Snort Subscriber Rule Set Update for 03/14/2017
We welcome the introduction of the newest rule release from Talos. In this release we introduced 77 new rules and made modifications to 62 additional rules.
There were no changes made to the
snort.conf
in this release.Talos's rule release:
Synopsis:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.
Details:
Microsoft Security Bulletin MS17-006:
Microsoft Internet Explorer suffers from programming errors that may
lead to remote code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41575 through 41576, 41585 through 41590, and 41625
through 41626.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41954
through 41957.
Microsoft Security Bulletin MS17-007:
Microsoft Edge suffers from programming errors that may lead to remote
code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41553 through 41554, 41557 through 41562, 41573
through 41574, 41583 through 41584, 41593 through 41594, 41605 through
41606, and 41625 through 41626.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41936
through 41939, 41942 through 41945, 41948 through 41953, 41958 through
41959, 41968 through 41969, and 41987 through 41988.
Microsoft Security Bulletin MS17-009:
A coding deficiency exists in Microsoft Windows PDF Library that may
lead to remote code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41601 through 41602.
Microsoft Security Bulletin MS17-010:
A coding deficiency exists in Microsoft Windows SMB Server that may
lead to remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 41978 and 41983
through 41984.
Microsoft Security Bulletin MS17-011:
A coding deficiency exists in Microsoft Uniscribe that may lead to
remote code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41597 through 41598.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41934
through 41935, 41940 through 41941, 41960 through 41961, 41966 through
41967, 41972 through 41975, 41985 through 41986, and 41991 through
41992.
Microsoft Security Bulletin MS17-012:
A coding deficiency exists in Microsoft Windows that may lead to remote
code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41563 through 41564 and 41567 through 41572.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41989
through 41990.
Microsoft Security Bulletin MS17-013:
A coding deficiency exists in Microsoft Graphics Component that may
lead to remote code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41591 through 41592.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41932
through 41933, 41946 through 41947, 41970 through 41971, and 41993
through 41994.
Microsoft Security Bulletin MS17-014:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41565 through 41566, 41577 through 41578, 41581
through 41582, 41597 through 41598, and 41797 through 41798.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41962
through 41965, 41976 through 41977, and 41979 through 41982.
Microsoft Security Bulletin MS17-017:
A coding deficiency exists in Microsoft Windows Kernel that may lead to
an escalation of privilege.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40394 through 40395 and 41607 through 41610.
Microsoft Security Bulletin MS17-018:
A coding deficiency exists in Microsoft Windows Kernel-Mode Drivers
that may lead to an escalation of privilege.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41579 through 41580.
New rules to detect attacks targeting these vulnerabilities are also
included in this release and are identified with GID 1, SIDs 41926
through 41931 and 41995 through 41998.
Microsoft Security Bulletin MS17-021:
A coding deficiency exists in Microsoft DirectShow that may lead to
information disclosure.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 41633 through 41634.
Microsoft Security Bulletin MS17-022:
A coding deficiency exists in Microsoft XML Core Services that may lead
to information disclosure.
Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 40364 through 40365.
Talos also has added and modified multiple rules in the browser-ie,
file-executable, file-flash, file-image, file-office, file-other,
file-pdf, os-other, os-windows and server-samba rule sets to provide
coverage for emerging threats from these technologies.
In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://snort.org/products#rule_subscriptions. Make sure and stay up to date to catch the most emerging threats!