Wednesday, January 12, 2022

Snort rule update for Jan. 11, 2022 — Microsoft Patch Tuesday

Cisco Talos released a new SNORT® ruleset Tuesday evening, providing coverage for many of the vulnerabilities covered in Microsoft Patch Tuesday.

For more details on the vulnerabilities Microsoft disclosed this month, view all of them on Microsoft's security update page. You can also read our breakdown of the most notable vulnerabilities on the Talos blog.

Here's a breakdown of Tuesday's rule release:

Shared object rules: 0
Modified shared object rules: 0
New rules: 22
Modified rules: 9

There were no changes made to the snort.conf in this release.

Microsoft Vulnerability CVE-2022-21881: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58866 through 58867.

Microsoft Vulnerability CVE-2022-21882: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58859 through 58860.

Microsoft Vulnerability CVE-2022-21887: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58874 through 58875.

Microsoft Vulnerability CVE-2022-21897: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40689 through 40690.

Microsoft Vulnerability CVE-2022-21907: A coding deficiency exists in HTTP Stack that may lead to remote code execution.

Preprocessors to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 119, SIDs 19 and 31.

Microsoft Vulnerability CVE-2022-21908: A coding deficiency exists in Microsoft Windows Installer that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58870 through 58871.

Microsoft Vulnerability CVE-2022-21916: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58872 through 58873.

Microsoft Vulnerability CVE-2022-21919: A coding deficiency exists in Microsoft Windows User Profile Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 58868 through 58869.
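As an added example (not Talos' code), the check a sensor owner would run after pulling this release: parse the deployed Snort 2 rule files and report, per CVE above, whether the listed GID/SID pairs are present and active. It assumes the standard text rule format, with `#` marking a disabled rule and GID 119 alerts living in preprocessor.rules; the sample rule lines are constructed placeholders, not Talos' real rule content.

```python
import re

# (GID, SIDs) the Jan. 11, 2022 release lists for each CVE, taken from the page above.
# CVE-2022-21907 is covered by http_inspect preprocessor alerts (GID 119), not text rules.
RELEASE_COVERAGE = {
    "CVE-2022-21881": (1, {58866, 58867}), "CVE-2022-21882": (1, {58859, 58860}),
    "CVE-2022-21887": (1, {58874, 58875}), "CVE-2022-21897": (1, {40689, 40690}),
    "CVE-2022-21907": (119, {19, 31}),     "CVE-2022-21908": (1, {58870, 58871}),
    "CVE-2022-21916": (1, {58872, 58873}), "CVE-2022-21919": (1, {58868, 58869}),
}
ACTIONS = ("alert", "drop", "sdrop", "reject", "pass", "log")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

def parse_rules(text):
    """Map (gid, sid) -> True for an active rule, False for one commented out with '#'."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        enabled = not line.startswith("#")
        body = line.lstrip("# ")
        if not body.startswith(ACTIONS):
            continue  # blank line or a plain comment, not a disabled rule
        sid = SID_RE.search(body)
        if sid is None:
            continue
        gid = GID_RE.search(body)  # Snort defaults to GID 1 when no gid option is given
        rules[(int(gid.group(1)) if gid else 1, int(sid.group(1)))] = enabled
    return rules

def coverage_report(rules):
    """Per CVE: 'active', 'disabled' (present but some SID commented out) or 'missing'."""
    report = {}
    for cve, (gid, sids) in RELEASE_COVERAGE.items():
        states = [rules.get((gid, s)) for s in sids]
        if None in states:
            report[cve] = "missing"  # release not pulled in, or SID dropped by tuning
        else:
            report[cve] = "active" if all(states) else "disabled"
    return report

# Constructed sample ruleset; msg text is a placeholder, not the real Talos rule content.
SAMPLE_RULES = """\
# alert tcp any any -> any any (msg:"PLACEHOLDER 58866"; sid:58866; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 58867"; sid:58867; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 58859"; sid:58859; rev:1;)
alert tcp any any -> any any (msg:"PLACEHOLDER 58860"; sid:58860; rev:1;)
alert ( msg:"PLACEHOLDER http_inspect"; gid:119; sid:19; rev:1; )
alert ( msg:"PLACEHOLDER http_inspect"; gid:119; sid:31; rev:1; )
"""
```

Run `coverage_report(parse_rules(open("/path/to/snort.rules").read()))` over the concatenated rule files of a sensor; a "missing" or "disabled" entry means that CVE has no detection on that sensor regardless of what the release notes say.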

Talos also has added and modified multiple rules in the file-other, indicator-obfuscation, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

You can subscribe to Talos' newest rule detection functionality for as low as $29 a year with a personal account. Be sure to see our business pricing as well. Make sure to stay up to date to catch the most emerging threats.