Snort Mailing List

Everyone's favorite open source IDS, Snort. This archive combines the snort-announce, snort-devel, snort-users, and snort-sigs lists.

Latest Posts

Snort Subscriber Rules Update 2024-05-02 Research via Snort-sigs (May 02)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the malware-cnc,
malware-other, os-windows, policy-other and server-webapp rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2024-04-30 Research via Snort-sigs (Apr 30)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-office,
malware-cnc, os-windows, policy-other, server-other and server-webapp
rule sets to provide coverage for emerging threats from these
technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Discrepancy between NVD list and available snort rules for Rockwell equipment.. Steve Matthews (stmatthe) via Snort-sigs (Apr 29)
We have a concern from an end customer who uses a lot of Rockwell equipment.

They used this tool:
https://www.snort.org/rule_docs?utf8=%E2%9C%93&search_type=standard&simple_search%5Bsid_or_explanation_or_message_or_cves_cve_key_i_cont%5D=rockwell&submit_rule_search=
And found 34 rules matching Rockwell.

Then, they used this tool:...

Re: Multi Pattern Search Engine Plugin Vlad Ulmeanu via Snort-devel (Apr 29)
Hi Russ,

Sorry for the late answer. The patch wasn't meant to change the results.
Did you mean that no extra output appeared?

I narrowed down the pcap to the packet that produced the matches (link
<https://drive.google.com/file/d/15b8qw8lu2QB0K464cyOJ4wYNTOBSllrK/view?usp=sharing>).
Now we don't need `can_debug` or the deques. However, now snort doesn't
query anymore on exactly:

```
T = 0 0 0 0 243 127 95 75 189 112 255 71...

Snort Subscriber Rules Update 2024-04-24 Research via Snort-sigs (Apr 24)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
malware-cnc, os-windows and server-webapp rule sets to provide coverage
for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2024-04-23 Research via Snort-sigs (Apr 23)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
os-windows and server-webapp rule sets to provide coverage for emerging
threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Multi Pattern Search Engine Plugin Russ Combs (rucombs) via Snort-devel (Apr 19)
Hey Vlad,

I built your patched lowmem and got the same results as unpatched.

I have the pcap but haven't tried a full reproduction. Please narrow it down to make it easier to focus on the problem.
Just the minimum diff from the default config, your command line, and the specific rule or rules that are required to
reproduce.

You should call the match function in the order that your algorithm generates them. Snort will figure it out from...

Snort Subscriber Rules Update 2024-04-18 Research via Snort-sigs (Apr 18)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-executable,
file-office and server-webapp rule sets to provide coverage for
emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Snort Subscriber Rules Update 2024-04-16 Research via Snort-sigs (Apr 16)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos is releasing detection for CVE-2024-3400 PAN-OS Command Injection
Vulnerability in GlobalProtect Gateway.

Talos has added and modified multiple rules in the server-webapp rule
sets to provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:...

Snort Subscriber Rules Update 2024-04-16 Research via Snort-sigs (Apr 16)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the browser-chrome,
file-pdf, malware-other, os-windows and server-webapp rule sets to
provide coverage for emerging threats from these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Multi Pattern Search Engine Plugin Vlad Ulmeanu via Snort-devel (Apr 12)
Hi Russ, thank you very much for the quick answer.

If I didn't overlook anything, I never interact with the null terminator.
This is how I store and access the patterns/text:

```
int add_pattern(const uint8_t* P, unsigned m, const PatternDescriptor& desc, void* user) override {
    patterns.emplace_back(std::vector<uint8_t>(P, P + m), ...);

    ...
}

...

int _search(const uint8_t* T, int n, MpseMatch match, void*...

Re: Multi Pattern Search Engine Plugin Russ Combs (rucombs) via Snort-devel (Apr 11)
Hey Vlad,

Sounds like you are making progress.

lowmem is caseless which helps reduce memory. The exact match is checked during signature evaluation unless the content
is nocase.

ac_bnfa and ac_full are also caseless. The hyperscan MPSE is case sensitive. Your algorithm can be either.

I'm not able to reproduce the match off the end of the buffer. Is it possible that your input includes a null
terminator with a length of 25? If you want...
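
The two-stage design Russ describes (a caseless multi-pattern prefilter, with the exact case re-checked during signature evaluation unless the content is nocase), shown as an added example. This is not code from the thread or from Snort and does not use Snort's MPSE plugin API; it is a stand-alone prefix trie over lowered bytes, in the spirit of lowmem's trie walk, whose scan is bounded strictly by n so that neither a pattern cut off by the buffer end nor a terminator sitting at t[n] can produce a hit. The three-entry dictionary, the nocase flags and the request fragment are constructed for the demo.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// One dictionary entry: the lowered bytes feed the caseless trie, the
// original bytes and the nocase flag drive the exact second-stage check.
struct Pattern {
    std::vector<uint8_t> lowered;
    std::vector<uint8_t> original;
    bool nocase;
};

// A verified hit: dictionary index and the offset one past its last byte.
struct Match {
    size_t pattern;
    size_t end;
};

// What one scan produced: caseless prefilter candidates and the subset
// that survived exact verification.
struct Result {
    size_t candidates;
    std::vector<Match> matches;
};

static uint8_t lower(uint8_t c) { return static_cast<uint8_t>(std::tolower(c)); }

class CaselessTrie {
public:
    CaselessTrie() : nodes_(1) {}  // node 0 is the root

    void add_pattern(const uint8_t* p, unsigned m, bool nocase) {
        Pattern pat;
        pat.original.assign(p, p + m);
        pat.lowered.resize(m);
        for (unsigned i = 0; i < m; ++i) pat.lowered[i] = lower(p[i]);
        pat.nocase = nocase;

        // Extend the trie on the lowered bytes; the terminal node keeps every
        // pattern id that lowers to the same string ("GET" and "get" share it).
        size_t node = 0;
        for (uint8_t c : pat.lowered) {
            if (nodes_[node].child[c] < 0) {
                nodes_[node].child[c] = static_cast<int>(nodes_.size());
                nodes_.emplace_back();
            }
            node = static_cast<size_t>(nodes_[node].child[c]);
        }
        nodes_[node].ids.push_back(static_cast<int>(patterns_.size()));
        patterns_.push_back(std::move(pat));
    }

    // Stage 1: caseless prefix walk from every offset, reading t[0..n) only.
    // Stage 2: byte-exact comparison for patterns that are not nocase.
    Result search(const uint8_t* t, size_t n) const {
        Result r{0, {}};
        for (size_t start = 0; start < n; ++start) {
            size_t node = 0;
            for (size_t i = start; i < n; ++i) {   // never reads t[n]
                int next = nodes_[node].child[lower(t[i])];
                if (next < 0) break;
                node = static_cast<size_t>(next);
                for (int id : nodes_[node].ids) {
                    ++r.candidates;
                    if (verify(patterns_[id], t + start))
                        r.matches.push_back({static_cast<size_t>(id), i + 1});
                }
            }
        }
        return r;
    }

private:
    struct Node {
        int child[256];
        std::vector<int> ids;
        Node() { std::memset(child, -1, sizeof child); }
    };

    // The trie proves only a caseless hit of the pattern's full length; a
    // case-sensitive content must additionally match byte for byte.
    static bool verify(const Pattern& p, const uint8_t* at) {
        return p.nocase || std::memcmp(at, p.original.data(), p.original.size()) == 0;
    }

    std::vector<Node> nodes_;
    std::vector<Pattern> patterns_;
};

// Constructed dictionary (not from the thread): ids 0, 1, 2 in this order.
static CaselessTrie build_demo_dictionary() {
    CaselessTrie trie;
    const char* dict[] = { "GET", "User-Agent:", "/admin" };
    const bool nocase[] = { false, true, false };
    for (int k = 0; k < 3; ++k)
        trie.add_pattern(reinterpret_cast<const uint8_t*>(dict[k]),
                         static_cast<unsigned>(std::strlen(dict[k])), nocase[k]);
    return trie;
}

static Result scan_text(const CaselessTrie& trie, const char* text, size_t n) {
    return trie.search(reinterpret_cast<const uint8_t*>(text), n);
}

int main() {
    CaselessTrie trie = build_demo_dictionary();
    // Constructed request fragment: "get" and "/Admin" are caseless candidates
    // that fail exact verification; only the nocase "User-Agent:" survives.
    const char* req = "get /Admin HTTP/1.1\r\nUser-Agent: x\r\n";
    Result r = scan_text(trie, req, std::strlen(req));
    std::printf("candidates=%zu verified=%zu\n", r.candidates, r.matches.size());
    // Same bytes in memory, shorter n: "/admin" lies past the scan bound.
    Result cut = scan_text(trie, "GET /admin", 9);
    std::printf("n=9: candidates=%zu verified=%zu\n", cut.candidates, cut.matches.size());
    return 0;
}
```

The candidate count is the quantity a caseless prefilter inflates and the verified count is what a rule would actually fire on; running the same buffer with n=9 and n=10 shows that a correctly bounded scan depends only on n, not on whatever byte follows the buffer.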

Snort Subscriber Rules Update 2024-04-11 Research via Snort-sigs (Apr 11)
Talos Snort Subscriber Rules Update

Synopsis:
This release adds and modifies rules in several categories.

Details:
Talos has added and modified multiple rules in the file-pdf and
server-webapp rule sets to provide coverage for emerging threats from
these technologies.

For a complete list of new and modified rules please see:

https://www.snort.org/advisories

Re: Multi Pattern Search Engine Plugin Vlad Ulmeanu via Snort-devel (Apr 11)
Hi, back with some bugs:

* lowmem seems to treat every pattern as if they have `nocase == true`. All
calls to `KTriePrefixMatch` pass `Tnocase` as the useful parameter. Is this
intended?

* For the following text (in `uint8_t` format):

```
(n = 24)
T = 0 0 0 0 243 127 95 75 189 112 255 71 180 46 93 169 167 197 0 248 21 0 0 0
```

Tested against the following dictionary <https://pastebin.com/raET1dJR>
(originally `63` entries, only `50`...

Re: Matching http_cookie content Joel Esler via Snort-sigs (Apr 10)
If you think it’s a false negative/false positive, you can submit a ticket here:

https://talosintelligence.com/reputation_center/ips_ids

More Lists

Dozens of other network security lists are archived at SecLists.Org.