Tuesday, June 29, 2021

Snort rule update for June 29, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Tuesday's rule update includes new rules to protect against the "Victory" backdoor recently being used by a state-sponsored APT as part of a surveillance operation. There are also new rules associated with the same attack that block an RTF file the attackers use with the RoyalRoad weaponizer.

Talos also released coverage for a recently disclosed vulnerability in Cisco's Adaptive Security Appliance that is being exploited in the wild.

Here's a full breakdown of today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
2371

Thursday, June 24, 2021

Snort rule update for June 24, 2021

Cisco Talos' latest ruleset for SNORTⓇ is out now.

Today's rule update includes new rules to protect against CVE-2021-30657, a vulnerability in macOS Big Sur that could allow an attacker to create a malicious application that bypasses Gatekeeper checks. Apple officially disclosed and patched this vulnerability in May while acknowledging that it may have been exploited in the wild.

Here's a full breakdown of Thursday's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
030

PulledPork 3 — Rule updating for Snort 3

We are incredibly excited to release PulledPork 3 — the next evolution of PulledPork, a companion piece of software for SNORTⓇ that is specifically designed for Snort 3.

PulledPork 3 is built to use the LightSPD package. It allows a single ruleset package to adapt the rules it can run to the version of the engine running on the system and allows users to select a default policy for the ruleset.

Noah Dietrich, an extremely helpful and generous member of our community, re-wrote PulledPork from the ground up in Python (PulledPork for Snort 2.X is written in Perl). Not all PulledPork functionality carries over yet, but the tool is at a point where it's ready for users to start testing it. We consider PulledPork 3 to be in alpha.

Please check out the tool here. As always, we are looking for contributors to the project as well. If you are well-versed in Python, would love to have a hand in documentation, or simply want to help "QA" the tool, all issues and pull requests against the tool are welcome.

We also created a special PulledPork channel on the newly created Snort Discord server, so feel free to contribute there as well!

Tuesday, June 22, 2021

Snort rule update for June 22, 2021

Cisco Talos released the newest rule set for SNORTⓇ this morning.

Tuesday's release includes several new rules relating to a recent wiper malware campaign that disguises itself as ransomware. These rules prevent the trojan used in this campaign from downloading a payload and also detect the open-source ASPXSpy malware that this adversary uses.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
11 0212

Monday, June 21, 2021

New version of Snort 3 out now (3.1.6.0) — Here are all the updates and fixes

The SNORTⓇ team recently released a new version of Snort 3 on Snort.org and the Snort 3 GitHub.

Snort 3.1.6.0 contains several new features and bug fixes. Here's a complete rundown of what's new in this version. Users are encouraged to update as soon as possible and to upgrade to Snort 3 if they have not already done so.

Tuesday, June 15, 2021

Snort 2.9.18.0 released

We released SNORTⓇ version 2.9.18.0 this afternoon.

This version includes several bug fixes and updates to improve your Snort experience. If you haven't already, we also encourage users to upgrade to Snort 3, which includes a new rule parser and rule syntax, support for multiple packet-processing threads, and much more.

Here's a rundown of what's new in 2.9.18.0.

Snort rule update for June 15, 2021

Cisco Talos released the newest rule set for SNORTⓇ this morning.

Tuesday's rule release provides new protections against the IPsec Helper backdoor. The group behind the backdoor, known as Agrius, recently deployed a similar backdoor as part of a wiper malware campaign.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14 01111

Thursday, June 10, 2021

Snort rule update for June 10, 2021

SNORTⓇ's latest rule release is here, courtesy of Cisco Talos.

Thursday's rule release includes several new rules to defend against the DarkSide ransomware. These rules specifically detect any usage of a custom command and control framework the ransomware is known to use.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
14 080

Tuesday, June 8, 2021

Snort rule update for June 8, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules | Modified shared object rules | New rules | Modified rules
22152

Monday, June 7, 2021

Rule released to protect against severe VMware vulnerability that attackers are exploiting in the wild

Cisco Talos released a SNORTⓇ rule over the weekend to protect against exploitation of a severe vulnerability in VMware's vSphere Client’s Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server.

An attacker with network access to this service can exploit this vulnerability to gain remote code execution on the affected vCenter Server.

Thursday, June 3, 2021

Snort rule update for June 3, 2021

SNORTⓇ's latest rule release is here, courtesy of Cisco Talos.

Thursday's rule release includes new coverage for the Necro Python bot. Talos researchers recently discovered this bot adding new functionality to target several well-known vulnerabilities. It also added a cryptocurrency miner. Read more over on the Talos blog.

Here's a full breakdown of this release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0  0341

Tuesday, June 1, 2021

Snort rule update for June 1, 2021

Cisco Talos released the newest SNORTⓇ rule update Tuesday afternoon.

This release includes several new rules to protect against attacks from Russian Foreign Intelligence Service (SVR) cyber actors (aka APT29 and CozyBear). A joint release from U.S. intelligence organizations outlined the vulnerabilities this group uses to target many of its victims.

Here's a breakdown of everything in today's release:

Shared object rules | Modified shared object rules | New rules | Modified rules
0  0154