Snort Blog

End of Life Announcement for versions of Snort 2 AND Snort 3

noreply@blogger.com (Brendan Bell) — Tue, 20 Jan 2026 17:35:00 +0000

Multiple versions of Snort 2 and Snort 3 have reached End of Life and we will no longer publish Snort Talos Rules for these versions as of today.

As of Today we will no longer be supporting the following versions of Snort Talos Rules

Snort 2

2.9.11.1

2.9.13.0

2.9.14.1

2.9.15.1

2.9.16.0

2.9.16.1

2.9.17.0
2.9.19.0

Snort 3

3.0.3.1

3.0.3.4

3.1.0.0

3.1.3.0

3.1.4.0

3.1.5.0

3.1.7.0

3.1.9.0

We encourage All Snort 3 users to use the Talos lightSPD rules package for downloading rules as this singular package contains configurations for every version of Snort 3 and Shared Object rules for all supported versions and architectures, in addition to the latest versions of all rules

Upgrade to the latest version of Snort 3 available here: https://snort.org/downloads

For more information on the features and advantages of Snort 3 please visit:
https://snort.org/snort3

For More information on using the Talos lightSPD package please visit:
https://blog.snort.org/2020/12/soft-release-lightspd-new-rules-package.html

For help downloading, installing and configuring Snort 3 please visit:
https://docs.snort.org/rules/

To take advantage of SnortML:
https://blog.snort.org/2024/08/watch-snortml-training-video.html

To learn more about Snort 3 and Wide String Detection:
https://blog.snort.org/2025/04/in-snort-3.html

For users who would like to continue to use Snort 2, we encourage you to update to Snort 2.9.20 as soon as possible, which can be found at https://snort.org/downloads .

Snort 2.9.20 is the version of Snort that we will continue to support for the longest period of time.

If you have any questions, please feel free to reach out to us at: snort-sub@cisco.com or join our discord: https://discord.gg/DZpdZDJtSH

End of Life Announcement for Multiple Versions of Snort 2 and Snort 3

noreply@blogger.com (Brendan Bell) — Thu, 18 Sep 2025 20:32:00 +0000

Multiple versions of Snort 2 and Snort 3 will be reaching End of Life this year.

As of 12/18/2025 the following versions of Snort 2 will have reached end of life and we will no longer publish Snort Talos Rules for these versions as a result, the following versions of Snort 2 will no longer be supported:

2.9.11.1
2.9.13.0
2.9.14.1
2.9.15.1
2.9.16.0
2.9.16.1
2.9.17.0
2.9.18.1
2.9.19.0

As of 12/18/2025, all versions of Snort 3 prior to and including Snort 3.1.9.0 will reach end of life and will no longer be supported.

We encourage All Snort 3 users to use the Talos lightSPD rules package for downloading rules as this singular package contains configurations for every version of Snort 3 and Shared Object rules for all supported versions and architectures, in addition to the latest versions of all rules

Upgrade to the latest version of Snort 3 available here: https://snort.org/downloads

For more information on the features and advantages of Snort 3 please visit:
https://snort.org/snort3

For More information on using the Talos lightSPD package please visit:
https://blog.snort.org/2020/12/soft-release-lightspd-new-rules-package.html

For help downloading, installing and configuring Snort 3 please visit:
https://docs.snort.org/rules/

To take advantage of SnortML:
https://blog.snort.org/2024/08/watch-snortml-training-video.html

To learn more about Snort 3 and Wide String Detection:
https://blog.snort.org/2025/04/in-snort-3.html

For users who would like to continue to use Snort 2, we encourage you to update to Snort 2.9.20 as soon as possible, which can be found at https://snort.org/downloads .

Snort 2.9.20 is the version of Snort that we will continue to support for the longest period of time.

If you have any questions, please feel free to reach out to us at: snort-sub@cisco.com or join our discord: https://discord.gg/DZpdZDJtSH

Adding Improved Wide String Detection to Snort 3

noreply@blogger.com (Brendan Bell) — Sat, 05 Apr 2025 01:27:00 +0000

By Chris Morrison

In Snort 3.6.2.0, the team has added new modifiers for the "content” option to simplify detection against multi-byte character strings.

For content matches, “width” and “endian” options allow users to modify the content to match against simple wide character strings without manually adding null bytes into the patterns. This makes rule writing easier and more maintainable against targets that use multi-byte character strings, as is common in file metadata or modern string encodings.

Width allows a simple expansion of the content from 8-bit character width to a specified width of 8, 16, or 32 bits. Note that 8 bits is the default behavior and does not impact detected content.

# Match "hello" encoded with 32 bits per character in big endian

content:"|000000|h|000000|e|000000|l|000000|l|000000|o";

content:"hello", width 32;

Endian further modifies the width option’s expansion to control the endianness of the expanded character with “big” (as the default) and “little” options. Combining these two options, we can easily flex our detection patterns to match on a variety of string encodings. For example, content: “Talos”, width 32, endian little; would detect on “Talos” encoded as a UTF-32-LE string.

# Match "Talos" encoded with 32 bits per character in little endian content:"T|000000|a|000000|l|000000|o|000000|s|000000|";

content:"Talos",width 32,endian little;

To showcase how the width and endian modifiers can make rules more maintainable, consider the existing malware detection in Snort SID 55927. This rule detects several highly suspect strings within a target binary; however, these strings are UTF-16-LE encoded. Here is the simplified rule in old content syntax with null bytes manually added:

alert file (

msg:"MALWARE-CNC Win.Dropper.LemonDuck variant script download attempt";

file_data;

content:"|00|%|00|u|00|s|00|e|00|r|00|n|00|a|00|m|00|e|00|%|00||00|%|00|c|00|o|00|m|00|p|00|u|00|t|00|e|00|r|00|n|00|a|00|m|00|e|00|%|00|*|00|",fast_pattern,nocase;

content:"W|00|S|00|c|00|r|00|i|00|p|00|t|00|.|00|S|00|h|00|e|00|l|00|l|00|",nocase;

content:"D|00|o|00|w|00|n|00|L|00|o|00|a|00|d|00|S|00|t|00|r|00|i|00|n|00|g|00|",nocase;

)

Here is an example of the new syntax, which makes the rule much easier to follow:

alert file (

msg:"MALWARE-CNC Win.Dropper.LemonDuck variant script download attempt";

file_data;

content:"%username%%computername%*", fast_pattern, nocase, width 16, endian little;

content:"WScript.Shell", nocase, width 16, endian little;

content:"DownLoadString", nocase, width 16, endian little;

)

As we can see, if the new rule were to have hits in our environment, we would be able to understand what the rule is alerting to much faster than the original syntax. ClamAV and Yara users will likely be familiar with this usage because the combination of “endian little” and “width 16” is functionally identical to the languages’ wide modifiers.

These new features are available in Snort 3.6.2.0 and later. More documentation on these options is available in the Snort 3 Rule Writing Guide.

If you have any questions, feel free to reach out to us via: snort-users@lists.snort.org or join our Snort Discord.

Changes to the Snort Sample IP Block List

noreply@blogger.com (Brendan Bell) — Thu, 26 Sep 2024 15:01:00 +0000

Effective today, we have made some changes to the Snort Sample IP Block List available on Snort.org

The Snort Sample IP Blocklist has been a steady component of our open-source Snort community since its launch. It was originally provided so the community could test the functionality of their Snort installation, and it was never intended to be users’ sole source of IP blocking.

Traditionally, this is list of suggested IPs to block based on other open-source IP block lists. But over the past several years, we have seen an increasing number of users relying on the Snort Sample IP Blocklist as their primary source of IP Blocking, which may lead to a false sense of protection from threats.   

To ensure the intention and legal usage of this blocklist is clear to all our users, we will be enabling a “click-to-accept” terms and conditions box for users to access the Snort Sample IP Blocklist hosted on Snort.org. This change will outline the legal terms and conditions for use of the blocklist, which clearly documents the intended use of the data.

We will continuously update the Snort Sample IP Blocklist on Snort.org regularly and provide it free to all users to ensure that Snort is functioning as intended.

You can download the Snort Sample IP Block List here.

Thanks,

The Snort Team

Upcoming changes to the Snort.org Sample IP Blocklist

noreply@blogger.com (Brendan Bell) — Mon, 26 Aug 2024 17:00:00 +0000

We will be making some changes to the Snort Sample IP Block List on Sept. 26, 2024.

The Snort Sample IP Block List is a list of suggested IPs to block based on other open-source IP block lists. Over the last several years, we have seen an increasing number of users relying on the Snort Sample IP Blocklist as their primary source of IP Blocking, which may be leading to a false sense of protection from threats.   

This change will outline the legal terms and conditions for use of the blocklist, which clearly documents the intended use of the data. 

We will continue to update the Snort Sample IP Blocklist on Snort.org regularly and provide it free to all users, to ensure that Snort is functioning as intended. After Sept. 26, 2024, access to the list will require users to click to accept the terms and conditions.

If you have any questions, feel free to reach out to us via:snort-users@lists.snort.org

Or join our Discord https://discord.gg/Pj3usE9CZ7

Watch: SnortML Training video

noreply@blogger.com (Anonymous) — Mon, 05 Aug 2024 13:40:00 +0000

We recently launched SnortML – our new machine learning exploit detection engine designed to detect novel attacks fitting known vulnerability types.

Now, we have released a SnortML training video featuring Cisco Talos security researcher (and SnortML developer) Brandon Stultz. This video covers how SnortML addresses the zero-day problem, the vulnerability classes it is currently trained on, and a dive into neural networks.

The training concludes a model development lab where you will see Brandon create a new model to detect a SQL injection attack.

We hope you enjoy this training and are able to develop a good understanding of SnortML’s capabilities. We look forward to hearing your use cases for the models you create based on SnortML.

You can find the SnortML and LibML code on GitHub. You can also join the conversation on our Discord or on the Snort users mailing list if you have any questions or feedback. 

Talos launching new machine learning-based exploit detection engine

noreply@blogger.com (Anonymous) — Fri, 15 Mar 2024 13:39:00 +0000

By Brandon Stultz.

Every day, new vulnerabilities are discovered in the software critical to the function of the modern world. Security analysts take apart these new vulnerabilities, isolate what is necessary to trigger them and write signatures to block any exploits targeting them.
For Snort, these signatures are called Snort rules — and they’re extremely versatile. They can access specific network service fields, locate a vulnerable parameter and scan that parameter for the presence of an exploit.
They can also leverage numerous rule options to traverse protocols and file formats. Written well, these rules can have high efficacy and performance with few or no false positives.
This approach to defense is very good at protecting networks from known threats, but what if the threat is unknown? What if a vulnerability is discovered, an exploit for it is written, and the security community has no knowledge of it? We need another approach to defense that doesn’t require prior knowledge of the attack to function.
Over the past year at Cisco, we have been prototyping and building this new approach into a new detection engine for Snort. Today, I am proud to announce we are open-sourcing this engine to the community in the latest Snort 3 release (version 3.1.82.0). This new detection engine is called “SnortML.”
SnortML is a machine learning-based detection engine for the Snort intrusion prevention system. At a high level, there are two components to this new detection engine. The first component is the snort_ml_engine itself, which loads pre-trained machine learning models, instantiates classifiers based on these models and then makes the classifiers available for detection. The second is the snort_ml inspector, which subscribes to data provided by Snort service inspectors, passes the data to classifiers, and then acts on the output of the classifiers.
Currently, the snort_ml_engine module only has one model type, namely the http_param_model, but we plan on building other models in the future.
This http_param_model is used for classifying HTTP parameters as malicious or normal. Once the snort_ml_engine loads the http_param_model, it can be used in the snort_ml inspector to detect exploits.
The inspector subscribes to the HTTP request data provided by the HTTP inspector through the publish/subscribe interface. It then passes this data (HTTP URI query and optionally HTTP POST body) to a binary classifier based on the http_param_model. This classifier then returns the probability that it saw an exploit. Based on this probability, SnortML can generate an alert, similar to a Snort rule alert, which can be configured to block malicious traffic. Now that you know how the machine learning engine works, let’s get into how the models work.
SnortML models are designed to be extremely flexible, much like their Snort rule counterparts. To that end, we based our models and our inference engine on TensorFlow. The TensorFlow project is a free and open-source library for machine learning and artificial intelligence.
Any TensorFlow model can be a SnortML binary classifier model so long as it satisfies three conditions, namely, the model must have a single input tensor and a single output tensor, the input and output tensor types must be 32-bit floating point, and finally, the output tensor must have only a single element. We plan on adding other model types in the future (including multiclass classifiers), but right now, this is the only model type currently supported. The SnortML engine uses TensorFlow through a support library we call LibML. The LibML library handles loading, configuring and running machine learning models for Snort. It also includes the XNNPACK accelerator needed to run CPU-bound models at line rate. The easiest way to build a SnortML model is to use the TensorFlow Keras API. If you are new to machine learning, don’t worry, Keras is a simple but powerful deep-learning framework that allows you to build neural networks and train them in a few lines of Python. To get started, import the following: We are going to train our example model on just two samples, but a real production model would use far more: The next thing we need to do is prepare our data. SnortML models expect input data to be zero-padded which is what we are going to do here: Now, we need to construct a neural network that can classify our data. This example uses a simple LSTM (Long Short-Term Memory) network, but other combinations of layers available in Keras work here as well. LSTM is a type of neural network that is keenly suited to identify patterns in sequences of data, such as the sequences of bytes in HTTP parameters. To translate the bytes on the wire to tensors that the LSTM can accept, we can place an embedding layer in front of it. Embedding layers are a kind of association layer, they can learn relationships between input data (bytes in our case) and output those relationships as tensors that the LSTM neurons can accept.

Finally, we will converge the output of our LSTM neurons to a single output neuron with a Dense layer. This will serve as the output of the neural network.
Now for the fun part — let’s train this neural network: Training output:

As you can see above, the accuracy of our network increased, and the loss dropped. These metrics show that the neural network learned to differentiate attack from normal in our example dataset.
Now, let’s save this model to a file so we can load it in Snort: Now that we have a model file, we can run it against PCAPs with Snort 3: If you have Snort 3 built with debug messages enabled, you can even trace the ML engine input and output.

Notice that even with variations in the SQL injection attack above, we still detected it. For years, we had dreamed about tackling the zero-day problem, providing coverage for attacks that were like those we had seen before, but targeting different applications or parameters. Now, with SnortML, this dream is becoming a reality. You can find the SnortML and LibML code here. Feel free to join the conversation on our Discord or on the Snort users mailing list if you have any questions or feedback.

Snort 2.9.8.3 and Snort 2.9.13.0 End of Life

noreply@blogger.com (Brendan Bell) — Thu, 07 Mar 2024 14:20:00 +0000

We are announcing the end of life for Talos rules in the following versions of Snort 2:

Snort 2.9.8.3
Snort 2.9.13.0
Snort 2.9.8.3 Rules: This rule set is no longer available.
Snort 2.9.13.0 Rules: We will no longer produce Talos rules for these versions of Snort on or around July 1, 2024.

We encourage our open-source users to upgrade to the latest version of Snort 3 available here: Snort.org/downloads.

For users who would like to continue to use Snort 2, we recommend updating to Snort 2.9.20 as soon as possible, which can be found at Snort.org/downloads.

If you have any questions please feel free to reach out to us at: snort-sub@cisco.com or join our discord: Snort Discord Invite.

ICS protocol coverage using Snort 3 service inspectors

noreply@blogger.com (Anonymous) — Tue, 26 Sep 2023 15:43:00 +0000

By Jared Rittle.

With more devices on operational technology (OT) networks now getting connected to wide-reaching IT networks, it is more important than ever to have effective detection capabilities for ICS protocols.

However, there are a few issues that usually arise when creating detection for ICS protocol traffic.

Oftentimes, the protocols connecting these devices on modern networks originate in older serial protocols. This transition resulted in protocols that use techniques like bitfields to reduce message size and multiple levels of encapsulation to avoid changes to the original protocol. These protocols often support combining multiple requests into one packet (pipelining) or splitting up a single request across multiple packets (fragmenting). Snort is fully capable of detecting traffic using any of these approaches, however, it requires a deeper understanding of the underlying protocol and more complicated plaintext rules, which is not always feasible.

The solution to these problems lies in the use of a Snort 3 service inspector for protocols requiring increased detection capabilities. Service inspectors are an evolution of Snort 2's preprocessors, providing access to additional built-in rules that look for protocol-level abnormalities, normalize pipelined and fragmented messages, and provide additional verification that the traffic being inspected is the expected protocol. Through the use of rule options exposed by existing service inspectors, plaintext rule writers can focus on the coverage of interest and let Snort handle protocol decoding and normalization.

Read the rest of this post over on the Talos blog.

Applications open now for 2023 Snort scholarship

noreply@blogger.com (Anonymous) — Mon, 03 Apr 2023 13:15:00 +0000

Applications are now open for the $10,000 Snort scholarship. We encourage everyone eligible to apply here. We will be accepting applications through May 3.

After that, our hand-picked panel will review the submissions and select two students to receive a $10,000 award each.

For more detailed instructions on applying, check out the video below.

To be eligible for the scholarship, you must have or be eligible to receive your high school diploma or an equivalent in 2023 as of the date Cisco receives your application. Each applicant must provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cybersecurity or a similarly related field of study from a school located in the U.S. or a U.S. territory.

To apply for the scholarship, you must answer a series of short essay questions, which will be the main basis for how we select the winners.

The selection process is different from years past. Our panel will review all submissions and score the responses on the following 15-point scale:

Originality (Score 1-5): Points will be assigned based on the assessment of original, fresh thoughts and concepts including anecdotes or examples of how security or a related field has shaped the personal and/or professional life of the applicant.
Knowledge of Snort (Score 1-5): Points will be assigned on how well the applicant understands Snort and its use.
Overall Submission Quality (Score 1-5): Points will be assigned on the overall quality of the submission. Factors include, but are not limited to, perceived effort and sincerity level.

The panel of judges will score each submission, and then we will select a winner based on the top cumulative score. In the event of a tie, the judges will select the winner based on their responses’ originality.

We hope these applications will introduce aspiring researchers and IT professionals to Cisco’s job pool and establish early communication between applicants and potential future job opportunities.

Snort v3.1.53.0 is now available!

noreply@blogger.com (Unknown) — Mon, 30 Jan 2023 19:44:00 +0000

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.53.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible, or upgrade to Snort 3 if they have not already done so.

Here's a rundown of all the changes and new features in this latest version of Snort 3:

appid: publish tls host set in eve process event handler only when appid discovery is complete
detection: show search algorithm configured
file_api: handling filedata in multithreading context
flow: add stream interface to get parent flow from child flow
memory: added memusage pegs
memory: fix unit test build w/o reg test

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up—from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to the newest rule detection functionality from Talos for as low as $29.99 a year with a personal account. See our business pricing as well here. Make sure and stay up to date to catch the most emerging threats.

New Snort 3 rule writing guide available

noreply@blogger.com (Anonymous) — Tue, 18 Oct 2022 15:36:00 +0000

Snort 3's new features, improvements and detection capabilities come with updates to the Snort rule language syntax and the rule-writing process.

To help with that, direct from the Talos analyst team, comes the Snort 3 Rule Writing guide: Detailed documentation for all the different rule options available in Snort 3.

The Snort 3 Rule Writing Guide is meant for new and experienced Snort rule-writers alike, focusing primarily on the rule-writing process. It is intended to supplement the documentation provided in the official Snort 3 repository (the official Snort User Manual). Each rule option has its own page to describe its functionality and syntax, along with examples to show how the option might be used in a Snort rule.

The guide covers the essential information for new Snort users to get Snort 3 up and running. This includes installation and usage instructions, a brief look into Snort 3's internals, the basics of configuration files, and detailed information on writing effective Snort 3 rules. Despite the manual's broad scope, users will however still need to refer to the full user manual to find more comprehensive and advanced guidance on non-rule-writing-specific topics.

Experienced Snort users who are already comfortable using Snort can skip the "Getting Started" section and instead jump right to the "Rule Options" section to get extensive documentation on the unchanged, updated and new rule options present in Snort 3. Watch out specifically for the now-sticky HTTP buffers, the new "alert file" and "alert http" rule types, as well as the new options like "http_param", "js_data", and "bufferlen".

As Snort 3 continues to evolve, this manual will too. The analyst team will provide updates to the manual to keep the greater Snort community abreast of any recent changes.

Snort OpenAppID Detectors have been updated

noreply@blogger.com (Costas Kleopa) — Thu, 22 Sep 2022 14:40:00 +0000

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 356 — includes:

3,374 detectors.
Additional detectors from the open-source community. For more details on which contributions were included — we have added them to the "Authors" file in this package.

The release is available now on our Downloads page. We look forward to users downloading and using the new features. If you have any feedback, please share it with the OpenAppID mailing list.

The OpenAppID package is also compatible with our most recent Snort 3 releases.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.

Changes to the community rule release schedule

noreply@blogger.com (Anonymous) — Thu, 09 Jun 2022 12:35:00 +0000

By Jon Munshaw.

As of this week, we are changing the cadence for releases for the Snort community rule set.

Previously, the community rules were released every day at 11:40 a.m. ET, even if there are no rule changes. Now, the rule set will align with our normal open-source build and release schedule. This is usually every Tuesday and Thursday, though this may change based on public holidays and ad hoc releases for certain vulnerabilities or malware families.

We apologize for any disruptions this may cause.

Community rules are a set of rules that members of our open-source community or Snort integrators have submitted. These rules are freely available to all Snort users and are governed by the GPLv2. Anyone can submit a community rule using the Snort Rules mailer here.

Community rules are available for anyone to download here without registration and are free of charge without any Rule Set License restrictions.

Weekly Snort rule update for March 25 - April 1

noreply@blogger.com (Anonymous) — Fri, 01 Apr 2022 13:14:00 +0000

Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

There are multiple rules to protect against the exploitation of the highly publicized Spring4Shell vulnerabilities that could lead to remote code execution. Spring is a popular framework used to develop Java applications. Snort SIDs 30790 - 30793, 59388 and 59416 can detect this activity.

For more on these vulnerabilities, read the Talos blog here.

All users can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements, which you can upgrade to here.

Snort's rule blog posts are switching to a weekly recap format, rather than releasing every day a new rule update is released. If you have any feedback on this blog format, please reach out to us on Twitter @Snort.

Weekly Snort rule update for March 21 - 25

noreply@blogger.com (Anonymous) — Fri, 25 Mar 2022 16:22:00 +0000

Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

Weekly Snort rule update for March 14 - 18

noreply@blogger.com (Anonymous) — Thu, 17 Mar 2022 14:43:00 +0000

Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

The rules from this week cover a variety of malware families, including the CaddyWiper threat that's been targeting users in Ukraine. The wiper is relatively small in size and dynamically resolves most of the APIs it uses. Cisco Talos' analysis didn't show any indications of persistency, self-propagation or exploitation code.

We also released new protections for the Dirty Pipe exploit recently discovered in the Linux operating system. This vulnerability could allow an attacker to completely root devices, including some Android devices, as researchers showed with the Google Pixel 6. QNAP also warned users that its network-attached storage devices are also at risk.

Snort OpenAppID Detectors have been updated

noreply@blogger.com (Costas Kleopa) — Thu, 17 Mar 2022 14:05:00 +0000

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 353 — includes:

3,370 detectors.
Additional detectors from the open-source community. For more details on which contributions were included — we have added them to the "Authors" file in this package.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.

Weekly Snort rule update for Feb. 14 - 18

noreply@blogger.com (Anonymous) — Thu, 17 Feb 2022 17:52:00 +0000

Cisco Talos released two new rule sets for SNORTⓇ this week, which you can view here and here.

Our two releases include several new protections against a variety of malicious webshells. There is also an additional rule that protects against the string of vulnerabilities Cisco recently disclosed in its RV series of routers aimed at small businesses.

The CVEs have a combined severity score of a maximum 10 out of 10. If successful, an adversary could execute arbitrary code on the targeted device, cause a denial of service or bypass authentication protections.

Snort 3.1.21.0 is now available (plus bonus information on Thursday's rule update)

noreply@blogger.com (Anonymous) — Thu, 03 Feb 2022 21:52:00 +0000

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub. Thursday also brought us the latest rule release, which includes several rules to protect against critical vulnerabilities Cisco patched in its RV series of routers. You can see more about this rule update here.

Snort 3.1.21.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Here's a rundown of all the changes and new features in this latest version of Snort 3.

AppID: Do not delay detection of SMB service for the sake of version detection.
control: Fix macro definitions.
http_inspect: Correct comment regarding header splitting rules.
http_inspect: Forward 0.9 request lines to detection.
http_inspect: http_version_match uses msg section version ID.
http_inspect: Webroot traversal.
main: Move policy selector and flow tracking from snort config to policy map.
main: Only add policies to the user policy map at the end of table processing.
policy: Add a file_policy to the network policy and use it.
stream: QUIC stream-dependent changes.
stream_tcp: Ensure that we call splitter finish() only once per flow, per direction.
wizard: Remove extra semicolon.

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up — from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. Make sure and stay up to date to catch the most emerging threats.

Snort OpenAppID Detectors have been updated

noreply@blogger.com (Costas Kleopa) — Thu, 03 Feb 2022 21:44:00 +0000

SNORTⓇ released a new update today for its OpenAppID Detector content.

This release — build 352 — includes:

3,280 detectors.
Additional detectors from the open-source community. For more details on which contributions were included, we have added them to the "Authors" file in this package.

For more information regarding the applications that are included in the open-source version of OpenAppID, feel free to visit our new application portal at appid.cisco.com.

Snort rule update for Jan. 25, 2022 — And an update to our supported operating systems

noreply@blogger.com (Anonymous) — Tue, 25 Jan 2022 21:21:00 +0000

The newest SNORTⓇ rule update from Cisco Talos is now available.

This release includes several rules to protect against malicious PHP command shells in Ajax that are sometimes used in cyber attacks.

Here's a full breakdown of the rest of Tuesday's rule update:

Shared object rules	Modified shared object rules	New rules	Modified rules
3	0	14	0

There were no changes made to the snort.conf in this release.

Cisco Talos' rule release:

Talos has added and modified multiple rules in the malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

We would also like to give everyone a head's up that we are working to update the list of supported operating systems for Snort. As of Feb. 15, 2022, the following operating systems will no longer be supported:

Alpine 3.10 i386
Alpine 3.10 x64
CentOS 6 i386
CentOS 6 x64
CentOS 7 i386
CentOS 7 x64
Debian 8 i386
Debian 8 x64
Debian 9 i386
Debian 9 x64
FC 27 x64
FC 30 x64
FC 31 x64
FreeBSD 11.1 i386
FreeBSD 11.1 x64
FreeBSD 12.0 x64
OpenBSD 6.2 i386
OpenBSD 6.2 x64
OpenBSD 6.4 i386
OpenBSD 6.4 x64
OpenBSD 6.5 i386
OpenBSD 6.5 x64
OpenSUSE LEAP 42.3 x64
OpenSUSE LEAP 15.0 x64
OpenSUSE LEAP 15.1 x64
RHEL 6 i386
RHEL 6 x64
Ubuntu 17.10 i386
Ubuntu 17.10 x64
Ubuntu 19.10 x64

Please reach out to one of our mailing lists if you have any questions.

Snort rule update for Jan. 13, 2022

noreply@blogger.com (Anonymous) — Thu, 13 Jan 2022 13:56:00 +0000

The newest SNORTⓇ rule update from Cisco Talos is now available.

Thursday morning's rule release includes new protections against the exploitation of a Log4shell-like vulnerability recently discovered in the popular H2 Java SQL database. Although the paths to exploiting this vulnerability are similar to the recent Log4j issue, the scope of execution is less broad.

Here's a full breakdown of the rest of today's rule update:

Shared object rules	Modified shared object rules	New rules	Modified rules
2	0	2	2

There were no changes made to the snort.conf in this release.

Cisco Talos' rule release:

Talos has added and modified multiple rules in the malware-cnc, server-mysql and server-webapp rule sets to provide coverage for emerging threats from these technologies.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure and see our business pricing as well here. The Snort 3 release is also here after years of development and improvements. Upgrade here.

Snort 3.1.20.0 available for download now

noreply@blogger.com (Anonymous) — Wed, 12 Jan 2022 18:39:00 +0000

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.20.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Here's a rundown of all the changes and new features in this latest version of Snort 3.

AppID: Handle SNI in efp event.
AppID: Make peg counts consistent with what is reported to external components*
AppID: Updated the AppID API to include SSH in the list of service inspectors that need inspection.
dnp3, gtp, file_type: Fix assert while parsing string parameter.
doc: Update JavaScript normalization docs.
http2_inspect: Don't send data frames to the HTTP stream splitter when it's not expecting them.
http2_inspect: Hardening.
http_inspect: Version update, http_version_match rule option.
stream_tcp: Limit reassembly size for AtomSplitter. Thanks to barosch78 and DAKOIT for their help in the process of finding the root cause.
stream_tcp: Skip seglist gap in post-ack mode if data is acked beyond the gap.
stream_user: Change packet type from PDU to USER for hext daq, user codec, and stream_user.
wizard: Make max_search_depth applicably for curses.

Snort 3 is the next generation of the Snort Intrusion Prevention System. The GitHub page will walk users through what Snort 3 has to offer and guide users through the steps of getting set up — from download to demo. Users unfamiliar with Snort should start with the Snort Resources page and the Snort 101 video series.

Snort rule update for Jan. 11, 2022 — Microsoft Patch Tuesday

noreply@blogger.com (Anonymous) — Wed, 12 Jan 2022 13:56:00 +0000

Cisco Talos released a new SNORT® ruleset Tuesday evening, providing coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, view all of them on Microsoft's security update page. You can also read our breakdown of the most notable vulnerabilities on the Talos blog.

Here's a breakdown of Tuesday's rule release:

Shared object rules	Modified shared object rules	New rules	Modified rules
0	0	22	9

There were no changes made to the snort.conf in this release.

Microsoft Vulnerability CVE-2022-21881: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58866 through 58867.

Microsoft Vulnerability CVE-2022-21882: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58859 through 58860.

Microsoft Vulnerability CVE-2022-21887: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58874 through 58875.

Microsoft Vulnerability CVE-2022-21897: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40689 through 40690.

Microsoft Vulnerability CVE-2022-21907: A coding deficiency exists in HTTP Stack that may lead to remote code execution.

Preprocessors to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 119, SIDs 19 and 31.

Microsoft Vulnerability CVE-2022-21908: A coding deficiency exists in Microsoft Windows Installer that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58870 through 58871.

Microsoft Vulnerability CVE-2022-21916: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58872 through 58873.

Microsoft Vulnerability CVE-2022-21919: A coding deficiency exists in Microsoft Windows User Profile Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58868 through 58869.

Talos also has added and modified multiple rules in the file-other, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.