Tuesday, July 27, 2021

Snort rule update for July 27, 2021

Cisco Talos released the newest SNORTⓇ ruleset this morning.

We released the rule update overnight, featuring new protections against several malware families. Among the coverage are a few rules to detect a new Trickbot module that spies on users by creating an attacker-controlled virtual machine.

There are also new protections against the SeriousSAM vulnerability recently discovered in Windows 10 and 11. The vulnerability could allow an attacker to install programs, edit data or create new accounts with full user rights.

Here's a full breakdown of Monday night's release:

Shared object rules: 0
Modified shared object rules: 2
New rules: 4
Modified rules: 2

There were no changes made to the snort.conf in this release.

Talos' rule release:

Today Talos is releasing coverage to detect exploitation attempts of NTLM Relay Attacks on Active Directory Certificate Services AKA SeriousSAM. Coverage is being released as SIDs 57965-57966.

Talos has added and modified multiple rules in the exploit-kit, malware-cnc, os-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well here. The Snort 3 release is also here after years of development and improvements. Upgrade here.