This release adds and modifies rules in several categories.
Talos has added and modified multiple rules in the app-detect, browser-firefox, browser-ie, browser-plugins, browser-webkit, exploit-kit, file-executable, file-flash, file-identify, file-image, file-java, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, indicator-obfuscation, indicator-scan, indicator-shellcode, malware-backdoor, malware-cnc, malware-other, netbios, os-mobile, os-other, os-solaris, os-windows, policy-other, policy-social, policy-spam, protocol-ftp, protocol-imap, protocol-other, protocol-pop, protocol-rpc, protocol-scada, protocol-snmp, protocol-telnet, protocol-voip, pua-adware, server-apache, server-iis, server-mail, server-mysql, server-oracle, server-other and sql rule sets to provide coverage for emerging threats from these technologies.
SRU-03-27-001 includes over 1300 updated rules. The bulk of these updates simply add references for the MITRE ATT&CK framework. The MITRE ATT&CK framework is documented at https://attack.mitre.org, which provides a thorough overview of all known attack techniques that are currently, or have previously been, employed by adversaries in the wild. Each documented technique is accompanied by explanations, examples, detection recommendations, and the related actor(s) that have employed the technique. Talos has added these additional references to the SIDs to provide attack context information for our customers, and to support integration with other systems or reporting requirements.
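The integration and reporting use case above depends on pulling the ATT&CK references back out of the rule text. The following is an added example, not code from this release or from Talos, that parses a Snort rules file, maps each enabled SID to the ATT&CK technique IDs it references, and inverts that mapping into a per-technique coverage list. It assumes the references use Snort's generic `url` reference type pointing at `attack.mitre.org/techniques/...`; the sample rules, SIDs and CVE value are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample rule file (not from the Talos release). The form of the
# ATT&CK reference, Snort's generic "url" reference type pointing at
# attack.mitre.org, is an assumption; the CVE value is a placeholder.
SAMPLE_RULES = r"""
# Disabled rule: a leading '#' must be ignored, not counted as coverage.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE disabled"; reference:url,attack.mitre.org/techniques/T1021/002; sid:9000000; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"EXAMPLE SMB admin share access"; \
    flow:to_server,established; content:"|FF|SMB"; \
    reference:url,attack.mitre.org/techniques/T1021/002; \
    classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXAMPLE HTTP beacon"; flow:to_server,established; content:"/gate.php"; http_uri; reference:url,attack.mitre.org/techniques/T1071/001; reference:cve,0000-0000; classtype:trojan-activity; sid:9000002; rev:2;)
alert tcp any any -> any 21 (msg:"EXAMPLE no ATT&CK reference"; content:"USER"; sid:9000003; rev:1;)
"""

SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
REF_RE = re.compile(r"\breference\s*:\s*([^;]+);")
# Technique with optional sub-technique path component, e.g. T1021/002
ATTACK_RE = re.compile(r"attack\.mitre\.org/techniques/(T\d{4})(?:/(\d{3}))?")


def iter_rule_lines(text):
    """Yield logical rule lines: join backslash continuations, skip blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = buf + line
        buf = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        yield stripped


def attack_ids(rule):
    """Return ATT&CK IDs in canonical form (T1021.002) found in a rule's reference options."""
    ids = []
    for ref in REF_RE.findall(rule):
        for tech, sub in ATTACK_RE.findall(ref):
            ids.append(f"{tech}.{sub}" if sub else tech)
    return ids


def parse_rules(text):
    """Map each enabled rule's SID to the list of ATT&CK technique IDs it references."""
    out = {}
    for rule in iter_rule_lines(text):
        m = SID_RE.search(rule)
        if not m:
            continue  # not a complete rule line; nothing to attribute
        out[int(m.group(1))] = attack_ids(rule)
    return out


def techniques_to_sids(text):
    """Invert the mapping for reporting: technique ID -> sorted SIDs that cover it."""
    inv = defaultdict(list)
    for sid, techs in parse_rules(text).items():
        for t in techs:
            inv[t].append(sid)
    return {t: sorted(s) for t, s in sorted(inv.items())}


def sids_without_attack_refs(text):
    """SIDs that carry no ATT&CK reference, useful for spotting gaps in context data."""
    return sorted(sid for sid, techs in parse_rules(text).items() if not techs)


if __name__ == "__main__":
    for tech, sids in techniques_to_sids(SAMPLE_RULES).items():
        print(f"{tech}: {', '.join(map(str, sids))}")
    print("no ATT&CK reference:", sids_without_attack_refs(SAMPLE_RULES))
```

Point the functions at the contents of a real rules file instead of `SAMPLE_RULES` to build a technique-to-SID table for a SIEM enrichment feed; disabled rules are skipped so the table reflects only what the sensor actually alerts on.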