Tuesday, September 26, 2023

ICS protocol coverage using Snort 3 service inspectors

By Jared Rittle.

With more devices on operational technology (OT) networks now getting connected to wide-reaching IT networks, it is more important than ever to have effective detection capabilities for ICS protocols.

However, there are a few issues that usually arise when creating detection for ICS protocol traffic.

Oftentimes, the protocols connecting these devices on modern networks originate in older serial protocols. This transition resulted in protocols that use techniques like bitfields to reduce message size and multiple levels of encapsulation to avoid changes to the original protocol. These protocols often support combining multiple requests into one packet (pipelining) or splitting up a single request across multiple packets (fragmenting). Snort is fully capable of detecting traffic using any of these approaches; however, doing so with plaintext rules alone requires a deeper understanding of the underlying protocol and more complicated rules, which is not always feasible.

The solution to these problems lies in the use of a Snort 3 service inspector for protocols requiring increased detection capabilities. Service inspectors are an evolution of Snort 2's preprocessors, providing access to additional built-in rules that look for protocol-level abnormalities, normalize pipelined and fragmented messages, and provide additional verification that the traffic being inspected is the expected protocol. Through the use of rule options exposed by existing service inspectors, plaintext rule writers can focus on the coverage of interest and let Snort handle protocol decoding and normalization.
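The pipelining and fragmenting problem above, shown as an added example that is not part of the original post: it uses Modbus/TCP as an assumed concrete ICS protocol (the post speaks of ICS protocols generally) and constructs a small TCP stream in which two requests share one segment and a third is split across two. A fixed-offset check, standing in for a plaintext rule, misses both write requests, while buffering the stream and splitting it on the MBAP length field, which is the normalization a service inspector performs before rule options are evaluated, finds them.

```python
import struct

# Constructed Modbus/TCP traffic (assumed protocol; the post speaks of ICS protocols generally).
# MBAP header: transaction id, protocol id (0), length of what follows, unit id; then the PDU.
def mbap(txid, unit, pdu):
    return struct.pack(">HHHB", txid, 0, len(pdu) + 1, unit) + pdu

REQ_READ = mbap(1, 1, bytes([0x03, 0x00, 0x00, 0x00, 0x0A]))                     # read holding registers
REQ_WRITE = mbap(2, 1, bytes([0x10, 0x00, 0x10, 0x00, 0x02, 0x04, 0, 1, 0, 2]))  # write multiple registers
REQ_COIL = mbap(3, 1, bytes([0x05, 0x00, 0x01, 0xFF, 0x00]))                     # write single coil

# Three constructed TCP segments: two requests pipelined in the first, the third fragmented across two.
SEGMENTS = [REQ_READ + REQ_WRITE, REQ_COIL[:4], REQ_COIL[4:]]

WRITE_FUNCS = {0x05, 0x06, 0x0F, 0x10}  # function codes that change device state

def naive_count(segments, func):
    """What a fixed-offset plaintext rule sees: one function-code byte per segment."""
    return sum(1 for seg in segments if len(seg) > 7 and seg[7] == func)

def split_messages(segments):
    """Normalize like a service inspector: buffer the stream, then emit one record per MBAP message."""
    buf, messages = b"", []
    for seg in segments:
        buf += seg
        while len(buf) >= 7:
            txid, proto, length, unit = struct.unpack(">HHHB", buf[:7])
            if proto != 0 or length < 2:
                raise ValueError("stream is not Modbus/TCP")
            end = 6 + length
            if len(buf) < end:
                break  # fragment: wait for the next segment
            messages.append({"txid": txid, "unit": unit, "func": buf[7], "data": buf[8:end]})
            buf = buf[end:]
    return messages

def write_txids(messages):
    """Detection logic applied per message rather than per packet."""
    return [m["txid"] for m in messages if m["func"] in WRITE_FUNCS]

if __name__ == "__main__":
    print("fixed-offset matches for function 0x10:", naive_count(SEGMENTS, 0x10))
    print("writes found after normalization (txids):", write_txids(split_messages(SEGMENTS)))
```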

Read the rest of this post over on the Talos blog.

Monday, April 3, 2023

Applications open now for 2023 Snort scholarship

Applications are now open for the $10,000 Snort scholarship. We encourage everyone eligible to apply here. We will be accepting applications through May 3. 

After that, our hand-picked panel will review the submissions and select two students to receive a $10,000 award each. 

For more detailed instructions on applying, check out the video below. 

To be eligible for the scholarship, you must have or be eligible to receive your high school diploma or an equivalent in 2023 as of the date Cisco receives your application. Each applicant must provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cybersecurity or a similarly related field of study from a school located in the U.S. or a U.S. territory.   

To apply for the scholarship, you must answer a series of short essay questions, which will be the main basis for how we select the winners.  

The selection process is different from years past. Our panel will review all submissions and score the responses on the following 15-point scale:  

  • Originality (Score 1-5): Points will be assigned based on the assessment of original, fresh thoughts and concepts including anecdotes or examples of how security or a related field has shaped the personal and/or professional life of the applicant.  
  • Knowledge of Snort (Score 1-5): Points will be assigned on how well the applicant understands Snort and its use.  
  • Overall Submission Quality (Score 1-5): Points will be assigned on the overall quality of the submission. Factors include, but are not limited to, perceived effort and sincerity level.  

The panel of judges will score each submission, and then we will select a winner based on the top cumulative score. In the event of a tie, the judges will select the winner based on their responses’ originality.   

We hope these applications will introduce aspiring researchers and IT professionals to Cisco’s job pool and establish early communication between applicants and potential future job opportunities.

Monday, January 30, 2023

Snort v3.1.53.0 is now available!

The SNORT® team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

This version contains several new features and bug fixes. Users are encouraged to update as soon as possible, or upgrade to Snort 3 if they have not already done so.

Here's a rundown of all the changes and new features in this latest version of Snort 3:

  • appid: publish tls host set in eve process event handler only when appid discovery is complete
  • detection: show search algorithm configured
  • file_api: handling filedata in multithreading context
  • flow: add stream interface to get parent flow from child flow
  • memory: added memusage pegs
  • memory: fix unit test build w/o reg test

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up, from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to the newest rule detection functionality from Talos for as low as $29.99 a year with a personal account. See our business pricing as well here. Make sure to stay up to date to catch the most emerging threats.