Talos Rules 2019-05-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0707: A coding deficiency exists in Microsoft Windows NDIS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50090 through 50091.

Microsoft Vulnerability CVE-2019-0758: A coding deficiency exists in Microsoft Windows GDI that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50119 through 50120.

Microsoft Vulnerability CVE-2019-0863: A coding deficiency exists in Microsoft Windows Error Reporting that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50115 through 50116.

Microsoft Vulnerability CVE-2019-0881: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50084 through 50085.

Microsoft Vulnerability CVE-2019-0882: A coding deficiency exists in Microsoft Windows GDI that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50086 through 50087.

Microsoft Vulnerability CVE-2019-0884: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50074 through 50075.

Microsoft Vulnerability CVE-2019-0885: A coding deficiency exists in Microsoft Windows OLE that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50088 through 50089.

Microsoft Vulnerability CVE-2019-0903: A coding deficiency exists in Microsoft Windows GDI+ that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50121 through 50122.

Microsoft Vulnerability CVE-2019-0911: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50070 through 50071.

Microsoft Vulnerability CVE-2019-0918: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50072 through 50073.

Microsoft Vulnerability CVE-2019-0926: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50076 through 50077.

Microsoft Vulnerability CVE-2019-0930: A coding deficiency exists in Microsoft Internet Explorer that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50082 through 50083.

Microsoft Vulnerability CVE-2019-0931: A coding deficiency exists in Microsoft Windows Storage Service that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50068 through 50069.

Microsoft Vulnerability CVE-2019-0938: A coding deficiency exists in Microsoft Edge that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50080 through 50081.

Microsoft Vulnerability CVE-2019-0940: A coding deficiency exists in Microsoft Browser that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50078 through 50079.

Talos has also added and modified multiple rules in the browser-ie, file-image, file-office, file-other, indicator-compromise, malware-cnc, malware-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-05-14 18:01:55 UTC

Snort Subscriber Rules Update

Date: 2019-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50075 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50074 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50073 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50072 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50071 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50070 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50069 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50068 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrackXTSR variant outbound response attempt (malware-cnc.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:50091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50089 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50088 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50087 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50086 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50085 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50084 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50083 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50081 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50080 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50079 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50078 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50077 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50076 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50095 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner self-signed certificate attempt (indicator-compromise.rules)
 * 1:50094 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50093 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50098 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50097 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50096 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner toolkit download attempt (indicator-compromise.rules)
 * 1:50105 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50099 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50102 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner LDAP attack attempt (indicator-compromise.rules)
 * 1:50101 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner MSSQL attack attempt (indicator-compromise.rules)
 * 1:50100 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMTP attack attempt (indicator-compromise.rules)
 * 1:50104 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50103 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50122 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50121 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50120 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50119 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50113 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MegaLocker ransom note transfer over SMB (malware-other.rules)
 * 1:50112 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Agent ransom note transfer over SMB (malware-other.rules)
 * 1:50109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50106 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB attack attempt (indicator-compromise.rules)
 * 3:50110 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0836 attack attempt (server-webapp.rules)
 * 3:50111 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0839 attack attempt (server-webapp.rules)
 * 3:50114 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0833 attack attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35525 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35526 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)

2019-05-14 18:01:55 UTC

Snort Subscriber Rules Update

Date: 2019-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50106 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB attack attempt (indicator-compromise.rules)
 * 1:50068 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50069 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50070 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50071 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50072 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50073 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50074 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50075 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50076 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50077 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50078 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50079 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50080 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50081 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50084 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50085 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50087 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50088 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50083 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50086 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:50093 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50094 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50095 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner self-signed certificate attempt (indicator-compromise.rules)
 * 1:50091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50089 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50113 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MegaLocker ransom note transfer over SMB (malware-other.rules)
 * 1:50112 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Agent ransom note transfer over SMB (malware-other.rules)
 * 1:50108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50096 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner toolkit download attempt (indicator-compromise.rules)
 * 1:50097 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50098 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50099 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50100 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMTP attack attempt (indicator-compromise.rules)
 * 1:50101 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner MSSQL attack attempt (indicator-compromise.rules)
 * 1:50102 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner LDAP attack attempt (indicator-compromise.rules)
 * 1:50103 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50104 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50105 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50122 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50121 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50120 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50119 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrackXTSR variant outbound response attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 3:50110 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0836 attack attempt (server-webapp.rules)
 * 3:50111 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0839 attack attempt (server-webapp.rules)
 * 3:50114 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0833 attack attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35525 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35526 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)

2019-05-14 18:01:55 UTC

Snort Subscriber Rules Update

Date: 2019-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50101 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner MSSQL attack attempt (indicator-compromise.rules)
 * 1:50106 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB attack attempt (indicator-compromise.rules)
 * 1:50109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50105 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50122 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50121 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50120 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50119 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50113 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MegaLocker ransom note transfer over SMB (malware-other.rules)
 * 1:50112 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Agent ransom note transfer over SMB (malware-other.rules)
 * 1:50068 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50069 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50070 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50076 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50072 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50077 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50074 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50071 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50084 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50073 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50080 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50083 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50078 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50079 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50081 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50075 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50086 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50087 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50088 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50089 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:50093 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50094 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50095 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner self-signed certificate attempt (indicator-compromise.rules)
 * 1:50096 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner toolkit download attempt (indicator-compromise.rules)
 * 1:50097 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50098 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50099 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50102 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner LDAP attack attempt (indicator-compromise.rules)
 * 1:50103 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50104 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50085 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrackXTSR variant outbound response attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50100 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMTP attack attempt (indicator-compromise.rules)
 * 3:50110 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0836 attack attempt (server-webapp.rules)
 * 3:50111 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0839 attack attempt (server-webapp.rules)
 * 3:50114 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0833 attack attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35526 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35525 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)

2019-05-14 18:01:55 UTC

Snort Subscriber Rules Update

Date: 2019-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50121 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (snort3-os-windows.rules)
 * 1:50122 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (snort3-os-windows.rules)
 * 1:50109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50112 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Agent ransom note transfer over SMB (snort3-malware-other.rules)
 * 1:50113 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MegaLocker ransom note transfer over SMB (snort3-malware-other.rules)
 * 1:50068 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (snort3-os-windows.rules)
 * 1:50069 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (snort3-os-windows.rules)
 * 1:50070 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50071 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50120 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50119 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50072 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50073 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50074 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50075 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50076 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50077 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50078 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50079 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50080 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50081 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:50083 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:50084 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (snort3-os-windows.rules)
 * 1:50085 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (snort3-os-windows.rules)
 * 1:50086 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (snort3-file-office.rules)
 * 1:50087 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (snort3-file-office.rules)
 * 1:50088 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (snort3-file-image.rules)
 * 1:50089 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (snort3-file-image.rules)
 * 1:50090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (snort3-malware-cnc.rules)
 * 1:50093 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (snort3-indicator-compromise.rules)
 * 1:50094 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (snort3-indicator-compromise.rules)
 * 1:50095 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner self-signed certificate attempt (snort3-indicator-compromise.rules)
 * 1:50096 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner toolkit download attempt (snort3-indicator-compromise.rules)
 * 1:50097 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (snort3-indicator-compromise.rules)
 * 1:50098 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (snort3-indicator-compromise.rules)
 * 1:50099 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (snort3-indicator-compromise.rules)
 * 1:50100 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMTP attack attempt (snort3-indicator-compromise.rules)
 * 1:50101 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner MSSQL attack attempt (snort3-indicator-compromise.rules)
 * 1:50102 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner LDAP attack attempt (snort3-indicator-compromise.rules)
 * 1:50103 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:50104 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:50105 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (snort3-indicator-compromise.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (snort3-malware-cnc.rules)
 * 1:50106 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB attack attempt (snort3-indicator-compromise.rules)
 * 1:50107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:50116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrackXTSR variant outbound response attempt (snort3-malware-cnc.rules)

Modified Rules:


 * 1:35525 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (snort3-os-windows.rules)
 * 1:35526 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (snort3-os-windows.rules)

2019-05-14 18:01:55 UTC

Snort Subscriber Rules Update

Date: 2019-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50121 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50104 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50113 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MegaLocker ransom note transfer over SMB (malware-other.rules)
 * 1:50112 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Agent ransom note transfer over SMB (malware-other.rules)
 * 1:50122 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50120 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50119 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrackXTSR variant outbound response attempt (malware-cnc.rules)
 * 1:50068 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50106 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB attack attempt (indicator-compromise.rules)
 * 1:50069 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50070 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50071 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50072 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50073 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50074 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50075 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50076 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50077 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50078 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50079 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50080 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50081 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50083 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50084 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50085 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50086 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50087 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50088 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50089 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:50093 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50094 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50095 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner self-signed certificate attempt (indicator-compromise.rules)
 * 1:50096 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner toolkit download attempt (indicator-compromise.rules)
 * 1:50097 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50098 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50099 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50103 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50100 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMTP attack attempt (indicator-compromise.rules)
 * 1:50101 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner MSSQL attack attempt (indicator-compromise.rules)
 * 1:50109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50102 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner LDAP attack attempt (indicator-compromise.rules)
 * 1:50105 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 3:50110 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0836 attack attempt (server-webapp.rules)
 * 3:50111 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0839 attack attempt (server-webapp.rules)
 * 3:50114 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0833 attack attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35526 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35525 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)

2019-05-14 18:01:55 UTC

Snort Subscriber Rules Update

Date: 2019-05-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50116 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50105 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50102 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner LDAP attack attempt (indicator-compromise.rules)
 * 1:50107 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50115 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Error Reporting elevation of privilege attempt (os-windows.rules)
 * 1:50119 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50109 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50068 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50069 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary registry access privilege escalation attempt (os-windows.rules)
 * 1:50066 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50067 <-> ENABLED <-> MALWARE-CNC Win.Trojan.CrackXTSR variant outbound response attempt (malware-cnc.rules)
 * 1:50065 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Robinhood malicious executable download attempt (malware-cnc.rules)
 * 1:50120 <-> DISABLED <-> FILE-OTHER Windows GDI font out-of-bounds read attempt (file-other.rules)
 * 1:50108 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent variant outbound cnc connection (malware-cnc.rules)
 * 1:50122 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50103 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50101 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner MSSQL attack attempt (indicator-compromise.rules)
 * 1:50098 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50104 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB negotiation attack attempt (indicator-compromise.rules)
 * 1:50100 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMTP attack attempt (indicator-compromise.rules)
 * 1:50097 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50094 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50099 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50096 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner toolkit download attempt (indicator-compromise.rules)
 * 1:50093 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner HTTP attack attempt (indicator-compromise.rules)
 * 1:50090 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50095 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner self-signed certificate attempt (indicator-compromise.rules)
 * 1:50092 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Filensfer connection attempt (malware-cnc.rules)
 * 1:50089 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50086 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50091 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NDIS elevation of privilege attempt (os-windows.rules)
 * 1:50088 <-> ENABLED <-> FILE-IMAGE Microsoft Windows OLE Load Picture remote code execution attempt (file-image.rules)
 * 1:50085 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50082 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50087 <-> DISABLED <-> FILE-OFFICE Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt (file-office.rules)
 * 1:50084 <-> DISABLED <-> OS-WINDOWS Windows Kernel Registry Virtualization privilege escalation attempt (os-windows.rules)
 * 1:50081 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50078 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50083 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:50080 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50077 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50074 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50079 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50076 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50073 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50075 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50072 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50071 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50113 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.MegaLocker ransom note transfer over SMB (malware-other.rules)
 * 1:50106 <-> ENABLED <-> INDICATOR-COMPROMISE Responder poisoner SMB attack attempt (indicator-compromise.rules)
 * 1:50070 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50121 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:50112 <-> ENABLED <-> MALWARE-OTHER Win.Ransomware.Agent ransom note transfer over SMB (malware-other.rules)
 * 3:50110 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0836 attack attempt (server-webapp.rules)
 * 3:50111 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0839 attack attempt (server-webapp.rules)
 * 3:50114 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0833 attack attempt (server-webapp.rules)
 * 3:50117 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)
 * 3:50118 <-> ENABLED <-> SERVER-WEBAPP Cisco IOS XE Web UI command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:35525 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)
 * 1:35526 <-> DISABLED <-> OS-WINDOWS Microsoft Windows TrueType font parsing integer underflow attempt (os-windows.rules)