Thursday, October 24, 2019

Snort rule update for Oct. 24, 2019

Cisco Talos just released the latest SNORT® rule update for all users. Talos urges all users to implement these rules as soon as possible to keep their networks and machines protected.

Today's release contains 42 new rules, 13 new shared object rules and five modified rules.

Thursday's release provides updated protections against the Emotet botnet. While Emotet has been around for years, the attackers behind it are still updating it and releasing new variants on victims. There is also coverage for new malware variants used by the OceanLotus APT.
Talos has added and modified multiple rules in the browser-webkit, file-identify, file-image, file-other, malware-cnc, malware-tools, policy-other, server-mail and server-webapp rule sets to provide coverage for emerging threats from these technologies.

There is one group of rules we wish to highlight:
  • 51967 - 51971: These rules provide protection against the latest wave of Emotet infections. The infamous botnet, after going quiet for several months, is back with a new set of tactics to infect users. It has even gone after several city governments this year. Rule 51971 prevents Emotet from making an outbound connection to its command and control (C2) server, while the others fire when Emotet attempts to download its final payload. Alex Chui wrote these rules.
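Since the post urges users to deploy these rules as soon as possible, the practical follow-up is to confirm that the update actually landed and that none of the highlighted SIDs are sitting commented out in the local ruleset. The script below is an added example, not Talos code and not the real rule bodies: it assumes rules live in a single plain-text .rules file and that each rule carries a `sid:N;` option as Snort rules do. The sample file it writes is constructed for the demonstration (placeholder rules carrying the SIDs from the post, with 51970 deliberately absent and 51971 deliberately disabled), and the function names `write_sample_rules`, `sid_states` and `check_sid_range` are this example's own.

```shell
#!/bin/sh
# Added example (not Talos code): after pulling a Snort rule update, confirm
# that a highlighted SID range is present in the local ruleset and that none
# of those rules are disabled (commented out with a leading '#').
# Assumptions: rules are in one plain-text .rules file, one rule per line,
# and each rule carries a "sid:N;" option as Snort rules do.

# Write a CONSTRUCTED sample rules file to $1. These are placeholders that
# reuse the SIDs from the post; they are NOT the real Talos rule bodies.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample, not the Talos rules
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"placeholder 51967"; flow:to_server,established; sid:51967; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"placeholder 51968"; flow:to_server,established; sid:51968; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"placeholder 51969"; flow:to_server,established; sid:51969; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"placeholder 51971"; flow:to_server,established; sid:51971; rev:1;)
EOF
}

# Print "SID state" for every rule line in file $1: "enabled" for a live
# rule, "disabled" for one that has been commented out with '#'.
sid_states() {
    awk '
        match($0, /sid:[0-9]+;/) {
            sid = substr($0, RSTART + 4, RLENGTH - 5)   # strip "sid:" and ";"
            state = ($0 ~ /^[ \t]*#/) ? "disabled" : "enabled"
            print sid, state
        }' "$1"
}

# Return 0 only if every SID from $2 through $3 is present and enabled in
# file $1; otherwise print one line per problem and return 1.
check_sid_range() {
    file=$1; lo=$2; hi=$3; rc=0; i=$lo
    states=$(sid_states "$file")
    while [ "$i" -le "$hi" ]; do
        state=$(printf '%s\n' "$states" | awk -v s="$i" '$1 == s { print $2; exit }')
        case "$state" in
            enabled)  ;;
            disabled) echo "sid $i present but disabled"; rc=1 ;;
            *)        echo "sid $i missing"; rc=1 ;;
        esac
        i=$((i + 1))
    done
    return "$rc"
}

# Demonstration on the constructed sample: 51970 is missing and 51971 is
# disabled, so the check reports both and fails.
demo_file=$(mktemp)
write_sample_rules "$demo_file"
if check_sid_range "$demo_file" 51967 51971; then
    echo "all highlighted rules present and enabled"
else
    echo "rule update incomplete; see messages above"
fi
rm -f "$demo_file"
```

To use it against a real deployment, point `check_sid_range` at the rules file your sensor actually loads (for example the file PulledPork or the Snort package writes out) rather than the constructed sample; a SID reported as "present but disabled" means the update arrived but a local policy or tuning step left the rule commented out.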
You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well. Make sure to stay up to date to catch the most emerging threats.