Tuesday, July 30, 2019

Snort rule update for July 30, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

This release contains 21 new rules, nine new shared object rules, 138 modified rules and five modified shared object rules.

Thursday's release includes coverage for several different malware families recently used in the wild, including Godlua, Ratsnif and SoftCell.
Talos added and modified multiple rules in the browser-ie, browser-plugins, file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, os-other, os-windows, policy-other, protocol-dns, protocol-ftp, protocol-imap, protocol-nntp, protocol-rpc, protocol-scada, protocol-services, protocol-snmp, protocol-telnet, server-iis, server-mail, server-mssql, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

Here are several important rules we would like to highlight:
  • 50808 - 50811: These rules provide protection against the Godlua malware, which attackers recently deployed on Linux and Windows machines. The backdoor secures its command and control (C2) communication via DNS over HTTPS. The attackers primarily use Godlua as a distributed denial-of-service bot, and have already launched an HTTP flood attack against one domain. Written by Kristen Houser.
  • 50800 - 50802: The OceanLotus APT recently launched a new malware known as "Ratsnif," which comes in four different variants. These rules fire when Ratsnif attempts to make an outbound connection to a command and control (C2) server, or when a user attempts to download the malware. Written by Kristen Houser.
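Because Godlua carries its C2 traffic inside DNS over HTTPS, a passive resolver log never sees its queries; the names only become visible where TLS is terminated (a forward proxy or TLS-inspecting sensor) and the HTTP request can be inspected. The decoder below, an added example that is not from Talos or the Snort rule set, shows what such inspection has to do: recognise both RFC 8484 request forms (GET with a base64url `dns=` parameter, and POST with `Content-Type: application/dns-message`), decode the DNS wire-format message, and return the queried names so they can be matched against whatever allow or block list the defender maintains. The sample HTTP requests and the domain names in them are constructed for this example and are not Godlua indicators.

```python
import base64
import struct
from urllib.parse import parse_qs, urlsplit


def decode_dns_param(value: str) -> bytes:
    """RFC 8484 encodes the 'dns' query parameter as base64url with padding stripped."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def parse_dns_name(msg: bytes, offset: int):
    """Read a DNS name (length-prefixed labels) starting at offset; returns (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:                      # root label terminates the name
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = parse_dns_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_questions(msg: bytes):
    """Return [(qname, qtype), ...] from the question section of a DNS message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    _txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = parse_dns_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return questions


def doh_queries_from_http(request: bytes):
    """Extract DNS questions from one plaintext HTTP request (post-TLS-termination).

    Handles the two DoH request forms of RFC 8484; anything else yields [].
    """
    head, _, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, val = line.decode("ascii").partition(":")
        headers[key.strip().lower()] = val.strip()
    if method == "GET":
        params = parse_qs(urlsplit(target).query)
        if "dns" not in params:
            return []
        msg = decode_dns_param(params["dns"][0])
    elif method == "POST" and headers.get("content-type") == "application/dns-message":
        msg = body
    else:
        return []
    return parse_questions(msg)


# --- constructed sample traffic (not real indicators) -----------------------

def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query in wire format; used here only to make sample requests."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


SAMPLE_GET = (
    b"GET /dns-query?dns="
    + base64.urlsafe_b64encode(build_query("example.test")).rstrip(b"=")
    + b" HTTP/1.1\r\nHost: doh.resolver.test\r\nAccept: application/dns-message\r\n\r\n"
)
SAMPLE_POST = (
    b"POST /dns-query HTTP/1.1\r\nHost: doh.resolver.test\r\n"
    b"Content-Type: application/dns-message\r\n\r\n"
    + build_query("c2.example.test", qtype=16)          # TXT lookup, a common C2 channel shape
)

if __name__ == "__main__":
    for req in (SAMPLE_GET, SAMPLE_POST):
        print(doh_queries_from_http(req))
```

Running the block prints `[('example.test', 1)]` for the GET form and `[('c2.example.test', 16)]` for the POST form. In a deployment the returned names would be fed to the same reputation or allow-list logic the organisation already applies to plain DNS; the point of the example is that DoH detection is an HTTP-content problem, not a port 53 problem, which is why coverage for DoH-using backdoors lives in rules that inspect decrypted HTTP rather than in DNS-only signatures.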
You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well here. Make sure to stay up to date to catch the most emerging threats.