Talos Rules 2016-02-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-009: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37553 through 37554, 37571 through 37574, 37581 through 37582, 37596 through 37597, 37602 through 37605, and 37616 through 37617.

Microsoft Security Bulletin MS16-011: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 36986 through 36987.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 37575 through 37576, and 37608 through 37615.

Microsoft Security Bulletin MS16-012: A coding deficiency exists in the Microsoft Windows PDF library that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37565 through 37566 and 37594 through 37595.

Microsoft Security Bulletin MS16-013: A coding deficiency exists in Microsoft Windows Journal that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37577 through 37578.

Microsoft Security Bulletin MS16-014: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37555 through 37558, 37567 through 37570, and 37588 through 37591.

Microsoft Security Bulletin MS16-015: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37559 through 37564, 37579 through 37580, 37592 through 37593, 37598 through 37601, and 37606 through 37607.

Microsoft Security Bulletin MS16-016: A coding deficiency exists in Microsoft WebDAV that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37586 through 37587.

Microsoft Security Bulletin MS16-018: A coding deficiency exists in a Microsoft Windows kernel-mode driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 37584 through 37585.

Talos has added and modified multiple rules in the browser-ie, file-identify, file-image, file-office, file-other, file-pdf, indicator-shellcode, malware-cnc, os-windows, pua-adware and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-02-09 18:58:44 UTC

Snort Subscriber Rules Update

Date: 2016-02-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2962.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37614 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt (browser-ie.rules)
 * 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules)
 * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules)
 * 1:37553 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt (browser-ie.rules)
 * 1:37554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt (browser-ie.rules)
 * 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Latentbot variant outbound connection (malware-cnc.rules)
 * 1:37620 <-> DISABLED <-> PUA-ADWARE Genieo Adware framework variant outbound connection (pua-adware.rules)
 * 1:37619 <-> DISABLED <-> SERVER-OTHER InterSystems Cache UtilConfigHome.csp buffer overflow attempt (server-other.rules)
 * 1:37621 <-> DISABLED <-> PUA-ADWARE Genieo Adware framework User-Agent (pua-adware.rules)
 * 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37613 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt (browser-ie.rules)
 * 1:37612 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt (browser-ie.rules)
 * 1:37552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Engr variant outbound connection (malware-cnc.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules)
 * 1:37559 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt (file-office.rules)
 * 1:37560 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt (file-office.rules)
 * 1:37561 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37563 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37564 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37565 <-> ENABLED <-> FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt (file-pdf.rules)
 * 1:37566 <-> ENABLED <-> FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt (file-pdf.rules)
 * 1:37567 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37568 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37569 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37574 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37575 <-> ENABLED <-> BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt (browser-ie.rules)
 * 1:37576 <-> ENABLED <-> BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt (browser-ie.rules)
 * 1:37577 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt (file-other.rules)
 * 1:37578 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt (file-other.rules)
 * 1:37579 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt (file-office.rules)
 * 1:37580 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt (file-office.rules)
 * 1:37581 <-> ENABLED <-> BROWSER-IE Microsoft Edge SysFreeString double free attempt (browser-ie.rules)
 * 1:37582 <-> ENABLED <-> BROWSER-IE Microsoft Edge SysFreeString double free attempt (browser-ie.rules)
 * 1:37583 <-> DISABLED <-> INDICATOR-SHELLCODE Javascript 0xCCCC unicode unescape (indicator-shellcode.rules)
 * 1:37584 <-> ENABLED <-> OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt (os-windows.rules)
 * 1:37585 <-> ENABLED <-> OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt (os-windows.rules)
 * 1:37586 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:37587 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules)
 * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules)
 * 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules)
 * 1:37592 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt (file-office.rules)
 * 1:37593 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt (file-office.rules)
 * 1:37594 <-> ENABLED <-> FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt (file-pdf.rules)
 * 1:37595 <-> ENABLED <-> FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt (file-pdf.rules)
 * 1:37596 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
 * 1:37597 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
 * 1:37598 <-> ENABLED <-> FILE-OFFICE Microsoft Word external document access use-after-free attempt (file-office.rules)
 * 1:37599 <-> ENABLED <-> FILE-OFFICE Microsoft Word external document access use-after-free attempt (file-office.rules)
 * 1:37600 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt (file-office.rules)
 * 1:37601 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt (file-office.rules)
 * 1:37602 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt (browser-ie.rules)
 * 1:37603 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt (browser-ie.rules)
 * 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37615 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt (browser-ie.rules)
 * 1:37606 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt (file-office.rules)
 * 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37607 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt (file-office.rules)

Modified Rules:


 * 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:33833 <-> DISABLED <-> PUA-ADWARE User-Agent adware OutBrowse/Amonitize (pua-adware.rules)
 * 1:24206 <-> ENABLED <-> FILE-IDENTIFY LZH archive file magic detected (file-identify.rules)

2016-02-09 18:58:44 UTC

Snort Subscriber Rules Update

Date: 2016-02-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules)
 * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules)
 * 1:37554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt (browser-ie.rules)
 * 1:37553 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt (browser-ie.rules)
 * 1:37552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Engr variant outbound connection (malware-cnc.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules)
 * 1:37559 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt (file-office.rules)
 * 1:37560 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt (file-office.rules)
 * 1:37561 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37563 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37564 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37565 <-> ENABLED <-> FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt (file-pdf.rules)
 * 1:37566 <-> ENABLED <-> FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt (file-pdf.rules)
 * 1:37567 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37568 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37569 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37574 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37575 <-> ENABLED <-> BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt (browser-ie.rules)
 * 1:37576 <-> ENABLED <-> BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt (browser-ie.rules)
 * 1:37577 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt (file-other.rules)
 * 1:37578 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt (file-other.rules)
 * 1:37579 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt (file-office.rules)
 * 1:37580 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt (file-office.rules)
 * 1:37581 <-> ENABLED <-> BROWSER-IE Microsoft Edge SysFreeString double free attempt (browser-ie.rules)
 * 1:37582 <-> ENABLED <-> BROWSER-IE Microsoft Edge SysFreeString double free attempt (browser-ie.rules)
 * 1:37583 <-> DISABLED <-> INDICATOR-SHELLCODE Javascript 0xCCCC unicode unescape (indicator-shellcode.rules)
 * 1:37584 <-> ENABLED <-> OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt (os-windows.rules)
 * 1:37585 <-> ENABLED <-> OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt (os-windows.rules)
 * 1:37586 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:37587 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules)
 * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules)
 * 1:37592 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt (file-office.rules)
 * 1:37593 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt (file-office.rules)
 * 1:37594 <-> ENABLED <-> FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt (file-pdf.rules)
 * 1:37595 <-> ENABLED <-> FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt (file-pdf.rules)
 * 1:37596 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
 * 1:37597 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
 * 1:37598 <-> ENABLED <-> FILE-OFFICE Microsoft Word external document access use-after-free attempt (file-office.rules)
 * 1:37599 <-> ENABLED <-> FILE-OFFICE Microsoft Word external document access use-after-free attempt (file-office.rules)
 * 1:37600 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt (file-office.rules)
 * 1:37601 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt (file-office.rules)
 * 1:37602 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt (browser-ie.rules)
 * 1:37603 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt (browser-ie.rules)
 * 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37606 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt (file-office.rules)
 * 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37621 <-> DISABLED <-> PUA-ADWARE Genieo Adware framework User-Agent (pua-adware.rules)
 * 1:37620 <-> DISABLED <-> PUA-ADWARE Genieo Adware framework variant outbound connection (pua-adware.rules)
 * 1:37619 <-> DISABLED <-> SERVER-OTHER InterSystems Cache UtilConfigHome.csp buffer overflow attempt (server-other.rules)
 * 1:37618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Latentbot variant outbound connection (malware-cnc.rules)
 * 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37615 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt (browser-ie.rules)
 * 1:37614 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt (browser-ie.rules)
 * 1:37613 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt (browser-ie.rules)
 * 1:37612 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt (browser-ie.rules)
 * 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37607 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt (file-office.rules)

Modified Rules:


 * 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:24206 <-> ENABLED <-> FILE-IDENTIFY LZH archive file magic detected (file-identify.rules)
 * 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:33833 <-> DISABLED <-> PUA-ADWARE User-Agent adware OutBrowse/Amonitize (pua-adware.rules)
 * 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)

2016-02-09 18:58:44 UTC

Snort Subscriber Rules Update

Date: 2016-02-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:37624 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37623 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37622 <-> ENABLED <-> SERVER-WEBAPP Allen-Bradley Compact Logix cross site scripting attempt (server-webapp.rules)
 * 1:37621 <-> DISABLED <-> PUA-ADWARE Genieo Adware framework User-Agent (pua-adware.rules)
 * 1:37620 <-> DISABLED <-> PUA-ADWARE Genieo Adware framework variant outbound connection (pua-adware.rules)
 * 1:37619 <-> DISABLED <-> SERVER-OTHER InterSystems Cache UtilConfigHome.csp buffer overflow attempt (server-other.rules)
 * 1:37618 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Latentbot variant outbound connection (malware-cnc.rules)
 * 1:37617 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37616 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel hlink.dll string duplication input validation information disclosure attempt (file-office.rules)
 * 1:37615 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt (browser-ie.rules)
 * 1:37614 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CFGBitmap heap code execution attempt (browser-ie.rules)
 * 1:37613 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt (browser-ie.rules)
 * 1:37612 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CACPWrap object use-after-free attempt (browser-ie.rules)
 * 1:37611 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37610 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37609 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37608 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CallInvoke type confusion attempt (browser-ie.rules)
 * 1:37607 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt (file-office.rules)
 * 1:37606 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file bitmap width integer overflow attempt (file-office.rules)
 * 1:37605 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37604 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer StrCmpNICW string object use after free attempt (browser-ie.rules)
 * 1:37603 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt (browser-ie.rules)
 * 1:37602 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer IFRAME object constructor cross site scripting attempt (browser-ie.rules)
 * 1:37601 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt (file-office.rules)
 * 1:37600 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape objects null pointer dereference memory corruption attempt (file-office.rules)
 * 1:37599 <-> ENABLED <-> FILE-OFFICE Microsoft Word external document access use-after-free attempt (file-office.rules)
 * 1:37598 <-> ENABLED <-> FILE-OFFICE Microsoft Word external document access use-after-free attempt (file-office.rules)
 * 1:37597 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
 * 1:37596 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTextBlock use-after-free attempt (browser-ie.rules)
 * 1:37595 <-> ENABLED <-> FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt (file-pdf.rules)
 * 1:37594 <-> ENABLED <-> FILE-PDF Microsoft Windows PDF Library invalid JPX image heap corruption attempt (file-pdf.rules)
 * 1:37593 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt (file-office.rules)
 * 1:37592 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel formula length heap corruption attempt (file-office.rules)
 * 1:37591 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules)
 * 1:37590 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules)
 * 1:37589 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word OLMAPI32.dll dll-load exploit attempt (file-office.rules)
 * 1:37588 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word BCSRuntime.dll dll-load exploit attempt (file-office.rules)
 * 1:37587 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:37586 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:37585 <-> ENABLED <-> OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt (os-windows.rules)
 * 1:37584 <-> ENABLED <-> OS-WINDOWS Microsoft Windows wind32kfull.sys out of bounds write attempt (os-windows.rules)
 * 1:37583 <-> DISABLED <-> INDICATOR-SHELLCODE Javascript 0xCCCC unicode unescape (indicator-shellcode.rules)
 * 1:37582 <-> ENABLED <-> BROWSER-IE Microsoft Edge SysFreeString double free attempt (browser-ie.rules)
 * 1:37581 <-> ENABLED <-> BROWSER-IE Microsoft Edge SysFreeString double free attempt (browser-ie.rules)
 * 1:37580 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt (file-office.rules)
 * 1:37579 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint shape object null pointer dereference attempt (file-office.rules)
 * 1:37578 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt (file-other.rules)
 * 1:37577 <-> ENABLED <-> FILE-OTHER Microsoft Windows Journal CWispTiss use after free attempt (file-other.rules)
 * 1:37576 <-> ENABLED <-> BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt (browser-ie.rules)
 * 1:37575 <-> ENABLED <-> BROWSER-IE Microsoft Edge CTextBlock out of bounds read attempt (browser-ie.rules)
 * 1:37574 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37573 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37572 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37571 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDomPrototype type confusion attempt (browser-ie.rules)
 * 1:37570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37569 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37568 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37567 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WmipReceiveNotifications out of bounds write attempt (os-windows.rules)
 * 1:37566 <-> ENABLED <-> FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt (file-pdf.rules)
 * 1:37565 <-> ENABLED <-> FILE-PDF Microsoft Reader dynamic object stream uninitialized memory corruption attempt (file-pdf.rules)
 * 1:37564 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37563 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37562 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37561 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word missing dpinfo structure integer overflow attempt (file-office.rules)
 * 1:37560 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt (file-office.rules)
 * 1:37559 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word rtf file ffdefres integer underflow attempt (file-office.rules)
 * 1:37558 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules)
 * 1:37557 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules)
 * 1:37556 <-> ENABLED <-> FILE-OFFICE Microsoft Office phoneinfo.dll dll-load exploit attempt (file-office.rules)
 * 1:37555 <-> ENABLED <-> FILE-OFFICE Microsoft Office msdaora.dll dll-load exploit attempt (file-office.rules)
 * 1:37554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt (browser-ie.rules)
 * 1:37553 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CDATA use-after-free attempt (browser-ie.rules)
 * 1:37552 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Engr variant outbound connection (malware-cnc.rules)

Modified Rules:


 * 1:36987 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:35848 <-> DISABLED <-> FILE-IMAGE Microsoft Windows Bitmap width integer overflow attempt (file-image.rules)
 * 1:36986 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CAttrArray use after free attempt (browser-ie.rules)
 * 1:31404 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)
 * 1:33833 <-> DISABLED <-> PUA-ADWARE User-Agent adware OutBrowse/Amonitize (pua-adware.rules)
 * 1:24206 <-> ENABLED <-> FILE-IDENTIFY LZH archive file magic detected (file-identify.rules)
 * 1:31403 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer celement use after free (browser-ie.rules)