Talos Rules 2017-08-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-0250: A coding deficiency exists in Microsoft JET Database Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43847 through 43848.

Microsoft Vulnerability CVE-2017-8625: Microsoft Internet Explorer suffers from programming errors that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 43851 through 43852.

Talos has also added and modified multiple rules in the file-identify, file-image, file-multimedia, file-office, file-other, file-pdf, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-08-08 18:11:14 UTC

Snort Subscriber Rules Update

Date: 2017-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43872 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43870 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43871 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43869 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43873 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43847 <-> ENABLED <-> FILE-OFFICE Microsoft Office Access Jet Database Engine integer overflow attempt (file-office.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43849 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestoreZipFile opcode command injection attempt (server-other.rules)
 * 1:43850 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman BackupZipFile opcode command injection attempt (server-other.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43851 <-> ENABLED <-> FILE-OTHER Microsoft Windows Device Guard bypass via compiled help file attempt (file-other.rules)
 * 1:43852 <-> ENABLED <-> FILE-OTHER Microsoft Windows Device Guard bypass via compiled help file attempt (file-other.rules)
 * 1:43853 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unpaired RTF dpendgroup buffer overflow attempt (file-office.rules)
 * 1:43854 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unpaired RTF dpendgroup buffer overflow attempt (file-office.rules)
 * 1:43865 <-> ENABLED <-> FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt (file-image.rules)
 * 1:43866 <-> ENABLED <-> FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt (file-image.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43848 <-> ENABLED <-> FILE-OFFICE Microsoft Office Access Jet Database Engine integer overflow attempt (file-office.rules)
 * 1:43868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 3:43863 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0393 attack attempt (file-image.rules)
 * 3:43864 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0371 attack attempt (policy-other.rules)
 * 3:43861 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0397 attack attempt (server-webapp.rules)
 * 3:43862 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0393 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43855 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0394 attack attempt (file-image.rules)
 * 3:43856 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0394 attack attempt (file-image.rules)

Modified Rules:


 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:40276 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
 * 1:40277 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:16716 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:42352 <-> DISABLED <-> FILE-PDF Poppler readProgressiveSOF out of bounds write attempt (file-pdf.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:42353 <-> DISABLED <-> FILE-PDF Poppler readProgressiveSOF out of bounds write attempt (file-pdf.rules)
 * 1:43151 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43152 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43153 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:22999 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows WMF file magic detected (file-identify.rules)
 * 1:43154 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43399 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:29646 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:24465 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows WMF file magic detected (file-identify.rules)
 * 3:43488 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0372 attack attempt (server-webapp.rules)

2017-08-08 18:11:14 UTC

Snort Subscriber Rules Update

Date: 2017-08-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:43880 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43879 <-> DISABLED <-> FILE-OTHER Adobe Professional EMF polygon heap buffer overflow attempt (file-other.rules)
 * 1:43878 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43877 <-> ENABLED <-> FILE-PDF Acrobat Reader PDFDocEncoding object WinAnsiEncoding memory corruption attempt (file-pdf.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:43874 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43873 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43872 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43871 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Professional malformed PCX memory corruption attempt (file-image.rules)
 * 1:43870 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43869 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43868 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43867 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF memory corruption attempt (file-pdf.rules)
 * 1:43866 <-> ENABLED <-> FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt (file-image.rules)
 * 1:43865 <-> ENABLED <-> FILE-IMAGE Adobe Reader EMF EMR_MOVETOEX memory corruption attempt (file-image.rules)
 * 1:43854 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unpaired RTF dpendgroup buffer overflow attempt (file-office.rules)
 * 1:43853 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unpaired RTF dpendgroup buffer overflow attempt (file-office.rules)
 * 1:43852 <-> ENABLED <-> FILE-OTHER Microsoft Windows Device Guard bypass via compiled help file attempt (file-other.rules)
 * 1:43851 <-> ENABLED <-> FILE-OTHER Microsoft Windows Device Guard bypass via compiled help file attempt (file-other.rules)
 * 1:43850 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman BackupZipFile opcode command injection attempt (server-other.rules)
 * 1:43849 <-> DISABLED <-> SERVER-OTHER HP Intelligent Management Center dbman RestoreZipFile opcode command injection attempt (server-other.rules)
 * 1:43848 <-> ENABLED <-> FILE-OFFICE Microsoft Office Access Jet Database Engine integer overflow attempt (file-office.rules)
 * 1:43847 <-> ENABLED <-> FILE-OFFICE Microsoft Office Access Jet Database Engine integer overflow attempt (file-office.rules)
 * 3:43864 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0371 attack attempt (policy-other.rules)
 * 3:43863 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0393 attack attempt (file-image.rules)
 * 3:43861 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0397 attack attempt (server-webapp.rules)
 * 3:43862 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0393 attack attempt (file-image.rules)
 * 3:43859 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43860 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43857 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43858 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0395 attack attempt (file-image.rules)
 * 3:43855 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0394 attack attempt (file-image.rules)
 * 3:43856 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0394 attack attempt (file-image.rules)

Modified Rules:


 * 1:39843 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 1:20486 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:22999 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows WMF file magic detected (file-identify.rules)
 * 1:16716 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:40277 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
 * 1:23670 <-> ENABLED <-> FILE-IDENTIFY RTF file magic detected (file-identify.rules)
 * 1:41399 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:41400 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader xfa subform use after free attempt (file-pdf.rules)
 * 1:42352 <-> DISABLED <-> FILE-PDF Poppler readProgressiveSOF out of bounds write attempt (file-pdf.rules)
 * 1:42353 <-> DISABLED <-> FILE-PDF Poppler readProgressiveSOF out of bounds write attempt (file-pdf.rules)
 * 1:43151 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43152 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43153 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43154 <-> DISABLED <-> SERVER-WEBAPP Trend Micro InterScan WSA PacFileManagement servlet command injection attempt (server-webapp.rules)
 * 1:43399 <-> DISABLED <-> FILE-IMAGE multiple products PNG processing buffer overflow attempt (file-image.rules)
 * 1:9801 <-> DISABLED <-> FILE-MULTIMEDIA Microsoft Windows Media Player or Explorer Malformed MIDI File DOS attempt (file-multimedia.rules)
 * 1:24465 <-> ENABLED <-> FILE-IDENTIFY Microsoft Windows WMF file magic detected (file-identify.rules)
 * 1:29646 <-> DISABLED <-> SERVER-WEBAPP SkyBlueCanvas CMS contact page command injection attempt (server-webapp.rules)
 * 1:40276 <-> DISABLED <-> SERVER-WEBAPP SugarCRM SugarRestSerialize.php PHP object injection attempt (server-webapp.rules)
 * 1:39844 <-> ENABLED <-> OS-WINDOWS Microsoft Windows gdiplus EMF EmrText out of bounds write attempt (os-windows.rules)
 * 3:43488 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0372 attack attempt (server-webapp.rules)