Talos Rules 2018-11-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-8408: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48409 through 48410.

Microsoft Vulnerability CVE-2018-8417: A coding deficiency exists in Microsoft JScript that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48398 through 48399.

Microsoft Vulnerability CVE-2018-8476: A coding deficiency exists in Microsoft Windows Deployment Services TFTP Server that may lead to remote code execution.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 32637.

Microsoft Vulnerability CVE-2018-8522: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48407 through 48408.

Microsoft Vulnerability CVE-2018-8539: A coding deficiency exists in Microsoft Word that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48378 through 48379.

Microsoft Vulnerability CVE-2018-8542: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2018-8544: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48372 through 48373.

Microsoft Vulnerability CVE-2018-8545: A coding deficiency exists in Microsoft Edge that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48387 through 48388.

Microsoft Vulnerability CVE-2018-8552: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48368 through 48369.

Microsoft Vulnerability CVE-2018-8553: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48374 through 48375.

Microsoft Vulnerability CVE-2018-8554: A coding deficiency exists in DirectX that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48366 through 48367.

Microsoft Vulnerability CVE-2018-8555: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48360 through 48361.

Microsoft Vulnerability CVE-2018-8556: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48376 through 48377.

Microsoft Vulnerability CVE-2018-8557: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2018-8562: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48362 through 48363.

Microsoft Vulnerability CVE-2018-8563: A coding deficiency exists in DirectX that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48370 through 48371.

Microsoft Vulnerability CVE-2018-8565: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48393 through 48394.

Microsoft Vulnerability CVE-2018-8576: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48405 through 48406.

Microsoft Vulnerability CVE-2018-8582: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48403 through 48404.

Microsoft Vulnerability CVE-2018-8584: A coding deficiency exists in Microsoft Windows ALPC that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48237 through 48238.

Microsoft Vulnerability CVE-2018-8588: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2018-8589: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48364 through 48365.

Talos also has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-pdf, malware-cnc, os-windows, protocol-tftp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-11-13 18:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48373 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48372 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48371 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48370 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48369 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48362 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48361 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48360 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48388 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48387 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48384 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48383 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48382 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48381 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48380 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt (server-webapp.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48377 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48376 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48375 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48374 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt (malware-cnc.rules)
 * 1:48396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48401 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48400 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 3:48386 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48385 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48390 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48391 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48392 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48389 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)

Modified Rules:


 * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
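The change log above follows the "gid:sid <-> Default rule state <-> Message (rule group)" format stated at its head. A deployment check that a rule-pack consumer commonly wants is to parse that format and reconcile it against the GID/SID ranges cited in the advisory text, so that a cited SID missing from the pack, or a cited rule that ships DISABLED by default, is noticed before the pack goes live. The script below is an added example written for this page, not Talos or Snort tooling; the parser, the advisory range regex and the reconciliation logic are this example's own design, and the sample input is a constructed excerpt using lines that appear on this page.

```python
import re
from dataclasses import dataclass

# One change-log line: " * 1:48408 <-> ENABLED <-> FILE-OFFICE ... attempt (file-office.rules)"
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
SECTION_LINE = re.compile(r"^\s*(?P<name>New Rules|Modified Rules):\s*$")

# Advisory phrasing: "GID 1, SIDs 48409 through 48410" or "GID 1, SID 32637"
RANGE_RE = re.compile(r"GID (?P<gid>\d+), SIDs? (?P<lo>\d+)(?: through (?P<hi>\d+))?")


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str      # ENABLED or DISABLED (default state in the pack)
    msg: str        # rule message, including its category prefix
    group: str      # rules file the entry belongs to
    section: str    # "New Rules" or "Modified Rules"


def parse_changelog(text: str) -> list[Rule]:
    """Parse change-log lines; non-rule lines (headers, blanks) are skipped."""
    rules, section = [], ""
    for line in text.splitlines():
        s = SECTION_LINE.match(line)
        if s:
            section = s["name"]
            continue
        m = RULE_LINE.match(line)
        if m:
            rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"],
                              m["msg"], m["group"], section))
    return rules


def parse_advisory_ranges(text: str) -> list[tuple[int, int, int]]:
    """Extract every (gid, first_sid, last_sid) the advisory prose cites."""
    out = []
    for m in RANGE_RE.finditer(text):
        lo = int(m["lo"])
        hi = int(m["hi"]) if m["hi"] else lo
        out.append((int(m["gid"]), lo, hi))
    return out


def reconcile(ranges, rules) -> list[tuple[int, int]]:
    """(gid, sid) pairs the advisory cites that the change log does not contain."""
    present = {(r.gid, r.sid) for r in rules}
    return [(gid, sid) for gid, lo, hi in ranges
            for sid in range(lo, hi + 1) if (gid, sid) not in present]


def disabled_by_default(rules) -> list[tuple[int, int]]:
    """Rules that ship DISABLED: these need an explicit enable to alert."""
    return sorted((r.gid, r.sid) for r in rules if r.state == "DISABLED")


# Constructed sample: a few lines taken from this release's change log.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)

Modified Rules:

 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)
"""

# Constructed sample: advisory sentences in the page's own phrasing. The
# CVE-2018-8417 range is deliberately absent from SAMPLE_CHANGELOG above.
SAMPLE_ADVISORY = """\
CVE-2018-8408: rules are identified with GID 1, SIDs 48409 through 48410.
CVE-2018-8417: rules are identified with GID 1, SIDs 48398 through 48399.
CVE-2018-8476: a previously released rule is identified with GID 1, SID 32637.
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    ranges = parse_advisory_ranges(SAMPLE_ADVISORY)
    print("cited but missing from pack:", reconcile(ranges, rules))
    print("cited or shipped DISABLED:", disabled_by_default(rules))
```

Run against a full change log, the two lists are what to act on: a missing SID means the advisory and the pack you downloaded disagree, and a DISABLED SID that the advisory says covers a CVE you care about alerts on nothing until it is turned on in your local policy.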

2018-11-13 18:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48362 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48400 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48369 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48361 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48370 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48371 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48360 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48372 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48373 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48374 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48375 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48376 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48377 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48380 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt (server-webapp.rules)
 * 1:48381 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48382 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48383 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48384 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48387 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48388 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt (malware-cnc.rules)
 * 1:48402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:48401 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 3:48385 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48386 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48389 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48390 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48391 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48392 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)

Modified Rules:


 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)

2018-11-13 18:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt (malware-cnc.rules)
 * 1:48363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48362 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48401 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48372 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48371 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48374 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48373 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48369 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48361 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48370 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48360 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48375 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48376 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48377 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48380 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt (server-webapp.rules)
 * 1:48381 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48382 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48383 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48384 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48387 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48388 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48400 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 3:48386 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48391 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48389 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48392 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48385 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48390 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)

Modified Rules:


 * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)

2018-11-13 18:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (snort3-os-windows.rules)
 * 1:48374 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (snort3-file-image.rules)
 * 1:48375 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (snort3-file-image.rules)
 * 1:48364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:48361 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (snort3-browser-ie.rules)
 * 1:48360 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (snort3-browser-ie.rules)
 * 1:48402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (snort3-os-windows.rules)
 * 1:48370 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (snort3-browser-ie.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48369 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (snort3-browser-ie.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (snort3-os-windows.rules)
 * 1:48371 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (snort3-browser-ie.rules)
 * 1:48372 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (snort3-browser-ie.rules)
 * 1:48373 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (snort3-browser-ie.rules)
 * 1:48363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:48367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (snort3-os-windows.rules)
 * 1:48368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (snort3-browser-ie.rules)
 * 1:48376 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (snort3-browser-ie.rules)
 * 1:48377 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (snort3-browser-ie.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (snort3-file-office.rules)
 * 1:48362 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (snort3-file-office.rules)
 * 1:48365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:48381 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (snort3-server-apache.rules)
 * 1:48380 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:48382 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (snort3-server-apache.rules)
 * 1:48384 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (snort3-server-apache.rules)
 * 1:48383 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (snort3-server-apache.rules)
 * 1:48387 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (snort3-browser-ie.rules)
 * 1:48393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (snort3-os-windows.rules)
 * 1:48388 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (snort3-browser-ie.rules)
 * 1:48394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (snort3-os-windows.rules)
 * 1:48396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (snort3-malware-cnc.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (snort3-os-windows.rules)
 * 1:48397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt (snort3-malware-cnc.rules)
 * 1:48395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (snort3-malware-cnc.rules)
 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (snort3-os-windows.rules)
 * 1:48401 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (snort3-file-flash.rules)
 * 1:48400 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (snort3-file-flash.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (snort3-file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (snort3-file-office.rules)

Modified Rules:


 * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (snort3-os-windows.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (snort3-protocol-tftp.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (snort3-browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (snort3-os-windows.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (snort3-file-pdf.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)

2018-11-13 18:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48361 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt (malware-cnc.rules)
 * 1:48362 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48369 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48401 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48360 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48373 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48370 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48371 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48400 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48372 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48375 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48374 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48376 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48377 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48380 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt (server-webapp.rules)
 * 1:48381 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48382 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48388 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48383 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48387 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48384 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:48396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 3:48391 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48390 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48392 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48385 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48386 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48389 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)

Modified Rules:


 * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)

2018-11-13 18:09:09 UTC

Snort Subscriber Rules Update

Date: 2018-11-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
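The "Default rule state" column matters more than it looks: a rule listed for an advisory's CVE still does nothing on a sensor if it ships DISABLED, and several of the rules in this update (for example 1:48409, 1:48410, 1:48398, 1:48399 and 1:32637) do. The following parser is an added example, not part of the Talos update or of any Snort tooling; the function names, the regular expression, and the embedded sample (lines copied from this update, cut down for the test) are this example's own. It turns the `gid:sid <-> state <-> message (group)` lines into records, checks a SID range the way an operator would check an advisory's "SIDs X through Y" claim, and emits `gid:sid` lines in the one-per-line form that SID-management tools such as PulledPork's enablesid.conf consume.

```python
import re
from collections import Counter

# Sample input constructed from lines in this 2018-11-13 update (not the whole pack).
SAMPLE_UPDATE = """\
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)
 * 3:48385 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
"""

# One update line:  * gid:sid <-> ENABLED|DISABLED <-> CATEGORY message text (group.rules)
# The category is the leading upper-case token of the message (OS-WINDOWS, FILE-OFFICE, ...).
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<category>[A-Z0-9-]+)\s+(?P<msg>.*?)\s*\((?P<group>[^()]+)\)\s*$"
)


def parse_rules(text):
    """Parse update lines into dicts; headers, blanks and other non-rule lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rec = m.groupdict()
            rec["gid"] = int(rec["gid"])
            rec["sid"] = int(rec["sid"])
            rules.append(rec)
    return rules


def check_coverage(rules, gid, first_sid, last_sid):
    """For a SID range an advisory cites, report SIDs absent from the pack and SIDs that ship DISABLED.

    An empty result in both keys means the range is present and active by default;
    anything under "disabled" must be enabled explicitly before it detects anything.
    """
    by_sid = {r["sid"]: r for r in rules if r["gid"] == gid}
    wanted = range(first_sid, last_sid + 1)
    missing = [s for s in wanted if s not in by_sid]
    disabled = [s for s in wanted if s in by_sid and by_sid[s]["state"] == "DISABLED"]
    return {"missing": missing, "disabled": disabled}


def state_summary(rules):
    """Count rules per (category, default state) to see where the disabled-by-default mass sits."""
    return Counter((r["category"], r["state"]) for r in rules)


def enable_overrides(rules):
    """Return 'gid:sid' lines, sorted, for every rule that ships DISABLED.

    This is the per-SID form accepted by PulledPork's enablesid.conf; the file name
    and the decision to enable every disabled rule are this example's assumptions.
    """
    disabled = sorted((r["gid"], r["sid"]) for r in rules if r["state"] == "DISABLED")
    return [f"{gid}:{sid}" for gid, sid in disabled]


if __name__ == "__main__":
    pack = parse_rules(SAMPLE_UPDATE)
    print(check_coverage(pack, 1, 48409, 48410))   # present, but both DISABLED
    print(check_coverage(pack, 1, 48407, 48408))   # not in the sample at all
    print(state_summary(pack))
    print("\n".join(enable_overrides(pack)))
```

Run it against the full text of a rule-update page rather than the sample to get the real picture; the check function is where to plug in each "SIDs X through Y" range an advisory cites, and a non-empty "missing" list for a range that the advisory says is in the release is worth a second look at which pack (snort3, 2990, 2983) you actually pulled.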

New Rules:


 * 1:48362 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48383 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48380 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup SupportPortalService.pm command injection attempt (server-webapp.rules)
 * 1:48381 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48382 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48379 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48376 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48377 <-> DISABLED <-> BROWSER-IE Microsoft Edge bailOnImplicitCall type confusion attempt (browser-ie.rules)
 * 1:48378 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory entry remote code execution attempt (file-office.rules)
 * 1:48375 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48361 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48370 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48368 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48367 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48399 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48398 <-> DISABLED <-> OS-WINDOWS Microsoft Windows potential Device Guard evasion via Jscript9 scripting engine attempt (os-windows.rules)
 * 1:48395 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy TLS server hello attempt (malware-cnc.rules)
 * 1:48394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48387 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy outbound connection (malware-cnc.rules)
 * 1:48393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k information disclosure attempt (os-windows.rules)
 * 1:48388 <-> ENABLED <-> BROWSER-IE Microsoft Edge information disclosure attempt (browser-ie.rules)
 * 1:48364 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48365 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48366 <-> DISABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl.sys elevation of privilege attempt (os-windows.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48363 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48369 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48384 <-> DISABLED <-> SERVER-APACHE Apache Tomcat mod_jk access control bypass attempt (server-apache.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48409 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48373 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48374 <-> ENABLED <-> FILE-IMAGE Microsoft Graphics component WMF code execution attempt (file-image.rules)
 * 1:48410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel ioctlsocket information disclosure attempt (os-windows.rules)
 * 1:48360 <-> ENABLED <-> BROWSER-IE Microsoft Edge JIT floating point value type confusion attempt (browser-ie.rules)
 * 1:48401 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48400 <-> DISABLED <-> FILE-FLASH Adobe Flash Player out of bounds read attempt (file-flash.rules)
 * 1:48372 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Engine remote code execution attempt (browser-ie.rules)
 * 1:48402 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Emotet variant outbound connection attempt (malware-cnc.rules)
 * 1:48371 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DirectX information disclosure attempt (browser-ie.rules)
 * 3:48385 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48386 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0713 attack attempt (file-office.rules)
 * 3:48389 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48390 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0711 attack attempt (file-office.rules)
 * 3:48391 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)
 * 3:48392 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0712 attack attempt (file-office.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:46676 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:48238 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:32637 <-> DISABLED <-> PROTOCOL-TFTP UDP large packet use after free attempt (protocol-tftp.rules)
 * 1:46677 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader go-to action NTLM credential disclosure attempt (file-pdf.rules)
 * 1:48237 <-> ENABLED <-> OS-WINDOWS Microsoft Data Sharing dssvc.dll arbitrary file deletion attempt (os-windows.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)