Talos Rules 2018-12-18
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-firefox, exploit-kit, file-image, file-other, file-pdf, indicator-compromise and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-12-18 18:26:59 UTC

Snort Subscriber Rules Update

Date: 2018-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48629 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48632 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48631 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48636 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48634 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48633 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48622 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt (file-other.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48637 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48625 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 3:48614 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0752 attack attempt (server-webapp.rules)
 * 3:48615 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48616 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48617 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0746 attack attempt (server-webapp.rules)
 * 3:48618 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0747 attack attempt (policy-other.rules)
 * 3:48619 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0750 attack attempt (server-webapp.rules)
 * 3:48620 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0754 attack attempt (policy-other.rules)
 * 3:48621 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0749 attack attempt (server-webapp.rules)
 * 3:48635 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0753 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:47987 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:47988 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:39362 <-> DISABLED <-> INDICATOR-COMPROMISE User-Agent blank user-agent string (indicator-compromise.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48043 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48044 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)

2018-12-18 18:26:59 UTC

Snort Subscriber Rules Update

Date: 2018-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48631 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48633 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48637 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48629 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48632 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48634 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48622 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt (file-other.rules)
 * 1:48625 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48636 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 3:48614 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0752 attack attempt (server-webapp.rules)
 * 3:48615 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48616 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48617 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0746 attack attempt (server-webapp.rules)
 * 3:48618 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0747 attack attempt (policy-other.rules)
 * 3:48619 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0750 attack attempt (server-webapp.rules)
 * 3:48620 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0754 attack attempt (policy-other.rules)
 * 3:48621 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0749 attack attempt (server-webapp.rules)
 * 3:48635 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0753 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:48043 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:47988 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47987 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48044 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:39362 <-> DISABLED <-> INDICATOR-COMPROMISE User-Agent blank user-agent string (indicator-compromise.rules)

2018-12-18 18:26:59 UTC

Snort Subscriber Rules Update

Date: 2018-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48637 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48622 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt (snort3-file-other.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (snort3-file-other.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (snort3-file-other.rules)
 * 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48636 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48625 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (snort3-browser-firefox.rules)
 * 1:48630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48631 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (snort3-file-pdf.rules)
 * 1:48626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (snort3-browser-firefox.rules)
 * 1:48632 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (snort3-file-pdf.rules)
 * 1:48634 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (snort3-file-other.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (snort3-file-pdf.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (snort3-file-pdf.rules)
 * 1:48629 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48633 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (snort3-file-other.rules)

Modified Rules:


 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (snort3-exploit-kit.rules)
 * 1:47987 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (snort3-file-other.rules)
 * 1:39362 <-> DISABLED <-> INDICATOR-COMPROMISE User-Agent blank user-agent string (snort3-indicator-compromise.rules)
 * 1:47988 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48043 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (snort3-file-image.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:48044 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (snort3-file-image.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (snort3-file-other.rules)

2018-12-18 18:26:59 UTC

Snort Subscriber Rules Update

Date: 2018-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48637 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48636 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48632 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48631 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48633 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48634 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48622 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt (file-other.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48625 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48629 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 3:48614 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0752 attack attempt (server-webapp.rules)
 * 3:48615 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48616 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48617 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0746 attack attempt (server-webapp.rules)
 * 3:48618 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0747 attack attempt (policy-other.rules)
 * 3:48619 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0750 attack attempt (server-webapp.rules)
 * 3:48620 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0754 attack attempt (policy-other.rules)
 * 3:48621 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0749 attack attempt (server-webapp.rules)
 * 3:48635 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0753 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:47988 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:47987 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48043 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:39362 <-> DISABLED <-> INDICATOR-COMPROMISE User-Agent blank user-agent string (indicator-compromise.rules)
 * 1:48044 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)

2018-12-18 18:26:59 UTC

Snort Subscriber Rules Update

Date: 2018-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48631 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48636 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48629 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48632 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48633 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48634 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48625 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48622 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt (file-other.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48637 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 3:48614 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0752 attack attempt (server-webapp.rules)
 * 3:48615 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48616 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48617 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0746 attack attempt (server-webapp.rules)
 * 3:48618 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0747 attack attempt (policy-other.rules)
 * 3:48619 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0750 attack attempt (server-webapp.rules)
 * 3:48620 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0754 attack attempt (policy-other.rules)
 * 3:48621 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0749 attack attempt (server-webapp.rules)
 * 3:48635 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0753 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:47988 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48043 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:39362 <-> DISABLED <-> INDICATOR-COMPROMISE User-Agent blank user-agent string (indicator-compromise.rules)
 * 1:47987 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48044 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)

2018-12-18 18:26:59 UTC

Snort Subscriber Rules Update

Date: 2018-12-18

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48630 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48629 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48626 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48625 <-> ENABLED <-> BROWSER-FIREFOX Mozilla Firefox method array.prototype.push remote code execution attempt (browser-firefox.rules)
 * 1:48624 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48623 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro integer overflow vulnerability attempt (file-other.rules)
 * 1:48622 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro malformed XPS JPEG out of bounds read attempt (file-other.rules)
 * 1:48294 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48293 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader RegExp out of bounds read attempt (file-pdf.rules)
 * 1:48637 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48636 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48634 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48633 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF EMR_CREATEMONOBRUSH out-of-bounds write attempt (file-other.rules)
 * 1:48632 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 1:48631 <-> ENABLED <-> FILE-PDF Adobe Acrobat PDF XFA node use-after-free attempt (file-pdf.rules)
 * 3:48614 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0752 attack attempt (server-webapp.rules)
 * 3:48615 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48616 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0748 attack attempt (server-webapp.rules)
 * 3:48617 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0746 attack attempt (server-webapp.rules)
 * 3:48618 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0747 attack attempt (policy-other.rules)
 * 3:48619 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0750 attack attempt (server-webapp.rules)
 * 3:48620 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0754 attack attempt (policy-other.rules)
 * 3:48621 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0749 attack attempt (server-webapp.rules)
 * 3:48635 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0753 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:47987 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:47988 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out-of-bounds read attempt (file-other.rules)
 * 1:48043 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:28795 <-> ENABLED <-> EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt (exploit-kit.rules)
 * 1:39362 <-> DISABLED <-> INDICATOR-COMPROMISE User-Agent blank user-agent string (indicator-compromise.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48044 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 marker memory corruption attempt (file-image.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)