Talos Rules 2015-10-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS15-106: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 34393 through 34394.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 36407 through 36414, 36417 through 36422, 36431 through 36432, 36437 through 36444, 36447 through 36448, 36450 through 36451, and 36458 through 36459.

Microsoft Security Bulletin MS15-107: A coding deficiency exists in Microsoft Edge that may lead to information disclosure.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 36452.

Microsoft Security Bulletin MS15-108: A coding deficiency exists in Microsoft JScript and VBScript that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36419 through 36422.

Microsoft Security Bulletin MS15-109: A coding deficiency exists in Microsoft Windows Shell that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36401 through 36402 and 36423 through 36424.

Microsoft Security Bulletin MS15-110: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36425 through 36430.

Microsoft Security Bulletin MS15-111: A coding deficiency exists in the Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 36403 through 36406, 36415 through 36416, and 36445 through 36446.

Talos has also added and modified multiple rules in the browser-ie, browser-plugins, exploit-kit, file-flash, file-multimedia, file-office, file-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2015-10-13 18:57:21 UTC

Snort Subscriber Rules Update

Date: 2015-10-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36458 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36449 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
 * 1:36448 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36410 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36459 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:36442 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36444 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36441 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36433 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:36435 <-> DISABLED <-> SERVER-OTHER Xerox Administrator Console password extraction attempt (server-other.rules)
 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36434 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36428 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36430 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36427 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36422 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36419 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36414 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36409 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36420 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36413 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36408 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36453 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:36455 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:36454 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36456 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:36407 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36400 <-> DISABLED <-> SERVER-WEBAPP OpenDocMan redirection parameter cross site scripting attempt (server-webapp.rules)
 * 1:36457 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:36447 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)

Modified Rules:

 * 1:35672 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:25656 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:35671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:13830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:13963 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:13828 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12078 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer heap buffer overflow (server-other.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer stack buffer overflow attempt (server-other.rules)

2015-10-13 18:57:21 UTC

Snort Subscriber Rules Update

Date: 2015-10-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2973.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36459 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:36444 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36441 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36442 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:36435 <-> DISABLED <-> SERVER-OTHER Xerox Administrator Console password extraction attempt (server-other.rules)
 * 1:36434 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36433 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36430 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36428 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36427 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36422 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36419 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36414 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36409 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36458 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36457 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36456 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:36454 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36455 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36453 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:36449 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
 * 1:36420 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36448 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36413 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36410 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36408 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36407 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36400 <-> DISABLED <-> SERVER-WEBAPP OpenDocMan redirection parameter cross site scripting attempt (server-webapp.rules)
 * 1:36447 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)

Modified Rules:

 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:35672 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:35671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:13830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13963 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:25656 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:13828 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12078 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer heap buffer overflow (server-other.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer stack buffer overflow attempt (server-other.rules)

2015-10-13 18:57:21 UTC

Snort Subscriber Rules Update

Date: 2015-10-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2975.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:36445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:36444 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36441 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36442 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:36435 <-> DISABLED <-> SERVER-OTHER Xerox Administrator Console password extraction attempt (server-other.rules)
 * 1:36434 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36433 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36430 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36428 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36427 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36422 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36419 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36414 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36409 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36400 <-> DISABLED <-> SERVER-WEBAPP OpenDocMan redirection parameter cross site scripting attempt (server-webapp.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36407 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36408 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36410 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36413 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36420 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36459 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36458 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36457 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36456 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:36455 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36454 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36453 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36449 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
 * 1:36448 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36447 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)

Modified Rules:

 * 1:35672 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:35671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:13963 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:25656 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:13828 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12078 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer heap buffer overflow (server-other.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer stack buffer overflow attempt (server-other.rules)

2015-10-13 18:57:21 UTC

Snort Subscriber Rules Update

Date: 2015-10-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:36459 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36458 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:36457 <-> ENABLED <-> EXPLOIT-KIT Angler exploit kit landing page detected (exploit-kit.rules)
 * 1:36456 <-> DISABLED <-> FILE-MULTIMEDIA MultiMedia Soft Components AdjMmsEng.dll PLS file processing buffer overflow attempt (file-multimedia.rules)
 * 1:36455 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36454 <-> DISABLED <-> SERVER-OTHER Schneider Electric InduSoft Web Studio Remote Agent remote code execution attempt (server-other.rules)
 * 1:36453 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:36452 <-> DISABLED <-> BROWSER-IE Microsoft Edge cross site scripting filter bypass attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use-after-free attempt (browser-ie.rules)
 * 1:36449 <-> DISABLED <-> SERVER-WEBAPP Wordpress xmlrpc.php multiple failed authentication response (server-webapp.rules)
 * 1:36448 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36447 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSharedStyle object out-of-bounds read attempt (browser-ie.rules)
 * 1:36446 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:36445 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 low integrity level NTFS mount reparse point bypass attempt (os-windows.rules)
 * 1:36444 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36443 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EventListener use after free attempt (browser-ie.rules)
 * 1:36442 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36441 <-> ENABLED <-> FILE-OTHER Visual Basic scripting engine Filter argument mishandling attempt (file-other.rules)
 * 1:36440 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36439 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTableSelection use-after-free attempt (browser-ie.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36436 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:36435 <-> DISABLED <-> SERVER-OTHER Xerox Administrator Console password extraction attempt (server-other.rules)
 * 1:36434 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36433 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36432 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36431 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arraybuffer entryslice memory corruption attempt (browser-ie.rules)
 * 1:36430 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed binary format use after free attempt (file-office.rules)
 * 1:36428 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36427 <-> ENABLED <-> FILE-OFFICE Microsoft Visio lmetaclasscount buffer overflow attempt (file-office.rules)
 * 1:36426 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36425 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel fileVersion use-after-free attempt (file-office.rules)
 * 1:36424 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36423 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDeskBand use-after-free attempt (browser-ie.rules)
 * 1:36422 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36421 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36420 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36419 <-> DISABLED <-> POLICY-OTHER Remote non-VBScript file found in Visual Basic script tag src attribute (policy-other.rules)
 * 1:36418 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36417 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CWindow object use after free attempt (browser-ie.rules)
 * 1:36416 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36415 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel ALPC synchronous requests memory corruption attempt (os-windows.rules)
 * 1:36414 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36413 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36412 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36411 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer sandbox escape attempt (browser-ie.rules)
 * 1:36410 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36409 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36408 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36407 <-> ENABLED <-> OS-WINDOWS RDP client dll-load exploit attempt (os-windows.rules)
 * 1:36406 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36405 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox policy bypass attempt (os-windows.rules)
 * 1:36404 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SepReferenceLowBoxObjects privilege escalation attempt (os-windows.rules)
 * 1:36402 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36401 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CQuickLinks object use-after-free attempt (browser-ie.rules)
 * 1:36400 <-> DISABLED <-> SERVER-WEBAPP OpenDocMan redirection parameter cross site scripting attempt (server-webapp.rules)

Modified Rules:

 * 1:35671 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:35672 <-> ENABLED <-> FILE-FLASH Adobe Flash Player incorrect reference to IExternalizable object attempt (file-flash.rules)
 * 1:34393 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:34394 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript regular expression information disclosure attempt (browser-ie.rules)
 * 1:25656 <-> DISABLED <-> SERVER-OTHER HP OpenView Storage Data Protector exec_cmd buffer overflow attempt (server-other.rules)
 * 1:25775 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer pre-line use after free attempt (browser-ie.rules)
 * 1:13963 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer argument validation in print preview handling exploitation attempt (browser-ie.rules)
 * 1:13828 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:13830 <-> DISABLED <-> BROWSER-PLUGINS Microsoft Internet Explorer sapi.dll ActiveX clsid access attempt (browser-plugins.rules)
 * 1:12078 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer heap buffer overflow (server-other.rules)
 * 1:12079 <-> DISABLED <-> SERVER-OTHER CA BrightStor ARCserve LGServer stack buffer overflow attempt (server-other.rules)