Just pushed build 142 to github (snortadmin/snort3):
- fixed host lookup issue
- folded classification.lua and reference.lua into snort_defaults.lua
- apply defaults from parameter tables instead of relying on ctors etc.
- fix static analysis issues reported by xcode
- change policy names with a-b form to a_b for consistency
- make all warnings optional
- fix ip and tcp policy defines
- fix ip and icmp flow client/server ip init
- added plugin and logging examples to usage
|
Just released: Snort Subscriber Rule Set Update for 03/17/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 41 new rules and made modifications to 20 additional rules. There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:
Yaser Mansour: 33833, 33834, 33835

Talos's rule release: Talos has added and modified multiple rules in the blacklist, malware-cnc, protocol-voip, pua-adware, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!
|
Snort 2.9.7.2 is now available on snort.org at http://www.snort.org/downloads in the Snort Stable Release section.

Release Notes:

2015-03-10 - Snort 2.9.7.2

[*] New additions
* Support for Cisco FabricPath decoding/encoding.

[*] Improvements
* Resolved an issue where the inline normalization preprocessor incorrectly resized packets when 'preprocessor normalize_tcp: trim' was enabled.
* Resolved crash in file processing of HTTP continuations.
|
Just released: Snort Subscriber Rule Set Update for 03/12/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 19 new rules and made modifications to 4 additional rules. There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:
Yaser Mansour: 33815, 33816, 33818, 33819, 33820, 33821, 33822

Talos's rule release: Talos has added and modified multiple rules in the file-flash, malware-backdoor, malware-cnc, os-windows, pua-adware, server-mail, server-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!
|
For the following examples "$my_path" is assumed to be the path to the Snort++ install directory. Additionally, it is assumed that "$my_path/bin" is in your PATH.

Environment

LUA_PATH is used directly by Lua to load and run required libraries.
SNORT_LUA_PATH is used by Snort to load supplemental configuration files.

    export LUA_PATH=$my_path/include/snort/lua/\?.lua\;\;
    export SNORT_LUA_PATH=$my_path/etc/snort

Help

Print the help summary:
    snort --help
Get help on a specific module ("stream", for example):
    snort --help-module stream
Get help on the "-A" command line option:
    snort --help-options A
Grep for help on threads:
    snort --help-config | grep thread
Output help on "rule" options in AsciiDoc format:
    snort --markup --help-options rule

Note: Snort++ stops reading command-line options after the "--help-*" and "--list-*" options, so any other options should be placed before them.

Sniffing and Logging

Read a pcap:
    snort -r /path/to/my.pcap
Dump the packets to STDOUT:
    snort -r /path/to/my.pcap -K text
Dump packets with application data and layer 2 headers:
    snort -r /path/to/my.pcap -K text -d -e

Note: Command line options must be specified separately. "snort -de" won't work. You can still concatenate options and their arguments, however, so "snort -Ktext" will work.

Dump packets from all pcaps in a directory:
    snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -K text -d -e
Log packets to a directory:
    snort --pcap-dir /path/to/pcap/dir --pcap-filter '*.pcap' -K pcap \
        -l /path/to/log/dir

Configuration

Validate a configuration file:
    snort -c $my_path/etc/snort/snort.lua
Validate a rules file and a configuration file:
    snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules
Read rules from stdin and validate:
    snort -c $my_path/etc/snort/snort.lua --stdin-rules < \
        $my_path/etc/snort/sample.rules
Enable warnings for Lua configurations and make warnings fatal:
    snort -c $my_path/etc/snort/snort.lua --warn-all --pedantic
Tell Snort++ where to look for additional Lua scripts:
    snort --script-path /path/to/script/dir

IDS Mode

Run Snort++ in IDS mode, reading packets from a pcap:
    snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r /path/to/my.pcap
Log any generated alerts to the console using the "-A" option:
    snort -c $my_path/etc/snort/snort.lua -R $my_path/etc/snort/sample.rules \
        -r /path/to/my.pcap -A alert_full
Add or modify a configuration from the command line using the "--lua" option:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap \
        --lua 'ips = { enable_builtin_rules = true }'

Note: The "--lua" option can be specified multiple times.

Run Snort++ in IDS mode on an entire directory of pcaps, processing each input source on a separate thread:
    snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
        --pcap-filter '*.pcap' --max-packet-threads 8

Output Files

To make it simple to configure outputs when you run with multiple packet threads, output files are not explicitly configured. Instead, you can use the options below to format the paths:

    /[][][]

Log to unified in the current directory:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2
Log to unified in the current directory with a different prefix:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
        --run-prefix take2
Log to unified in /tmp:
    snort -c $my_path/etc/snort/snort.lua -r /path/to/my.pcap -A unified2 \
        -l /tmp
Run 4 packet threads and log with thread number prefix (0-3):
    snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
        --pcap-filter '*.pcap' -z 4 -A unified2
Run 4 packet threads and log in thread number subdirs (0-3):
    snort -c $my_path/etc/snort/snort.lua --pcap-dir /path/to/pcap/dir \
        --pcap-filter '*.pcap' -z 4 -A unified2 --id-subdir

NOTE: subdirectories are created automatically if required. The log filename is based on the name of the module that writes the file. All text mode outputs default to stdout. These options can be combined.

Shell

You must build with --enable-shell to make the command line shell available.

Enable shell mode:
    snort --shell

You will see the shell mode command prompt, which looks like this:
    o")~

(The prompt can be changed with the SNORT_PROMPT environment variable.)

You can pause immediately after loading the configuration and again before exiting with:
    snort --shell --pause

In that case you must issue the resume() command to continue. Enter quit() to terminate Snort or detach() to exit the shell. You can list the available commands with help().

To enable local telnet access on port 12345:
    snort --shell -j 12345

The command line interface is still under development. Suggestions are welcome.

Signals

The following examples assume that Snort++ is currently running and has a process ID of <pid>.

Modify and Reload Configuration:
    echo 'suppress = { { gid = 1, sid = 2215 } }' >> $my_path/etc/snort/snort.lua
    kill -hup <pid>
Dump stats to stdout:
    kill -usr1 <pid>
Shutdown normally:
    kill -term <pid>
Exit without flushing packets:
    kill -quit <pid>
List available signals:
    snort --help-signals

Note: The available signals may vary from platform to platform.
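A safer way to carry out the "Modify and Reload Configuration" step above, combining it with the validation check from the Configuration section: an added example, not from the usage text or the snort3 project. It assumes SNORT_BIN names the snort binary, that snort.lua is plain Lua (so the suppress table can be extended instead of reassigned), and the helper names is_uint, add_suppression and reload_snort are introduced here.

```shell
#!/bin/sh
# Added example (not part of the Snort++ usage text or the snort3 project):
# append a suppression to snort.lua, validate the result with the usage text's
# "--warn-all --pedantic" check, and only then signal the running process
# (kill -HUP <pid>) to reload. Assumption: SNORT_BIN names the snort binary.
SNORT_BIN="${SNORT_BIN:-snort}"

# Accept only unsigned integers so no arbitrary Lua is ever appended.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# add_suppression CONFIG GID SID
# Returns 0 when the new entry validated, 1 when the change was rolled back,
# 2 when the arguments were rejected.
add_suppression() {
    _cfg=$1; _gid=$2; _sid=$3
    is_uint "$_gid" && is_uint "$_sid" || { echo "gid/sid must be numeric" >&2; return 2; }
    cp "$_cfg" "$_cfg.bak" || return 1
    # The usage text's one-liner (suppress = { { gid = 1, sid = 2215 } }) reassigns
    # the whole table; this form keeps any entries already present.
    printf 'suppress = suppress or {}\n' >> "$_cfg"
    printf 'suppress[#suppress + 1] = { gid = %s, sid = %s }\n' "$_gid" "$_sid" >> "$_cfg"
    # Warnings are fatal here: a config that does not pass must never reach the sensor.
    if "$SNORT_BIN" -c "$_cfg" --warn-all --pedantic >/dev/null 2>&1; then
        rm -f "$_cfg.bak"
        return 0
    fi
    echo "validation failed, restoring $_cfg" >&2
    mv "$_cfg.bak" "$_cfg"
    return 1
}

# reload_snort PID: ask a running Snort++ to re-read its configuration.
reload_snort() { kill -HUP "$1"; }

# Typical use, with $my_path and <pid> as in the usage text:
#   add_suppression "$my_path/etc/snort/snort.lua" 1 2215 && reload_snort <pid>
```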
|
Just pushed build 141 to github (snortadmin/snort3):
- added build foo for lzma; refactored configure.ac
- enhancements for checking compatibility of external plugins
- added doc/usage.txt

Note that the plugin API was changed with this release to be more robust. All plugins must be rebuilt.
|
Just released: Snort Subscriber Rule Set Update for 03/10/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 107 new rules and made modifications to 30 additional rules. There were no changes made to the snort.conf in this release.

Talos's rule release:

Microsoft Security Bulletin MS15-018:
Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33287 through 33288, 33707 through 33710, 33718 through 33721, 33726 through 33727, 33730 through 33731, 33736 through 33739, 33741 through 33744, and 33763 through 33764.

Microsoft Security Bulletin MS15-020:
A coding deficiency exists in Microsoft Windows Shell that may lead to remote code execution.
A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 17042.
New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 33775 through 33776.

Microsoft Security Bulletin MS15-021:
A coding deficiency exists in the Adobe Font Driver that may lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33711 through 33714, 33722 through 33725, 33728 through 33729, and 33732 through 33733.

Microsoft Security Bulletin MS15-022:
A coding deficiency exists in Microsoft Office that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33705 through 33706, 33715 through 33716, 33734 through 33735, and 33808 through 33809.

Microsoft Security Bulletin MS15-023:
A coding deficiency exists in a Microsoft Kernel Mode driver that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33765 through 33770.

Microsoft Security Bulletin MS15-024:
A coding deficiency exists in Microsoft PNG image processing that may lead to information disclosure.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33760 through 33761.

Microsoft Security Bulletin MS15-025:
A coding deficiency exists in the Microsoft Windows Kernel that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33773 through 33774.

Microsoft Security Bulletin MS15-026:
A coding deficiency exists in Microsoft Exchange Server that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33762, 33807, and 33810 through 33811.

Microsoft Security Bulletin MS15-027:
A coding deficiency exists in Microsoft Netlogon that may allow spoofing attacks.
A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 3, SID 15453.

Microsoft Security Bulletin MS15-028:
A coding deficiency exists in the Microsoft Task Scheduler that may allow a security feature bypass.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 33717.

Microsoft Security Bulletin MS15-029:
A coding deficiency exists in a Microsoft graphics component that may lead to information disclosure.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33771 through 33772.

Microsoft Security Bulletin MS15-030:
A coding deficiency exists in Microsoft Remote Desktop protocol that may lead to a Denial of Service (DoS).
A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 21232.

Microsoft Security Bulletin MS15-031:
A coding deficiency exists in Microsoft Schannel that may allow a security feature bypass.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33777 through 33806.

Talos has added and modified multiple rules in the blacklist, browser-ie, file-image, file-office, file-other, malware-cnc, malware-other, os-windows, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!
|
Just released: Snort Subscriber Rule Set Update for 03/05/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 84 new rules and made modifications to 5 additional rules. There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:
Yaser Mansour: 33677, 33678

Talos's rule release:

OpenSSL RSA_EXPORT attack CVE-2015-0204:
A coding deficiency in OpenSSL exists that may lead to information disclosure.
Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 33686 through 33703.

Talos has also added and modified multiple rules in the blacklist, browser-chrome, file-identify, file-other, malware-cnc, protocol-voip, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!
|
Just released: Snort Subscriber Rule Set Update for 03/03/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 29 new rules and made modifications to 16 additional rules. There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:
Yaser Mansour: 33646, 33647, 33648, 33650
Avery Tarasov: 33649

Talos's rule release: Talos has added and modified multiple rules in the blacklist, browser-chrome, browser-ie, browser-other, browser-plugins, exploit-kit, file-identify, file-image, file-other, malware-cnc, pua-adware, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!
|
Just released: Snort Subscriber Rule Set Update for 01/13/2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 7 additional rules. There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:
Red Sky Alliance: 33047, 33058, 33059, 33060

Talos's rule release:

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Details:

Microsoft Security Bulletin MS15-001:
A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 32965 through 32966.

Microsoft Security Bulletin MS15-002:
A coding deficiency exists in Microsoft Telnet Server that may lead to remote code execution.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 33050.

Microsoft Security Bulletin MS15-004:
A coding deficiency exists in the Microsoft CTSWebProxy ActiveX control that may lead to an escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33051 through 33052.

Microsoft Security Bulletin MS15-007:
A coding deficiency exists in Microsoft RADIUS services on domain controllers that may lead to a Denial of Service (DoS).
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 33048 through 33049.

Microsoft Security Bulletin MS15-008:
A coding deficiency exists in Microsoft WebDAV that may lead to an escalation of privilege.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 3, SID 33053.

Talos has added and modified multiple rules in the blacklist, browser-plugins, file-multimedia and protocol-telnet rule sets to provide coverage for emerging threats from these technologies.

In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users; be sure to see our business pricing as well at https://www.snort.org/products. Make sure to stay up to date to catch the most emerging threats!
|