The newest SNORTⓇ rule release arrived overnight, courtesy of Cisco Talos.
Tuesday's release is primarily focused on the recent vulnerabilities Microsoft disclosed in Exchange Server. The company released a statement yesterday warning that a state-sponsored actor was exploiting these zero-day vulnerabilities to steal sensitive information from U.S.-based infectious disease researchers, law firms, colleges, defense contractors, think tanks and non-governmental organizations.
These vulnerabilities are considered very serious and all users should update their affected products as soon as possible. Additionally, this rule release provides rules 57233, 57234 and 57241 through 57246 (GID 1) to detect attempts to exploit these vulnerabilities; deploy them alongside the Microsoft patches, not as a substitute for them.
Here's a breakdown of the rule release:
Shared object rules | Modified shared object rules | New rules | Modified rules |
---|---|---|---|
1 | 0 | 14 | 0 |
There were no changes made to the snort.conf in this release.

Talos' rule release:

- Microsoft Vulnerability CVE-2021-26855: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57241 through 57244.
- Microsoft Vulnerability CVE-2021-26857: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57233 through 57234.
- Microsoft Vulnerability CVE-2021-26858: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57245 through 57246.
- Microsoft Vulnerability CVE-2021-27065: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution. Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57245 through 57246 (the same two rules cover CVE-2021-26858).

Talos also has added and modified multiple rules in the malware-cnc, netbios and server-webapp rule sets to provide coverage for emerging threats from these technologies.
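A post-update check, added here as an example and not part of Talos' release or of the Snort project: after pulling the new ruleset, confirm that every SID the announcement lists (GID 1: 57233, 57234, 57241 through 57246) is actually present in your rules files and not commented out. The script below parses rule lines, records gid/sid/rev and whether the rule is disabled, and reports the SIDs that are missing or disabled. The `SAMPLE_RULES` text is constructed for this example; its headers and options are placeholders and are not the content of Talos' actual signatures.

```python
import re

# SIDs the release announcement lists for the Exchange coverage (all GID 1).
EXCHANGE_SIDS = frozenset({57233, 57234, *range(57241, 57247)})

# A rule line: optional leading '#' (a disabled rule), an action keyword, the
# header, then the option list in parentheses.  Non-greedy up to the first '('
# so a '(' inside msg text is not mistaken for the start of the options.
_RULE_RE = re.compile(
    r"^\s*(?P<disabled>#\s*)?(?P<action>alert|drop|reject|pass|log)\s+.*?\((?P<opts>.*)\)\s*$"
)
_OPT_RE = {
    "sid": re.compile(r"\bsid\s*:\s*(\d+)\s*;"),
    "gid": re.compile(r"\bgid\s*:\s*(\d+)\s*;"),
    "rev": re.compile(r"\brev\s*:\s*(\d+)\s*;"),
}


def parse_rules(lines):
    """Map (gid, sid) -> {"enabled": bool, "rev": int} for every rule line."""
    rules = {}
    for line in lines:
        m = _RULE_RE.match(line)
        if not m:
            continue
        opts = m.group("opts")
        sid = _OPT_RE["sid"].search(opts)
        if not sid:
            continue  # a rule without a sid is malformed; Snort would reject it
        gid = _OPT_RE["gid"].search(opts)
        rev = _OPT_RE["rev"].search(opts)
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))  # gid defaults to 1
        rules[key] = {
            "enabled": m.group("disabled") is None,
            "rev": int(rev.group(1)) if rev else 0,
        }
    return rules


def check_coverage(lines, expected=EXCHANGE_SIDS, gid=1):
    """Return (missing, disabled): expected SIDs absent from the file, and
    expected SIDs that are present but commented out."""
    rules = parse_rules(lines)
    missing = sorted(s for s in expected if (gid, s) not in rules)
    disabled = sorted(
        s for s in expected if (gid, s) in rules and not rules[(gid, s)]["enabled"]
    )
    return missing, disabled


# Constructed sample rules file.  Headers and options are placeholders written
# for this example; they are NOT the content of Talos' rules 57233-57246.
# 57242 is deliberately commented out and 57246 is deliberately absent.
SAMPLE_RULES = """\
# server-webapp.rules (constructed sample)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder"; flow:to_server,established; sid:57233; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder"; flow:to_server,established; sid:57234; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder"; flow:to_server,established; sid:57241; gid:1; rev:1;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder"; flow:to_server,established; sid:57242; gid:1; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder (v2)"; flow:to_server,established; sid:57243; gid:1; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder"; flow:to_server,established; sid:57244; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP placeholder"; flow:to_server,established; sid:57245; gid:1; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL unrelated rule"; sid:1000001; rev:1;)
"""


if __name__ == "__main__":
    missing, disabled = check_coverage(SAMPLE_RULES.splitlines())
    print("missing SIDs:", missing)    # [57246]
    print("disabled SIDs:", disabled)  # [57242]
```

Run it over the `.rules` files that your snort.conf actually includes, not just the downloaded archive: a SID that is present in a file Snort never loads, or that was added without a reload, gives no coverage. The `rev` field is recorded so you can also spot a stale copy of a rule if Talos later revises it.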