeterminate amount of time, we'll still be supporting plain text rules for 2.9.8.3.

As we release new versions of Snort, we occasionally have to decommission older versions, which reduces the maintenance burden of building the ruleset for each supported version. We continually review version usage and strive to keep only the most actively used versions around. Several older Snort rule integrators are still using very old versions, which is why those versions remain supported. However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to start your upgrade to a more recent version of Snort 2.9 or to Snort 3.

Snort rule update for July 20, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Tuesday's rule update provides multiple forms of protection against the exploitation of high-severity vulnerabilities in Cisco's Business Process Automation (BPA) application and Web Security Appliance (WSA). An adversary could take advantage of these issues to access sensitive data or take over a targeted system.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
2172

Thursday, July 15, 2021

Snort rule update for July 15, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Thursday's rule update includes multiple protections against the exploitation of a critical, pre-authentication remote code execution vulnerability in ForgeRock’s Access Management. The vulnerability is patched, but attackers are still targeting vulnerable devices.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
072

Tuesday, July 13, 2021

Snort rule update for July 13, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
20195

Thursday, July 8, 2021

Snort rule update for July 8, 2021

The newest Cisco Talos rule release for SNORTⓇ is here.

Thursday's ruleset includes new protections against two recently disclosed vulnerabilities in Cisco Business Process Automation. An attacker could exploit these vulnerabilities to elevate their privileges to the level of Administrator on the targeted machine.

We also want to remind everyone that Snort version 2.9.15.0 has officially reached its end of life. Any users on that version need to update as soon as possible.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
002

Tuesday, July 6, 2021

Snort rule update for July 6, 2021 — Coverage for Kaseya supply chain attack

Cisco Talos released a new SNORTⓇ ruleset today, including a rule to protect against exploitation of the widespread Kaseya vulnerability. For more on this attack, head to the Talos blog.

Here's a full breakdown of Tuesday's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
025

Friday, July 2, 2021

2.9.15.0 has reached its end of life

Attention SNORTⓇ users and integrators:

This blog post serves as the official announcement that Snort version 2.9.15.0 has officially reached its end of life. We first announced this EOL period in March. Users are encouraged to update to a more recent version of Snort as soon as possible if they are still using 2.9.15.0.

However, version 2.9.16.0 remains active, as there are still external commitments, though users of that version should still upgrade as soon as they are able.

As we release new versions of Snort, we occasionally have to decommission older versions, which reduces the maintenance burden of building the ruleset for each supported version. We continually review version usage and strive to keep only the most actively used versions around. Several older Snort rule integrators are still using very old versions (2.9.8.3, for example), which is why those versions remain supported. However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to start your upgrade to 2.9.17.1 or Snort 3.

Thursday, July 1, 2021

Snort rule update for July 1, 2021

Cisco Talos released the newest SNORTⓇ ruleset overnight.

Thursday's rule update was released earlier than usual to provide immediate protection against the PrintNightmare vulnerability in the Windows Print Spooler service. Microsoft patched the vulnerability as part of June's Patch Tuesday, but PoC code appeared on GitHub this week indicating that it is more serious than initially suspected and could be used for remote code execution.

Rules 57876 and 57877 will protect against this vulnerability.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
061

Tuesday, June 29, 2021

Snort rule update for June 29, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Tuesday's rule update includes new rules to protect against the "Victory" backdoor recently being used by a state-sponsored APT as part of a surveillance operation. There are also new rules associated with the same attack that block an RTF file the attackers use with the RoyalRoad weaponizer.

Talos also released coverage for a recently disclosed vulnerability in Cisco's Adaptive Security Appliance that is being exploited in the wild.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
2371

Thursday, June 24, 2021

Snort rule update for June 24, 2021

Cisco Talos' latest ruleset for SNORTⓇ is out now.

Today's rule update includes new rules to protect against CVE-2021-30657, a vulnerability in macOS Big Sur that could allow an attacker to create a malicious application that bypasses Gatekeeper checks. Apple officially disclosed and patched this vulnerability in May while acknowledging that it may have been exploited in the wild.

Here's a full breakdown of Thursday's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
030

PulledPork 3 — Rule updating for Snort 3

We are incredibly excited to release PulledPork 3 — the next evolution of PulledPork, a companion piece of software for SNORTⓇ that is specifically designed for Snort 3.

PulledPork 3 is built to use the LightSPD package. It allows a single ruleset package to adapt the rules it can run to the version of the engine running on the system and allows users to select a default policy for the ruleset.

Noah Dietrich, an extremely helpful and generous member of our community, re-wrote PulledPork from the ground up in Python (PulledPork for Snort 2.x is written in Perl). Not all PulledPork functionality carries over, but the tool is at a point now where it's ready for users to start testing it. We consider PulledPork 3 to be in alpha.

Please check out the tool here. As always, we are looking for contributors to the project as well. If you are well-versed in Python, would love to have a hand in documentation, or simply want to help "QA" the tool, all issues and pull requests against the tool are welcome.

We also created a special PulledPork channel on the newly created Snort Discord server, so feel free to contribute there as well!

Tuesday, June 22, 2021

Snort rule update for June 22, 2021

Cisco Talos released the newest rule set for SNORTⓇ this morning.

Tuesday's release includes several new rules relating to a recent wiper malware campaign that disguises itself as ransomware. These rules prevent the trojan used in this campaign from downloading a payload and also detect the open-source ASPXSpy malware that this adversary uses.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
11 0212

Monday, June 21, 2021

New version of Snort 3 out now (3.1.6.0) — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.6.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Tuesday, June 15, 2021

Snort 2.9.18.0 released

We released SNORTⓇ version 2.9.18.0 this afternoon. 

This version includes several bug fixes and updates to improve your Snort experience. If you haven't already, we also encourage users to upgrade to Snort 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, and much more.

Here's a rundown of what's new in 2.9.18.0.

Snort rule update for June 15, 2021

Cisco Talos released the newest rule set for SNORTⓇ this morning.

Tuesday's rule release provides new protections against the IPsec Helper backdoor. The group behind the backdoor, known as Agrius, recently deployed a similar backdoor as part of a wiper malware campaign.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14 01111

Thursday, June 10, 2021

Snort rule update for June 10, 2021

SNORTⓇ's latest rule release is here, courtesy of Cisco Talos.

Thursday's rule release includes several new rules to defend against the DarkSide ransomware. These rules specifically detect any usage of a custom command and control framework that the ransomware has been known to use.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14 080

Tuesday, June 8, 2021

Snort rule update for June 8, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
22152

Monday, June 7, 2021

Rule released to protect against severe VMware vulnerability that attackers are exploiting in the wild

Cisco Talos released a SNORTⓇ rule over the weekend to protect against exploitation of a severe vulnerability in VMware's vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.

An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server.

Thursday, June 3, 2021

Snort rule update for June 3, 2021

SNORTⓇ's latest rule release is here, courtesy of Cisco Talos.

Thursday's rule release includes new coverage for the Necro Python bot. Talos researchers recently discovered this bot adding new functionality to target several well-known vulnerabilities. It also added a cryptocurrency miner. Read more over on the Talos blog.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0  0341

Tuesday, June 1, 2021

Snort rule update for June 1, 2021

Cisco Talos released the newest SNORTⓇ rule update Tuesday afternoon.

This release includes several new rules to protect against attacks from Russian Foreign Intelligence Service (SVR) cyber actors (aka APT29 and CozyBear). A joint release from U.S. intelligence organizations outlined the vulnerabilities this group uses to target many of its victims.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0  0154

Thursday, May 27, 2021

Snort rule update for May 27, 2021

The newest rule set for SNORTⓇ is now available from Cisco Talos. In case you missed it, there is also a new version of Snort 3 out now.

Thursday's rule release includes new coverage to protect against the REvil ransomware, which is recently known for targeting health care systems.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
46  360

Tuesday, May 25, 2021

New version of Snort 3 out now — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.5.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Snort rule update for May 25, 2021

Cisco Talos released the newest rule update for SNORTⓇ on Tuesday morning. This release comes alongside the newest update for Snort 3 — version 3.1.5.0.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14   019

Thursday, May 20, 2021

Snort rule update for May 20, 2021

The latest SNORTⓇ rule update is out this morning from Cisco Talos. 

Thursday's release includes new rules to protect users against the exploitation of a recently disclosed vulnerability in Cisco Prime Infrastructure.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
24   127

Tuesday, May 18, 2021

Snort rule update for May 18, 2021

Cisco Talos released the newest rule set for SNORTⓇ Tuesday morning.

This update includes a new rule to protect against the IcedID banking trojan by preventing the malware from making an outbound connection to its command and control (C2). 

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
1   51317

Thursday, May 13, 2021

Snort rule update for May 13, 2021

The newest SNORTⓇ rule update is out now. Cisco Talos released this ruleset providing additional protection against the CrimsonRAT malware.

The Transparent Tribe APT, as highlighted by Talos researchers, recently added CrimsonRAT to their arsenal as they began targeting more government contractors. 

Here's a breakdown of Thursday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0   01912

Wednesday, May 12, 2021

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its Snort OpenAppID Detector content.

This release — build 342 — includes:
  • 2,971 detectors.
  • Additional detectors from the open-source community. For more details on which contributions were included, see the "Authors" file in this package.

The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback, please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our Snort 3.x release.

Tuesday, May 11, 2021

Snort rule update for May 11, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
241016

Tuesday, May 4, 2021

Snort rule update for May 4, 2021

Cisco Talos released the newest rule release for SNORTⓇ Tuesday.

This release includes multiple rules to protect against vulnerabilities in the Micro Focus Operations Bridge and the KLog Server. 

Here's a breakdown of Tuesday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
1022029

Monday, May 3, 2021

New Snort 3 release available — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.4.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible, and to upgrade to Snort 3 if they have not already done so.

Thursday, April 29, 2021

Snort rule update for April 29, 2021

Cisco Talos just released the latest SNORTⓇ rule update.

Thursday's release includes protection against the exploitation of a recently disclosed vulnerability in Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software. An adversary could exploit this vulnerability to cause a denial-of-service condition on a client's VPN connection if they're using an affected version of the Cisco Secure Client. 

Here's a breakdown of this rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
3063

Tuesday, April 27, 2021

Snort rule update for April 27, 2021

Cisco Talos released the latest SNORT® rule update Tuesday morning.

Today's release includes several new rules to protect against attacks from the LemonDuck threat group. Talos first discovered LemonDuck spreading cryptocurrency miners, but it has now shifted to targeting vulnerable Microsoft Exchange Servers to deploy ransomware.

Here's a breakdown of Tuesday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
60612

Friday, April 23, 2021

Recording: Snort 3 and me — an introduction and overview

Our first entry in the "Snort 3 and me" webinar series is the perfect place to start if you've never worked with Snort 3 before.

If you missed our presentation from earlier this week, we've uploaded the full version to the Cisco Talos YouTube channel. You can also check it out above.

Stay tuned for more information on the next entry in our webinar series.

Thursday, April 22, 2021

2.9.8.3 Shared Object end-of-life

Attention users of SNORTⓇ version 2.9.8.3: This serves as your official end-of-life notification. However, this EOL notification is a bit unique.

We will be moving to an "end of life" for shared object rules for Snort version 2.9.8.3 in 90 days (July 20, 2021). After that, for an indeterminate amount of time, we will support 2.9.8.3 for plain text rules only.

If you are using version 2.9.8.3, you should immediately start making plans to move off of that version altogether. 

Please see our other announcement recently on the EOL of 2.9.15.0 and 2.9.16.0. 

Tuesday, April 20, 2021

Snort rule update for April 20, 2021

Cisco Talos released the latest SNORT® rule update Tuesday afternoon.

Today's release includes several rules to protect against the exploitation of a recently discovered vulnerability in the VMware View Planner virtual desktop deployment platform. An attacker could use this vulnerability to gain the ability to execute remote code on the victim machine.

There is also one rule preventing the Remcos RAT from making an outbound connection to its command and control server. Remcos is recently known for being attached to COVID-19-themed spam campaigns.

Here's a breakdown of Tuesday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0092

Thursday, April 15, 2021

Snort rule update for April 15, 2021

Cisco Talos released the newest rule update for SNORTⓇ this morning.

Thursday's rule release includes several new rules to protect against the Raindrop malware. This threat was recently discovered being deployed by actors exploiting the well-known vulnerabilities in SolarWinds. This supply chain attack targeted many high-profile organizations and government agencies.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
20137

Tuesday, April 13, 2021

Snort rule update for April 13, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
11110

Thursday, April 8, 2021

New "Snort 3 and me" webinar series launches on April 20

Have you upgraded to Snort 3 yet? Want to learn how to transition?

With Snort 3, rules are faster and more efficient, users have more control over their Snort experience, and it runs on multiple environments and operating systems.

To help you make the switch, we're launching a new series of webinars with the help of the Snort product team and our friends across Cisco. 

To kick things off, Alex Tatistcheff, a technical marketing manager for Cisco, will be holding a presentation on Snort 3 on April 20 at 11 a.m. ET. Alex will address specific questions anyone has about Snort 3 and walk you through how to have a successful migration to Snort 3. You can register for this webinar here.

Alex is the author of the book "Essential Firepower: Your best practice guide to configuring Cisco's Next Generation Firewall" and is an expert on all things Snort.

Thursday, April 1, 2021

Snort rule update for April 1, 2021

The latest SNORTⓇ rule update is available this morning, courtesy of Cisco Talos.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
01632

Applications open now for Snort scholarship

Applications are now open for the $10,000 Snort scholarship. We encourage everyone who is eligible to apply here. We will be accepting applications through the end of the month.

After that, our hand-picked panel will look at the submissions and select two students to receive a $10,000 award each.

For more detailed instructions on how to apply, check out the video below.

Monday, March 29, 2021

Official EOL Notice for 2.9.15.0 and 2.9.16.0

Attention Snort Users and Integrators:

This blog post serves as your official 90-day notice that we will be EOL'ing rule support for versions 2.9.15.0 and 2.9.16.0 as of 2021-06-27 or June 27, 2021.

As we release new versions of Snort, we occasionally have to decommission older versions, which reduces the maintenance burden of building the ruleset for each supported version. We continually review version usage and strive to keep only the most actively used versions around. Several older Snort rule integrators are still using very old versions (2.9.8.3, for example), which is why those versions remain supported. However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to start your upgrade to 2.9.17.1 or Snort 3.

Our next versions to EOL will be 2.9.16.1, 2.9.11.1, and 2.9.14.1, so we encourage users of those versions to start your upgrade planning now.

2.9.17.1 has been released!

We are pleased to release a minor bug fix version of Snort, 2.9.17.1. Since all new development focus is on Snort 3, we encourage you to take a look at it.

First, some release notes:

Snort 2.9.17.1

Improvements / Fixes
  • Fixed wrong reference to configuration during
  • Fixed possible memleak in appid.
  • Fixed a race-condition in http preproc and IPS.
  • Fixed a race-condition in stream preproc.

As always, this maintenance release of Snort 2.9.17.1 is available on our Snort downloads page. For any questions, please feel free to visit our Snort-Users mailing list.

Thursday, March 25, 2021

Snort rule update for March 25, 2021

Cisco Talos released the newest rule update for SNORTⓇ this morning.

Thursday's release includes another new rule to protect against attacks from the Hafnium threat group that's been recently spotted exploiting zero-day vulnerabilities in Microsoft Exchange Server. 

There are also multiple rules to protect against the exploitation of several vulnerabilities Cisco recently disclosed in its IOS XE software. Cisco disclosed 15 vulnerabilities earlier this week, all of which are considered to be high-severity.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
16342

Video: Snort 3 roundtable discussion

To celebrate the release of Snort 3, we gathered up some of SNORTⓇ's most influential team members to talk about everything you could ever hope to know about this iteration of Snort.

We were lucky enough to pull in Marty Roesch, the creator of Snort, along with Patrick Mullen of Cisco Talos, Russ Combs of the Snort product development team, and Joel Esler, the open-source and community manager. The four of them talked about all things Snort 3, going all the way back to its initial inception almost 10 years ago.

They also discuss the benefits of upgrading to Snort 3, new tools and features you may have never heard of and other changes that could be coming in the future. Watch the full discussion below or over on the Talos YouTube page.

With Snort 3, rules are faster and more efficient, users have more control over their Snort experience, and it runs on multiple environments and operating systems. We encourage everyone to shift over to Snort 3 from any version of Snort 2. You can download the source from snort.org or pull it from GitHub.

Thursday, March 18, 2021

Snort scholarship returning this year — here’s what you need to know

The SNORT® scholarship is back this year with a new application process and new benefits that will set this year’s winners up for a future career in cybersecurity (hopefully with Cisco Talos). 

We will accept applications from April 1 through the end of the month. After that, our hand-picked panel will select two winners, each of whom will be awarded a $10,000 scholarship.

To be eligible for the scholarship, you must have or be eligible to receive your high school diploma or an equivalent in 2021 as of the date Cisco receives your application. Each applicant must provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cybersecurity or a similarly related field of study from a school located in the U.S. or a U.S. territory.  

Snort rule update for March 18, 2021 — Additional rules to protect against Hafnium attacks

The latest rule update for SNORTⓇ released early this morning via Cisco Talos.

This latest release provides several new rules to protect against attacks from the Hafnium state-sponsored actor. Microsoft first discovered this group a few weeks ago when it disclosed several zero-day vulnerabilities in the Exchange Server software. Hafnium reportedly exploited these vulnerabilities to steal emails, among other malicious actions.

These new rules prevent a web shell upload attempt commonly seen with Hafnium.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
111122

Tuesday, March 16, 2021

Snort rule update for March 16, 2021

The newest SNORTⓇ rule release arrived this morning, courtesy of Cisco Talos.

Tuesday's release includes a new rule protecting against the exploitation of the critical vulnerabilities in F5 BIG-IP and BIG-IQ. An adversary could exploit these vulnerabilities, which F5 disclosed last week, to take complete control of affected systems to execute malicious code, disable services and create or delete files, among other malicious actions. 

The new Snort rule detects when attackers try to inject arbitrary commands via the iControl REST interface.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
8011

Thursday, March 11, 2021

Snort rule update for March 11, 2021

Cisco Talos released the newest rule update for SNORTⓇ Thursday afternoon.

This latest release includes multiple rules to protect against the DEWMODE malware. Attackers exploit vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA) to install this web shell. This malware family was first discovered in late February.

Here's a breakdown of the rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
101211

Tuesday, March 9, 2021

Snort rule update for March 9, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
701611

Thursday, March 4, 2021

Snort rule update for March 4, 2021 — Continuing coverage for Microsoft Exchange zero-day

Cisco Talos released another rule update for SNORTⓇ last night that adds additional protection against the exploitation of zero-day vulnerabilities in Microsoft Exchange Server. This follows the eight rules we released earlier this week.

Microsoft disclosed these vulnerabilities earlier in the week, attributing the attacks to a group known as HAFNIUM. For more on this threat, head to the Talos blog.

Here's a breakdown of Wednesday's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
2254

Wednesday, March 3, 2021

Snort rule update for March 3, 2021

The newest SNORTⓇ rule release arrived overnight, courtesy of Cisco Talos. 

Tuesday's release is primarily focused on the recent vulnerabilities Microsoft disclosed in Exchange Server. The company released a statement yesterday warning that a state-sponsored actor was exploiting these zero-day vulnerabilities to steal sensitive information from U.S.-based infectious disease researchers, law firms, colleges, defense contractors, think tanks and non-governmental organizations.

These vulnerabilities are considered to be very serious, and all users should update their affected products as soon as possible. Additionally, this rule release provides rules 57233, 57234 and 57241-57246 to protect users against the exploitation of these vulnerabilities.
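Rule announcements like this one (SIDs 57233, 57234 and 57241-57246) and the PrintNightmare post above (SIDs 57876 and 57877) only help if the named rules actually made it into the deployed ruleset and were not left commented out by a policy or a local tuning step. The following script is an added example written for this page, not Snort, PulledPork or Talos code: it scans a rules file for a list of SIDs and reports each as enabled, disabled (present but commented out) or missing. The rules file content embedded in it is constructed with placeholder rule bodies; only the SID numbers come from the posts above.

```python
"""Audit a Snort rules file for specific SIDs: are they present and enabled?"""
import re
from typing import Dict, List, Optional, Tuple

# Matches the sid option inside a rule body, e.g. "sid:57876;" or "sid: 57876 ;"
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Rule actions accepted by Snort 2 and Snort 3; anything else is not a rule line
_ACTION_RE = re.compile(r"^(alert|drop|block|reject|log|pass|sdrop)\b")


def parse_rule_line(line: str) -> Optional[Tuple[int, bool]]:
    """Return (sid, enabled) for a rule line, or None if the line is not a rule.

    A rule preceded by '#' is present in the file but disabled; a comment that
    does not start with a rule action (a plain remark) is ignored entirely.
    """
    stripped = line.strip()
    if not stripped:
        return None
    enabled = True
    if stripped.startswith("#"):
        stripped = stripped.lstrip("#").strip()
        enabled = False
    if not _ACTION_RE.match(stripped):
        return None
    match = _SID_RE.search(stripped)
    if not match:
        return None
    return int(match.group(1)), enabled


def expand_sid_ranges(spec: str) -> List[int]:
    """Expand a spec such as "57233, 57234, 57241-57246" into a sorted SID list."""
    sids = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            low, high = (int(x) for x in part.split("-", 1))
            sids.update(range(low, high + 1))
        elif part:
            sids.add(int(part))
    return sorted(sids)


def audit_sids(rules_text: str, wanted: List[int]) -> Dict[int, str]:
    """Map each wanted SID to 'enabled', 'disabled' or 'missing'.

    If a SID appears more than once (e.g. an old revision left commented out
    next to a live one), an enabled copy wins over a disabled one.
    """
    status = {sid: "missing" for sid in wanted}
    for line in rules_text.splitlines():
        parsed = parse_rule_line(line)
        if parsed is None:
            continue
        sid, enabled = parsed
        if sid in status and (enabled or status[sid] == "missing"):
            status[sid] = "enabled" if enabled else "disabled"
    return status


# Constructed sample rules file: placeholder bodies, not the real Talos rules.
SAMPLE_RULES = """\
# constructed sample file; rule bodies are placeholders
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER rule A"; sid:57876; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER rule B"; sid:57877; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER rule C"; sid:57233; rev:2;)
"""

if __name__ == "__main__":
    wanted_sids = expand_sid_ranges("57876, 57877, 57233, 57234, 57241-57246")
    for sid, state in audit_sids(SAMPLE_RULES, wanted_sids).items():
        print(f"{sid}: {state}")
```

Point it at the concatenated rules directory of a real deployment (for Snort 3, the `.rules` files PulledPork writes out) and any SID reported as "missing" or "disabled" is a gap between the coverage announced here and the coverage actually running on the sensor.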

Here's a breakdown of the rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
10140
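A practical follow-up to a release like this is confirming that the named SIDs actually made it into your deployed ruleset and are not commented out. The POSIX shell check below is an added example, not part of the Talos release or the Snort project; the rules file it builds is a constructed placeholder whose rule bodies are invented filler, and only the SID numbers (57233, 57234, 57241-57246) come from the post. Point `sid_status` and `check_coverage` at your real `snort.rules` or `local.rules` instead.

```shell
#!/bin/sh
# Added example: report whether specific SIDs are present and enabled in a rules file.
# The file below is CONSTRUCTED for this demo. Its rule bodies are placeholders,
# not the real Talos rule text; only the SID values are taken from the release note.
RULES_FILE="$(mktemp)"
trap 'rm -f "$RULES_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PLACEHOLDER rule A"; flow:to_server,established; sid:57233; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PLACEHOLDER rule B"; flow:to_server,established; sid:57234; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PLACEHOLDER rule C (disabled)"; flow:to_server,established; sid:57241; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"PLACEHOLDER rule D"; flow:to_server,established; sid:57242; rev:1;)
EOF

# sid_status FILE SID -> prints "enabled", "disabled" (commented out) or "missing".
# The SID is anchored on both sides (delimiter before "sid:", ";" after the number)
# so 57233 does not match 157233 or 572331.
sid_status() {
  file="$1"; sid="$2"
  if grep -Eq "^[[:space:]]*(alert|drop|block|reject|log|pass)[[:space:]].*[[:space:];(]sid:[[:space:]]*${sid}[[:space:]]*;" "$file"; then
    echo enabled
  elif grep -Eq "^[[:space:]]*#.*[[:space:];(]sid:[[:space:]]*${sid}[[:space:]]*;" "$file"; then
    echo disabled
  else
    echo missing
  fi
}

# sid_range FIRST LAST -> expands an inclusive range such as 57241-57246 to one SID per line.
sid_range() { seq "$1" "$2"; }

# check_coverage FILE SID... -> prints "SID status" per SID; returns 1 if any SID is not enabled.
check_coverage() {
  file="$1"; shift
  rc=0
  for s in "$@"; do
    st="$(sid_status "$file" "$s")"
    echo "$s $st"
    [ "$st" = enabled ] || rc=1
  done
  return $rc
}

# Usage: check the SIDs listed in the release note against the (constructed) rules file.
# shellcheck disable=SC2046
check_coverage "$RULES_FILE" 57233 57234 $(sid_range 57241 57246) || echo "coverage gaps found"
```

On the constructed file this reports 57233, 57234 and 57242 as enabled, 57241 as disabled and 57243-57246 as missing, and exits non-zero, which is the signal you want from a post-update check in a cron job or CI step.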

Tuesday, February 23, 2021

Snort rule update for Feb. 23, 2021

Cisco Talos released the newest rule update for SNORTⓇ on Tuesday morning.

Today's release includes multiple rules to defend against attacks from the Gamaredon threat group. Talos researchers have spotted this group carrying out multiple attacks recently that appear to be mainly motivated by stealing users' information and selling it to other threat actors. For more on this group, check out Talos' full research post.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0223357

Monday, February 22, 2021

Snort calendar poster giveaway

Each month for the rest of this year, we'll be giving away a poster of the previous month's Snort calendar illustration. We're kicking things off with a giveaway of a Scrapple Street poster.

To enter this month's random drawing, we want you to go on Twitter and send us a picture of your favorite Snort swag. This can be anything from a T-shirt to a previous year's calendar or your favorite squishy Snorty.

Tag us on Twitter @snort and use #SnortCal2021 by Friday, Feb. 26, at 10 a.m. ET to be entered in the drawing, and we'll select one winner at random.

By participating in this contest, you are agreeing to Twitter’s contest rules. And if you don’t win this month’s, don’t worry, you’ll have another chance in March! Sorry, no multi-time winners.

Thursday, February 18, 2021

Snort rule update for Feb. 18, 2021

The newest rule update for SNORTⓇ is here, courtesy of Cisco Talos.

Thursday's release includes multiple rules to protect against the exploitation of a vulnerability VMware recently disclosed in its virtualization software. VMware disclosed the vulnerability this week, warning that an attacker could exploit it to execute shell commands on the underlying system.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
61123

Tuesday, February 16, 2021

Snort rule update for Feb. 16, 2021

Cisco Talos released the newest rule set for SNORTⓇ on Tuesday morning.

Today's update includes several rules to detect the ObliqueRAT malware making an outbound connection to its command and control (C2) server. Cisco Talos has documented this trojan several times. If installed, ObliqueRAT gives its operators the ability to execute arbitrary commands, exfiltrate files, drop additional payloads and terminate processes on the infected endpoint.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
62152

Thursday, February 11, 2021

Snort rule update for Feb. 11, 2021

Cisco Talos released the newest rule update for SNORTⓇ Thursday morning.

Today's rule update provides several new protections against the Masslogger credential-stealing malware. There is also a rule protecting against a heap buffer overflow attempt in Adobe Acrobat that Adobe disclosed earlier this week as part of its monthly security update.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
502116

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for the Snort OpenAppID Detector content.

This release — build 341 — includes:
  • A total of 2,926 detectors.
  • Additional detectors from the open-source community. For details on which contributions were included, see the "Authors" file in this package.
The release is available now on our downloads page. We look forward to users downloading and using the new features of the 2.9.17.0 OpenAppID preprocessor and sharing their experiences with the community.

The OpenAppID package is also compatible with our Snort 3.x release.

The OpenAppID community has a mailing list specifically dedicated to the exchange and discussion of detector content. Please visit the mailing lists page to sign up.

Tuesday, February 9, 2021

Snort rule update for Feb. 9, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
1002111

Thursday, February 4, 2021

Snort rule update for Feb. 4, 2021

The newest SNORTⓇ rule release is here, courtesy of Cisco Talos.

Thursday's rule set comes with protection against the exploitation of several vulnerabilities Cisco recently disclosed in some of its VPN routers. If exploited, an adversary could execute code remotely on the targeted device.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
003718

Tuesday, February 2, 2021

Snort rule update for Feb. 2, 2021

Cisco Talos released the newest rule set for SNORTⓇ Tuesday morning.

There are multiple rules in this release that protect against Generickdz, a generic detection name often applied to Windows trojans. Our two new rules block the malware from downloading its final payload.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
70421

Thursday, January 28, 2021

Snort rule update for Jan. 28, 2021

This afternoon, Cisco Talos released the newest rule update for SNORTⓇ.

Thursday's release mainly provides coverage for multiple malware families. We have new and updated coverage for the Karagany malware family, which is known for targeting the energy sector, as well as the Nymaim downloader.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
20294

Tuesday, January 26, 2021

Snort rule update for Jan. 26, 2021

The newest SNORTⓇ rule set is available this morning, courtesy of Cisco Talos.

Tuesday's release includes rules protecting against a multitude of malware families, including well-known threats like Emotet and Zbot. There is also new coverage for the ElectroRAT trojan, which was recently spotted in the wild trying to steal funds from users' cryptocurrency wallets.

Here's a breakdown of this morning's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
122401

Monday, January 25, 2021

New Snort virtual meeting backgrounds available

We love sharing the SNORTⓇ calendar with our users every year. Our designers enjoy creating new designs and themes and we are always humbled by the support it receives every year.

Usually, we love to see pictures of the calendars hung up at cubicles, on the walls of meeting rooms or placed among armies of colored Snorties on desks and server racks.

Unfortunately, all our workspaces look different now than they did this time last year. It looks like it could be many months before we all return to a regular in-person schedule at the office, so instead we've turned to virtual meeting tools like Cisco WebEx to connect with team members.

We get that your home office is not always in peak condition, or you just want to give off the idea that you're on a tropical island while sitting in that 4:30 p.m. meeting on a Friday. But why not sprinkle in a bit of your Snort fandom?

To help you show off your love of Snort and the Snort calendar, we've converted this year's monthly illustrations into virtual meeting backgrounds, which you can find and download here. Feel free to show off the might of the Sowerpuff Curls or transport your colleagues back in time with the Flintsnouts.

Friday, January 22, 2021

New installation guides for Snort 3 GA

We are excited to release three new guides on the revamped Snort 3 page today to assist users with installing the new Snort 3 GA, version 3.1.0.0, in several different environments.

The guides will walk you through installing our official Snort 3 release on CentOS Stream, OracleLinux 8 and Ubuntu 18 and 20.

Thursday, January 21, 2021

Snort rule update for Jan. 21, 2021

Cisco Talos released the latest SNORTⓇ rule update this morning. This is our second rule release since Snort 3 was officially released. Snort 3 is a total overhaul of Snort as you know it, so you won't want to waste any time switching over. For more information, read our blog post on the release and visit the Snort 3 page on Snort.org.

Thursday's release provides several rules to protect against the exploitation of critical remote code execution vulnerabilities in Cisco's SD-WAN solutions. The most serious among the group of vulnerabilities Cisco disclosed this week is one that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system with root privileges.

Here's a breakdown of today's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
22250

Tuesday, January 19, 2021

Snort 3 officially released

We know users have been anticipating this day for years. So, we are excited to announce that the official release of Snort 3 is here! The version number is 3.1.0.0.

Snort is an open-source intrusion prevention system (IPS) capable of real-time traffic analysis and packet logging. Snort 3 is the next step in our years-long journey of protecting users' networks from unwanted traffic, malicious software, spam and phishing documents.

When we started thinking about what the next generation of IPS should look like, we decided to start from scratch. This latest version of Snort is the result of more than seven years of development and hard work from our team. After many years of success, it is time for Snort to evolve, incorporating the lessons we have learned over the software's existence to make it even more effective.

With Snort 3, rules are faster and more efficient, users have more control over their Snort experience, and it runs on multiple environments and operating systems.

Other prominent features of Snort 3 include: