Talos Rules 2016-09-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-104: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40073 through 40074, 40077 through 40078, 40084 through 40095, 40108 through 40109, 40132 through 40133, and 40146.

Microsoft Security Bulletin MS16-105: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40073 through 40074, 40098 through 40101, 40108 through 40109, 40123 through 40124, and 40134 through 40141.

Microsoft Security Bulletin MS16-106: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40096 through 40097 and 40112 through 40113.

Microsoft Security Bulletin MS16-107: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40075 through 40076, 40079 through 40080, 40082 through 40083, 40102 through 40107, 40116 through 40117, 40121 through 40122, 40142 through 40143, and 40147 through 40148.

Microsoft Security Bulletin MS16-110: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 40129.

Microsoft Security Bulletin MS16-111: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40110 through 40111, 40114 through 40115, and 40127 through 40128.

Microsoft Security Bulletin MS16-115: A coding deficiency exists in Microsoft Windows PDF library that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40144 through 40145.

Microsoft Security Bulletin MS16-116: A coding deficiency exists in Microsoft OLE Automation VBScript Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40149 through 40150.

Talos has added and modified multiple rules in the blacklist, browser-ie, deleted, file-identify, file-image, file-office, file-other, file-pdf, indicator-compromise, indicator-scan, malware-cnc, os-other, os-windows, policy-other, protocol-voip and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-09-13 18:13:37 UTC

Snort Subscriber Rules Update

Date: 2016-09-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
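A practical use of this format is to cross-check the coverage sentences in the release summary ("GID 1, SIDs 40073 through 40074, ...") against the change log, because "rules are included" does not mean "rules are enabled": several of the MS16-104 rules above (for example the Internet Explorer protected mode sandbox escape and Edge white-space rules) ship DISABLED and fire only if you enable them in your policy. The script below is an added example, not part of the Talos release or the Snort project; the change-log lines and coverage sentences it embeds are constructed samples copied in the wording this page uses, and the function names (parse_changelog, expand_sids, check_coverage) are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: change-log lines in the release's own
# "gid:sid <-> Default rule state <-> Message (rule group)" format.
SAMPLE_CHANGELOG = """\
 * 1:40073 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40074 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40077 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40108 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40109 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40129 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt (os-windows.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
"""

# Constructed sample: coverage sentences in the wording of the release summary.
# 40078 is deliberately absent from SAMPLE_CHANGELOG to show the "missing" case.
SAMPLE_COVERAGE = {
    "MS16-104": "GID 1, SIDs 40073 through 40074, 40077 through 40078, and 40108 through 40109.",
    "MS16-110": "GID 1, SID 40129.",
}

# One change-log entry: leading " * ", gid:sid, state, free-text message, "(group)" at the end.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)

# "40073 through 40074" or a lone "40146"
RANGE_RE = re.compile(r"(\d+)(?:\s+through\s+(\d+))?")


def parse_changelog(text: str) -> Dict[Tuple[int, int], dict]:
    """Map (gid, sid) -> {state, msg, group} for every well-formed change-log line."""
    rules: Dict[Tuple[int, int], dict] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, blank lines, "New Rules:" etc.
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def expand_sids(sentence: str) -> Tuple[int, List[int]]:
    """Turn 'GID 1, SIDs 40073 through 40074, and 40146.' into (1, [40073, 40074, 40146])."""
    gid_match = re.search(r"\bGID\s+(\d+)", sentence)
    if gid_match is None:
        raise ValueError("no GID in coverage sentence: %r" % sentence)
    gid = int(gid_match.group(1))
    # Only the text after the SID/SIDs keyword carries SIDs; this keeps the GID digit out.
    parts = re.split(r"\bSIDs?\b", sentence[gid_match.end():], maxsplit=1)
    if len(parts) < 2:
        raise ValueError("no SID list in coverage sentence: %r" % sentence)
    sids: List[int] = []
    for lo, hi in RANGE_RE.findall(parts[1]):
        start, end = int(lo), int(hi) if hi else int(lo)
        sids.extend(range(start, end + 1))
    return gid, sids


def check_coverage(coverage: Dict[str, str], rules: Dict[Tuple[int, int], dict]) -> Dict[str, dict]:
    """Per bulletin: which referenced SIDs are enabled by default, disabled, or not in the log."""
    report = {}
    for bulletin, sentence in coverage.items():
        gid, sids = expand_sids(sentence)
        state = lambda s: rules.get((gid, s), {}).get("state")
        report[bulletin] = {
            "enabled": [s for s in sids if state(s) == "ENABLED"],
            "disabled": [s for s in sids if state(s) == "DISABLED"],
            "missing": [s for s in sids if state(s) is None],
        }
    return report


if __name__ == "__main__":
    for bulletin, r in check_coverage(SAMPLE_COVERAGE, parse_changelog(SAMPLE_CHANGELOG)).items():
        print(bulletin, "enabled:", r["enabled"], "disabled:", r["disabled"], "missing:", r["missing"])
```

Run against the full change log on this page and its summary sentences, the "disabled" column is the list of SIDs you need to turn on (or confirm your policy layer turns on) before the coverage described for a bulletin is actually active; "missing" flags a summary SID that never appears in the change log, which is worth raising with the rule vendor.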

New Rules:


 * 1:40106 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40104 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40102 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40100 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt (browser-ie.rules)
 * 1:40097 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt (os-windows.rules)
 * 1:40096 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt (os-windows.rules)
 * 1:40091 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineOverline property use (indicator-compromise.rules)
 * 1:40092 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineThrough property use (indicator-compromise.rules)
 * 1:40088 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineUnderline property use (indicator-compromise.rules)
 * 1:37676 <-> DISABLED <-> DELETED SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (deleted.rules)
 * 1:40148 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt (file-office.rules)
 * 1:40137 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40084 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationBlink property use (indicator-compromise.rules)
 * 1:40082 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt (file-office.rules)
 * 1:40083 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt (file-office.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules)
 * 1:40081 <-> ENABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules)
 * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules)
 * 1:40078 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40077 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40075 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt (file-office.rules)
 * 1:40076 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt (file-office.rules)
 * 1:40074 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
 * 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
 * 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
 * 1:40144 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt  (browser-ie.rules)
 * 1:40143 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow (file-office.rules)
 * 1:40147 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt (file-office.rules)
 * 1:40145 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt  (browser-ie.rules)
 * 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40139 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40140 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:40141 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
 * 1:40073 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40142 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow (file-office.rules)
 * 1:40085 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineNone property use (indicator-compromise.rules)
 * 1:40086 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineOverline property use (indicator-compromise.rules)
 * 1:40087 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineThrough property use (indicator-compromise.rules)
 * 1:40089 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationBlink property use (indicator-compromise.rules)
 * 1:40090 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineNone property use (indicator-compromise.rules)
 * 1:40093 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineUnderline property use (indicator-compromise.rules)
 * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules)
 * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules)
 * 1:40098 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40099 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40101 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt (browser-ie.rules)
 * 1:40107 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40103 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40105 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40108 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40109 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40110 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt (os-windows.rules)
 * 1:40111 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt (os-windows.rules)
 * 1:40112 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt (os-windows.rules)
 * 1:40113 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt (os-windows.rules)
 * 1:40114 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 privilege escalation attempt (os-windows.rules)
 * 1:40115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 privilege escalation attempt (os-windows.rules)
 * 1:40116 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40117 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40118 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file download request (file-identify.rules)
 * 1:40119 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
 * 1:40120 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40121 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40138 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40122 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40127 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt (os-windows.rules)
 * 1:40128 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt (os-windows.rules)
 * 1:40135 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40136 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40129 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt (os-windows.rules)
 * 1:40132 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40133 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40134 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 3:40125 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-other.rules)
 * 3:40072 <-> ENABLED <-> MALWARE-CNC Cisco ASA backdoor installer inbound connection attempt (malware-cnc.rules)
 * 3:40131 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Assurance session ID privilege escalation attempt (policy-other.rules)
 * 3:40126 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-other.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:29441 <-> ENABLED <-> PROTOCOL-VOIP CISCO Telepresence VCS SIP denial of service attempt (protocol-voip.rules)

Modified Rules:


 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
 * 3:38323 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38326 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38325 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38324 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:31984 <-> ENABLED <-> OS-OTHER Cisco IOS mDNS malformed rrlength denial of service attempt (os-other.rules)
 * 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
 * 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
 * 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)

2016-09-13 18:13:37 UTC

Snort Subscriber Rules Update

Date: 2016-09-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40083 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt (file-office.rules)
 * 1:40081 <-> ENABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules)
 * 1:40082 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt (file-office.rules)
 * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules)
 * 1:40077 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40078 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40075 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt (file-office.rules)
 * 1:40076 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt (file-office.rules)
 * 1:40073 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40074 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
 * 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
 * 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
 * 1:37676 <-> DISABLED <-> DELETED SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (deleted.rules)
 * 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
 * 1:40084 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationBlink property use (indicator-compromise.rules)
 * 1:40085 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineNone property use (indicator-compromise.rules)
 * 1:40086 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineOverline property use (indicator-compromise.rules)
 * 1:40087 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineThrough property use (indicator-compromise.rules)
 * 1:40088 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineUnderline property use (indicator-compromise.rules)
 * 1:40089 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationBlink property use (indicator-compromise.rules)
 * 1:40090 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineNone property use (indicator-compromise.rules)
 * 1:40091 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineOverline property use (indicator-compromise.rules)
 * 1:40092 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineThrough property use (indicator-compromise.rules)
 * 1:40093 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineUnderline property use (indicator-compromise.rules)
 * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules)
 * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules)
 * 1:40096 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt (os-windows.rules)
 * 1:40097 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt (os-windows.rules)
 * 1:40098 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40099 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40100 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt (browser-ie.rules)
 * 1:40101 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt (browser-ie.rules)
 * 1:40102 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40103 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40104 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40105 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40106 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40107 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40108 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40109 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40110 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt (os-windows.rules)
 * 1:40111 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt (os-windows.rules)
 * 1:40112 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt (os-windows.rules)
 * 1:40113 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt (os-windows.rules)
 * 1:40114 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 privilege escalation attempt (os-windows.rules)
 * 1:40115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 privilege escalation attempt (os-windows.rules)
 * 1:40116 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40117 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40118 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file download request (file-identify.rules)
 * 1:40119 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
 * 1:40120 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
 * 1:40121 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40122 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40127 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt (os-windows.rules)
 * 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40148 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt (file-office.rules)
 * 1:40147 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt (file-office.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:40145 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt  (browser-ie.rules)
 * 1:40144 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt  (browser-ie.rules)
 * 1:40143 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow (file-office.rules)
 * 1:40142 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow (file-office.rules)
 * 1:40141 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40140 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40139 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40138 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40137 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40136 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40134 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40135 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40133 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40132 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40129 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt (os-windows.rules)
 * 1:40128 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt (os-windows.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:40131 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Assurance session ID privilege escalation attempt (policy-other.rules)
 * 3:40125 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-other.rules)
 * 3:40126 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-other.rules)
 * 3:29441 <-> ENABLED <-> PROTOCOL-VOIP CISCO Telepresence VCS SIP denial of service attempt (protocol-voip.rules)
 * 3:40072 <-> ENABLED <-> MALWARE-CNC Cisco ASA backdoor installer inbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:38325 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38326 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38323 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38324 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
 * 3:31984 <-> ENABLED <-> OS-OTHER Cisco IOS mDNS malformed rrlength denial of service attempt (os-other.rules)
 * 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
 * 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
 * 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)

2016-09-13 18:13:37 UTC

Snort Subscriber Rules Update

Date: 2016-09-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40150 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML IDispatch use after free attempt (browser-ie.rules)
 * 1:40148 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt (file-office.rules)
 * 1:40147 <-> ENABLED <-> FILE-OFFICE Microsoft Office PowerPoint ppcore invalid pointer reference attempt (file-office.rules)
 * 1:40146 <-> DISABLED <-> BROWSER-IE Microsoft Edge malformed response information disclosure attempt (browser-ie.rules)
 * 1:40145 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt  (browser-ie.rules)
 * 1:40144 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF out-of-bounds Crypt Filter length attempt  (browser-ie.rules)
 * 1:40143 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow (file-office.rules)
 * 1:40142 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint bogus JPEG marker length heap buffer overflow (file-office.rules)
 * 1:40141 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40140 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40139 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40138 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40137 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40136 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40135 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40134 <-> ENABLED <-> BROWSER-IE  Microsoft Edge HTML normalize caption memory corruption attempt (browser-ie.rules)
 * 1:40133 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40132 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40129 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server lsass.exe memory corruption attempt (os-windows.rules)
 * 1:40128 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt (os-windows.rules)
 * 1:40127 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 and 8.1 registry key privilege escalation attempt (os-windows.rules)
 * 1:40124 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40123 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40122 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40121 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40120 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
 * 1:40119 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file attachment detected (file-identify.rules)
 * 1:40118 <-> ENABLED <-> FILE-IDENTIFY Microsoft Excel XLSB file download request (file-identify.rules)
 * 1:40117 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40116 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 privilege escalation attempt (os-windows.rules)
 * 1:40114 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 privilege escalation attempt (os-windows.rules)
 * 1:40113 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt (os-windows.rules)
 * 1:40112 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 GDI privilege escalation attempt (os-windows.rules)
 * 1:40111 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt (os-windows.rules)
 * 1:40110 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Server Ntoskrnl concurrent login attempt (os-windows.rules)
 * 1:40109 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40108 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer font element out of bounds read attempt (browser-ie.rules)
 * 1:40107 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40106 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40105 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40104 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40103 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40102 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:40101 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt (browser-ie.rules)
 * 1:40100 <-> DISABLED <-> BROWSER-IE Microsoft Edge PDF PostScript calculator out of bounds read attempt (browser-ie.rules)
 * 1:40099 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40098 <-> ENABLED <-> BROWSER-IE Microsoft Edge proxy object type confusion attempt (browser-ie.rules)
 * 1:40097 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt (os-windows.rules)
 * 1:40096 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 7 Win32k ValidateZorder privilege escalation attempt (os-windows.rules)
 * 1:40095 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules)
 * 1:40094 <-> DISABLED <-> INDICATOR-SCAN Microsoft Internet Explorer AnchorElement information disclosure attempt (indicator-scan.rules)
 * 1:40093 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineUnderline property use (indicator-compromise.rules)
 * 1:40092 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineThrough property use (indicator-compromise.rules)
 * 1:40091 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineOverline property use (indicator-compromise.rules)
 * 1:40090 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineNone property use (indicator-compromise.rules)
 * 1:40089 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationBlink property use (indicator-compromise.rules)
 * 1:40088 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineUnderline property use (indicator-compromise.rules)
 * 1:40087 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineThrough property use (indicator-compromise.rules)
 * 1:40086 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineOverline property use (indicator-compromise.rules)
 * 1:40085 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationLineNone property use (indicator-compromise.rules)
 * 1:40084 <-> DISABLED <-> INDICATOR-COMPROMISE TextDecorationBlink property use (indicator-compromise.rules)
 * 1:40083 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt (file-office.rules)
 * 1:40082 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel Ordinal43 out of bounds read attempt (file-office.rules)
 * 1:40081 <-> ENABLED <-> BLACKLIST User-Agent known PUA user-agent string - TopTools100 (blacklist.rules)
 * 1:40080 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules)
 * 1:40079 <-> ENABLED <-> FILE-OFFICE Microsoft Office Visio visdlgu.dll dll-load exploit attempt (file-office.rules)
 * 1:40078 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40077 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer protected mode sandbox escape attempt (browser-ie.rules)
 * 1:40076 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt (file-office.rules)
 * 1:40075 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel LPenHelper out of bounds write attempt (file-office.rules)
 * 1:40074 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40073 <-> DISABLED <-> BROWSER-IE Microsoft Edge white-space information disclosure attempt (browser-ie.rules)
 * 1:40071 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
 * 1:40070 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System latest.php SQL injection attempt (server-webapp.rules)
 * 1:40069 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
 * 1:40068 <-> DISABLED <-> SERVER-WEBAPP Zabbix Network Monitoring System jsrpc.php SQL injection attempt (server-webapp.rules)
 * 1:37676 <-> DISABLED <-> DELETED SERVER-OTHER Cisco ASA IKEv2 invalid fragment length heap buffer overflow attempt (deleted.rules)
 * 3:29441 <-> ENABLED <-> PROTOCOL-VOIP CISCO Telepresence VCS SIP denial of service attempt (protocol-voip.rules)
 * 3:40072 <-> ENABLED <-> MALWARE-CNC Cisco ASA backdoor installer inbound connection attempt (malware-cnc.rules)
 * 3:40125 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-other.rules)
 * 3:40126 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2016-0197 attack attempt (file-other.rules)
 * 3:40130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:40131 <-> ENABLED <-> POLICY-OTHER Cisco Prime Collaboration Assurance session ID privilege escalation attempt (policy-other.rules)

Modified Rules:

 * 3:26877 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TCPRecomputeMss denial of service attempt (os-windows.rules)
 * 3:33053 <-> ENABLED <-> OS-WINDOWS Microsoft RADIUS Server invalid access-request username denial of service attempt (os-windows.rules)
 * 3:31984 <-> ENABLED <-> OS-OTHER Cisco IOS mDNS malformed rrlength denial of service attempt (os-other.rules)
 * 3:16343 <-> ENABLED <-> FILE-PDF obfuscated header in PDF (file-pdf.rules)
 * 3:16222 <-> ENABLED <-> FILE-IMAGE Malformed BMP dimensions arbitrary code execution attempt (file-image.rules)
 * 3:37675 <-> ENABLED <-> SERVER-OTHER Cisco ASA invalid fragment length heap buffer overflow attempt (server-other.rules)
 * 3:38323 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38324 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38325 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:38326 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-CAN-0093 attack attempt (file-other.rules)
 * 3:13676 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf filename buffer overflow attempt (os-windows.rules)
 * 3:23180 <-> ENABLED <-> FILE-PDF obfuscated header in PDF attachment (file-pdf.rules)