Talos Rules 2019-04-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0685: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49688 through 49689.

Microsoft Vulnerability CVE-2019-0730: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49692 through 49693.

Microsoft Vulnerability CVE-2019-0731: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49696 through 49697.

Microsoft Vulnerability CVE-2019-0732: A coding deficiency exists in Microsoft Windows that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49704 through 49705.

Microsoft Vulnerability CVE-2019-0735: A coding deficiency exists in Microsoft Windows CSRSS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49694 through 49695.

Microsoft Vulnerability CVE-2019-0752: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49702 through 49703.

Microsoft Vulnerability CVE-2019-0753: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49708 through 49709.

Microsoft Vulnerability CVE-2019-0793: A coding deficiency exists in MS XML that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2019-0794: A coding deficiency exists in OLE Automation that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2019-0796: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49718 through 49719.

Microsoft Vulnerability CVE-2019-0801: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49727 through 49745.

Microsoft Vulnerability CVE-2019-0803: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49712 through 49713.

Microsoft Vulnerability CVE-2019-0805: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49748 through 49749.

Microsoft Vulnerability CVE-2019-0806: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49716 through 49717.

Microsoft Vulnerability CVE-2019-0810: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49710 through 49711.

Microsoft Vulnerability CVE-2019-0812: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49698 through 49699.

Microsoft Vulnerability CVE-2019-0814: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45632 and 45635.

Microsoft Vulnerability CVE-2019-0822: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49700 through 49701.

Microsoft Vulnerability CVE-2019-0829: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49722 through 49723.

Microsoft Vulnerability CVE-2019-0836: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49720 through 49721.

Microsoft Vulnerability CVE-2019-0840: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49750 through 49751.

Microsoft Vulnerability CVE-2019-0844: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49754 through 49755.

Microsoft Vulnerability CVE-2019-0859: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49746 through 49747.

Microsoft Vulnerability CVE-2019-0860: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49706 through 49707.

Microsoft Vulnerability CVE-2019-0861: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 49380 through 49381.

Microsoft Vulnerability CVE-2019-0862: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49752 through 49753.

Talos also has added and modified multiple rules in the browser-ie, browser-plugins, file-executable, file-office, file-pdf, indicator-shellcode, malware-cnc, os-linux, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2019-04-09 17:17:56 UTC

Snort Subscriber Rules Update

Date: 2019-04-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49679 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49678 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49677 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49676 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49687 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49682 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking command-and-control communication attempt (malware-cnc.rules)
 * 1:49681 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking outbound beacon attempt (malware-cnc.rules)
 * 1:49680 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49683 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
 * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49691 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49690 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49689 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49693 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49692 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49694 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49732 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49715 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php directory traversal attempt (server-webapp.rules)
 * 1:49714 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49712 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49711 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49710 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49709 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49708 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49707 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49706 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49703 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49702 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49701 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49700 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49699 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49698 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49697 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49696 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49695 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49731 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49730 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49729 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49728 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49727 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49726 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49725 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xwo variant outbound connection attempt (malware-cnc.rules)
 * 1:49723 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49722 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49721 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49719 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49718 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49717 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49716 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49753 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49752 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49750 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49749 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49748 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49747 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49745 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49744 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49743 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49742 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49741 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49740 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49739 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49738 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49737 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49736 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49735 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49734 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49733 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49758 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49755 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49754 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 3:49684 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
 * 3:49757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49761 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49685 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (os-linux.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:20746 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:20747 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
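
As an added example (not Talos code), the parser below reads change-log lines in the documented `gid:sid <-> Default rule state <-> Message (rule group)` format and cross-checks them against the GID 1 SID ranges the advisory section above claims for each CVE, flagging coverage that ships DISABLED by default and ranges that do not appear in the log at all. The sample change log is a constructed excerpt of lines copied from this page; CVE-2019-0752 is included deliberately as a range the excerpt does not contain.

```python
"""Parse a Snort rule-pack change log and cross-check it against the SID
ranges an advisory claims for each CVE.  Added example, not Talos code."""
import re
from dataclasses import dataclass

# One change-log entry, e.g.:
#  * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE ... attempt (file-executable.rules)
_RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class Rule:
    gid: int
    sid: int
    state: str      # default rule state: "ENABLED" or "DISABLED"
    message: str
    group: str      # rule file the SID lives in, e.g. "os-windows.rules"


def parse_changelog(text: str) -> list[Rule]:
    """Return every well-formed rule line; headers and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = _RULE_LINE.match(line)
        if m:
            rules.append(Rule(int(m["gid"]), int(m["sid"]), m["state"],
                              m["msg"].strip(), m["group"]))
    return rules


def coverage_report(advisory: dict[str, tuple[int, int]], rules: list[Rule],
                    gid: int = 1) -> dict[str, dict]:
    """For each CVE -> (first_sid, last_sid) claimed by the advisory, report which
    SIDs are actually in the change log, which are DISABLED by default, and whether
    the CVE's entire coverage is silent until an operator enables it."""
    by_sid = {r.sid: r for r in rules if r.gid == gid}
    report = {}
    for cve, (lo, hi) in advisory.items():
        expected = set(range(lo, hi + 1))
        present = {s: by_sid[s] for s in expected if s in by_sid}
        missing = sorted(expected - present.keys())
        disabled = sorted(s for s, r in present.items() if r.state == "DISABLED")
        report[cve] = {
            "present": sorted(present),
            "missing": missing,                 # claimed by the advisory, absent here
            "disabled_by_default": disabled,
            "needs_enabling": bool(present) and len(disabled) == len(present),
        }
    return report


# Constructed excerpt: lines copied from the change log on this page.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49689 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49693 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49692 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49694 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49695 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49712 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 3:49684 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
"""

# GID 1 SID ranges exactly as stated in the advisory section of this page.
ADVISORY = {
    "CVE-2019-0685": (49688, 49689),
    "CVE-2019-0730": (49692, 49693),
    "CVE-2019-0735": (49694, 49695),
    "CVE-2019-0803": (49712, 49713),
    "CVE-2019-0752": (49702, 49703),   # not in the excerpt: exercises the 'missing' path
}

if __name__ == "__main__":
    report = coverage_report(ADVISORY, parse_changelog(SAMPLE_CHANGELOG))
    for cve, info in report.items():
        if not info["present"]:
            flag = "MISSING FROM LOG"
        elif info["needs_enabling"]:
            flag = "ENABLE MANUALLY"
        else:
            flag = "ok"
        print(f"{cve}: {flag:16} present={info['present']} "
              f"disabled={info['disabled_by_default']} missing={info['missing']}")
```

Run against the full change log, the report shows which Patch Tuesday CVEs in this release (for example CVE-2019-0730 and CVE-2019-0735) have no detection until their DISABLED rules are switched on.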

2019-04-09 17:17:56 UTC

Snort Subscriber Rules Update

Date: 2019-04-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49738 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49739 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49676 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49678 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49680 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49681 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking outbound beacon attempt (malware-cnc.rules)
 * 1:49682 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking command-and-control communication attempt (malware-cnc.rules)
 * 1:49683 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
 * 1:49686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49687 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49689 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49690 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49691 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49692 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49693 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49694 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49695 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49696 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49697 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49698 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49699 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49700 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49701 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49702 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49703 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49706 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49707 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49708 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49709 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49710 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49711 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49712 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49714 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49715 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php directory traversal attempt (server-webapp.rules)
 * 1:49716 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49717 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49718 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49719 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49721 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49722 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49723 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xwo variant outbound connection attempt (malware-cnc.rules)
 * 1:49725 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49726 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49727 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49728 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49729 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49730 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49731 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49732 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49733 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49679 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49748 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49747 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49745 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49744 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49743 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49740 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49742 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49741 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49734 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49735 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49736 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49749 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49750 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49758 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49755 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49754 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49753 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49752 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49677 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49737 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 3:49684 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
 * 3:49761 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49685 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (os-linux.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:20746 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:20747 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)

2019-04-09 17:17:56 UTC

Snort Subscriber Rules Update

Date: 2019-04-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49739 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49742 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49743 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:49747 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:49680 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (snort3-malware-cnc.rules)
 * 1:49745 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49744 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (snort3-browser-plugins.rules)
 * 1:49758 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (snort3-browser-plugins.rules)
 * 1:49755 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49754 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49753 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (snort3-browser-ie.rules)
 * 1:49752 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (snort3-browser-ie.rules)
 * 1:49751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49750 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49749 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (snort3-os-windows.rules)
 * 1:49748 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (snort3-os-windows.rules)
 * 1:49676 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (snort3-malware-cnc.rules)
 * 1:49677 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (snort3-malware-cnc.rules)
 * 1:49720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (snort3-os-windows.rules)
 * 1:49721 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (snort3-os-windows.rules)
 * 1:49722 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49723 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xwo variant outbound connection attempt (snort3-malware-cnc.rules)
 * 1:49726 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (snort3-browser-ie.rules)
 * 1:49725 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (snort3-browser-ie.rules)
 * 1:49727 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49719 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (snort3-os-windows.rules)
 * 1:49733 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49732 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49735 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49736 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49737 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49738 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49731 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49734 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49679 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (snort3-malware-cnc.rules)
 * 1:49741 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49691 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (snort3-indicator-shellcode.rules)
 * 1:49692 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49690 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (snort3-indicator-shellcode.rules)
 * 1:49682 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking command-and-control communication attempt (snort3-malware-cnc.rules)
 * 1:49683 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (snort3-browser-plugins.rules)
 * 1:49681 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking outbound beacon attempt (snort3-malware-cnc.rules)
 * 1:49740 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49718 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (snort3-os-windows.rules)
 * 1:49729 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49730 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49717 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49728 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (snort3-file-office.rules)
 * 1:49715 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php directory traversal attempt (snort3-server-webapp.rules)
 * 1:49716 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (snort3-os-windows.rules)
 * 1:49714 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php arbitrary PHP file upload attempt (snort3-server-webapp.rules)
 * 1:49711 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49712 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (snort3-os-windows.rules)
 * 1:49709 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49710 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49707 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49708 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (snort3-os-windows.rules)
 * 1:49706 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49703 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (snort3-os-windows.rules)
 * 1:49701 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (snort3-file-office.rules)
 * 1:49702 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49699 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49700 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (snort3-file-office.rules)
 * 1:49697 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (snort3-os-windows.rules)
 * 1:49698 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49695 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (snort3-os-windows.rules)
 * 1:49696 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (snort3-os-windows.rules)
 * 1:49693 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (snort3-os-windows.rules)
 * 1:49694 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (snort3-os-windows.rules)
 * 1:49689 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (snort3-file-executable.rules)
 * 1:49678 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (snort3-malware-cnc.rules)
 * 1:49687 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (snort3-browser-ie.rules)
 * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (snort3-file-executable.rules)
 * 1:49686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (snort3-os-linux.rules)
 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (snort3-os-linux.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (snort3-os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:20746 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (snort3-server-other.rules)
 * 1:20747 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (snort3-server-other.rules)

2019-04-09 17:17:56 UTC

Snort Subscriber Rules Update

Date: 2019-04-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49741 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49740 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49743 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49742 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49690 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49737 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49736 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49694 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49758 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49701 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49732 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49744 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49739 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49738 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49750 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49754 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49735 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49749 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49753 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49748 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49747 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49693 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49698 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49699 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49733 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49734 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49677 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49696 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49729 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49730 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49727 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49702 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49725 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49726 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49723 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xwo variant outbound connection attempt (malware-cnc.rules)
 * 1:49721 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49722 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49719 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49717 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49718 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49715 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php directory traversal attempt (server-webapp.rules)
 * 1:49716 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49714 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49711 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49712 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49709 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49710 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49707 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49708 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49678 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49679 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49680 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49681 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking outbound beacon attempt (malware-cnc.rules)
 * 1:49706 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49703 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49745 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49728 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49691 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49692 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49687 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49689 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49682 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking command-and-control communication attempt (malware-cnc.rules)
 * 1:49683 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
 * 1:49700 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49676 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49752 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49755 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49695 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49731 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49697 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 3:49760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49684 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
 * 3:49757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49761 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49685 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
 * 3:49756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)

Modified Rules:


 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (os-linux.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:20746 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:20747 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)

2019-04-09 17:17:56 UTC

Snort Subscriber Rules Update

Date: 2019-04-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49749 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49741 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49740 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49750 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49735 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49742 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49744 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49720 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49739 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49678 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49686 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49677 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49734 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49683 <-> DISABLED <-> BROWSER-PLUGINS Schneider Electric ProClima ActiveX function call access attempt (browser-plugins.rules)
 * 1:49752 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49723 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49754 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49748 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49691 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49737 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49743 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49736 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49721 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LuafvPostReadWrite privilege escalation attempt (os-windows.rules)
 * 1:49690 <-> ENABLED <-> INDICATOR-SHELLCODE KernelFuzzer system call 64 bit (indicator-shellcode.rules)
 * 1:49695 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49692 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49697 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49694 <-> DISABLED <-> OS-WINDOWS Windows CSRSS privilege escalation attempt (os-windows.rules)
 * 1:49699 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49696 <-> ENABLED <-> OS-WINDOWS Microsoft Windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49701 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49698 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49703 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49700 <-> ENABLED <-> FILE-OFFICE Microsoft Powerpoint graphics component remote code execution attempt (file-office.rules)
 * 1:49705 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49702 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49707 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49704 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtSetCachedSigningLevel Device Guard bypass attempt (os-windows.rules)
 * 1:49709 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49706 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49711 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49708 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49713 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49710 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49718 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49712 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI component use after free attempt (os-windows.rules)
 * 1:49727 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49732 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49714 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php arbitrary PHP file upload attempt (server-webapp.rules)
 * 1:49729 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49715 <-> DISABLED <-> SERVER-WEBAPP Horde Groupware Webmail Contact Management add.php directory traversal attempt (server-webapp.rules)
 * 1:49716 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49717 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49730 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49733 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49693 <-> DISABLED <-> OS-WINDOWS Microsoft Windows LUAFV driver privilege escalation attempt (os-windows.rules)
 * 1:49719 <-> ENABLED <-> OS-WINDOWS Microsoft windows LUAFV privilege escalation attempt (os-windows.rules)
 * 1:49722 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49728 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49724 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Xwo variant outbound connection attempt (malware-cnc.rules)
 * 1:49725 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49726 <-> DISABLED <-> BROWSER-IE Microsoft Edge edgehtml.dll uninitialized pointer vulnerability attempt (browser-ie.rules)
 * 1:49687 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:49689 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49680 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49688 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows kernel user after free attempt (file-executable.rules)
 * 1:49679 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49676 <-> ENABLED <-> MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt (malware-cnc.rules)
 * 1:49759 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49747 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49755 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Kernel information disclosure attempt (os-windows.rules)
 * 1:49746 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k privilege escalation attempt (os-windows.rules)
 * 1:49738 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49753 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use-after-free attempt (browser-ie.rules)
 * 1:49751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49758 <-> DISABLED <-> BROWSER-PLUGINS GE Intelligent Platforms Proficy HTML help ActiveX function call attempt (browser-plugins.rules)
 * 1:49681 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking outbound beacon attempt (malware-cnc.rules)
 * 1:49682 <-> ENABLED <-> MALWARE-CNC Android.Trojan.Banking command-and-control communication attempt (malware-cnc.rules)
 * 1:49731 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 1:49745 <-> ENABLED <-> FILE-OFFICE Microsoft Office directory traversal attempt (file-office.rules)
 * 3:49756 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49761 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)
 * 3:49757 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0794 attack attempt (file-office.rules)
 * 3:49684 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
 * 3:49685 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2019-0796 attack attempt (file-pdf.rules)
 * 3:49760 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0795 attack attempt (file-office.rules)

Modified Rules:


 * 1:20746 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:30326 <-> DISABLED <-> OS-LINUX Linux kernel SCTP duplicate cookie denial of service attempt (os-linux.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:25314 <-> DISABLED <-> OS-LINUX Linux kernel IGMP queries denial of service attempt (os-linux.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:20747 <-> DISABLED <-> SERVER-OTHER Ethereal IGAP Dissector Buffer Overflow attempt (server-other.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)