Thursday, April 12, 2018

Snort Subscriber Rule Set Update for 04/12/2018

Just released:
Snort Subscriber Rule Set Update for 04/12/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 33 new rules, of which 5 are Shared Object rules, and made modifications to 1 additional rule, of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Talos has added and modified multiple rules in the file-pdf, malware-backdoor, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the latest emerging threats!

Tuesday, April 10, 2018

Snort Subscriber Rule Set Update for 04/10/2018, MSTuesday

Just released:
Snort Subscriber Rule Set Update for 04/10/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 103 new rules, of which 21 are Shared Object rules, and made modifications to 10 additional rules, of which 4 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:
Talos is aware of vulnerabilities affecting products from Microsoft
Corporation.

Details:
Microsoft Vulnerability CVE-2018-0870:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46243 through 46246.

Microsoft Vulnerability CVE-2018-0920:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46196 through 46197.

Microsoft Vulnerability CVE-2018-0950:
A coding deficiency exists in Microsoft Office that may lead to
information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46266 through 46267.

Microsoft Vulnerability CVE-2018-0980:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0986:
A coding deficiency exists in Microsoft Malware Protection Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 46163 through 46164.

Microsoft Vulnerability CVE-2018-0988:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46198 through 46199.

Microsoft Vulnerability CVE-2018-0990:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46194 through 46195.

Microsoft Vulnerability CVE-2018-0991:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46206 through 46207.

Microsoft Vulnerability CVE-2018-0993:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46212 through 46213.

Microsoft Vulnerability CVE-2018-0994:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46220 through 46221.

Microsoft Vulnerability CVE-2018-0995:
A coding deficiency exists in Microsoft Chakra Scripting Engine that
may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46176 through 46177.

Microsoft Vulnerability CVE-2018-0996:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46218 through 46219.

Microsoft Vulnerability CVE-2018-0997:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46220 through 46221.

Microsoft Vulnerability CVE-2018-0998:
Microsoft Edge suffers from programming errors that may lead to a
security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46226 through 46227.

Microsoft Vulnerability CVE-2018-1001:
A coding deficiency exists in Microsoft Scripting Engine that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46228 through 46229.

Microsoft Vulnerability CVE-2018-1003:
A coding deficiency exists in Microsoft JET Database Engine that may
lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46233 through 46234.

Microsoft Vulnerability CVE-2018-1004:
A coding deficiency exists in Microsoft Windows VBScript Engine that
may lead to remote code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2018-1010:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46200 through 46201.

Microsoft Vulnerability CVE-2018-1011:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46192 through 46193.

Microsoft Vulnerability CVE-2018-1012:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46230 through 46231.

Microsoft Vulnerability CVE-2018-1013:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46188 through 46189.

Microsoft Vulnerability CVE-2018-1015:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46214 through 46215.

Microsoft Vulnerability CVE-2018-1016:
A coding deficiency exists in Microsoft Graphics that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46186 through 46187.

Microsoft Vulnerability CVE-2018-1018:
A coding deficiency exists in Microsoft Internet Explorer that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46204 through 46205.

Microsoft Vulnerability CVE-2018-1023:
A coding deficiency exists in Microsoft Browser that may lead to remote
code execution.

Previously released rules will detect attacks targeting these
vulnerabilities and have been updated with the appropriate reference
information. They are also included in this release and are identified
with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2018-1026:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46184 through 46185.

Microsoft Vulnerability CVE-2018-1027:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46208 through 46209.

Microsoft Vulnerability CVE-2018-1028:
A coding deficiency exists in Microsoft Office Graphics that may lead
to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46182 through 46183.

Microsoft Vulnerability CVE-2018-1029:
A coding deficiency exists in Microsoft Excel that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46180 through 46181.

Microsoft Vulnerability CVE-2018-1030:
A coding deficiency exists in Microsoft Office that may lead to remote
code execution.

Rules to detect attacks targeting these vulnerabilities are included in
this release and are identified with GID 1, SIDs 46178 through 46179.


Talos also has added and modified multiple rules in the browser-ie,
file-flash, file-image, file-office, file-other, file-pdf, malware-cnc,
os-windows, policy-other and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the latest emerging threats!

Friday, April 6, 2018

Requiring at least TLS 1.2 for Snort.org

Later this month (currently planned for around April 25th), we will require everyone who connects to Snort.org, whether via the API (oinkcode) or the website, to negotiate at least TLS version 1.2 (that is, TLS 1.2 or 1.3).

Today we do not enforce this restriction, but as we move more and more things here at Snort / Talos / ClamAV to a more secure environment, we want to make sure everyone connecting is doing so at the best possible encryption level.

We already enforce HTTPS for every connection to any host on the snort.org domain (including blog.snort.org as of this week, in case you hadn't noticed), and all HTTP connections are now redirected to HTTPS. This change hasn't had any negative impact (as far as we can tell), as only 7% of connections to the snort.org domain in the past month were over HTTP.

What we are concerned about are very old Snort installations out there that haven't been updated in some time (we know they exist) and will no longer be able to connect to Snort.org.

We are assuming the majority of these are blocked already, as they are attempting to download version "2.4.4" of the ruleset, for example.

However, in an abundance of caution, and to isolate any issues this change may cause, I figured I'd write this blog post just in case.
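For an administrator who needs to confirm that a rule-fetching host will still be able to reach Snort.org under the new minimum, here is an added example (not Snort or Talos code) that builds a client TLS context restricted to TLS 1.2 and newer, reports what the local OpenSSL build supports, and optionally probes a host to see which protocol version is negotiated. The `meets_policy` helper and the `probe` function are this example's own; the default hostname is the snort.org domain named in the post, and the network probe runs only from the main block.

```python
"""Check that an updater host can meet a TLS 1.2 minimum.

Added example, not Snort/Talos code. It builds the client context a rule
updater should use (TLS 1.2 or newer only), reports what the interpreter's
OpenSSL supports, and can probe a host over the network on request.
"""
import socket
import ssl

# Policy from the blog post: nothing below TLS 1.2 is accepted.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_client_context():
    """Client context that refuses to negotiate below TLS 1.2.

    create_default_context() keeps certificate verification and hostname
    checking on; only the protocol floor is raised here.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_VERSION
    return ctx


def local_tls_support():
    """Report what the interpreter's OpenSSL build can do.

    A box where tls1_2 is False (OpenSSL older than 1.0.1, for instance)
    cannot comply with the new minimum no matter how the client is set up.
    """
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "tls1_2": ssl.HAS_TLSv1_2,
        "tls1_3": ssl.HAS_TLSv1_3,
    }


def meets_policy(protocol_name):
    """Map a negotiated protocol string (as returned by SSLSocket.version(),
    e.g. 'TLSv1.2') to the policy: only TLS 1.2 and 1.3 pass.
    This helper is the example's own, not part of the ssl module."""
    return protocol_name in ("TLSv1.2", "TLSv1.3")


def probe(host="snort.org", port=443, timeout=10):
    """Network check (example's own): handshake with the hardened context
    and return the negotiated protocol name, or None if the handshake
    fails. A None here on an old box means it would also fail to fetch
    rules once the server enforces the minimum."""
    ctx = hardened_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (OSError, ssl.SSLError):
        return None


if __name__ == "__main__":
    print("local support:", local_tls_support())
    print("client minimum:", hardened_client_context().minimum_version)
    negotiated = probe()
    print("negotiated:", negotiated,
          "policy ok:", meets_policy(negotiated) if negotiated else False)
```

Run it on the host that performs rule downloads, not on a workstation: the interesting answer is whether that host's OpenSSL and Python (or whatever the updater links against) can reach TLS 1.2, and a `None` from `probe()` is the failure the post warns about.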

Thursday, April 5, 2018

Snort Subscriber Rule Set Update for 04/05/2018

Just released:
Snort Subscriber Rule Set Update for 04/05/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 9 new rules, of which 0 are Shared Object rules, and made modifications to 1 additional rule, of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.



Talos's rule release:
Microsoft Vulnerability CVE-2018-0986:
A coding deficiency exists in Microsoft Malware Protection Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46163 through 46164.

Talos has also added and modified multiple rules in the file-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the latest emerging threats!
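Release notes like the 04/05/2018 one above, and the longer list in the 04/10/2018 post, identify coverage by GID and a SID range. The following is an added example, not Talos or Snort project code, that checks a local rules file for those SIDs and reports whether each is present, enabled and carries the matching CVE reference. The rule text inside it is a constructed placeholder; only the SID ranges and CVE numbers are taken from the release notes.

```python
"""Verify that the SIDs named in a Talos rule release are present and
enabled in a local Snort rules file.

Added example, not Talos or Snort project code. The rule lines below are
constructed placeholders (their msg text says so); only the SID and CVE
numbers come from the release notes on this page.
"""
import re
from dataclasses import dataclass

# Constructed sample of a rules file: two enabled rules covering
# CVE-2018-0986, one disabled (commented-out) rule, and one enabled rule
# that lacks the expected CVE reference. Not real Talos rule content.
SAMPLE_RULES = """\
# Constructed placeholder rules for this example, not real Talos content
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER rule A"; flow:to_client,established; reference:cve,2018-0986; classtype:attempted-user; sid:46163; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER rule B"; flow:to_client,established; reference:cve,2018-0986; classtype:attempted-user; sid:46164; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER rule C"; reference:cve,2018-0870; classtype:attempted-user; sid:46243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PLACEHOLDER rule D"; classtype:attempted-user; sid:46244; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")
CVE_RE = re.compile(r"reference\s*:\s*cve\s*,\s*([0-9]{4}-[0-9]+)", re.IGNORECASE)


@dataclass
class RuleInfo:
    gid: int
    sid: int
    enabled: bool
    cves: tuple


def parse_rules(text):
    """Return {(gid, sid): RuleInfo} for every rule line in text.

    A rule whose line starts with '#' is treated as present but disabled.
    The GID is assumed to be 1 when the rule has no explicit gid option,
    which matches how the release notes refer to text rules.
    """
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        body = line.lstrip("# ").strip()
        m = SID_RE.search(body)
        if not m:
            continue  # plain comment or non-rule line
        sid = int(m.group(1))
        g = GID_RE.search(body)
        gid = int(g.group(1)) if g else 1
        cves = tuple(c.upper() for c in CVE_RE.findall(body))
        rules[(gid, sid)] = RuleInfo(gid, sid, enabled, cves)
    return rules


def check_release(rules, expectations):
    """expectations: list of (cve, gid, first_sid, last_sid) as printed in a
    release note. Returns (cve, gid, sid, status) tuples where status is
    'enabled', 'disabled', 'no_reference' or 'missing'."""
    report = []
    for cve, gid, first, last in expectations:
        cve_id = cve.upper().replace("CVE-", "", 1)
        for sid in range(first, last + 1):
            info = rules.get((gid, sid))
            if info is None:
                status = "missing"
            elif not info.enabled:
                status = "disabled"
            elif cve_id not in info.cves:
                status = "no_reference"  # loaded, but not tied to this CVE
            else:
                status = "enabled"
            report.append((cve, gid, sid, status))
    return report


# Expectations copied from the release notes on this page.
RELEASE_EXPECTATIONS = [
    ("CVE-2018-0986", 1, 46163, 46164),  # 04/05 and 04/10 releases
    ("CVE-2018-0870", 1, 46243, 46246),  # 04/10 release
]


def summarize(report):
    """Count rules per status so a scheduled job can alert on anything
    other than 'enabled'."""
    counts = {"enabled": 0, "disabled": 0, "no_reference": 0, "missing": 0}
    for _, _, _, status in report:
        counts[status] += 1
    return counts


if __name__ == "__main__":
    rep = check_release(parse_rules(SAMPLE_RULES), RELEASE_EXPECTATIONS)
    for cve, gid, sid, status in rep:
        print(f"{cve} {gid}:{sid} {status}")
    print(summarize(rep))
```

On a real sensor, read the deployed rules files (the ones the running snort.conf actually includes, after any pulledpork-style disabling has been applied) in place of `SAMPLE_RULES`, and treat anything other than `enabled` for a SID the release note promised as a gap in coverage.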

Snort Subscriber Rule Set Update for 04/03/2018

Just released:
Snort Subscriber Rule Set Update for 04/03/2018


We welcome the introduction of the newest rule release from Talos. In this release we introduced 27 new rules, of which 14 are Shared Object rules, and made modifications to 5 additional rules, of which 0 are Shared Object rules.

There were no changes made to the snort.conf in this release.

Talos would like to thank the following individuals for their contributions; their rules are included in the Community Ruleset:

Avery Tarasov: 46129


Talos's rule release:
Talos has added and modified multiple rules in the file-image,
file-java, malware-cnc, os-linux and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


To subscribe now to Talos's newest rule detection functionality, personal users can subscribe for as low as $29 US dollars a year; be sure to see our business pricing as well at https://snort.org/products#rule_subscriptions. Stay up to date to catch the latest emerging threats!

Wednesday, April 4, 2018

2018 Snort Scholarship is now open!

We are currently accepting submissions for our 2018 Snort Scholarship award!

This year we will be awarding $10,000 to two individuals pursuing a higher education degree who meet our eligibility criteria.
To be eligible to submit an Application and participate in the Drawing, you must:
(1) have or be eligible to receive your high school diploma or equivalent in 2018 as of the date Cisco receives your Application, and
(2) provide reasonable evidence to Cisco that you are seeking a degree in computer science, information technology, computer networking, cyber security or a similarly related field of study from a school located in the United States or a United States Territory.
Company Personnel and their immediate family members are ineligible.
The deadline to apply for consideration is May 2, 2018.
For more information about contest rules and eligibility requirements, or to complete a submission form, visit our Snort Scholarship page.
Best of luck!