Talos Rules 2018-09-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-8367: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47734 through 47735.

Microsoft Vulnerability CVE-2018-8391: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47736 through 47737.

Microsoft Vulnerability CVE-2018-8410: A coding deficiency exists in Microsoft Windows Registry that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47745 through 47746.

Microsoft Vulnerability CVE-2018-8420: A coding deficiency exists in MS XML that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47747 through 47748.

Microsoft Vulnerability CVE-2018-8440: A coding deficiency exists in Microsoft Windows ALPC that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 47702 through 47703.

Microsoft Vulnerability CVE-2018-8442: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47717 through 47718.

Microsoft Vulnerability CVE-2018-8447: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47730 through 47731.

Microsoft Vulnerability CVE-2018-8449: A coding deficiency exists in Microsoft Device Guard that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47740 through 47741.

Microsoft Vulnerability CVE-2018-8456: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2018-8459: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47732 through 47733.

Microsoft Vulnerability CVE-2018-8461: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47738 through 47739.

Microsoft Vulnerability CVE-2018-8464: A coding deficiency exists in Microsoft Edge PDF that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42311 through 42312.

Microsoft Vulnerability CVE-2018-8466: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-8467: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47742 through 47743.

Microsoft Vulnerability CVE-2018-8470: A coding deficiency exists in Microsoft Internet Explorer that may lead to a security feature bypass.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 47761.

Talos has also added and modified multiple rules in the browser-ie, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-09-11 17:45:58 UTC

Snort Subscriber Rules Update

Date: 2018-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
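To make practical use of the SID ranges cited in the advisory above and of the change-log format just described, here is an added example (not Talos code) that parses the `gid:sid <-> state <-> message (group)` entries, checks that every SID an advisory paragraph cites appears under New Rules (or under Modified Rules when the paragraph says the coverage was previously released), and lists the cited rules that ship DISABLED by default. The advisory and change-log excerpts inside the block are constructed from this release, with one entry (1:47741) deliberately left out to show what a miss looks like.

```python
"""Cross-check advisory SID citations against a Snort rules change log.

Added example, not Talos code. ADVISORY and CHANGELOG are short excerpts
constructed from the 2018-09-11 release; 1:47741 is deliberately omitted
from CHANGELOG so that the check reports it.
"""
import re
from dataclasses import dataclass

# One change-log entry: " * 1:47734 <-> ENABLED <-> BROWSER-IE ... (browser-ie.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)
# Advisory citation: "GID 1, SIDs 47734 through 47735" or "GID 1, SID 47761"
CITE_RE = re.compile(r"GID (?P<gid>\d+), SIDs? (?P<lo>\d+)(?: through (?P<hi>\d+))?")
CVE_RE = re.compile(r"CVE-\d{4}-\d+")

ADVISORY = """\
Microsoft Vulnerability CVE-2018-8367: Microsoft Chakra Scripting Engine remote code execution.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47734 through 47735.
Microsoft Vulnerability CVE-2018-8410: Microsoft Windows Registry escalation of privilege.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47745 through 47746.
Microsoft Vulnerability CVE-2018-8440: Microsoft Windows ALPC escalation of privilege.
Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 47702 through 47703.
Microsoft Vulnerability CVE-2018-8449: Microsoft Device Guard security feature bypass.
Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47740 through 47741.
Microsoft Vulnerability CVE-2018-8470: Microsoft Internet Explorer security feature bypass.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 47761.
"""

CHANGELOG = """\
New Rules:

 * 1:47735 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47734 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47740 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47745 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47761 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt (browser-ie.rules)

Modified Rules:

 * 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
"""


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str
    msg: str
    group: str


def parse_changelog(text):
    """Return {"new": {(gid, sid): Rule}, "modified": {...}} from change-log text."""
    sections = {"new": {}, "modified": {}}
    current = None
    for line in text.splitlines():
        if line.strip() == "New Rules:":
            current = "new"
        elif line.strip() == "Modified Rules:":
            current = "modified"
        elif current and (m := ENTRY_RE.match(line)):
            r = Rule(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"])
            sections[current][(r.gid, r.sid)] = r
    return sections


def parse_advisory(text):
    """Return [(cve, expected_section, [(gid, sid), ...])] for each citation."""
    out, cve = [], None
    for para in text.splitlines():
        if m := CVE_RE.search(para):
            cve = m.group(0)  # the CVE paragraph precedes its rules paragraph
        for c in CITE_RE.finditer(para):
            lo, hi = int(c["lo"]), int(c["hi"] or c["lo"])
            section = "modified" if "Previously released" in para else "new"
            out.append((cve, section, [(int(c["gid"]), s) for s in range(lo, hi + 1)]))
    return out


def cross_check(advisory_text, changelog_text):
    """Return {cve: [problem, ...]} for cited SIDs not found where the advisory says."""
    log = parse_changelog(changelog_text)
    problems = {}
    for cve, section, keys in parse_advisory(advisory_text):
        for gid, sid in keys:
            if (gid, sid) in log[section]:
                continue
            other = "modified" if section == "new" else "new"
            where = f"listed under {other}" if (gid, sid) in log[other] else "absent from change log"
            problems.setdefault(cve, []).append(f"{gid}:{sid} expected in {section} rules, {where}")
    return problems


def disabled_by_default(advisory_text, changelog_text):
    """Return {cve: [sid, ...]} for cited rules whose default state is DISABLED.

    "Included in this release" does not mean "firing": a DISABLED rule only
    alerts once the operator enables it, so review this list before relying
    on the release for coverage of a given CVE.
    """
    log = parse_changelog(changelog_text)
    all_rules = {**log["new"], **log["modified"]}
    out = {}
    for cve, _section, keys in parse_advisory(advisory_text):
        sids = [sid for key in keys if key in all_rules and all_rules[key].state == "DISABLED"
                for sid in (key[1],)]
        if sids:
            out[cve] = sorted(sids)
    return out


if __name__ == "__main__":
    print("citation problems:", cross_check(ADVISORY, CHANGELOG))
    print("disabled by default:", disabled_by_default(ADVISORY, CHANGELOG))
```

Feed the full advisory and the change log for the Snort version you run; rules that land under a different default state per version (Snort 3 file names differ, as the later change logs show) are still matched by gid:sid.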

New Rules:


 * 1:47744 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CustomerPortalService.pm command injection attempt (server-webapp.rules)
 * 1:47743 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47742 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47741 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47740 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47737 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47736 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47735 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47734 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47733 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47732 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47726 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47725 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47724 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47723 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.MysteryBot outbound connection (malware-cnc.rules)
 * 1:47718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47761 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt (browser-ie.rules)
 * 1:47748 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47747 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47745 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 3:47716 <-> ENABLED <-> SERVER-WEBAPP HP Client Automation Server directory traversal attempt (server-webapp.rules)
 * 3:47721 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)
 * 3:47722 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)
 * 3:47727 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47728 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47729 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0659 attack attempt (server-other.rules)
 * 3:47750 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47751 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47755 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47758 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47762 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47763 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)

Modified Rules:


 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

2018-09-11 17:45:58 UTC

Snort Subscriber Rules Update

Date: 2018-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47742 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47740 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47743 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47726 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47741 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47733 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47761 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt (browser-ie.rules)
 * 1:47735 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47725 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47736 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47737 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47732 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47723 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.MysteryBot outbound connection (malware-cnc.rules)
 * 1:47738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47724 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47748 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47734 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47747 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47744 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CustomerPortalService.pm command injection attempt (server-webapp.rules)
 * 1:47745 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 3:47727 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47763 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47722 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)
 * 3:47758 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47729 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0659 attack attempt (server-other.rules)
 * 3:47762 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47728 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47750 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47755 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47751 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47716 <-> ENABLED <-> SERVER-WEBAPP HP Client Automation Server directory traversal attempt (server-webapp.rules)
 * 3:47757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47721 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)

Modified Rules:


 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

2018-09-11 17:45:58 UTC

Snort Subscriber Rules Update

Date: 2018-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47740 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (snort3-os-windows.rules)
 * 1:47744 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CustomerPortalService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47723 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.MysteryBot outbound connection (snort3-malware-cnc.rules)
 * 1:47724 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (snort3-server-other.rules)
 * 1:47726 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (snort3-server-other.rules)
 * 1:47738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:47736 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (snort3-browser-ie.rules)
 * 1:47734 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (snort3-browser-ie.rules)
 * 1:47725 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (snort3-server-other.rules)
 * 1:47730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:47747 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (snort3-browser-ie.rules)
 * 1:47731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:47741 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (snort3-os-windows.rules)
 * 1:47732 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (snort3-browser-ie.rules)
 * 1:47718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:47746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (snort3-os-windows.rules)
 * 1:47743 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (snort3-browser-ie.rules)
 * 1:47735 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (snort3-browser-ie.rules)
 * 1:47742 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (snort3-browser-ie.rules)
 * 1:47739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:47761 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt (snort3-browser-ie.rules)
 * 1:47745 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (snort3-os-windows.rules)
 * 1:47737 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (snort3-browser-ie.rules)
 * 1:47748 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (snort3-browser-ie.rules)
 * 1:47733 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (snort3-browser-ie.rules)
 * 1:47717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (snort3-file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (snort3-file-pdf.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (snort3-os-windows.rules)
 * 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (snort3-os-windows.rules)

2018-09-11 17:45:58 UTC

Snort Subscriber Rules Update

Date: 2018-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47734 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47744 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CustomerPortalService.pm command injection attempt (server-webapp.rules)
 * 1:47745 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47740 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47748 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47742 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47743 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47741 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47725 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47735 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47726 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47747 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47732 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47723 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.MysteryBot outbound connection (malware-cnc.rules)
 * 1:47717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47724 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47733 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47736 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47761 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt (browser-ie.rules)
 * 1:47731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47737 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:47759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47722 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)
 * 3:47753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47716 <-> ENABLED <-> SERVER-WEBAPP HP Client Automation Server directory traversal attempt (server-webapp.rules)
 * 3:47721 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)
 * 3:47760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47763 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47729 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0659 attack attempt (server-other.rules)
 * 3:47756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47762 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47758 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47727 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47751 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47728 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47750 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47755 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)

Modified Rules:


 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)

2018-09-11 17:45:58 UTC

Snort Subscriber Rules Update

Date: 2018-09-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47740 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47761 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer iframe open redirect attempt (browser-ie.rules)
 * 1:47733 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47742 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47717 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47735 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47741 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Device Guard bypass attempt (os-windows.rules)
 * 1:47726 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47748 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47736 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47730 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47737 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion memory corruption attempt (browser-ie.rules)
 * 1:47724 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47738 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47739 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47731 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47725 <-> DISABLED <-> SERVER-OTHER Memcached DDoS attempt (server-other.rules)
 * 1:47747 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer MSXML use after free attempt (browser-ie.rules)
 * 1:47744 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup CustomerPortalService.pm command injection attempt (server-webapp.rules)
 * 1:47745 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47746 <-> DISABLED <-> OS-WINDOWS Microsoft Windows predefined registry keys double free attempt (os-windows.rules)
 * 1:47743 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion code execution attempt (browser-ie.rules)
 * 1:47718 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:47732 <-> DISABLED <-> BROWSER-IE Microsoft Edge empty prototype use-after-free attempt (browser-ie.rules)
 * 1:47734 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra engine use after free exploit attempt (browser-ie.rules)
 * 1:47723 <-> ENABLED <-> MALWARE-CNC Andr.Trojan.MysteryBot outbound connection (malware-cnc.rules)
 * 3:47758 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47716 <-> ENABLED <-> SERVER-WEBAPP HP Client Automation Server directory traversal attempt (server-webapp.rules)
 * 3:47762 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47763 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0668 attack attempt (file-office.rules)
 * 3:47722 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)
 * 3:47760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47753 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47729 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2018-0659 attack attempt (server-other.rules)
 * 3:47755 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47759 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47728 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47750 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47751 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0657 attack attempt (file-other.rules)
 * 3:47757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0666 attack attempt (file-office.rules)
 * 3:47756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0667 attack attempt (file-office.rules)
 * 3:47727 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0662 attack attempt (file-pdf.rules)
 * 3:47754 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0669 attack attempt (file-office.rules)
 * 3:47721 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2018-0670 attack attempt (file-other.rules)

Modified Rules:


 * 1:42311 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:42312 <-> DISABLED <-> FILE-PDF Multiple Products malformed JP2K codestream out of bounds read attempt (file-pdf.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47702 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 1:47703 <-> ENABLED <-> OS-WINDOWS Microsoft Windows ALPC task scheduler local privilege escalation attempt (os-windows.rules)
 * 3:46864 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:46865 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0606 attack attempt (file-pdf.rules)
 * 3:47035 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)
 * 3:47036 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2018-0622 attack attempt (policy-other.rules)