Talos Rules 2016-03-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-023: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38065 through 38070, 38081 through 38082, 38085 through 38086, 38088 through 38091, 38094 through 38099, 38108 through 38109, 38112 through 38113, 38117 through 38118, and 38122 through 38123.

Microsoft Security Bulletin MS16-024: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are included in this release and are identified with GID 1, SIDs 37279 through 37280.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 38106 through 38107.

Microsoft Security Bulletin MS16-026: A coding deficiency exists in Microsoft Graphic Fonts that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38063 through 38064.

Microsoft Security Bulletin MS16-027: A coding deficiency exists in Microsoft Windows Media Player that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38079 through 38080 and 38124 through 38125.

Microsoft Security Bulletin MS16-028: A coding deficiency exists in Microsoft Windows PDF Library that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38073 through 38078.

Microsoft Security Bulletin MS16-029: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38100 through 38101 and 38126 through 38129.

Microsoft Security Bulletin MS16-030: A coding deficiency exists in Microsoft Windows OLE that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38110 through 38111.

Microsoft Security Bulletin MS16-031: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38092 through 38093.

Microsoft Security Bulletin MS16-032: A coding deficiency exists in Microsoft Secondary Logon that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38114 through 38115.

Microsoft Security Bulletin MS16-034: A coding deficiency exists in Microsoft Kernel Mode Drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38061 through 38062, 38071 through 38072, 38083 through 38084, and 38119 through 38120.

Talos has also added and modified multiple rules in the browser-ie, exploit-kit, file-multimedia, file-office, file-other, indicator-obfuscation, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-03-08 18:17:22 UTC

Snort Subscriber Rules Update

Date: 2016-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38112 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:38113 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:38110 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38111 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38108 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free (browser-ie.rules)
 * 1:38109 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free (browser-ie.rules)
 * 1:38106 <-> DISABLED <-> BROWSER-IE Microsoft Edge LineBoxBuilder out-of-bound memory access attempt (browser-ie.rules)
 * 1:38107 <-> DISABLED <-> BROWSER-IE Microsoft Edge LineBoxBuilder out-of-bound memory access attempt (browser-ie.rules)
 * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules)
 * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules)
 * 1:38102 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:38103 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38096 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bound write access attempt (browser-ie.rules)
 * 1:38097 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bound write access attempt (browser-ie.rules)
 * 1:38094 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos remote code execution attempt (browser-ie.rules)
 * 1:38095 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos remote code execution attempt (browser-ie.rules)
 * 1:38092 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ObReferenceObjectByHandle function privilege escalation attempt (os-windows.rules)
 * 1:38093 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ObReferenceObjectByHandle function privilege escalation attempt (os-windows.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38088 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer string type confusion remote code execution attempt (browser-ie.rules)
 * 1:38089 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer string type confusion remote code execution attempt (browser-ie.rules)
 * 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38083 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GreCreateDisplayDC surface object use after free attempt (os-windows.rules)
 * 1:38084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GreCreateDisplayDC surface object use after free attempt (os-windows.rules)
 * 1:38081 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38079 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedded media player use after free attempt (browser-ie.rules)
 * 1:38080 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedded media player use after free attempt (browser-ie.rules)
 * 1:38077 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
 * 1:38078 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
 * 1:38075 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38076 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38073 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38074 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38071 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ValidateParentDepth out of bounds read attempt (os-windows.rules)
 * 1:38072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ValidateParentDepth out of bounds read attempt (os-windows.rules)
 * 1:38069 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38070 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38067 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38068 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GETDISPID invalid pointer access attempt (browser-ie.rules)
 * 1:38066 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GETDISPID invalid pointer access attempt (browser-ie.rules)
 * 1:38064 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:38061 <-> ENABLED <-> OS-WINDOWS Microsoft Windows rpdesk remote code execution attempt (os-windows.rules)
 * 1:38062 <-> ENABLED <-> OS-WINDOWS Microsoft Windows rpdesk remote code execution attempt (os-windows.rules)
 * 1:38063 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:38129 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38128 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38127 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38126 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CInput sliderdata object use after free attempt (browser-ie.rules)
 * 1:38122 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CInput sliderdata object use after free attempt (browser-ie.rules)
 * 1:38121 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:38120 <-> DISABLED <-> OS-WINDOWS Microsoft Windows EPOINTQF privilege escalation attempt (os-windows.rules)
 * 1:38118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml InsertRange out of bounds write access (browser-ie.rules)
 * 1:38119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows EPOINTQF privilege escalation attempt (os-windows.rules)
 * 1:38117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml InsertRange out of bounds write access (browser-ie.rules)
 * 1:38116 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keranger outbound connection attempt (malware-cnc.rules)
 * 1:38115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:38114 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 3:38087 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller insecure configuration wizard access attempt (server-webapp.rules)

Modified Rules:


 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:36702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:36701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)

2016-03-08 18:17:22 UTC

Snort Subscriber Rules Update

Date: 2016-03-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38129 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38128 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38127 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38126 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word ipdesign.dll ActiveX object access attempt (file-office.rules)
 * 1:38125 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38124 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Transport Stream Program Map Table Heap Overflow attempt (file-multimedia.rules)
 * 1:38123 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CInput sliderdata object use after free attempt (browser-ie.rules)
 * 1:38122 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CInput sliderdata object use after free attempt (browser-ie.rules)
 * 1:38121 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit search uri request attempt (exploit-kit.rules)
 * 1:38120 <-> DISABLED <-> OS-WINDOWS Microsoft Windows EPOINTQF privilege escalation attempt (os-windows.rules)
 * 1:38119 <-> DISABLED <-> OS-WINDOWS Microsoft Windows EPOINTQF privilege escalation attempt (os-windows.rules)
 * 1:38118 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml InsertRange out of bounds write access (browser-ie.rules)
 * 1:38117 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml InsertRange out of bounds write access (browser-ie.rules)
 * 1:38116 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Keranger outbound connection attempt (malware-cnc.rules)
 * 1:38115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:38114 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV mini redirector driver privilege escalation attempt (os-windows.rules)
 * 1:38113 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:38112 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:38111 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38110 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38109 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free (browser-ie.rules)
 * 1:38108 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CGeneratedTreeNode use-after-free (browser-ie.rules)
 * 1:38107 <-> DISABLED <-> BROWSER-IE Microsoft Edge LineBoxBuilder out-of-bound memory access attempt (browser-ie.rules)
 * 1:38106 <-> DISABLED <-> BROWSER-IE Microsoft Edge LineBoxBuilder out-of-bound memory access attempt (browser-ie.rules)
 * 1:38105 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules)
 * 1:38104 <-> DISABLED <-> INDICATOR-OBFUSCATION Javascript obfuscation double unescape (indicator-obfuscation.rules)
 * 1:38103 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:38102 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:38101 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38100 <-> ENABLED <-> FILE-OFFICE Microsoft Word wwlib.dll invalid pointer read attempt (file-office.rules)
 * 1:38099 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38098 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer TableCellLayoutArray use-after-free attempt (browser-ie.rules)
 * 1:38097 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bound write access attempt (browser-ie.rules)
 * 1:38096 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer out of bound write access attempt (browser-ie.rules)
 * 1:38095 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos remote code execution attempt (browser-ie.rules)
 * 1:38094 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos remote code execution attempt (browser-ie.rules)
 * 1:38093 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ObReferenceObjectByHandle function privilege escalation attempt (os-windows.rules)
 * 1:38092 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ObReferenceObjectByHandle function privilege escalation attempt (os-windows.rules)
 * 1:38091 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38090 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38089 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer string type confusion remote code execution attempt (browser-ie.rules)
 * 1:38088 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer string type confusion remote code execution attempt (browser-ie.rules)
 * 1:38086 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38085 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GreCreateDisplayDC surface object use after free attempt (os-windows.rules)
 * 1:38083 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GreCreateDisplayDC surface object use after free attempt (os-windows.rules)
 * 1:38082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38081 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer SetItem use after free attempt (browser-ie.rules)
 * 1:38080 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedded media player use after free attempt (browser-ie.rules)
 * 1:38079 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer embedded media player use after free attempt (browser-ie.rules)
 * 1:38078 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
 * 1:38077 <-> DISABLED <-> BROWSER-IE Microsoft Edge CPostScriptEvaluator out of bounds read attempt (browser-ie.rules)
 * 1:38076 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38075 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38074 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38073 <-> ENABLED <-> BROWSER-IE Microsoft Edge CAsyncTpWorker Windows.Data.Pdf.dll object use after free attempt (browser-ie.rules)
 * 1:38072 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ValidateParentDepth out of bounds read attempt (os-windows.rules)
 * 1:38071 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ValidateParentDepth out of bounds read attempt (os-windows.rules)
 * 1:38070 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38069 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38068 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38067 <-> ENABLED <-> BROWSER-IE Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38066 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GETDISPID invalid pointer access attempt (browser-ie.rules)
 * 1:38065 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer GETDISPID invalid pointer access attempt (browser-ie.rules)
 * 1:38064 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:38063 <-> ENABLED <-> FILE-OTHER Microsoft Windows atmfd.dll font driver malformed OTF file remote code execution attempt (file-other.rules)
 * 1:38062 <-> ENABLED <-> OS-WINDOWS Microsoft Windows rpdesk remote code execution attempt (os-windows.rules)
 * 1:38061 <-> ENABLED <-> OS-WINDOWS Microsoft Windows rpdesk remote code execution attempt (os-windows.rules)
 * 3:38087 <-> ENABLED <-> SERVER-WEBAPP Cisco WLAN Controller insecure configuration wizard access attempt (server-webapp.rules)

Modified Rules:


 * 1:31299 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection (malware-cnc.rules)
 * 1:36702 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)
 * 1:37280 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:37279 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:36701 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CEditEventSink navigate use after free attempt (browser-ie.rules)