Talos Rules 2016-06-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-063: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 20258.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 20258, 39207 through 39208, 39227, 39230 through 39231, 39234 through 39235, and 39242 through 39259.

Microsoft Security Bulletin MS16-068: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39199 through 39200, 39205 through 39206, 39219 through 39220, 39228 through 39229, 39232 through 39233, and 39238 through 39239.

Microsoft Security Bulletin MS16-069: A coding deficiency exists in Microsoft Jscript and VBScript that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39211 through 39212 and 39236 through 39237.

Microsoft Security Bulletin MS16-070: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39203 through 39204 and 39221 through 39224.

Microsoft Security Bulletin MS16-073: A coding deficiency exists in Microsoft Kernel Mode Drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39193 through 39196 and 39217 through 39218.

Microsoft Security Bulletin MS16-074: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39209 through 39210, 39260 through 39261, and 39266 through 39267.

Microsoft Security Bulletin MS16-075: A coding deficiency exists in Microsoft Windows SMB Server that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39213 through 39216.

Microsoft Security Bulletin MS16-077: A coding deficiency exists in Microsoft Web Proxy Autodiscovery (WPAD) that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 39227.

Microsoft Security Bulletin MS16-078: A coding deficiency exists in Microsoft Windows Diagnostic Hub that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39225 through 39226.

Talos has added and modified multiple rules in the browser-ie, file-flash, file-image, file-office, file-other, malware-cnc, os-windows, pua-toolbars and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-06-14 19:09:50 UTC

Snort Subscriber Rules Update

Date: 2016-06-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39218 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39222 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39217 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules)
 * 1:39213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39211 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39193 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules)
 * 1:39238 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39196 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39260 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39261 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39232 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39231 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39230 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39228 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39229 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39224 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39205 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39197 <-> DISABLED <-> SERVER-WEBAPP AirTies RT hardcoded credentials login attempt (server-webapp.rules)
 * 1:39207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39189 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
 * 1:39201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39233 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39203 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39200 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39204 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39206 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39221 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39223 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39199 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39266 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39267 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:39226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39237 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39236 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39241 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39194 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39240 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39195 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39239 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:39262 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39263 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39264 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39265 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)

Modified Rules:

 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39173 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.BlackShades Crypter outbound connection (malware-cnc.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)

2016-06-14 19:09:50 UTC

Snort Subscriber Rules Update

Date: 2016-06-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39193 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39196 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39232 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39230 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39231 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39228 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39229 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39224 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39205 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39197 <-> DISABLED <-> SERVER-WEBAPP AirTies RT hardcoded credentials login attempt (server-webapp.rules)
 * 1:39215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39218 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39221 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39260 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39261 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39222 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39266 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39267 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39211 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39223 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39206 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39203 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39204 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39200 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39199 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules)
 * 1:39189 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
 * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39217 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39233 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39236 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39237 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39238 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39239 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39240 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39241 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39195 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39194 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:39262 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39263 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39264 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39265 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)

Modified Rules:

 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39173 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.BlackShades Crypter outbound connection (malware-cnc.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)

2016-06-14 19:09:50 UTC

Snort Subscriber Rules Update

Date: 2016-06-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39241 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39239 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39240 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39238 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39236 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39237 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39233 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39232 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:39224 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39223 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39221 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39222 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39217 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39218 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39211 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39206 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39204 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39203 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39200 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39196 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39193 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules)
 * 1:39194 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39195 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39197 <-> DISABLED <-> SERVER-WEBAPP AirTies RT hardcoded credentials login attempt (server-webapp.rules)
 * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules)
 * 1:39199 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39205 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39228 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39229 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39230 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39231 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39267 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39266 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39261 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39260 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39189 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:39262 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39263 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39264 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39265 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)

Modified Rules:


 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39173 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.BlackShades Crypter outbound connection (malware-cnc.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)

2016-06-14 19:09:50 UTC

Snort Subscriber Rules Update

Date: 2016-06-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
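A small parser for that line format, added here as an example (it is not part of the Talos release notes or the Snort distribution). It turns the "New Rules" / "Modified Rules" lists into records so you can pull out the SIDs that ship DISABLED by default, which is the practical question after every rule update: those rules never fire unless you enable them yourself. The sample text is a handful of lines constructed in the shape of the lists on this page; point the parser at the full page text to process a whole release.

```python
import re
from collections import Counter

# Constructed sample in the shape of the update notes (a few lines only).
SAMPLE = """\
New Rules:


 * 1:39204 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39203 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 3:39262 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)

Modified Rules:


 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
"""

# One rule line: " * gid:sid <-> STATE <-> message (group.rules)"
RULE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.+?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
SECTION_RE = re.compile(r"^(New|Modified) Rules:\s*$")


def parse_update(text):
    """Return one dict per rule line, tagged with the section it appeared in.

    Lines that are not rule entries (dates, headers, blank lines) are skipped.
    GID 1 entries are text rules; GID 3 entries are shared-object rules.
    """
    rules = []
    section = None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["gid"] = int(rec["gid"])
        rec["sid"] = int(rec["sid"])
        rec["section"] = section
        rules.append(rec)
    return rules


def disabled_by_default(rules, section="New"):
    """gid:sid strings for rules in the given section that ship DISABLED."""
    picked = [r for r in rules if r["section"] == section and r["state"] == "DISABLED"]
    return [f"{r['gid']}:{r['sid']}" for r in sorted(picked, key=lambda r: (r["gid"], r["sid"]))]


def count_by_group(rules):
    """How many entries landed in each rule file, e.g. browser-ie.rules."""
    return Counter(r["group"] for r in rules)


def find(rules, keyword):
    """Rules whose message mentions keyword (case-insensitive), as gid:sid strings."""
    kw = keyword.lower()
    return [f"{r['gid']}:{r['sid']}" for r in rules if kw in r["msg"].lower()]


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("disabled new rules:", disabled_by_default(parsed))
    print("per group:", dict(count_by_group(parsed)))
    print("WPAD-related:", find(parsed, "wpad"))
```

Rules listed as DISABLED are a deliberate trade-off by the rule authors (usually false-positive risk or cost), so review the output against what you actually run (Office documents in transit, an exposed WebDAV or WPAD path) before enabling anything wholesale.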

New Rules:


 * 1:39267 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39266 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GdiPlus malformed EMF file out of bounds read attempt (os-windows.rules)
 * 1:39261 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39260 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39241 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39240 <-> DISABLED <-> FILE-FLASH Neutrino Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39239 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39238 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed PDF JPEG2000 object out of bounds memory access attempt (browser-ie.rules)
 * 1:39237 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39236 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine buffer overflow attempt (browser-ie.rules)
 * 1:39235 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39234 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer tagged integer type confusion attempt (browser-ie.rules)
 * 1:39233 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39232 <-> ENABLED <-> BROWSER-IE Microsoft Edge Content Security Policy bypass attempt (browser-ie.rules)
 * 1:39231 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39230 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CSS link element use-after-free attempt (browser-ie.rules)
 * 1:39229 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39228 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF Color Space out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39227 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WPAD spoofing attempt (os-windows.rules)
 * 1:39226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub directory traversal attempt (os-windows.rules)
 * 1:39224 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39223 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed XLS out of bounds memory read attempt (file-office.rules)
 * 1:39222 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39221 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word mso.dll subcomponent use after free attempt (file-office.rules)
 * 1:39220 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39219 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:39218 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39217 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys NtGdiExtFloodFill use after free attempt (os-windows.rules)
 * 1:39216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WebDAV NTLM reflection attack attempt (os-windows.rules)
 * 1:39212 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39211 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript out of bounds memory access remote code execution attempt (browser-ie.rules)
 * 1:39210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows sandbox ProcessFontDisablePolicy check bypass attempt (os-windows.rules)
 * 1:39208 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39207 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer drag and drop API remote code execution attempt (browser-ie.rules)
 * 1:39206 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39205 <-> ENABLED <-> BROWSER-IE Microsoft Edge PDF reader out of bounds memory access attempt (browser-ie.rules)
 * 1:39204 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39203 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word wwlib.dll out of bounds read attempt (file-office.rules)
 * 1:39202 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript csession close use after free attempt (browser-ie.rules)
 * 1:39200 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39199 <-> ENABLED <-> BROWSER-IE Microsoft Edge class object confusion attempt (browser-ie.rules)
 * 1:39198 <-> DISABLED <-> SERVER-WEBAPP D-Link authentication bypass attempt (server-webapp.rules)
 * 1:39197 <-> DISABLED <-> SERVER-WEBAPP AirTies RT hardcoded credentials login attempt (server-webapp.rules)
 * 1:39196 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39195 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39194 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39193 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys MakeWindowForegroundWithState null pointer dereference attempt (os-windows.rules)
 * 1:39192 <-> ENABLED <-> SERVER-WEBAPP D-Link router unauthorised DNS change attempt (server-webapp.rules)
 * 1:39191 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39190 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:39189 <-> ENABLED <-> PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection (pua-toolbars.rules)
 * 3:39262 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39263 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39264 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)
 * 3:39265 <-> ENABLED <-> FILE-FLASH TRUFFLEHUNTER TALOS-CAN-0165 attack attempt (file-flash.rules)

Modified Rules:


 * 1:39112 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:20258 <-> DISABLED <-> OS-WINDOWS Microsoft generic javascript handler in URI XSS attempt (os-windows.rules)
 * 1:39113 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39114 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39115 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39136 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39137 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39138 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39139 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39140 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39141 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39142 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39143 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif ModifyDate metadata memory corruption attempt (file-image.rules)
 * 1:39144 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39145 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39146 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39147 <-> DISABLED <-> FILE-IMAGE Adobe Pro DC Exif Software metadata memory corruption attempt (file-image.rules)
 * 1:39173 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.BlackShades Crypter outbound connection (malware-cnc.rules)