Thursday, September 26, 2024

Changes to the Snort Sample IP Block List

Effective today, we have made some changes to the Snort Sample IP Block List available on Snort.org

The Snort Sample IP Blocklist has been a steady component of our open-source Snort community since its launch. It was originally provided so the community could test the functionality of their Snort installation, and it was never intended to be users’ sole source of IP blocking.

Traditionally, this is list of suggested IPs to block based on other open-source IP block lists. But over the past several years, we have seen an increasing number of users relying on the Snort Sample IP Blocklist as their primary source of IP Blocking, which may lead to a false sense of protection from threats.   

To ensure the intention and legal usage of this blocklist is clear to all our users, we will be enabling a “click-to-accept” terms and conditions box for users to access the Snort Sample IP Blocklist hosted on Snort.org. This change will outline the legal terms and conditions for use of the blocklist, which clearly documents the intended use of the data.  

We will continuously update the Snort Sample IP Blocklist on Snort.org regularly and provide it free to all users to ensure that Snort is functioning as intended. 

You can download the Snort Sample IP Block List here.

Thanks,

The Snort Team


Monday, August 26, 2024

Upcoming changes to the Snort.org Sample IP Blocklist

We will be making some changes to the Snort Sample IP Block List on Sept. 26, 2024. 

The Snort Sample IP Blocklist has been a steady component of our open-source Snort community since its launch. It was originally provided so the community could test the functionality of their Snort installation, and it was never intended to be users’ sole source of IP blocking. 

The Snort Sample IP Block List is a list of suggested IPs to block based on other open-source IP block lists. Over the last several years, we have seen an increasing number of users relying on the Snort Sample IP Blocklist as their primary source of IP Blocking, which may be leading to a false sense of protection from threats.    

To ensure the intention and legal usage of this blocklist is clear to all our users, we will be enabling a “click-to-accept” terms and conditions box for users to access the Snort Sample IP Blocklist hosted on Snort.org.  

This change will outline the legal terms and conditions for use of the blocklist, which clearly documents the intended use of the data. 

We will continue to update the Snort Sample IP Blocklist on Snort.org regularly and provide it free to all users, to ensure that Snort is functioning as intended.  After Sept. 26, 2024, access to the list will require users to click to accept the terms and conditions. 

 
If you have any questions, feel free to reach out to us via:snort-users@lists.snort.org 
 
Or join our Discord https://discord.gg/Pj3usE9CZ7

Monday, August 5, 2024

Watch: SnortML Training video

We recently launched SnortML – our new machine learning exploit detection engine designed to detect novel attacks fitting known vulnerability types.  

Now, we have released a SnortML training video featuring Cisco Talos security researcher (and SnortML developer) Brandon Stultz. This video covers how SnortML addresses the zero-day problem, the vulnerability classes it is currently trained on, and a dive into neural networks.  

The training concludes a model development lab where you will see Brandon create a new model to detect a SQL injection attack. 


We hope you enjoy this training and are able to develop a good understanding of SnortML’s capabilities. We look forward to hearing your use cases for the models you create based on SnortML. 

You can find the SnortML and LibML code on GitHub. You can also join the conversation on our Discord or on the Snort users mailing list if you have any questions or feedback.  

Friday, March 15, 2024

Talos launching new machine learning-based exploit detection engine








By Brandon Stultz.

Every day, new vulnerabilities are discovered in the software critical to the function of the modern world. Security analysts take apart these new vulnerabilities, isolate what is necessary to trigger them and write signatures to block any exploits targeting them.
For Snort, these signatures are called Snort rules — and they’re extremely versatile. They can access specific network service fields, locate a vulnerable parameter and scan that parameter for the presence of an exploit.
They can also leverage numerous rule options to traverse protocols and file formats. Written well, these rules can have high efficacy and performance with few or no false positives.
This approach to defense is very good at protecting networks from known threats, but what if the threat is unknown? What if a vulnerability is discovered, an exploit for it is written, and the security community has no knowledge of it? We need another approach to defense that doesn’t require prior knowledge of the attack to function.
Over the past year at Cisco, we have been prototyping and building this new approach into a new detection engine for Snort. Today, I am proud to announce we are open-sourcing this engine to the community in the latest Snort 3 release (version 3.1.82.0). This new detection engine is called “SnortML.”
SnortML is a machine learning-based detection engine for the Snort intrusion prevention system. At a high level, there are two components to this new detection engine. The first component is the snort_ml_engine itself, which loads pre-trained machine learning models, instantiates classifiers based on these models and then makes the classifiers available for detection. The second is the snort_ml inspector, which subscribes to data provided by Snort service inspectors, passes the data to classifiers, and then acts on the output of the classifiers.
Currently, the snort_ml_engine module only has one model type, namely the http_param_model, but we plan on building other models in the future.
This http_param_model is used for classifying HTTP parameters as malicious or normal. Once the snort_ml_engine loads the http_param_model, it can be used in the snort_ml inspector to detect exploits.
The inspector subscribes to the HTTP request data provided by the HTTP inspector through the publish/subscribe interface. It then passes this data (HTTP URI query and optionally HTTP POST body) to a binary classifier based on the http_param_model. This classifier then returns the probability that it saw an exploit. Based on this probability, SnortML can generate an alert, similar to a Snort rule alert, which can be configured to block malicious traffic. Now that you know how the machine learning engine works, let’s get into how the models work.
SnortML models are designed to be extremely flexible, much like their Snort rule counterparts. To that end, we based our models and our inference engine on TensorFlow. The TensorFlow project is a free and open-source library for machine learning and artificial intelligence.
Any TensorFlow model can be a SnortML binary classifier model so long as it satisfies three conditions, namely, the model must have a single input tensor and a single output tensor, the input and output tensor types must be 32-bit floating point, and finally, the output tensor must have only a single element. We plan on adding other model types in the future (including multiclass classifiers), but right now, this is the only model type currently supported. The SnortML engine uses TensorFlow through a support library we call LibML. The LibML library handles loading, configuring and running machine learning models for Snort. It also includes the XNNPACK accelerator needed to run CPU-bound models at line rate. The easiest way to build a SnortML model is to use the TensorFlow Keras API. If you are new to machine learning, don’t worry, Keras is a simple but powerful deep-learning framework that allows you to build neural networks and train them in a few lines of Python. To get started, import the following: We are going to train our example model on just two samples, but a real production model would use far more: The next thing we need to do is prepare our data. SnortML models expect input data to be zero-padded which is what we are going to do here: Now, we need to construct a neural network that can classify our data. This example uses a simple LSTM (Long Short-Term Memory) network, but other combinations of layers available in Keras work here as well. LSTM is a type of neural network that is keenly suited to identify patterns in sequences of data, such as the sequences of bytes in HTTP parameters. To translate the bytes on the wire to tensors that the LSTM can accept, we can place an embedding layer in front of it. Embedding layers are a kind of association layer, they can learn relationships between input data (bytes in our case) and output those relationships as tensors that the LSTM neurons can accept.

Finally, we will converge the output of our LSTM neurons to a single output neuron with a Dense layer. This will serve as the output of the neural network.
Now for the fun part — let’s train this neural network: Training output:

As you can see above, the accuracy of our network increased, and the loss dropped. These metrics show that the neural network learned to differentiate attack from normal in our example dataset.
Now, let’s save this model to a file so we can load it in Snort: Now that we have a model file, we can run it against PCAPs with Snort 3: If you have Snort 3 built with debug messages enabled, you can even trace the ML engine input and output.


Notice that even with variations in the SQL injection attack above, we still detected it. For years, we had dreamed about tackling the zero-day problem, providing coverage for attacks that were like those we had seen before, but targeting different applications or parameters. Now, with SnortML, this dream is becoming a reality. You can find the SnortML and LibML code here. Feel free to join the conversation on our Discord or on the Snort users mailing list if you have any questions or feedback. 

Thursday, March 7, 2024

Snort 2.9.8.3 and Snort 2.9.13.0 End of Life

We are announcing the end of life for Talos rules in the following versions of Snort 2:

  • Snort 2.9.8.3
  • Snort 2.9.13.0
  • Snort 2.9.8.3 Rules: This rule set is no longer available.
  • Snort 2.9.13.0 Rules: We will no longer produce Talos rules for these versions of Snort on or around July 1, 2024.

We encourage our open-source users to upgrade to the latest version of Snort 3 available here: Snort.org/downloads.

For users who would like to continue to use Snort 2, we recommend updating to Snort 2.9.20 as soon as possible, which can be found at Snort.org/downloads.

If you have any questions please feel free to reach out to us at: snort-sub@cisco.com or join our discord: Snort Discord Invite.