Channel: Snort

Re: Snort Subscriber Rules Update 2024-04-04

Posted by Jonathan Lee via Snort-sigs on Apr 05

can this detect Docker containers like Kali Bleeding Edge Docker Container with appid?

Re: Snort Subscriber Rules Update 2024-04-04

Posted by Joel Esler via Snort-sigs on Apr 05

Probably a good question for snort-openappid’s list.

Re: Matching http_cookie content

Posted by Al Lewis (allewi) via Snort-sigs on Apr 07

Using your script, if the http_cookie keyword is added it alerts. Files used are attached.

```
box20@box20:/var/tmp/snort3-20240404$ ./bin/snort -c etc/snort/log4j.lua -R etc/snort/log4j.rules -r ~/Downloads/log4j-script.pcap -Acsv -k none -q
04/07-21:35:08.151273, 8, TCP, stream_tcp, 109, C2S, 210.210.210.6:41932, 210.210.210.5:3000, 1:58726:6, allow
```

```
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
msg:"SERVER-OTHER Apache...
```

Snort Subscriber Rules Update 2024-04-09

Posted by Research via Snort-sigs on Apr 09

Talos Snort Subscriber Rules Update

Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2024-26158:
A coding deficiency exists in Microsoft Install Service that may lead
to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with:
Snort 2: GID 1, SIDs 63254 through 63255,
Snort 3: GID 1,...

Re: Matching http_cookie content

Posted by Stephen Reese via Snort-sigs on Apr 10

Does this mean the rule that is being distributed is broken?

Re: Matching http_cookie content

Posted by Al Lewis (allewi) via Snort-sigs on Apr 10

No, not necessarily. I don't know what the traffic looked like that they wrote the rule on.

I edited the rule to match the traffic that your script generated just as an example.

Albert Lewis

Email: allewi () cisco com

________________________________
From: Stephen Reese <rsreese () gmail com>
Sent: Monday, April 8, 2024 8:27 AM
To: Al Lewis (allewi) <allewi () cisco com>
Cc: Alex Tatistcheff...

Re: Multi Pattern Search Engine Plugin

Posted by Vlad Ulmeanu via Snort-devel on Apr 11

Hi, back with some bugs:

* lowmem seems to treat every pattern as if it had `nocase == true`. All calls to `KTriePrefixMatch` pass `Tnocase` as the useful parameter. Is this intended?

* For the following text (in `uint8_t` format):

```
(n = 24)
T = 0 0 0 0 243 127 95 75 189 112 255 71 180 46 93 169 167 197 0 248 21 0 0 0
```

Tested against the following dictionary <https://pastebin.com/raET1dJR>
(originally `63` entries, only `50`...

Snort Subscriber Rules Update 2024-04-11

Posted by Research via Snort-sigs on Apr 11

Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-pdf and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Multi Pattern Search Engine Plugin

Posted by Russ Combs (rucombs) via Snort-devel on Apr 11

Hey Vlad,

Sounds like you are making progress.

lowmem is caseless which helps reduce memory. The exact match is checked during signature evaluation unless the content is nocase.

ac_bnfa and ac_full are also caseless. The hyperscan MPSE is case sensitive. Your algorithm can be either.

I'm not able to reproduce the match off the end of the buffer. Is it possible that your input includes a null terminator with a length of 25? If you want...

Re: Multi Pattern Search Engine Plugin

Posted by Vlad Ulmeanu via Snort-devel on Apr 12

Hi Russ, thank you very much for the quick answer.

If I didn't overlook anything, I never interact with the null terminator.
This is how I store and access the patterns/text:

```
int add_pattern(const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override {
    patterns.emplace_back(std::vector<uint8_t>(P, P + m), ...);

    ...
}

...

int _search(const uint8_t* T, int n, MpseMatch match, void*...
```

Snort Subscriber Rules Update 2024-04-16

Posted by Research via Snort-sigs on Apr 16

Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
file-pdf, malware-other, os-windows and server-webapp rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2024-04-16

Posted by Research via Snort-sigs on Apr 16

Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos is releasing detection for CVE-2024-3400 PAN-OS Command Injection
Vulnerability in GlobalProtect Gateway.

Talos has added and modified multiple rules in the server-webapp rule
sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:...

Snort Subscriber Rules Update 2024-04-18

Posted by Research via Snort-sigs on Apr 18

Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-executable,
file-office and server-webapp rule sets to provide coverage for
emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Multi Pattern Search Engine Plugin

Posted by Russ Combs (rucombs) via Snort-devel on Apr 19

Hey Vlad,

I built your patched lowmem and got the same results as unpatched.

I have the pcap but haven't tried a full reproduction. Please narrow it down to make it easier to focus on the problem. Just the minimum diff from the default config, your command line, and the specific rule or rules that are required to reproduce.

You should call the match function in the order that your algorithm generates them. Snort will figure it out from...
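Russ's two replies in this thread describe the contract a custom MPSE has to meet: lowmem, ac_bnfa and ac_full are caseless and the exact bytes are re-checked during signature evaluation unless the content is nocase; the search is bounded by the length passed in, so a null terminator must not be read; and the match callback is invoked in the order the algorithm finds matches. The block below is an added example and is neither Snort's code nor Vlad's plugin: a small Aho-Corasick prefilter in plain C++ that folds case, scans exactly n bytes, reports candidates in order, and then confirms the exact bytes for any pattern that is not nocase. The names CaselessMpse, scan and demo, the Pattern struct and the sample header line are this example's own and stand in for Snort's Mpse interface rather than reproducing it.

```cpp
// Added example (not Snort's code): caseless multi-pattern prefilter plus an
// exact-case verification stage, modelled on the lowmem/ac_* behaviour
// described in the thread. All names here are this example's own.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <map>
#include <queue>
#include <string>
#include <vector>

struct Pattern {
    std::vector<uint8_t> bytes;  // exact bytes as written in the rule
    bool nocase;                 // rule asked for a case-insensitive match
};

// ASCII case fold for the caseless automaton.
static inline uint8_t fold(uint8_t c) { return (c >= 'A' && c <= 'Z') ? uint8_t(c + 32) : c; }

class CaselessMpse {
    struct Node { std::map<uint8_t, int> next; int fail = 0; std::vector<int> out; };
    std::vector<Node> nodes;        // node 0 is the root
    std::vector<Pattern> patterns;
    bool built = false;
public:
    CaselessMpse() : nodes(1) {}

    // Insert the folded bytes into the trie; keep the originals for verify().
    // Add every pattern before the first search().
    void add_pattern(const uint8_t* p, unsigned m, bool nocase) {
        int cur = 0;
        for (unsigned i = 0; i < m; ++i) {
            uint8_t c = fold(p[i]);
            auto it = nodes[cur].next.find(c);
            if (it != nodes[cur].next.end()) { cur = it->second; continue; }
            nodes.emplace_back();
            int fresh = int(nodes.size()) - 1;
            nodes[cur].next[c] = fresh;
            cur = fresh;
        }
        nodes[cur].out.push_back(int(patterns.size()));
        patterns.push_back({std::vector<uint8_t>(p, p + m), nocase});
    }

    // Build Aho-Corasick failure links so one pass over T finds every pattern.
    void prep() {
        std::queue<int> q;
        for (auto& kv : nodes[0].next) q.push(kv.second);   // depth-1 nodes fail to root
        while (!q.empty()) {
            int u = q.front(); q.pop();
            for (auto& kv : nodes[u].next) {
                uint8_t c = kv.first; int v = kv.second;
                int f = nodes[u].fail;
                while (f && !nodes[f].next.count(c)) f = nodes[f].fail;
                auto it = nodes[f].next.find(c);
                nodes[v].fail = (it != nodes[f].next.end() && it->second != v) ? it->second : 0;
                const auto& inherited = nodes[nodes[v].fail].out;  // patterns ending in a proper suffix of v
                nodes[v].out.insert(nodes[v].out.end(), inherited.begin(), inherited.end());
                q.push(v);
            }
        }
        built = true;
    }

    // Scan exactly n bytes; T[n] (for instance a NUL terminator) is never read.
    // Reports (pattern index, end offset) in the order the automaton finds them.
    int search(const uint8_t* T, int n, const std::function<void(int, int)>& on_match) {
        if (!built) prep();
        int state = 0, hits = 0;
        for (int i = 0; i < n; ++i) {
            uint8_t c = fold(T[i]);
            while (state && !nodes[state].next.count(c)) state = nodes[state].fail;
            auto it = nodes[state].next.find(c);
            state = (it == nodes[state].next.end()) ? 0 : it->second;
            for (int pi : nodes[state].out) { ++hits; on_match(pi, i + 1); }
        }
        return hits;
    }

    // Stand-in for signature evaluation: a caseless hit is only a candidate.
    // Unless the content is nocase, confirm the exact bytes at the reported position.
    bool verify(int pi, const uint8_t* T, int end) const {
        const Pattern& p = patterns[pi];
        if (p.nocase) return true;
        return std::memcmp(T + end - p.bytes.size(), p.bytes.data(), p.bytes.size()) == 0;
    }
};

struct ScanResult { int prefilter_hits; std::vector<int> confirmed; };

// Prefilter the first n bytes of T, then verify each candidate in match order.
ScanResult scan(const std::vector<Pattern>& pats, const uint8_t* T, int n) {
    CaselessMpse mpse;
    for (const Pattern& p : pats) mpse.add_pattern(p.bytes.data(), unsigned(p.bytes.size()), p.nocase);
    ScanResult r{0, {}};
    r.prefilter_hits = mpse.search(T, n, [&](int pi, int end) {
        if (mpse.verify(pi, T, end)) r.confirmed.push_back(pi);
    });
    return r;
}

static Pattern mk(const char* s, bool nocase) {
    return {std::vector<uint8_t>(s, s + std::strlen(s)), nocase};
}

// Constructed sample (not from the thread). Pattern 0 "admin" is case-sensitive,
// 1 "cookie" is nocase, 2 "n=2" is case-sensitive. The buffer is 28 bytes plus a
// NUL that the search must not consult; n < 28 cuts the trailing "2" off.
ScanResult demo(int n) {
    static const char buf[] = "Set-Cookie: ADMIN=1; admin=2";
    std::vector<Pattern> pats = { mk("admin", false), mk("cookie", true), mk("n=2", false) };
    return scan(pats, reinterpret_cast<const uint8_t*>(buf), n);
}

int main() {
    ScanResult r = demo(28);
    std::printf("prefilter hits: %d, confirmed:", r.prefilter_hits);
    for (int pi : r.confirmed) std::printf(" %d", pi);
    std::printf("\n");
    return 0;
}
```

With n = 28 the prefilter reports four candidates (cookie, ADMIN, admin, n=2) but only three survive verification, because "ADMIN" fails the exact-byte check for the case-sensitive pattern; with n = 27 the "n=2" candidate never appears, since the byte at offset 27 is outside the length passed in. Snort's own signature evaluation and buffer handling are more involved than this, but the split between a caseless prefilter and an exact check afterwards is the point Russ makes above.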