Talos Rules 2015-09-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-094: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35955 through 35960, 35963 through 35972, 35975 through 35976, 35990 through 35993, 35998 through 35999, 36004 through 36009, and 36018 through 36021.

Microsoft Security Bulletin MS15-095: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35963 through 35966.

Microsoft Security Bulletin MS15-097: A coding deficiency exists in a Microsoft Graphics Component that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 33765 through 33766 and 35719 through 35720.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 35973 through 35974, 35984 through 35989, 35994 through 35995, and 36016 through 36017.

Microsoft Security Bulletin MS15-098: A coding deficiency exists in Microsoft Windows Journal that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35961 through 35962.

Microsoft Security Bulletin MS15-099: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35996 through 35997 and 36000 through 36003.

Microsoft Security Bulletin MS15-100: A coding deficiency exists in Microsoft Windows Media Center that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35982 through 35983.

Microsoft Security Bulletin MS15-101: A coding deficiency exists in the Microsoft .NET Framework that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36014 through 36015.

Microsoft Security Bulletin MS15-102: A coding deficiency exists in Microsoft Task Management that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 35977 through 35978 and 36010 through 36013.

Talos has also added and modified multiple rules in the app-detect, browser-ie, file-executable, file-flash, file-identify, file-office, file-other, malware-other and server-mail rule sets to provide coverage for emerging threats from these technologies.

Change logs

2015-09-08 17:14:31 UTC

Snort Subscriber Rules Update

Date: 2015-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36006 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:35944 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP color palette stack buffer overflow attempt (server-mail.rules)
 * 1:36020 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt (browser-ie.rules)
 * 1:36016 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36002 <-> ENABLED <-> FILE-OFFICE Microsoft Excel bad file pointer memory corruption attempt (file-office.rules)
 * 1:36000 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed XF record use after free attempt (file-office.rules)
 * 1:36001 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed XF record use after free attempt (file-office.rules)
 * 1:35998 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt (browser-ie.rules)
 * 1:35999 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt (browser-ie.rules)
 * 1:35996 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt (file-office.rules)
 * 1:35997 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt (file-office.rules)
 * 1:35994 <-> ENABLED <-> OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt (os-windows.rules)
 * 1:35995 <-> ENABLED <-> OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt (os-windows.rules)
 * 1:35992 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt (browser-ie.rules)
 * 1:35993 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt (browser-ie.rules)
 * 1:35991 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt (browser-ie.rules)
 * 1:35990 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt (browser-ie.rules)
 * 1:35988 <-> ENABLED <-> FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt (file-executable.rules)
 * 1:35989 <-> ENABLED <-> FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt (file-executable.rules)
 * 1:35986 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt (os-windows.rules)
 * 1:35987 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt (os-windows.rules)
 * 1:35984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ denial of service attempt (os-windows.rules)
 * 1:35985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ denial of service attempt (os-windows.rules)
 * 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35980 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file attachment detected (file-identify.rules)
 * 1:35981 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file attachment detected (file-identify.rules)
 * 1:35978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt (os-windows.rules)
 * 1:35979 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file download request (file-identify.rules)
 * 1:35976 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt (browser-ie.rules)
 * 1:35977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt (os-windows.rules)
 * 1:35974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt (os-windows.rules)
 * 1:35975 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt (browser-ie.rules)
 * 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt (os-windows.rules)
 * 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35968 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge sandbox CreateFileW arbitrary file delete attempt (browser-ie.rules)
 * 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35966 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt (browser-ie.rules)
 * 1:35967 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge sandbox CreateFileW arbitrary file delete attempt (browser-ie.rules)
 * 1:35964 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:35965 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt (browser-ie.rules)
 * 1:35962 <-> ENABLED <-> FILE-OTHER Microsoft Journal file parsing remote code execution attempt (file-other.rules)
 * 1:35963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:35960 <-> ENABLED <-> BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt (browser-ie.rules)
 * 1:35961 <-> ENABLED <-> FILE-OTHER Microsoft Journal file parsing remote code execution attempt (file-other.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35959 <-> ENABLED <-> BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt (browser-ie.rules)
 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35957 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35955 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35952 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35953 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35951 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35948 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35946 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35947 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35945 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35719 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt (os-windows.rules)
 * 1:35720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt (os-windows.rules)
 * 1:36010 <-> ENABLED <-> OS-WINDOWS Microsoft Windows task scheduler race condition attempt (os-windows.rules)
 * 1:36012 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt (os-windows.rules)
 * 1:36013 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt (os-windows.rules)
 * 1:36007 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:36011 <-> ENABLED <-> OS-WINDOWS Microsoft Windows task scheduler race condition attempt (os-windows.rules)
 * 1:36008 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt (browser-ie.rules)
 * 1:36015 <-> ENABLED <-> OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt (os-windows.rules)
 * 1:36014 <-> ENABLED <-> OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt (os-windows.rules)
 * 1:36017 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36018 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid memory access attempt (browser-ie.rules)
 * 1:36019 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid memory access attempt (browser-ie.rules)
 * 1:36021 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt (browser-ie.rules)
 * 1:36009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt (browser-ie.rules)
 * 1:36005 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt (browser-ie.rules)
 * 1:36004 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt (browser-ie.rules)
 * 1:36003 <-> ENABLED <-> FILE-OFFICE Microsoft Excel bad file pointer memory corruption attempt (file-office.rules)

Modified Rules:


 * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules)
 * 1:20133 <-> DISABLED <-> FILE-OTHER MHTML XSS attempt (file-other.rules)
 * 1:33766 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules)
 * 1:33765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules)
 * 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)

2015-09-08 17:14:31 UTC

Snort Subscriber Rules Update

Date: 2015-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36002 <-> ENABLED <-> FILE-OFFICE Microsoft Excel bad file pointer memory corruption attempt (file-office.rules)
 * 1:36001 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed XF record use after free attempt (file-office.rules)
 * 1:36000 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed XF record use after free attempt (file-office.rules)
 * 1:35998 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt (browser-ie.rules)
 * 1:35999 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt (browser-ie.rules)
 * 1:35996 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt (file-office.rules)
 * 1:35997 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt (file-office.rules)
 * 1:35994 <-> ENABLED <-> OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt (os-windows.rules)
 * 1:35995 <-> ENABLED <-> OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt (os-windows.rules)
 * 1:35992 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt (browser-ie.rules)
 * 1:35993 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt (browser-ie.rules)
 * 1:35990 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt (browser-ie.rules)
 * 1:35991 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt (browser-ie.rules)
 * 1:35988 <-> ENABLED <-> FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt (file-executable.rules)
 * 1:35989 <-> ENABLED <-> FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt (file-executable.rules)
 * 1:35986 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt (os-windows.rules)
 * 1:35987 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt (os-windows.rules)
 * 1:35984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ denial of service attempt (os-windows.rules)
 * 1:35985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ denial of service attempt (os-windows.rules)
 * 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35981 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file attachment detected (file-identify.rules)
 * 1:35979 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file download request (file-identify.rules)
 * 1:35980 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file attachment detected (file-identify.rules)
 * 1:35977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt (os-windows.rules)
 * 1:35978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt (os-windows.rules)
 * 1:35975 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt (browser-ie.rules)
 * 1:35976 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt (browser-ie.rules)
 * 1:35973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt (os-windows.rules)
 * 1:35974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt (os-windows.rules)
 * 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35967 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge sandbox CreateFileW arbitrary file delete attempt (browser-ie.rules)
 * 1:35968 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge sandbox CreateFileW arbitrary file delete attempt (browser-ie.rules)
 * 1:35965 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt (browser-ie.rules)
 * 1:35966 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt (browser-ie.rules)
 * 1:35963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:35964 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:35961 <-> ENABLED <-> FILE-OTHER Microsoft Journal file parsing remote code execution attempt (file-other.rules)
 * 1:35962 <-> ENABLED <-> FILE-OTHER Microsoft Journal file parsing remote code execution attempt (file-other.rules)
 * 1:35960 <-> ENABLED <-> BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt (browser-ie.rules)
 * 1:35959 <-> ENABLED <-> BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt (browser-ie.rules)
 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35957 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35955 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35952 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35953 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35951 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35947 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35948 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35945 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35946 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35719 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt (os-windows.rules)
 * 1:35720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt (os-windows.rules)
 * 1:35944 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP color palette stack buffer overflow attempt (server-mail.rules)
 * 1:36021 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt (browser-ie.rules)
 * 1:36020 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt (browser-ie.rules)
 * 1:36019 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid memory access attempt (browser-ie.rules)
 * 1:36018 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid memory access attempt (browser-ie.rules)
 * 1:36017 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36016 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36015 <-> ENABLED <-> OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt (os-windows.rules)
 * 1:36014 <-> ENABLED <-> OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt (os-windows.rules)
 * 1:36013 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt (os-windows.rules)
 * 1:36012 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt (os-windows.rules)
 * 1:36011 <-> ENABLED <-> OS-WINDOWS Microsoft Windows task scheduler race condition attempt (os-windows.rules)
 * 1:36010 <-> ENABLED <-> OS-WINDOWS Microsoft Windows task scheduler race condition attempt (os-windows.rules)
 * 1:36009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt (browser-ie.rules)
 * 1:36007 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:36008 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt (browser-ie.rules)
 * 1:36006 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:36005 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt (browser-ie.rules)
 * 1:36004 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt (browser-ie.rules)
 * 1:36003 <-> ENABLED <-> FILE-OFFICE Microsoft Excel bad file pointer memory corruption attempt (file-office.rules)

Modified Rules:


 * 1:33766 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules)
 * 1:33765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules)
 * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules)
 * 1:20133 <-> DISABLED <-> FILE-OTHER MHTML XSS attempt (file-other.rules)
 * 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)

2015-09-08 17:14:30 UTC

Snort Subscriber Rules Update

Date: 2015-09-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36021 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt (browser-ie.rules)
 * 1:36020 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EPM SetValue sandbox bypass attempt (browser-ie.rules)
 * 1:36019 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid memory access attempt (browser-ie.rules)
 * 1:36018 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer invalid memory access attempt (browser-ie.rules)
 * 1:36017 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36016 <-> ENABLED <-> OS-WINDOWS Microsoft Windows use after free kernel privilege escalation attempt (os-windows.rules)
 * 1:36015 <-> ENABLED <-> OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt (os-windows.rules)
 * 1:36014 <-> ENABLED <-> OS-WINDOWS Microsoft Windows System.DirectoryServices.Protocols.Utility class memory overflow attempt (os-windows.rules)
 * 1:36013 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt (os-windows.rules)
 * 1:36012 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel SettingsSyncDiagnostics privilege escalation attempt (os-windows.rules)
 * 1:36011 <-> ENABLED <-> OS-WINDOWS Microsoft Windows task scheduler race condition attempt (os-windows.rules)
 * 1:36010 <-> ENABLED <-> OS-WINDOWS Microsoft Windows task scheduler race condition attempt (os-windows.rules)
 * 1:36009 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt (browser-ie.rules)
 * 1:36008 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds array memory access attempt (browser-ie.rules)
 * 1:36007 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:36006 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableColCalc out of bounds memory write attempt (browser-ie.rules)
 * 1:36005 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt (browser-ie.rules)
 * 1:36004 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgElement object double free attempt (browser-ie.rules)
 * 1:36003 <-> ENABLED <-> FILE-OFFICE Microsoft Excel bad file pointer memory corruption attempt (file-office.rules)
 * 1:36002 <-> ENABLED <-> FILE-OFFICE Microsoft Excel bad file pointer memory corruption attempt (file-office.rules)
 * 1:36001 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed XF record use after free attempt (file-office.rules)
 * 1:36000 <-> ENABLED <-> FILE-OFFICE Microsoft Excel malformed XF record use after free attempt (file-office.rules)
 * 1:35999 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt (browser-ie.rules)
 * 1:35998 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer msGetRegionContent memory corruption attempt (browser-ie.rules)
 * 1:35997 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt (file-office.rules)
 * 1:35996 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel OLESS directory entry type confusion remote code execution attempt (file-office.rules)
 * 1:35995 <-> ENABLED <-> OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt (os-windows.rules)
 * 1:35994 <-> ENABLED <-> OS-WINDOWS Microsoft Windows desktop window privilege escalation attempt (os-windows.rules)
 * 1:35993 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt (browser-ie.rules)
 * 1:35992 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CImgTaskSvgDoc object double free attempt (browser-ie.rules)
 * 1:35991 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt (browser-ie.rules)
 * 1:35990 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer JScript.Compact insertBefore memory corruption attempt (browser-ie.rules)
 * 1:35989 <-> ENABLED <-> FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt (file-executable.rules)
 * 1:35988 <-> ENABLED <-> FILE-EXECUTABLE NtGdiStretchBlt buffer overflow privilege escalation attempt (file-executable.rules)
 * 1:35987 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt (os-windows.rules)
 * 1:35986 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserSetWindowsHook memory disclosure attempt (os-windows.rules)
 * 1:35985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ denial of service attempt (os-windows.rules)
 * 1:35984 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ denial of service attempt (os-windows.rules)
 * 1:35983 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35982 <-> ENABLED <-> FILE-OTHER Windows Media Player mcl remote file execution attempt (file-other.rules)
 * 1:35981 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file attachment detected (file-identify.rules)
 * 1:35980 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file attachment detected (file-identify.rules)
 * 1:35979 <-> ENABLED <-> FILE-IDENTIFY Windows Media Center link file download request (file-identify.rules)
 * 1:35978 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt (os-windows.rules)
 * 1:35977 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CreateObjectTask privilege escalation attempt (os-windows.rules)
 * 1:35976 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt (browser-ie.rules)
 * 1:35975 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement object use-after-free attempt (browser-ie.rules)
 * 1:35974 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt (os-windows.rules)
 * 1:35973 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SURFACE objects kernel privilege escalation attempt (os-windows.rules)
 * 1:35972 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35971 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Embedded Windows Media Player CMarkup object use after free attempt (browser-ie.rules)
 * 1:35968 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge sandbox CreateFileW arbitrary file delete attempt (browser-ie.rules)
 * 1:35967 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge sandbox CreateFileW arbitrary file delete attempt (browser-ie.rules)
 * 1:35966 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt (browser-ie.rules)
 * 1:35965 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CElement input type memory corruption attempt (browser-ie.rules)
 * 1:35964 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:35963 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer element attribute use after free attempt (browser-ie.rules)
 * 1:35962 <-> ENABLED <-> FILE-OTHER Microsoft Journal file parsing remote code execution attempt (file-other.rules)
 * 1:35961 <-> ENABLED <-> FILE-OTHER Microsoft Journal file parsing remote code execution attempt (file-other.rules)
 * 1:35960 <-> ENABLED <-> BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt (browser-ie.rules)
 * 1:35959 <-> ENABLED <-> BROWSER-IE Microsoft Edge DOMNode manipulation use after free attempt (browser-ie.rules)
 * 1:35958 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35957 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35956 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35955 <-> ENABLED <-> BROWSER-IE Microsoft Edge CStr object use after free attempt (browser-ie.rules)
 * 1:35954 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35953 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35952 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35951 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35948 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35947 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35946 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35945 <-> ENABLED <-> FILE-FLASH Adobe Flash Player dangling bytearray pointer code execution attempt (file-flash.rules)
 * 1:35944 <-> ENABLED <-> SERVER-MAIL IBM Domino BMP color palette stack buffer overflow attempt (server-mail.rules)
 * 1:35720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt (os-windows.rules)
 * 1:35719 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CDD font parsing kernel memory corruption attempt (os-windows.rules)

Modified Rules:

 * 1:20133 <-> DISABLED <-> FILE-OTHER MHTML XSS attempt (file-other.rules)
 * 1:26803 <-> ENABLED <-> MALWARE-OTHER DNS data exfiltration attempt (malware-other.rules)
 * 1:27540 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling up attempt (app-detect.rules)
 * 1:27541 <-> DISABLED <-> APP-DETECT OzymanDNS dns tunneling down attempt (app-detect.rules)
 * 1:33765 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 1:33766 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserGetClipboardAccessToken privilege escalation attempt (os-windows.rules)
 * 3:30881 <-> ENABLED <-> MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (malware-other.rules)