ICS protocol coverage using Snort 3 service inspectors

By Jared Rittle.

With more devices on operational technology (OT) networks now getting connected to wide-reaching IT networks, it is more important than ever to have effective detection capabilities for ICS protocols.

However, there are a few issues that usually arise when creating detection for ICS protocol traffic.

Oftentimes, the protocols connecting these devices on modern networks originate in older serial protocols. This transition resulted in protocols that use techniques like bitfields to reduce message size and multiple levels of encapsulation to avoid changes to the original protocol. These protocols often support combining multiple requests into one packet (pipelining) or splitting up a single request across multiple packets (fragmenting). Snort is fully capable of detecting traffic using any of these approaches, however, it requires a deeper understanding of the underlying protocol and more complicated plaintext rules, which is not always feasible.

The solution to these problems lies in the use of a Snort 3 service inspector for protocols requiring increased detection capabilities. Service inspectors are an evolution of Snort 2's preprocessors, providing access to additional built-in rules that look for protocol-level abnormalities, normalize pipelined and fragmented messages, and provide additional verification that the traffic being inspected is the expected protocol. Through the use of rule options exposed by existing service inspectors, plaintext rule writers can focus on the coverage of interest and let Snort handle protocol decoding and normalization.

Read the rest of this post over on the Talos blog.

Applications open now for 2023 Snort scholarship

Applications are now open for the $10,000 Snort scholarship. We encourage everyone eligible to apply here. We will be accepting applications through May 3. 

After that, our hand-picked panel will review the submissions and select two students to receive a $10,000 award each. 

For more detailed instructions on applying, check out the video below. 

To be eligible for the scholarship, you must have or be eligible to receive your high school diploma or an equivalent in 2023 as of the date Cisco receives your application. Each applicant must provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cybersecurity or a similarly related field of study from a school located in the U.S. or a U.S. territory.   

To apply for the scholarship, you must answer a series of short essay questions, which will be the main basis for how we select the winners.  

The selection process is different from years past. Our panel will review all submissions and score the responses on the following 15-point scale:  

• Originality (Score 1-5): Points will be assigned based on the assessment of original, fresh thoughts and concepts including anecdotes or examples of how security or a related field has shaped the personal and/or professional life of the applicant.  
• Knowledge of Snort (Score 1-5): Points will be assigned on how well the applicant understands Snort and its use.  
• Overall Submission Quality (Score 1-5): Points will be assigned on the overall quality of the submission. Factors include, but are not limited to, perceived effort and sincerity level.  

The panel of judges will score each submission, and then we will select a winner based on the top cumulative score. In the event of a tie, the judges will select the winner based on their responses’ originality.   

We hope these applications will introduce aspiring researchers and IT professionals to Cisco’s job pool and establish early communication between applicants and potential future job opportunities.

Snort v3.1.53.0 is now available!

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub. 

Snort 3.1.53.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible, or upgrade to Snort 3 if they have not already done so.

Here's a rundown of all the changes and new features in this latest version of Snort 3:

• appid: publish tls host set in eve process event handler only when appid discovery is complete
• detection: show search algorithm configured
• file_api: handling filedata in multithreading context
• flow: add stream interface to get parent flow from child flow
• memory: added memusage pegs
• memory: fix unit test build w/o reg test

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up—from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series. 

You can subscribe to the newest rule detection functionality from Talos for as low as $29.99 a year with a personal account. See our business pricing as well here. Make sure and stay up to date to catch the most emerging threats. 

New Snort 3 rule writing guide available

Snort 3's new features, improvements and detection capabilities come with updates to the Snort rule language syntax and the rule-writing process.  

To help with that, direct from the Talos analyst team, comes the Snort 3 Rule Writing guide: Detailed documentation for all the different rule options available in Snort 3. 

The Snort 3 Rule Writing Guide is meant for new and experienced Snort rule-writers alike, focusing primarily on the rule-writing process. It is intended to supplement the documentation provided in the official Snort 3 repository (the official Snort User Manual). Each rule option has its own page to describe its functionality and syntax, along with examples to show how the option might be used in a Snort rule.  

The guide covers the essential information for new Snort users to get Snort 3 up and running. This includes installation and usage instructions, a brief look into Snort 3's internals, the basics of configuration files, and detailed information on writing effective Snort 3 rules. Despite the manual's broad scope, users will however still need to refer to the full user manual to find more comprehensive and advanced guidance on non-rule-writing-specific topics. 

Experienced Snort users who are already comfortable using Snort can skip the "Getting Started" section and instead jump right to the "Rule Options" section to get extensive documentation on the unchanged, updated and new rule options present in Snort 3. Watch out specifically for the now-sticky HTTP buffers, the new "alert file" and "alert http" rule types, as well as the new options like "http_param", "js_data", and "bufferlen".

As Snort 3 continues to evolve, this manual will too. The analyst team will provide updates to the manual to keep the greater Snort community abreast of any recent changes. 

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 356 — includes:

• 3,374 detectors. 
• Additional detectors from the open-source community. For more details on which contributions were included — we have added them to the "Authors" file in this package.

The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback,  please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our most recent Snort 3 releases.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.

Changes to the community rule release schedule

By Jon Munshaw. 

As of this week, we are changing the cadence for releases for the Snort community rule set. 

Previously, the community rules were released every day at 11:40 a.m. ET, even if there are no rule changes. Now, the rule set will align with our normal open-source build and release schedule. This is usually every Tuesday and Thursday, though this may change based on public holidays and ad hoc releases for certain vulnerabilities or malware families. 

We apologize for any disruptions this may cause.  

Community rules are a set of rules that members of our open-source community or Snort integrators have submitted. These rules are freely available to all Snort users and are governed by the GPLv2. Anyone can submit a community rule using the Snort Rules mailer here. 

Community rules are available for anyone to download here without registration and are free of charge without any Rule Set License restrictions.  

Weekly Snort rule update for March 25 - April 1

 Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

There are multiple rules to protect against the exploitation of the highly publicized Spring4Shell vulnerabilities that could lead to remote code execution. Spring is a popular framework used to develop Java applications. Snort SIDs 30790 - 30793, 59388 and 59416 can detect this activity.

For more on these vulnerabilities, read the Talos blog here. 

All users can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements, which you can upgrade to here.

Snort's rule blog posts are switching to a weekly recap format, rather than releasing every day a new rule update is released. If you have any feedback on this blog format, please reach out to us on Twitter @Snort. 

Weekly Snort rule update for March 21 - 25

Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

All users can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements, which you can upgrade to here.

Snort's rule blog posts are switching to a weekly recap format, rather than releasing every day a new rule update is released. If you have any feedback on this blog format, please reach out to us on Twitter @Snort. 

Weekly Snort rule update for March 14 - 18

Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

The rules from this week cover a variety of malware families, including the CaddyWiper threat that's been targeting users in Ukraine. The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Cisco Talos' analysis didn't show any indications of persistency, self-propagation or exploitation code.

We also released new protections for the Dirty Pipe exploit recently discovered in the Linux operating system. This vulnerability could allow an attacker to completely root devices, including some Android devices, as researchers showed with the Google Pixel 6. QNAP also warned users that its network-attached storage devices are also at risk. 

All users can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements, which you can upgrade to here.

Snort's rule blog posts are switching to a weekly recap format, rather than releasing every day a new rule update is released. If you have any feedback on this blog format, please reach out to us on Twitter @Snort. 

Snort OpenAppID Detectors have been updated

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 353 — includes:

• 3,370 detectors. 
• Additional detectors from the open-source community. For more details on which contributions were included — we have added them to the "Authors" file in this package.

The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback,  please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our most recent Snort 3 releases.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.