Talos Rules 2018-05-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0946: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46544 through 46545.

Microsoft Vulnerability CVE-2018-0951: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0953: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0954: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0955: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46554 through 46555.

Microsoft Vulnerability CVE-2018-8120: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46546 through 46547.

Microsoft Vulnerability CVE-2018-8122: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46594 through 46595.

Microsoft Vulnerability CVE-2018-8123: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45121 through 45122.

Microsoft Vulnerability CVE-2018-8124: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46538 through 46539.

Microsoft Vulnerability CVE-2018-8133: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-8137: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46606 through 46607.

Microsoft Vulnerability CVE-2018-8147: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46552 through 46553.

Microsoft Vulnerability CVE-2018-8148: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46556 through 46557.

Microsoft Vulnerability CVE-2018-8157: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46558 through 46559.

Microsoft Vulnerability CVE-2018-8158: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46560 through 46561.

Microsoft Vulnerability CVE-2018-8161: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46601 through 46602.

Microsoft Vulnerability CVE-2018-8162: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 38785 through 38786.

Microsoft Vulnerability CVE-2018-8164: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46562 through 46563.

Microsoft Vulnerability CVE-2018-8165: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46596 through 46597.

Microsoft Vulnerability CVE-2018-8166: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46564 through 46565.

Microsoft Vulnerability CVE-2018-8167: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46603 through 46604.

Microsoft Vulnerability CVE-2018-8174: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46548 through 46549.

Talos also has added and modified multiple rules in the browser-ie, file-flash, file-office, file-other, file-pdf, malware-cnc, os-windows, server-oracle and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-05-08 18:34:57 UTC

Snort Subscriber Rules Update

Date: 2018-05-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46537 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46546 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46597 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46535 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46594 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46595 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46562 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46539 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46587 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46588 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46580 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46593 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46589 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46536 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46533 <-> DISABLED <-> SERVER-WEBAPP DHCP cross site scripting attempt (server-webapp.rules)
 * 1:46547 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46563 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46532 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46558 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46560 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46559 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46540 <-> DISABLED <-> SERVER-WEBAPP UltiDev Cassini Webserver file download attempt (server-webapp.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46606 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46603 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46579 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46576 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46531 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46530 <-> DISABLED <-> SERVER-WEBAPP Dream Report ASPX file upload attempt (server-webapp.rules)
 * 1:46584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46538 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:46574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46575 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46564 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46565 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:46534 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46607 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46592 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46596 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46561 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46542 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)
 * 3:46541 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)
 * 3:46543 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0591 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:26179 <-> DISABLED <-> SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt (server-webapp.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:38786 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38785 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
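
The advisory above maps each CVE to a GID/SID range and says whether those rules are new or previously released, and the change log lists every rule as gid:sid <-> Default rule state <-> Message (rule group). Before deploying a release it is worth confirming the two agree, and worth noticing which new rules ship DISABLED (for example the Oracle Access Manager authentication bypass and NetGear command injection rules): a DISABLED rule is present in the rule pack but fires nowhere until it is enabled in local policy. The script below is an added example, not Talos tooling: it parses change-log lines in the format quoted on this page, checks the advisory's SID claims against them, and lists the disabled-by-default SIDs. The CHANGELOG string is a constructed subset of the Snort 2983 change log above, the ADVISORY table is transcribed from the CVE entries above, and the function names are this example's own.

```python
"""Cross-check a Talos rule-release advisory against its change log.

Added example, not part of the Talos release notes. Parses lines in the
page's own format:

    gid:sid <-> Default rule state <-> Message (rule group)

and verifies the SID ranges the advisory claims for each CVE, including
whether they sit under "New Rules:" or "Modified Rules:".
"""
import re

# Constructed subset of the 2018-05-08 change log for Snort 2983 (lines
# copied from this page; the full log has many more entries).
CHANGELOG = """\
New Rules:

 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46546 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46547 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
"""

# Advisory claims transcribed from the CVE entries on this page:
# CVE -> (gid, first sid, last sid, section the advisory implies).
# CVE-2018-8124's SIDs are deliberately absent from the subset above so
# the "missing from change log" path is exercised.
ADVISORY = {
    "CVE-2018-0946": (1, 46544, 46545, "new"),
    "CVE-2018-0951": (1, 45628, 45629, "modified"),
    "CVE-2018-8120": (1, 46546, 46547, "new"),
    "CVE-2018-8124": (1, 46538, 46539, "new"),
    "CVE-2018-8174": (1, 46548, 46549, "new"),
}

# One change-log entry. The rule group is the parenthesised *.rules file
# at the end of the line; the message is everything between the state
# and that group (lazy match, so a message may itself contain spaces).
LINE_RE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\(([\w.-]+)\)\s*$"
)


def parse_changelog(text):
    """Return {(gid, sid): {"state", "msg", "group", "section"}}.

    "section" is "new" or "modified" according to the heading the entry
    appeared under; entries before any heading are ignored.
    """
    rules = {}
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m is None or section is None:
            continue
        gid, sid, state, msg, group = m.groups()
        rules[(int(gid), int(sid))] = {
            "state": state, "msg": msg, "group": group, "section": section,
        }
    return rules


def check_advisory(advisory, rules):
    """For each CVE return "ok" or a list of discrepancies with the log."""
    report = {}
    for cve, (gid, first, last, section) in advisory.items():
        problems = []
        for sid in range(first, last + 1):
            entry = rules.get((gid, sid))
            if entry is None:
                problems.append(f"{gid}:{sid} not in change log")
            elif entry["section"] != section:
                problems.append(
                    f"{gid}:{sid} listed under {entry['section']}, advisory says {section}"
                )
        report[cve] = problems or "ok"
    return report


def disabled_by_default(rules):
    """SIDs shipped DISABLED: present in the pack, inert until enabled in policy."""
    return sorted(sid for (_gid, sid), e in rules.items() if e["state"] == "DISABLED")


if __name__ == "__main__":
    parsed = parse_changelog(CHANGELOG)
    for cve, result in check_advisory(ADVISORY, parsed).items():
        print(cve, result)
    print("disabled by default:", disabled_by_default(parsed))
```

Run against the full change log, the "not in change log" and "listed under modified, advisory says new" findings are the ones to chase before trusting an advisory line, and the disabled list is the set of SIDs to review for explicit enablement where the affected product (here Oracle Access Manager) is actually deployed.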

2018-05-08 18:34:57 UTC

Snort Subscriber Rules Update

Date: 2018-05-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46597 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46532 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46596 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46534 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46535 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46589 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46592 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46530 <-> DISABLED <-> SERVER-WEBAPP Dream Report ASPX file upload attempt (server-webapp.rules)
 * 1:46536 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46595 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46539 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46540 <-> DISABLED <-> SERVER-WEBAPP UltiDev Cassini Webserver file download attempt (server-webapp.rules)
 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46537 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46547 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46607 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46564 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46594 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46603 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46562 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46580 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46579 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46576 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46575 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46565 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46531 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46563 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46561 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46559 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46560 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46558 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46587 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46588 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46533 <-> DISABLED <-> SERVER-WEBAPP DHCP cross site scripting attempt (server-webapp.rules)
 * 1:46546 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:46606 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46538 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46593 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46541 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)
 * 3:46542 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)
 * 3:46543 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0591 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:38785 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:26179 <-> DISABLED <-> SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt (server-webapp.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:38786 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)

2018-05-08 18:34:57 UTC

Snort Subscriber Rules Update

Date: 2018-05-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46537 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (snort3-server-webapp.rules)
 * 1:46531 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (snort3-server-webapp.rules)
 * 1:46539 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46535 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (snort3-server-webapp.rules)
 * 1:46532 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (snort3-server-webapp.rules)
 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (snort3-browser-ie.rules)
 * 1:46596 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46595 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (snort3-browser-ie.rules)
 * 1:46606 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (snort3-browser-ie.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (snort3-server-oracle.rules)
 * 1:46604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (snort3-os-windows.rules)
 * 1:46603 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (snort3-os-windows.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (snort3-file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (snort3-file-office.rules)
 * 1:46547 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (snort3-os-windows.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (snort3-server-webapp.rules)
 * 1:46597 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (snort3-file-flash.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (snort3-file-flash.rules)
 * 1:46592 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (snort3-browser-ie.rules)
 * 1:46607 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (snort3-browser-ie.rules)
 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (snort3-browser-ie.rules)
 * 1:46540 <-> DISABLED <-> SERVER-WEBAPP UltiDev Cassini Webserver file download attempt (snort3-server-webapp.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (snort3-browser-ie.rules)
 * 1:46538 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46580 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (snort3-malware-cnc.rules)
 * 1:46579 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (snort3-malware-cnc.rules)
 * 1:46576 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46575 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46564 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:46565 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:46563 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:46536 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (snort3-server-webapp.rules)
 * 1:46534 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (snort3-server-webapp.rules)
 * 1:46530 <-> DISABLED <-> SERVER-WEBAPP Dream Report ASPX file upload attempt (snort3-server-webapp.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46533 <-> DISABLED <-> SERVER-WEBAPP DHCP cross site scripting attempt (snort3-server-webapp.rules)
 * 1:46562 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:46546 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (snort3-os-windows.rules)
 * 1:46561 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (snort3-file-office.rules)
 * 1:46559 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (snort3-file-office.rules)
 * 1:46560 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (snort3-file-office.rules)
 * 1:46558 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (snort3-file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (snort3-browser-ie.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46588 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46589 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46587 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (snort3-malware-cnc.rules)
 * 1:46594 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (snort3-browser-ie.rules)
 * 1:46593 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:26179 <-> DISABLED <-> SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt (snort3-server-webapp.rules)
 * 1:38785 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (snort3-file-office.rules)
 * 1:38786 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (snort3-file-office.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (snort3-browser-ie.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (snort3-browser-ie.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (snort3-browser-ie.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (snort3-browser-ie.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (snort3-os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (snort3-os-windows.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (snort3-browser-ie.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (snort3-browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (snort3-server-webapp.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (snort3-server-other.rules)

2018-05-08 18:34:57 UTC

Snort Subscriber Rules Update

Date: 2018-05-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
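The listing format above is easy to read but tedious to check by hand across a release with this many SIDs. The following is an added example (not Talos or Snort code) of a small parser for that format that turns each line into a record, tracks the "New Rules:" / "Modified Rules:" section it came from, confirms that every SID range an advisory names is actually present in the pack, lists the rules that ship DISABLED so you can decide which to turn on, and diffs two packs. The sample listing embedded in it is constructed from a handful of lines on this page; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Constructed sample: a few lines in the listing format this page uses
# ("gid:sid <-> Default rule state <-> Message (rule group)"), plus the
# section headers that separate new rules from modified ones.
SAMPLE_LISTING = """\
New Rules:

 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46530 <-> DISABLED <-> SERVER-WEBAPP Dream Report ASPX file upload attempt (server-webapp.rules)
 * 1:46534 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt  (file-office.rules)
 * 1:46593 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
"""

# One listing line. The message is matched lazily so a stray double space
# before the "(group.rules)" suffix does not break parsing.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^\s*(?P<section>New|Modified) Rules:\s*$")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    category: str   # leading token of the message, e.g. "BROWSER-IE"
    message: str
    group: str      # rules file, e.g. "browser-ie.rules"
    section: str    # "New" or "Modified"


def parse_listing(text: str) -> List[RuleEntry]:
    """Parse an update listing into RuleEntry records, tracking the section."""
    entries: List[RuleEntry] = []
    section = "New"
    for line in text.splitlines():
        s = SECTION_RE.match(line)
        if s:
            section = s["section"]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, headers, free text
        msg = m["msg"]
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            category=msg.split(" ", 1)[0], message=msg,
            group=m["group"], section=section,
        ))
    return entries


def missing_sids(entries: Sequence[RuleEntry], gid: int,
                 sid_ranges: Sequence[Tuple[int, int]]) -> List[int]:
    """SIDs in the given inclusive ranges that the listing does not contain.

    Use this to confirm that every SID range an advisory names for a CVE is
    actually present in the rule pack you pulled.
    """
    present = {e.sid for e in entries if e.gid == gid}
    expected = set()
    for lo, hi in sid_ranges:
        expected.update(range(lo, hi + 1))
    return sorted(expected - present)


def disabled_rules(entries: Sequence[RuleEntry],
                   category: Optional[str] = None) -> List[str]:
    """'gid:sid' strings for rules shipped DISABLED, optionally in one category.

    Rules that are off by default (most SERVER-WEBAPP rules in this release)
    only protect you if you turn them on; this is the list to review against
    the products you actually run.
    """
    return [f"{e.gid}:{e.sid}" for e in sorted(entries, key=lambda e: (e.gid, e.sid))
            if not e.enabled and (category is None or e.category == category)]


def pack_diff(a: Sequence[RuleEntry],
              b: Sequence[RuleEntry]) -> Tuple[List[str], List[str]]:
    """(only_in_a, only_in_b) as 'gid:sid' strings, for comparing two packs."""
    def fmt(keys):
        return [f"{g}:{s}" for g, s in sorted(keys)]
    ka = {(e.gid, e.sid) for e in a}
    kb = {(e.gid, e.sid) for e in b}
    return fmt(ka - kb), fmt(kb - ka)


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    print(f"{len(rules)} rules parsed")
    print("missing from 1:46544-46545:", missing_sids(rules, 1, [(46544, 46545)]))
    print("disabled SERVER-WEBAPP:", disabled_rules(rules, "SERVER-WEBAPP"))
```

Feed it the full text of one of the version blocks below and the advisory's SID ranges for the CVEs you care about; an empty result from `missing_sids` means the pack you installed carries every rule the advisory points at. `pack_diff` run over the 2091100 and 2091101 blocks shows whether the two packs differ in anything other than ordering.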

New Rules:


 * 1:46539 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46592 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46593 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46594 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46532 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46535 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46531 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46536 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46530 <-> DISABLED <-> SERVER-WEBAPP Dream Report ASPX file upload attempt (server-webapp.rules)
 * 1:46538 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46546 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46533 <-> DISABLED <-> SERVER-WEBAPP DHCP cross site scripting attempt (server-webapp.rules)
 * 1:46547 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46558 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46560 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46559 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46561 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46540 <-> DISABLED <-> SERVER-WEBAPP UltiDev Cassini Webserver file download attempt (server-webapp.rules)
 * 1:46562 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46563 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46564 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46565 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46575 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46579 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46580 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46587 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46588 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46589 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46607 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46606 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:46604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46603 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46534 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46597 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46596 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46595 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46576 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46537 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46542 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)
 * 3:46543 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0591 attack attempt (server-webapp.rules)
 * 3:46541 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)

Modified Rules:


 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:38786 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:38785 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:26179 <-> DISABLED <-> SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt (server-webapp.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)

2018-05-08 18:34:57 UTC

Snort Subscriber Rules Update

Date: 2018-05-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46545 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46544 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine use after free attempt (browser-ie.rules)
 * 1:46540 <-> DISABLED <-> SERVER-WEBAPP UltiDev Cassini Webserver file download attempt (server-webapp.rules)
 * 1:46539 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46538 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:46537 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46536 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46535 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46534 <-> DISABLED <-> SERVER-WEBAPP NetGear DGN2200B command injection attempt (server-webapp.rules)
 * 1:46533 <-> DISABLED <-> SERVER-WEBAPP DHCP cross site scripting attempt (server-webapp.rules)
 * 1:46532 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46531 <-> DISABLED <-> SERVER-WEBAPP SearchBlox suspicious configuration upload attempt (server-webapp.rules)
 * 1:46530 <-> DISABLED <-> SERVER-WEBAPP Dream Report ASPX file upload attempt (server-webapp.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46547 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46546 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k NtUserSetImeInfoEx privilege escalation attempt (os-windows.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Excel remote code execution attempt (file-office.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46560 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46559 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46558 <-> ENABLED <-> FILE-OFFICE Microsoft Office docx heap out of bounds read attempt (file-office.rules)
 * 1:46561 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF embedded ole file out of bounds write attempt (file-office.rules)
 * 1:46590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46589 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46588 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46587 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46586 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46585 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46584 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46583 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46582 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46581 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46580 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46579 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46578 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious system information disclosure (malware-cnc.rules)
 * 1:46577 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46576 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46575 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46574 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46565 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46564 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46563 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46562 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46606 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 1:46605 <-> DISABLED <-> SERVER-ORACLE Oracle Access Manager authentication bypass attempt (server-oracle.rules)
 * 1:46604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46603 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys out of bounds local privilege escalation attempt (os-windows.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46600 <-> DISABLED <-> SERVER-WEBAPP Indusoft Web Studio/Intouch Machine Edition buffer overflow attempt (server-webapp.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46597 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46596 <-> ENABLED <-> OS-WINDOWS dxgkrnl.sys privilege escalation attempt (os-windows.rules)
 * 1:46595 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46594 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer prototype type confusion attempt (browser-ie.rules)
 * 1:46593 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46592 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:46591 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Banload malicious file download (malware-cnc.rules)
 * 1:46607 <-> ENABLED <-> BROWSER-IE Microsoft Edge out-of-bounds memory access attempt (browser-ie.rules)
 * 3:46550 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46551 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0590 attack attempt (file-pdf.rules)
 * 3:46542 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)
 * 3:46543 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0591 attack attempt (server-webapp.rules)
 * 3:46541 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0589 attack attempt (file-other.rules)

Modified Rules:


 * 1:38785 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:40714 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:40713 <-> DISABLED <-> BROWSER-IE Microsoft Edge JSON.parse information disclosure attempt (browser-ie.rules)
 * 1:40704 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46489 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server NVBUBackup SQL injection attempt (server-webapp.rules)
 * 1:46495 <-> DISABLED <-> SERVER-OTHER HTTP request smuggling attempt (server-other.rules)
 * 1:38786 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:40703 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer UIAnimaation.dll use after free attempt (browser-ie.rules)
 * 1:26179 <-> DISABLED <-> SERVER-WEBAPP TP-Link http/tftp backdoor initiation attempt (server-webapp.rules)