Talos Rules 2018-06-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0978: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46942 through 46943.

Microsoft Vulnerability CVE-2018-1036: A coding deficiency exists in NTFS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46955 through 46956.

Microsoft Vulnerability CVE-2018-8110: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46927 through 46928.

Microsoft Vulnerability CVE-2018-8111: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46929 through 46930.

Microsoft Vulnerability CVE-2018-8169: A coding deficiency exists in HIDParser that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46957 through 46958.

Microsoft Vulnerability CVE-2018-8208: A coding deficiency exists in Microsoft Windows Desktop Bridge that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46953 through 46954.

Microsoft Vulnerability CVE-2018-8210: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46055 through 46056 and 46058 through 46059.

Microsoft Vulnerability CVE-2018-8225: A coding deficiency exists in Microsoft Windows DNSAPI that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 46935.

Microsoft Vulnerability CVE-2018-8229: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46933 through 46934.

Microsoft Vulnerability CVE-2018-8233: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46938 through 46939.

Microsoft Vulnerability CVE-2018-8236: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

A previously released rule will detect attacks targeting these vulnerabilities and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 45628.

Microsoft Vulnerability CVE-2018-8248: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46940 through 46941.

Microsoft Vulnerability CVE-2018-8249: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46944 through 46945.

Microsoft Vulnerability CVE-2018-8251: A coding deficiency exists in Microsoft Media Foundation that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46947 through 46948.

Microsoft Vulnerability CVE-2018-8267: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 46951 through 46952.

Talos has also added and modified multiple rules in the browser-ie, file-flash, file-office, file-other, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-06-12 18:25:10 UTC

Snort Subscriber Rules Update

Date: 2018-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:46951 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46932 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46945 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46952 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46925 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46056 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46926 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46059 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46957 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46958 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46955 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46055 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSeoul variant payload download (malware-cnc.rules)
 * 1:46928 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46954 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46939 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46953 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46937 <-> DISABLED <-> INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt (indicator-compromise.rules)
 * 1:46942 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound connection (malware-cnc.rules)
 * 1:46946 <-> ENABLED <-> MALWARE-CNC Js.Downloader.Cryptojacking miner download attempt (malware-cnc.rules)
 * 1:46923 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46933 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46934 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46058 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46929 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46921 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup Login.pm command injection attempt (server-webapp.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:46931 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46924 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46956 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46922 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:46938 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46943 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46935 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNSAPI remote code execution attempt (os-windows.rules)
 * 1:46930 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:32965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)

2018-06-12 18:25:10 UTC

Snort Subscriber Rules Update

Date: 2018-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

New Rules:


 * 1:46951 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46953 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46939 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46926 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46055 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46952 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46955 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46957 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46958 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSeoul variant payload download (malware-cnc.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46929 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46056 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46928 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46931 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46930 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46954 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46932 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46924 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46946 <-> ENABLED <-> MALWARE-CNC Js.Downloader.Cryptojacking miner download attempt (malware-cnc.rules)
 * 1:46944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46945 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46942 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46943 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46938 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46921 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup Login.pm command injection attempt (server-webapp.rules)
 * 1:46935 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNSAPI remote code execution attempt (os-windows.rules)
 * 1:46936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound connection (malware-cnc.rules)
 * 1:46923 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46934 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46933 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46058 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46937 <-> DISABLED <-> INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt (indicator-compromise.rules)
 * 1:46949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46925 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46922 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:46956 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46059 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)

Modified Rules:


 * 1:32965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)

2018-06-12 18:25:10 UTC

Snort Subscriber Rules Update

Date: 2018-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

New Rules:


 * 1:46921 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup Login.pm command injection attempt (snort3-server-webapp.rules)
 * 1:46055 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (snort3-file-other.rules)
 * 1:46936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound connection (snort3-malware-cnc.rules)
 * 1:46951 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (snort3-browser-ie.rules)
 * 1:46957 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46956 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (snort3-os-windows.rules)
 * 1:46955 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (snort3-os-windows.rules)
 * 1:46953 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (snort3-os-windows.rules)
 * 1:46954 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (snort3-os-windows.rules)
 * 1:46946 <-> ENABLED <-> MALWARE-CNC Js.Downloader.Cryptojacking miner download attempt (snort3-malware-cnc.rules)
 * 1:46949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (snort3-file-flash.rules)
 * 1:46922 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (snort3-malware-cnc.rules)
 * 1:46926 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (snort3-server-other.rules)
 * 1:46942 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (snort3-file-other.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (snort3-browser-ie.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (snort3-file-other.rules)
 * 1:46959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSeoul variant payload download (snort3-malware-cnc.rules)
 * 1:46958 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (snort3-browser-ie.rules)
 * 1:46944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:46945 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:46058 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (snort3-file-other.rules)
 * 1:46056 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (snort3-file-other.rules)
 * 1:46933 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:46934 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:46923 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (snort3-server-other.rules)
 * 1:46937 <-> DISABLED <-> INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt (snort3-indicator-compromise.rules)
 * 1:46938 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:46939 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (snort3-file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (snort3-file-office.rules)
 * 1:46935 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNSAPI remote code execution attempt (snort3-os-windows.rules)
 * 1:46950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (snort3-file-flash.rules)
 * 1:46952 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (snort3-browser-ie.rules)
 * 1:46924 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (snort3-server-other.rules)
 * 1:46931 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (snort3-indicator-compromise.rules)
 * 1:46932 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (snort3-indicator-compromise.rules)
 * 1:46929 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (snort3-browser-ie.rules)
 * 1:46930 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (snort3-browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (snort3-browser-ie.rules)
 * 1:46928 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (snort3-browser-ie.rules)
 * 1:46059 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (snort3-file-other.rules)
 * 1:46943 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (snort3-file-other.rules)
 * 1:46925 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (snort3-server-other.rules)

Modified Rules:


 * 1:32965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (snort3-os-windows.rules)
 * 1:32966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (snort3-os-windows.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (snort3-file-office.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (snort3-file-office.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (snort3-os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (snort3-os-windows.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (snort3-file-flash.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (snort3-file-flash.rules)

2018-06-12 18:25:10 UTC

Snort Subscriber Rules Update

Date: 2018-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

New Rules:


 * 1:46951 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46952 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46921 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup Login.pm command injection attempt (server-webapp.rules)
 * 1:46922 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:46926 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46925 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46056 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46058 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46933 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46934 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46935 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNSAPI remote code execution attempt (os-windows.rules)
 * 1:46923 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound connection (malware-cnc.rules)
 * 1:46937 <-> DISABLED <-> INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt (indicator-compromise.rules)
 * 1:46938 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46939 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46942 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46943 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46945 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46946 <-> ENABLED <-> MALWARE-CNC Js.Downloader.Cryptojacking miner download attempt (malware-cnc.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46953 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46954 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:46959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSeoul variant payload download (malware-cnc.rules)
 * 1:46958 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46957 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46956 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46955 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46924 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46932 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46930 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46931 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46928 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46929 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46059 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46055 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)

Modified Rules:


 * 1:32965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:32966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)

2018-06-12 18:25:10 UTC

Snort Subscriber Rules Update

Date: 2018-06-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

New Rules:


 * 1:46934 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46933 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:46932 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46931 <-> DISABLED <-> INDICATOR-COMPROMISE dynamic Excel web query file download attempt (indicator-compromise.rules)
 * 1:46930 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46929 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:46928 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46927 <-> ENABLED <-> BROWSER-IE Microsoft Edge ClipPath out of bounds write attempt (browser-ie.rules)
 * 1:46926 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46925 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer font field buffer overflow attempt (server-other.rules)
 * 1:46924 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46923 <-> ENABLED <-> SERVER-OTHER Mitsubishi Electric E-Designer Status_bit buffer overflow attempt (server-other.rules)
 * 1:46922 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Fareit variant outbound connection (malware-cnc.rules)
 * 1:46921 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup Login.pm command injection attempt (server-webapp.rules)
 * 1:46059 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46058 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46056 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46055 <-> DISABLED <-> FILE-OTHER Microsoft wimgapi LoadIntegrityInfo heap buffer overflow attempt (file-other.rules)
 * 1:46950 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46949 <-> ENABLED <-> FILE-FLASH Adobe Flash Player out of bounds memory access attempt (file-flash.rules)
 * 1:46948 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46947 <-> DISABLED <-> BROWSER-IE Microsoft Edge Media Foundation use-after-free attempt (browser-ie.rules)
 * 1:46946 <-> ENABLED <-> MALWARE-CNC Js.Downloader.Cryptojacking miner download attempt (malware-cnc.rules)
 * 1:46945 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46944 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:46943 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46942 <-> ENABLED <-> FILE-OTHER Microsoft Windows .lnk shortcut file executing system32 executable attempt (file-other.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46939 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46938 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:46937 <-> DISABLED <-> INDICATOR-COMPROMISE Java ysoserial payload deserialization exploit attempt (indicator-compromise.rules)
 * 1:46936 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dropper outbound connection (malware-cnc.rules)
 * 1:46935 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DNSAPI remote code execution attempt (os-windows.rules)
 * 1:46953 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46952 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46951 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 JScript use-after-free attempt (browser-ie.rules)
 * 1:46956 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46955 <-> DISABLED <-> OS-WINDOWS Windows 10 access control privilege escalation attempt (os-windows.rules)
 * 1:46954 <-> ENABLED <-> OS-WINDOWS Microsoft OfficeHub object manager namespace privilege escalation attempt (os-windows.rules)
 * 1:46958 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46957 <-> DISABLED <-> OS-WINDOWS Microsoft Windows hidparse.sys privilege escalation attempt (os-windows.rules)
 * 1:46960 <-> DISABLED <-> FILE-OTHER Adobe Flash Player AMF0 Shared Object integer overflow attempt (file-other.rules)
 * 1:46959 <-> ENABLED <-> MALWARE-CNC Win.Trojan.DarkSeoul variant payload download (malware-cnc.rules)

Modified Rules:


 * 1:32965 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:32966 <-> DISABLED <-> OS-WINDOWS Microsoft Windows identity token authorization bypass attempt (os-windows.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46598 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)
 * 1:46599 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASnative MovieClip type confusion attempt (file-flash.rules)