Talos Rules 2019-02-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0590: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49128 through 49129.

Microsoft Vulnerability CVE-2019-0591: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49134 through 49135.

Microsoft Vulnerability CVE-2019-0593: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49130 through 49131.

Microsoft Vulnerability CVE-2019-0606: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49144 through 49145.

Microsoft Vulnerability CVE-2019-0607: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49149 through 49150.

Microsoft Vulnerability CVE-2019-0610: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49140 through 49141.

Microsoft Vulnerability CVE-2019-0621: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49172 through 49173.

Microsoft Vulnerability CVE-2019-0628: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49180 through 49181.

Microsoft Vulnerability CVE-2019-0630: A coding deficiency exists in Microsoft SMB that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 49146.

Microsoft Vulnerability CVE-2019-0633: A coding deficiency exists in Microsoft SMB that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49174 through 49177.

Microsoft Vulnerability CVE-2019-0636: A coding deficiency exists in Microsoft Windows that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48799 through 48800.

Microsoft Vulnerability CVE-2019-0640: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49153 through 49154.

Microsoft Vulnerability CVE-2019-0642: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49169 through 49170.

Microsoft Vulnerability CVE-2019-0644: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49151 through 49152.

Microsoft Vulnerability CVE-2019-0645: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49142 through 49143.

Microsoft Vulnerability CVE-2019-0648: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49157 through 49158.

Microsoft Vulnerability CVE-2019-0650: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49147 through 49148.

Microsoft Vulnerability CVE-2019-0651: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49138 through 49139.

Microsoft Vulnerability CVE-2019-0652: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49136 through 49137.

Microsoft Vulnerability CVE-2019-0655: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49167 through 49168.

Microsoft Vulnerability CVE-2019-0656: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49159 through 49160.

Microsoft Vulnerability CVE-2019-0658: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49165 through 49166.

Microsoft Vulnerability CVE-2019-0661: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49161 through 49162.

Microsoft Vulnerability CVE-2019-0669: A coding deficiency exists in Microsoft Excel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49132 through 49133.

Microsoft Vulnerability CVE-2019-0676: A coding deficiency exists in Microsoft Internet Explorer that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49155 through 49156.

Talos also has added and modified multiple rules in the browser-ie, file-office, file-other, file-pdf, indicator-compromise, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-02-12 19:23:21 UTC

Snort Subscriber Rules Update

Date: 2019-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49142 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49177 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49131 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49133 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49132 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49139 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49188 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.SpeakUp (malware-cnc.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:49186 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49187 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49184 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49185 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49134 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49136 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49137 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49138 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49149 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49150 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49151 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49148 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49147 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
 * 1:49145 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49141 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49140 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49143 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49163 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49152 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49153 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49154 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49128 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49157 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49158 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49159 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49160 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49161 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49165 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49164 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49162 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49135 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49144 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49130 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49129 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49166 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49167 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49180 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49181 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49168 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49169 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49170 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49171 <-> DISABLED <-> OS-WINDOWS NTLM authentication relay attempt (os-windows.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 3:49189 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)
 * 3:49190 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)

Modified Rules:
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:34727 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34728 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42037 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:49073 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:42038 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42039 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:49074 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:42036 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42032 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42033 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)

2019-02-12 19:23:21 UTC

Snort Subscriber Rules Update

Date: 2019-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49177 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49180 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49181 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49188 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.SpeakUp (malware-cnc.rules)
 * 1:49184 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49185 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49186 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:49183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49187 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49133 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49135 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49136 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49137 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49148 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49149 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49150 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49151 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49152 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49153 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49154 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49157 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49158 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49159 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49160 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49141 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49140 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49138 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49139 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49131 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
 * 1:49145 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49144 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49147 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49142 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49161 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49143 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49162 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49164 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49163 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49134 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49129 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49128 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49165 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49166 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49167 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49130 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49168 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49169 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49170 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49171 <-> DISABLED <-> OS-WINDOWS NTLM authentication relay attempt (os-windows.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49132 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 3:49190 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)
 * 3:49189 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)

Modified Rules:
 * 1:42033 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34728 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:42032 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34727 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42038 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:49074 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:42037 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:49073 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:42039 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42036 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)

2019-02-12 19:23:21 UTC

Snort Subscriber Rules Update

Date: 2019-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:49140 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (snort3-browser-ie.rules)
 * 1:49143 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (snort3-os-windows.rules)
 * 1:49177 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (snort3-os-windows.rules)
 * 1:49188 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.SpeakUp (snort3-malware-cnc.rules)
 * 1:49187 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (snort3-browser-ie.rules)
 * 1:49186 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (snort3-browser-ie.rules)
 * 1:49185 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (snort3-indicator-compromise.rules)
 * 1:49184 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (snort3-indicator-compromise.rules)
 * 1:49183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (snort3-file-office.rules)
 * 1:49182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (snort3-file-office.rules)
 * 1:49181 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (snort3-os-windows.rules)
 * 1:49180 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (snort3-os-windows.rules)
 * 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (snort3-file-pdf.rules)
 * 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (snort3-file-pdf.rules)
 * 1:49133 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (snort3-file-office.rules)
 * 1:49134 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (snort3-server-webapp.rules)
 * 1:49135 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:49137 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (snort3-browser-ie.rules)
 * 1:49138 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:49139 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:49150 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:49151 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:49152 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:49153 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (snort3-browser-ie.rules)
 * 1:49154 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (snort3-browser-ie.rules)
 * 1:49155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (snort3-browser-ie.rules)
 * 1:49156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (snort3-browser-ie.rules)
 * 1:49157 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (snort3-browser-ie.rules)
 * 1:49158 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (snort3-browser-ie.rules)
 * 1:49159 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49160 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49161 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (snort3-os-windows.rules)
 * 1:49162 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (snort3-os-windows.rules)
 * 1:49145 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:49163 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (snort3-indicator-compromise.rules)
 * 1:49164 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (snort3-indicator-compromise.rules)
 * 1:49165 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (snort3-browser-ie.rules)
 * 1:49166 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (snort3-browser-ie.rules)
 * 1:49128 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:49131 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:49130 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:49167 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (snort3-browser-ie.rules)
 * 1:49168 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (snort3-browser-ie.rules)
 * 1:49169 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (snort3-browser-ie.rules)
 * 1:49136 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (snort3-browser-ie.rules)
 * 1:49170 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (snort3-browser-ie.rules)
 * 1:49171 <-> DISABLED <-> OS-WINDOWS NTLM authentication relay attempt (snort3-os-windows.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49144 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:49129 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:49149 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (snort3-browser-ie.rules)
 * 1:49148 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:49147 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (snort3-os-windows.rules)
 * 1:49142 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49132 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (snort3-file-office.rules)
 * 1:49141 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (snort3-browser-ie.rules)
 * 1:49175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (snort3-os-windows.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:34727 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:34728 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:37969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:37970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (snort3-browser-ie.rules)
 * 1:42032 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:42033 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:42034 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:42037 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:42035 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:42038 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (snort3-os-windows.rules)
 * 1:49074 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (snort3-file-other.rules)
 * 1:49073 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (snort3-file-other.rules)
 * 1:42039 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (snort3-os-windows.rules)
 * 1:42036 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (snort3-browser-ie.rules)

2019-02-12 19:23:21 UTC

Snort Subscriber Rules Update

Date: 2019-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49131 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49133 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49139 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49132 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49135 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49134 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49136 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49137 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49138 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49149 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49150 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49151 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49152 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49153 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49154 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49157 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49158 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49159 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49160 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49161 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49144 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49162 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49163 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49164 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49165 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49177 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49142 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49130 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49129 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49166 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49167 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49168 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49169 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49170 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49171 <-> DISABLED <-> OS-WINDOWS NTLM authentication relay attempt (os-windows.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:49188 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.SpeakUp (malware-cnc.rules)
 * 1:49187 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49186 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49185 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49184 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49181 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49180 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49148 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49147 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
 * 1:49145 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49141 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49140 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49143 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49128 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 3:49189 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)
 * 3:49190 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:34728 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:34727 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:49073 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:49074 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:42038 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42039 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42036 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42037 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42032 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42033 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)

2019-02-12 19:23:21 UTC

Snort Subscriber Rules Update

Date: 2019-02-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49142 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49141 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49140 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer out of bounds write attempt (browser-ie.rules)
 * 1:49139 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49138 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:49137 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49136 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine remote code execution attempt (browser-ie.rules)
 * 1:49135 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49134 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49133 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49132 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:49131 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49130 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49129 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49128 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49148 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49145 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49144 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion exploit attempt (browser-ie.rules)
 * 1:49143 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49147 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49146 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB named pipe buffer overflow attempt (os-windows.rules)
 * 1:49149 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49152 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49151 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:49150 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly type confusion exploit attempt (browser-ie.rules)
 * 1:49154 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49153 <-> ENABLED <-> BROWSER-IE Microsoft Edge Promise object context switch use-after-free attempt (browser-ie.rules)
 * 1:49155 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49176 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49175 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49174 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtAdjustGroupsToken kernel information disclosure attempt (os-windows.rules)
 * 1:49171 <-> DISABLED <-> OS-WINDOWS NTLM authentication relay attempt (os-windows.rules)
 * 1:49170 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49169 <-> ENABLED <-> BROWSER-IE Microsoft Edge isSealed object buffer overrun attempt (browser-ie.rules)
 * 1:49168 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49167 <-> ENABLED <-> BROWSER-IE Microsoft Edge variable length manipulation type confusion attempt (browser-ie.rules)
 * 1:49166 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49165 <-> ENABLED <-> BROWSER-IE Microsoft Edge buffer manipulation out-of-bounds read attempt (browser-ie.rules)
 * 1:49164 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49163 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Windows NtTraceControl function use (indicator-compromise.rules)
 * 1:49162 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49161 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:49160 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49159 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver privilege escalation attempt (os-windows.rules)
 * 1:49158 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49157 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:49156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer information disclosure attempt (browser-ie.rules)
 * 1:49191 <-> DISABLED <-> SERVER-WEBAPP Dell EMC Virtual Appliance Manager undocumented credential use attempt (server-webapp.rules)
 * 1:49188 <-> ENABLED <-> MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.SpeakUp (malware-cnc.rules)
 * 1:49187 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49186 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer HtmlLayout styling use after free attempt (browser-ie.rules)
 * 1:49185 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49184 <-> DISABLED <-> INDICATOR-COMPROMISE PEAR Archive_Tar PHP object injection attempt (indicator-compromise.rules)
 * 1:49183 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49182 <-> DISABLED <-> FILE-OFFICE Microsoft Office Publisher Opltc memory corruption attempt (file-office.rules)
 * 1:49181 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49180 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k SendMessageTimeout kernel information leak attempt (os-windows.rules)
 * 1:49179 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49178 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader XSLT information disclosure attempt (file-pdf.rules)
 * 1:49177 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SMB remote code execution attempt (os-windows.rules)
 * 3:49189 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)
 * 3:49190 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0778 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:34728 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37970 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:40123 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:40124 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll normalize missing div child use after free attempt (browser-ie.rules)
 * 1:42032 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42033 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42034 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42037 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42038 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42039 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:42036 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:42035 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:49074 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:49073 <-> DISABLED <-> FILE-OTHER Microsoft Windows device metadata file directory traversal attempt (file-other.rules)
 * 1:34727 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)
 * 1:37969 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer DataView use-after-free attempt (browser-ie.rules)