
News

Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 25, 2018

Today, Cisco Talos released the newest rule update for SNORTⓇ. In this release, we introduced 13 new rules, of which one is a shared object rule. There is also one modified rule.

This release covers vulnerabilities in the Microsoft JET Database Engine, as well as Adobe Acrobat Reader.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the browser-plugins, file-image, file-office, file-other, malware-backdoor and protocol-dns rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 20, 2018

Tonight, Cisco Talos has released the latest SNORTⓇ rule update. In this release, we introduced 20 new rules, two of which are shared object rules. There are also four modified rules, none of which are shared object rules.

This release protects against a variety of malware, including the newly discovered Xbash malware, which combines the features of a cryptocurrency miner and ransomware. We also have coverage for three vulnerabilities in Cisco's Webex software that could allow an attacker to execute arbitrary code on a victim machine.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the deleted, file-image, file-other, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 19, 2018

We welcome the introduction of the newest rule release from Talos. In this release, we introduced eight new rules, none of which are shared object rules. There are also seven modified rules.

This rule release primarily covers vulnerabilities that were recently disclosed in Adobe Acrobat and Reader. The two products contain a series of critical and important bugs that could allow an attacker to execute code on the victim machine with the same rights as the current user.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the file-image, file-other, file-pdf and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 18, 2018

The newest Snort rule update was released this morning by Cisco Talos. In this release, we introduced 37 new rules, three of which are shared object rules. There are also 2,155 modified rules, none of which are shared object rules.

This release provides coverage for multiple bugs in Adobe ColdFusion and Flash Player, as well as the malware families njrat and DownloadGuide.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos has added and modified multiple rules in the exploit-kit, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-backdoor, malware-cnc, malware-other, netbios, os-linux, os-mobile, os-other, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-icmp, protocol-imap, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-tftp, protocol-voip, pua-adware, pua-toolbars, server-apache, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 13, 2018

Today, we welcome the newest rule release from Talos. In this release, we introduced 48 new rules, six of which are shared object rules. There are also 501 modified rules, none of which are shared object rules.

This update provides coverage for CVE-2018-8475, a coding deficiency in Microsoft Windows that could allow an attacker to execute code on the victim machine. There are also rules addressing multiple vulnerabilities in Adobe Flash Player and Adobe ColdFusion, including two critical bugs.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos also has added and modified multiple rules in the app-detect, browser-chrome, browser-firefox, browser-ie, browser-other, browser-plugins, browser-webkit, deleted, file-flash, file-image, file-other, file-pdf, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: SNORTⓇ Subscriber Rule Set Update for Sept. 11, 2018

Today, we welcome the introduction of the newest rule release from Talos. In this release, we introduced 46 new rules, 20 of which are shared object rules. There are also eight modified rules, of which four are shared object rules.

This release covers Microsoft Patch Tuesday. The monthly security update from Microsoft disclosed dozens of vulnerabilities across multiple products, including the Internet Explorer and Edge web browsers, as well as the Chakra scripting engine. If you would like to know more about these vulnerabilities, check out Talos' full blog post on Patch Tuesday here.

Our rule update also adds new protections against the MysteryBot malware, a family that's been spotted on Android platforms.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:
Yaser: 47723

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-8367: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47734 through 47735.

Microsoft Vulnerability CVE-2018-8391: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47736 through 47737.

Microsoft Vulnerability CVE-2018-8410: A coding deficiency exists in Microsoft Windows Registry that may lead to an escalation of privilege. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47745 through 47746.

Microsoft Vulnerability CVE-2018-8420: A coding deficiency exists in MS XML that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47747 through 47748.

Microsoft Vulnerability CVE-2018-8440: A coding deficiency exists in Microsoft Windows ALPC that may lead to an escalation of privilege. Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 47702 through 47703.

Microsoft Vulnerability CVE-2018-8442: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47717 through 47718.

Microsoft Vulnerability CVE-2018-8447: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47730 through 47731.

Microsoft Vulnerability CVE-2018-8449: A coding deficiency exists in Microsoft Device Guard that may lead to a security feature bypass. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47740 through 47741.

Microsoft Vulnerability CVE-2018-8456: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution. Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2018-8459: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47732 through 47733.

Microsoft Vulnerability CVE-2018-8461: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47738 through 47739.

Microsoft Vulnerability CVE-2018-8464: A coding deficiency exists in Microsoft Edge PDF that may lead to remote code execution. Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42311 through 42312.

Microsoft Vulnerability CVE-2018-8466: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution. Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-8467: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution. Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47742 through 47743.

Microsoft Vulnerability CVE-2018-8470: A coding deficiency exists in Microsoft Internet Explorer that may lead to a security feature bypass. A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 47761.

Talos also has added and modified multiple rules in the browser-ie, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
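The CVE-to-SID list in the post above is the part of a release note a rule-set consumer actually acts on, and the check worth automating after pulling a release is whether every announced GID:SID is present and enabled in the rules that are really loaded. The script below is an added example, not code from the Snort blog post or from Cisco Talos. It parses the "GID 1, SIDs a through b" and "GID 1, SID s" phrasing used in these release notes into (gid, sid) pairs, reads a Snort rules file where a leading `#` marks a disabled rule and a missing `gid:` means GID 1 (Snort's default), and reports announced rules that are missing or disabled. The release-note excerpt is copied from the post; the rules file is a constructed stand-in with placeholder rule bodies, not Talos's actual rule content.

```python
import re
from typing import Dict, List, Set, Tuple

# Excerpt of the Sept. 11, 2018 release note above (three entries, wording as posted).
RELEASE_NOTE = (
    "Microsoft Vulnerability CVE-2018-8367: A coding deficiency exists in Microsoft Chakra "
    "Scripting Engine that may lead to remote code execution. Rules to detect attacks targeting "
    "these vulnerabilities are included in this release and are identified with GID 1, "
    "SIDs 47734 through 47735. "
    "Microsoft Vulnerability CVE-2018-8391: A coding deficiency exists in Microsoft Scripting "
    "Engine that may lead to remote code execution. Rules to detect attacks targeting these "
    "vulnerabilities are included in this release and are identified with GID 1, "
    "SIDs 47736 through 47737. "
    "Microsoft Vulnerability CVE-2018-8470: A coding deficiency exists in Microsoft Internet "
    "Explorer that may lead to a security feature bypass. A rule to detect attacks targeting "
    "this vulnerability is included in this release and is identified with GID 1, SID 47761."
)

# Constructed stand-in for a deployed rules file (placeholder rule bodies, not Talos's rules):
# 47734 enabled, 47735 commented out (disabled), 47761 enabled, 47736/47737 absent.
DEPLOYED_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder 47734"; sid:47734; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder 47735"; sid:47735; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"placeholder 47761"; gid:1; sid:47761; rev:1;)
# an ordinary comment line that is not a disabled rule
"""

# One note entry: a CVE id, then the nearest following "GID g, SID s" or "GID g, SIDs a through b".
NOTE_ENTRY = re.compile(
    r"(CVE-\d{4}-\d{4,}).*?GID\s+(\d+),\s+SIDs?\s+(\d+)(?:\s+through\s+(\d+))?",
    re.DOTALL,
)
RULE_SID = re.compile(r"\bsid:\s*(\d+)\s*;")
RULE_GID = re.compile(r"\bgid:\s*(\d+)\s*;")


def parse_coverage(note: str) -> Dict[str, Set[Tuple[int, int]]]:
    """Map each CVE named in a release note to the (gid, sid) pairs the note says cover it."""
    coverage: Dict[str, Set[Tuple[int, int]]] = {}
    for cve, gid, first, last in NOTE_ENTRY.findall(note):
        lo, hi = int(first), int(last or first)  # a single "SID s" is the range s..s
        coverage.setdefault(cve, set()).update((int(gid), sid) for sid in range(lo, hi + 1))
    return coverage


def parse_rules(rules_text: str) -> Dict[Tuple[int, int], bool]:
    """Map (gid, sid) of every rule in a rules file to True if enabled, False if commented out."""
    state: Dict[Tuple[int, int], bool] = {}
    for raw in rules_text.splitlines():
        line = raw.strip()
        sid = RULE_SID.search(line)
        if not sid:
            continue  # blank line, or a comment that is not a disabled rule
        gid = RULE_GID.search(line)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # no gid: means GID 1
        state[key] = not line.startswith("#")
    return state


def coverage_gaps(note: str, rules_text: str) -> Dict[str, Dict[str, List[Tuple[int, int]]]]:
    """Per CVE, list announced rules that are missing from, or disabled in, the deployed file."""
    deployed = parse_rules(rules_text)
    report: Dict[str, Dict[str, List[Tuple[int, int]]]] = {}
    for cve, wanted in parse_coverage(note).items():
        missing = sorted(k for k in wanted if k not in deployed)
        disabled = sorted(k for k in wanted if k in deployed and not deployed[k])
        if missing or disabled:
            report[cve] = {"missing": missing, "disabled": disabled}
    return report


if __name__ == "__main__":
    for cve, gaps in coverage_gaps(RELEASE_NOTE, DEPLOYED_RULES).items():
        print(cve, gaps)
```

The check is deliberately shallow: it confirms that the SIDs exist and are uncommented, not that each rule's `rev:` matches the release, and it knows nothing about shared-object (SO) rules, which ship as compiled libraries plus stub rule files and must be built for your Snort version. Run it against the concatenation of whatever rule files your snort.conf actually includes, not just the freshly downloaded tarball.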
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 6, 2018

Today, Cisco Talos released the newest rule set for SNORTⓇ. In this release, we introduced 21 new rules, of which 11 are Shared Object rules. There is also one modified rule.

In this release, there is plenty of coverage for a slew of vulnerabilities that Cisco revealed this week, including flaws in Cisco Umbrella's API and the RV series of wireless routers.

There were no changes made to the snort.conf in this release.

Talos's rule release:
New SO rules: 11
New Rules: 10
Modified Rules: 1

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Sept. 4, 2018

We welcome the introduction of the newest rule release from Talos. In this release, we introduced 11 new rules, of which one is a Shared Object rule. There are also 32 modified rules.

We continue to provide coverage for a slew of Adobe vulnerabilities that were disclosed in mid-August. There are also several rules that cover critical flaws in Apache Struts 2, many of which impact Cisco products.

There were no changes made to the snort.conf in this release.

Talos's rule release:
New SO rules: 1
Modified SO rules: 0
New Rules: 10
Modified Rules: 32

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Jonathan Munshaw

Just released: Snort Subscriber Rule Set Update for Aug. 30, 2018

We know everyone is still buzzing about the announcement yesterday that Snort 3 is now in beta, but the protection of our users still comes first, so as always, we have the new rule update for Snort here.

In this release, we introduced 16 new rules, of which four are Shared Object rules. There are also two modified rules.

This release covers several vulnerabilities in Cisco products, including TelePresence. We are also continuing development of new rules for the slew of Adobe vulnerabilities that have been disclosed over the past few weeks.

There were no changes made to the snort.conf in this release.

Cisco Talos's rule release:
New SO rules: 4
New Rules: 14
Modified Rules: 2

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 U.S. a year for personal users. Be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats.
Posted over 5 years ago by Russ Combs

We know our customers and community members have been waiting a while for this — so we are thrilled to announce that Snort 3 (build 247) is available in beta now. Snort 3 is a redesign of Snort 2 with a number of significant improvements.

Here are some highlights you should know about before downloading:

Configuration — We use LuaJIT for configuration. The config syntax is simple, consistent, and executable. LuaJIT plugins for rule options and loggers are supported, too.

Detection — We have worked closely with Cisco Talos to update rules to meet their needs, including a feature they call "sticky buffers." With the use of the Hyperscan search engine, regex fast patterns make rules faster and more accurate.

HTTP — We have a new and stateful HTTP inspector that currently handles 99 percent of the HTTP Evader cases, and will soon cover all of them. There are many new features, as well, including new rule options. HTTP/2 support is under development.

Performance — We have substantially increased performance for deep packet inspection. Snort 3 supports multiple packet-processing threads, and scales linearly with a much smaller amount of memory required for shared configs, like rule engines.

JSON event logging — These can be used to integrate with tools such as the Elastic Stack. See this blog post for more details.

Plugins — Snort 3 was designed to be extensible and there are over 225 plugins of various types. It is easy to add your own codec, inspector, rule action, rule option, or logger. SO rules are plugins, too, and it is much easier to add your own.

You can get Snort 3 from snort.org or from GitHub. These packages / repositories are available:

snort3 — The main engine source code and plugins
snort3_extra — Other experimental and example plugins
snort3_demo — A test suite with working examples

We push updates to GitHub multiple times per week, and the master branch is always stable.

In addition to the cool new features, Snort 3 also supports all the capabilities of Snort 2.9.11, but we aren't done. Coming soon, we have:

Next generation DAQ
Connection events
Search engine acceleration
... and much more.

Please submit bugs, questions, and feedback to [email protected] or the Snort-Users mailing list.

Happy Snorting!
The Snort Release Team