Snort rule update for July 27, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

We released the rule update overnight, featuring new protections against several malware families. Among the coverage are a few rules to detect a new Trickbot module that spies on users by creating an attacker-controlled virtual machine.

There are also new protections against the SeriousSAM vulnerability recently discovered in Windows 10 and 11. The vulnerability could allow an attacker to install programs, edit data or create new accounts with full user rights.

Here's a full breakdown of Monday night's release:

Shared object rules	Modified shared object rules	New rules	Modified rules
3	0	24	2

Join Snort on Discord

We are excited to have SNORT® on Discord now! 

Our Discord channel is the perfect place to ask questions to the community, check out new rule releases and just hang out with other members of the community.

All you have to do is click on this link and you'll be added to the community (if you've downloaded Discord).

Snort 2.9.8.3 end-of-life for shared object rules

Attention SNORTⓇ users and integrators:

This blog post serves as the official announcement that the shared object rules for Snort version 2.9.8.3 have now reached their end of life. This version will no longer be included in our shared object rule releases from now on. For an indeterminate amount of time, we'll still be supporting plain text rules for 2.9.8.3.

As we release new versions of Snort, occasionally we have to decommission older versions, lowering our amount of maintenance to building the ruleset for these different versions. We continually review the usage of versions and try to strive to only keep the most actively used versions around. There are several older Snort rule integrators that are using very old versions, which is the reason those versions are still around. However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to please start your upgrades to a more recent version of Snort 2.9 or Snort 3.

Snort rule update for July 20, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Tuesday's rule update provides multiple forms of protection against the exploitation of high-severity vulnerabilities in Cisco's Business Process Automation (BPA) application and Web Security Appliance (WSA). An adversary could take advantage of these issues to access sensitive data or take over a targeted system.

Here's a full breakdown of today's release:

Shared object rules	Modified shared object rules	New rules	Modified rules
0	2	1	72

Snort rule update for July 15, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

Thursday's rule update includes multiple protections against the exploitation of a critical, pre-authentication remote code execution vulnerability in ForgeRock’s Access Management. The vulnerability is patched, but attackers are still targeting vulnerable devices.

Here's a full breakdown of today's release:

Shared object rules	Modified shared object rules	New rules	Modified rules
0	0	7	2

Snort rule update for July 13, 2021 — Microsoft Patch Tuesday

The latest SNORT® rule release from Cisco Talos has arrived. This new round of rules provides coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, head to the Talos blog.

Here's a breakdown of this afternoon's rule release:

Shared object rules	Modified shared object rules	New rules	Modified rules
2	0	19	5

Snort rule update for July 8, 2021

The newest Cisco Talos rule release for SNORTⓇ is here.

Thursday's ruleset includes new protections against two recently disclosed vulnerabilities in Cisco Business Process Automation. An attacker could exploit these vulnerabilities to elevate their privileges to the level of Administrator on the targeted machine.

We also want to remind everyone that Snort version 2.9.15.0 has officially reached its end of life. Any users on that version need to update as soon as possible.

Here's a full breakdown of today's release:

Shared object rules	Modified shared object rules	New rules	Modified rules
8	0	0	2

Snort rule update for July 6, 2021 — Coverage for Kaseya supply chain attack

Cisco Talos released a new SNORTⓇ ruleset today, including a rule to protect against exploitation of the widespread Kaseya vulnerability. For more on this attack, head to the Talos blog.

Here's a full breakdown of Tuesday's release:

Shared object rules	Modified shared object rules	New rules	Modified rules
0	0	2	5

2.9.15.0 has reached its end of life

Attention SNORTⓇ users and integrators:

This blog post serves as the official announcement that Snort version 2.9.15.0 has officially reached its end of life. We first announced this EOL period in March. Users are encouraged to update to a more recent version of Snort as soon as possible if they are still using 2.9.15.0.

However, version 2.9.16.0 remains active, as there are still external commitments. Though users should still upgrade from that version as soon as they are able to.

As we release new versions of Snort, occasionally we have to decommission older versions, lowering our amount of maintenance to building the ruleset for these different versions.  We continually review the usage of versions and try to strive to only keep the most actively used versions around.  There are several older Snort rule integrators that are using very old versions (2.9.8.3 for example), which is the reason those versions are still around.  However, we are actively working with these partners to move them to more current versions of Snort.

If you are using an older version of Snort, we encourage you to please start your upgrades to 2.9.17.1 or Snort 3.

Snort rule update for July 1, 2021

Cisco Talos released the newest SNORTⓇ ruleset overnight.

Thursday's rule update was released earlier than usual to provide immediate protection against the PrintNightmare vulnerability in Microsoft's print spooler function. Microsoft patched the vulnerability as part of June's Patch Tuesday, but PoC code appeared on GitHub this week that indicates it is more serious than initially suspected and could be used for remote code execution. 

Rules 57876 and 57877 will protect against this vulnerability.

Here's a full breakdown of today's release:

Shared object rules	Modified shared object rules	New rules	Modified rules
0	0	6	1