Wednesday, March 3, 2021

Snort rule update for March 3, 2021

The newest SNORTⓇ rule release arrived overnight, courtesy of Cisco Talos. 

Tuesday's release is primarily focused on the recent vulnerabilities Microsoft disclosed in Exchange Server. The company released a statement yesterday warning that a state-sponsored actor was exploiting these zero-day vulnerabilities to steal sensitive information from U.S.-based infectious disease researchers, law firms, colleges, defense contractors, think tanks and non-governmental organizations.

These vulnerabilities are considered to be very serious and all users should update their affected products as soon as possible. Additionally, this rule release provides rules 57233, 57234 and 57241-57246 to protect users against the exploitation of these vulnerabilities.

Here's a breakdown of the rule release:

Shared object rules / Modified shared object rules / New rules / Modified rules
10140

There were no changes made to the snort.conf in this release.

Talos' rule release:
Microsoft Vulnerability CVE-2021-26855: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57241 through 57244.

Microsoft Vulnerability CVE-2021-26857: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57233 through 57234.

Microsoft Vulnerability CVE-2021-26858: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57245 through 57246.

Microsoft Vulnerability CVE-2021-27065: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 57245 through 57246.
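The four CVE entries above each map to a GID 1 SID range, and the practical question for a defender is whether those SIDs are actually present and enabled in the local ruleset, and which CVE a given alert corresponds to. The following script is an added example, not part of the original post or of the Talos rules: it parses a rules file for gid/sid pairs, reports SIDs from the release that are missing or commented out, and tags Snort "fast" alert lines with the CVE their SID covers. The rules file and alert lines are constructed samples with placeholder rule bodies (the real rule options are not reproduced here); a shared-object rule under GID 3 is included to show that it must not be counted as GID 1 coverage.

```python
"""Coverage check and alert tagging for the SID ranges listed in this release."""
import re

# SID ranges for GID 1 exactly as listed in the release notes above.
RELEASE_COVERAGE = {
    "CVE-2021-26855": (57241, 57244),
    "CVE-2021-26857": (57233, 57234),
    "CVE-2021-26858": (57245, 57246),
    "CVE-2021-27065": (57245, 57246),
}

# Constructed sample rules file: placeholder options only, not the real Talos
# rule bodies. 57245 is commented out, 57233 exists only under GID 3, and
# everything else in the release ranges is present and enabled.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57241"; flow:to_server,established; sid:57241; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57242"; sid:57242; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57243"; sid:57243; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57244"; sid:57244; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57245"; sid:57245; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57246"; sid:57246; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER 57234"; sid:57234; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"PLACEHOLDER SO"; gid:3; sid:57233; rev:1;)
"""

# Constructed sample lines in Snort's "fast" alert format; the [gid:sid:rev]
# triple is what we key on. Addresses are documentation ranges.
SAMPLE_ALERTS = """\
03/03-09:14:22.101010  [**] [1:57241:1] PLACEHOLDER 57241 [**] [Priority: 1] {TCP} 198.51.100.7:51234 -> 10.0.0.5:443
03/03-09:14:25.202020  [**] [1:57246:1] PLACEHOLDER 57246 [**] [Priority: 1] {TCP} 198.51.100.7:51240 -> 10.0.0.5:443
03/03-09:15:01.303030  [**] [1:1000001:3] LOCAL PLACEHOLDER [**] [Priority: 2] {TCP} 192.0.2.9:4444 -> 10.0.0.5:80
"""

# A rule line, optionally commented out, with its option block captured.
RULE_RE = re.compile(r"^(?P<off>#\s*)?(?:alert|drop|log|pass|reject|sdrop)\s+.*\(\s*(?P<opts>.*)\)\s*$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")


def parse_rules(text):
    """Return {(gid, sid): enabled} for every rule line; gid defaults to 1."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        sid = SID_RE.search(m.group("opts"))
        if not sid:
            continue
        gid = GID_RE.search(m.group("opts"))
        key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
        rules[key] = m.group("off") is None  # commented-out rule -> disabled
    return rules


def coverage_gaps(rules):
    """For each CVE, list GID 1 SIDs from the release that are missing or disabled."""
    gaps = {}
    for cve, (lo, hi) in RELEASE_COVERAGE.items():
        for sid in range(lo, hi + 1):
            state = rules.get((1, sid))
            if state is None:
                gaps.setdefault(cve, []).append(f"{sid} missing")
            elif not state:
                gaps.setdefault(cve, []).append(f"{sid} disabled")
    return gaps


def cves_for(gid, sid):
    """CVEs whose release SID range contains this gid:sid (GID 1 only)."""
    if gid != 1:
        return []
    return sorted(cve for cve, (lo, hi) in RELEASE_COVERAGE.items() if lo <= sid <= hi)


def tag_alerts(text):
    """Return [(gid, sid, [cves])] for each fast-format alert line."""
    tagged = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            gid, sid = int(m.group(1)), int(m.group(2))
            tagged.append((gid, sid, cves_for(gid, sid)))
    return tagged


if __name__ == "__main__":
    for cve, problems in coverage_gaps(parse_rules(SAMPLE_RULES)).items():
        print(f"{cve}: {', '.join(problems)}")
    for gid, sid, cves in tag_alerts(SAMPLE_ALERTS):
        print(f"[{gid}:{sid}] -> {cves or 'not in this release'}")
```

Run against a real deployment, `SAMPLE_RULES` would be replaced by the contents of the local rules files and `SAMPLE_ALERTS` by the fast-format alert log; the GID 3 case matters because shared-object rules reuse SID numbers and a naive SID-only check would report coverage that is not there.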

Talos has also added and modified multiple rules in the malware-cnc, netbios and server-webapp rule sets to provide coverage for emerging threats from these technologies.
You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing here as well. The Snort 3 release is also here after years of development and improvements. Upgrade here.