Talos Rules 2018-04-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0870: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46243 through 46246.

Microsoft Vulnerability CVE-2018-0920: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46196 through 46197.

Microsoft Vulnerability CVE-2018-0950: A coding deficiency exists in Microsoft Office that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46266 through 46267.

Microsoft Vulnerability CVE-2018-0980: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0986: A coding deficiency exists in Microsoft Malware Protection Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46163 through 46164.

Microsoft Vulnerability CVE-2018-0988: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46198 through 46199.

Microsoft Vulnerability CVE-2018-0990: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46194 through 46195.

Microsoft Vulnerability CVE-2018-0991: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46206 through 46207.

Microsoft Vulnerability CVE-2018-0993: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46212 through 46213.

Microsoft Vulnerability CVE-2018-0994: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46220 through 46221.

Microsoft Vulnerability CVE-2018-0995: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46176 through 46177.

Microsoft Vulnerability CVE-2018-0996: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46218 through 46219.

Microsoft Vulnerability CVE-2018-0997: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46220 through 46221.

Microsoft Vulnerability CVE-2018-0998: Microsoft Edge suffers from programming errors that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46226 through 46227.

Microsoft Vulnerability CVE-2018-1001: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46228 through 46229.

Microsoft Vulnerability CVE-2018-1003: A coding deficiency exists in Microsoft JET Database Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46233 through 46234.

Microsoft Vulnerability CVE-2018-1004: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2018-1010: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46200 through 46201.

Microsoft Vulnerability CVE-2018-1011: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46192 through 46193.

Microsoft Vulnerability CVE-2018-1012: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46230 through 46231.

Microsoft Vulnerability CVE-2018-1013: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46188 through 46189.

Microsoft Vulnerability CVE-2018-1015: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46214 through 46215.

Microsoft Vulnerability CVE-2018-1016: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46186 through 46187.

Microsoft Vulnerability CVE-2018-1018: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46204 through 46205.

Microsoft Vulnerability CVE-2018-1023: A coding deficiency exists in Microsoft Browser that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2018-1026: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46184 through 46185.

Microsoft Vulnerability CVE-2018-1027: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46208 through 46209.

Microsoft Vulnerability CVE-2018-1028: A coding deficiency exists in Microsoft Office Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46182 through 46183.

Microsoft Vulnerability CVE-2018-1029: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46180 through 46181.

Microsoft Vulnerability CVE-2018-1030: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46178 through 46179.

Talos also has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-04-10 20:03:41 UTC

Snort Subscriber Rules Update

Date: 2018-04-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46187 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46188 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46189 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46192 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46253 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix file upload attempt (malware-cnc.rules)
 * 1:46210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46216 <-> DISABLED <-> SERVER-WEBAPP DIAEnergie credential request attempt (server-webapp.rules)
 * 1:46193 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46255 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46196 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46218 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46197 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46266 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46207 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46252 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46201 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46202 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannaminer malicious Powershell download attempt (malware-cnc.rules)
 * 1:46203 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannamine malicious Powershell download attempt (malware-cnc.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46206 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46259 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46186 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46185 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46182 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46183 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46176 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46177 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46219 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46194 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46226 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46195 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46258 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46213 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46249 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46184 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46264 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46212 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46256 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46267 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46227 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46257 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46228 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript memory corruption attempt (browser-ie.rules)
 * 1:46229 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt (browser-ie.rules)
 * 1:46230 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46231 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46232 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:46233 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46234 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46235 <-> ENABLED <-> MALWARE-CNC Dofoil outbound connection attempt (malware-cnc.rules)
 * 1:46236 <-> ENABLED <-> MALWARE-CNC Dofoil file download attempt (malware-cnc.rules)
 * 1:46237 <-> ENABLED <-> PUA-OTHER Cryptocurrency Miner outbound connection attempt (pua-other.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46265 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 3:46242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46174 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46172 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46217 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0557 attack attempt (policy-other.rules)
 * 3:46170 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46191 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46168 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46175 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0559 attack attempt (server-webapp.rules)
 * 3:46166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46173 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46171 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46169 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46167 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46165 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46222 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46190 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)

Modified Rules:


 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)

2018-04-10 20:03:41 UTC

Snort Subscriber Rules Update

Date: 2018-04-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46249 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46253 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix file upload attempt (malware-cnc.rules)
 * 1:46252 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46267 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46265 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46234 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46258 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46266 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46255 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46257 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46256 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46237 <-> ENABLED <-> PUA-OTHER Cryptocurrency Miner outbound connection attempt (pua-other.rules)
 * 1:46236 <-> ENABLED <-> MALWARE-CNC Dofoil file download attempt (malware-cnc.rules)
 * 1:46245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46235 <-> ENABLED <-> MALWARE-CNC Dofoil outbound connection attempt (malware-cnc.rules)
 * 1:46176 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46177 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46182 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46183 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46184 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46185 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46186 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46187 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46188 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46233 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46189 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46192 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46193 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46194 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46195 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46196 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46264 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46197 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46201 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46202 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannaminer malicious Powershell download attempt (malware-cnc.rules)
 * 1:46203 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannamine malicious Powershell download attempt (malware-cnc.rules)
 * 1:46204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46206 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46259 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46207 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46212 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46213 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46216 <-> DISABLED <-> SERVER-WEBAPP DIAEnergie credential request attempt (server-webapp.rules)
 * 1:46218 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46219 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46226 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46227 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46228 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript memory corruption attempt (browser-ie.rules)
 * 1:46229 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt (browser-ie.rules)
 * 1:46230 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46231 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46232 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:46248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46175 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0559 attack attempt (server-webapp.rules)
 * 3:46190 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46173 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46174 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46171 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46172 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46169 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46170 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46167 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46168 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46165 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46217 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0557 attack attempt (policy-other.rules)
 * 3:46222 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46191 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)

2018-04-10 20:03:41 UTC

Snort Subscriber Rules Update

Date: 2018-04-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46177 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (snort3-browser-ie.rules)
 * 1:46234 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (snort3-file-office.rules)
 * 1:46262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (snort3-file-flash.rules)
 * 1:46193 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (snort3-file-office.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (snort3-file-flash.rules)
 * 1:46200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (snort3-os-windows.rules)
 * 1:46267 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (snort3-file-other.rules)
 * 1:46266 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (snort3-file-other.rules)
 * 1:46265 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (snort3-file-other.rules)
 * 1:46197 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (snort3-file-office.rules)
 * 1:46264 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (snort3-file-other.rules)
 * 1:46263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (snort3-file-flash.rules)
 * 1:46194 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (snort3-browser-ie.rules)
 * 1:46201 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (snort3-os-windows.rules)
 * 1:46205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (snort3-browser-ie.rules)
 * 1:46202 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannaminer malicious Powershell download attempt (snort3-malware-cnc.rules)
 * 1:46203 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannamine malicious Powershell download attempt (snort3-malware-cnc.rules)
 * 1:46204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (snort3-browser-ie.rules)
 * 1:46218 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:46212 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46187 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (snort3-file-other.rules)
 * 1:46188 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (snort3-file-other.rules)
 * 1:46207 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (snort3-browser-ie.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:46210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (snort3-malware-cnc.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:46192 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (snort3-file-office.rules)
 * 1:46219 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:46213 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (snort3-os-windows.rules)
 * 1:46215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (snort3-os-windows.rules)
 * 1:46216 <-> DISABLED <-> SERVER-WEBAPP DIAEnergie credential request attempt (snort3-server-webapp.rules)
 * 1:46220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (snort3-browser-ie.rules)
 * 1:46221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (snort3-browser-ie.rules)
 * 1:46226 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (snort3-file-pdf.rules)
 * 1:46227 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (snort3-file-pdf.rules)
 * 1:46228 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript memory corruption attempt (snort3-browser-ie.rules)
 * 1:46230 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (snort3-os-windows.rules)
 * 1:46231 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (snort3-os-windows.rules)
 * 1:46232 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP file upload attempt (snort3-server-webapp.rules)
 * 1:46206 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (snort3-browser-ie.rules)
 * 1:46233 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (snort3-file-office.rules)
 * 1:46229 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt (snort3-browser-ie.rules)
 * 1:46182 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (snort3-file-office.rules)
 * 1:46176 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (snort3-browser-ie.rules)
 * 1:46199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (snort3-browser-ie.rules)
 * 1:46198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (snort3-browser-ie.rules)
 * 1:46195 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (snort3-browser-ie.rules)
 * 1:46196 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (snort3-file-office.rules)
 * 1:46183 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (snort3-file-office.rules)
 * 1:46184 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46185 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46186 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (snort3-file-other.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (snort3-file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (snort3-file-office.rules)
 * 1:46235 <-> ENABLED <-> MALWARE-CNC Dofoil outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46236 <-> ENABLED <-> MALWARE-CNC Dofoil file download attempt (snort3-malware-cnc.rules)
 * 1:46237 <-> ENABLED <-> PUA-OTHER Cryptocurrency Miner outbound connection attempt (snort3-pua-other.rules)
 * 1:46189 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (snort3-file-other.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (snort3-malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (snort3-malware-cnc.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (snort3-malware-cnc.rules)
 * 1:46243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (snort3-browser-ie.rules)
 * 1:46244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (snort3-browser-ie.rules)
 * 1:46245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (snort3-browser-ie.rules)
 * 1:46246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (snort3-browser-ie.rules)
 * 1:46247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (snort3-file-flash.rules)
 * 1:46248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (snort3-file-flash.rules)
 * 1:46249 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46252 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:46253 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix file upload attempt (snort3-malware-cnc.rules)
 * 1:46254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (snort3-file-flash.rules)
 * 1:46255 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (snort3-file-flash.rules)
 * 1:46256 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (snort3-file-flash.rules)
 * 1:46257 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (snort3-file-flash.rules)
 * 1:46258 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (snort3-file-flash.rules)
 * 1:46259 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (snort3-file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (snort3-file-flash.rules)

Modified Rules:


 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (snort3-browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (snort3-browser-ie.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (snort3-server-webapp.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (snort3-malware-cnc.rules)

2018-04-10 20:03:41 UTC

Snort Subscriber Rules Update

Date: 2018-04-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46249 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46183 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46184 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46201 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46202 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannaminer malicious Powershell download attempt (malware-cnc.rules)
 * 1:46203 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannamine malicious Powershell download attempt (malware-cnc.rules)
 * 1:46204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46206 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46207 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46212 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46213 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46193 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46216 <-> DISABLED <-> SERVER-WEBAPP DIAEnergie credential request attempt (server-webapp.rules)
 * 1:46218 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46219 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46176 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46192 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46177 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46255 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46253 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix file upload attempt (malware-cnc.rules)
 * 1:46252 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46182 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46259 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46258 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46257 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46256 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46266 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46265 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46264 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46267 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46197 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46196 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46195 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46194 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46189 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46187 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46188 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46185 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46186 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46236 <-> ENABLED <-> MALWARE-CNC Dofoil file download attempt (malware-cnc.rules)
 * 1:46237 <-> ENABLED <-> PUA-OTHER Cryptocurrency Miner outbound connection attempt (pua-other.rules)
 * 1:46234 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46235 <-> ENABLED <-> MALWARE-CNC Dofoil outbound connection attempt (malware-cnc.rules)
 * 1:46232 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:46233 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46230 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46231 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46229 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt (browser-ie.rules)
 * 1:46228 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript memory corruption attempt (browser-ie.rules)
 * 1:46226 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46227 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 3:46242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46217 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0557 attack attempt (policy-other.rules)
 * 3:46222 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46191 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46175 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0559 attack attempt (server-webapp.rules)
 * 3:46190 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46173 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46174 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46172 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46171 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46169 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46170 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46167 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46168 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46165 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)

2018-04-10 20:03:41 UTC

Snort Subscriber Rules Update

Date: 2018-04-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46176 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46177 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Excel out of bounds read attempt (file-office.rules)
 * 1:46183 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46182 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel graphics remote code execution attempt (file-office.rules)
 * 1:46184 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46207 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46206 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge use-after-free attempt (browser-ie.rules)
 * 1:46205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array use after free attempt (browser-ie.rules)
 * 1:46203 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannamine malicious Powershell download attempt (malware-cnc.rules)
 * 1:46202 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Wannaminer malicious Powershell download attempt (malware-cnc.rules)
 * 1:46201 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46199 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46198 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Vbscript String out of bounds write (browser-ie.rules)
 * 1:46197 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46196 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel named range cell content use-after-free attempt (file-office.rules)
 * 1:46195 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46194 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra use after free attempt (browser-ie.rules)
 * 1:46193 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46192 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel drawing cell reuse use-after-free attempt (file-office.rules)
 * 1:46189 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46188 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TTF integer overflow attempt (file-other.rules)
 * 1:46187 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46186 <-> ENABLED <-> FILE-OTHER TrueType Font Windows EOT font engine remote code execution attempt (file-other.rules)
 * 1:46185 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46229 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JavaScript memory corruption attempt (browser-ie.rules)
 * 1:46228 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer javascript memory corruption attempt (browser-ie.rules)
 * 1:46227 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46226 <-> ENABLED <-> FILE-PDF Microsoft Edge pdf parsing information disclosure attempt (file-pdf.rules)
 * 1:46221 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46220 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer object use after free attempt (browser-ie.rules)
 * 1:46219 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46218 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:46216 <-> DISABLED <-> SERVER-WEBAPP DIAEnergie credential request attempt (server-webapp.rules)
 * 1:46215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType font heap overflow attempt (os-windows.rules)
 * 1:46213 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46212 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46210 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Blackshades variant outbound communication (malware-cnc.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Excel use after free remote code execution attempt (file-office.rules)
 * 1:46252 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46251 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46250 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46249 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix outbound connection attempt (malware-cnc.rules)
 * 1:46248 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46247 <-> ENABLED <-> FILE-FLASH Adobe Flash Player Primetime MediaPlayerItemLoader BlurFilter object out of bounds write attempt (file-flash.rules)
 * 1:46246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedSWF use after free exploit attempt (browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:46239 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46238 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog outbound communication attempt (malware-cnc.rules)
 * 1:46237 <-> ENABLED <-> PUA-OTHER Cryptocurrency Miner outbound connection attempt (pua-other.rules)
 * 1:46236 <-> ENABLED <-> MALWARE-CNC Dofoil file download attempt (malware-cnc.rules)
 * 1:46235 <-> ENABLED <-> MALWARE-CNC Dofoil outbound connection attempt (malware-cnc.rules)
 * 1:46234 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46233 <-> ENABLED <-> FILE-OFFICE Microsoft JET Database remote code execution attempt (file-office.rules)
 * 1:46232 <-> DISABLED <-> SERVER-WEBAPP Mango Automation arbitrary JSP file upload attempt (server-webapp.rules)
 * 1:46231 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46230 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed TTF integer overflow attempt (os-windows.rules)
 * 1:46267 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46266 <-> DISABLED <-> FILE-OTHER Microsoft Office Outlook 2003 OLE information disclosure attempt detected (file-other.rules)
 * 1:46265 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46264 <-> ENABLED <-> FILE-OTHER Adobe Flash Player ATF image file out of bounds read attempt (file-other.rules)
 * 1:46263 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46262 <-> ENABLED <-> FILE-FLASH Adobe Flash Player use after free attempt (file-flash.rules)
 * 1:46261 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46260 <-> DISABLED <-> FILE-FLASH Adobe Flash Player malformed DefineSound tag heap overflow attempt (file-flash.rules)
 * 1:46259 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46258 <-> DISABLED <-> FILE-FLASH Adobe Flash Player MovieClip out of bounds write attempt (file-flash.rules)
 * 1:46257 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46256 <-> DISABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46255 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46254 <-> ENABLED <-> FILE-FLASH Adobe Flash Player corrupt PNG image load out of bounds memory access attempt (file-flash.rules)
 * 1:46253 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rovnix file upload attempt (malware-cnc.rules)
 * 3:46165 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46167 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46166 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46170 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46171 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46172 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46173 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46174 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0568 attack attempt (file-other.rules)
 * 3:46175 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0559 attack attempt (server-webapp.rules)
 * 3:46190 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46191 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0567 attack attempt (server-webapp.rules)
 * 3:46211 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0556 attack attempt (server-webapp.rules)
 * 3:46217 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0557 attack attempt (policy-other.rules)
 * 3:46222 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46223 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0561 attack attempt (file-image.rules)
 * 3:46224 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46225 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0562 attack attempt (file-image.rules)
 * 3:46241 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46242 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0564 attack attempt (file-image.rules)
 * 3:46168 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)
 * 3:46169 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0560 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46070 <-> ENABLED <-> MALWARE-CNC Win.Trojan.yty file exfiltration outbound request (malware-cnc.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44657 <-> ENABLED <-> SERVER-WEBAPP Unitrends Enterprise Backup API SQL injection attempt (server-webapp.rules)
 * 3:46146 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46143 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46144 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)
 * 3:46145 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2018-0553 attack attempt (file-image.rules)