Talos Rules 2019-07-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0880: A coding deficiency exists in Microsoft splwow64 that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50672 through 50673.

Microsoft Vulnerability CVE-2019-1001: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50662 through 50663.

Microsoft Vulnerability CVE-2019-1004: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50666 through 50667.

Microsoft Vulnerability CVE-2019-1062: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-1063: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2019-1071: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50678 through 50679.

Microsoft Vulnerability CVE-2019-1073: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50682 through 50683.

Microsoft Vulnerability CVE-2019-1074: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50664 through 50665.

Microsoft Vulnerability CVE-2019-1089: A coding deficiency exists in Microsoft Windows RPCSS that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50674 through 50675.

Microsoft Vulnerability CVE-2019-1092: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 49380 through 49381.

Microsoft Vulnerability CVE-2019-1103: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-1104: A coding deficiency exists in Microsoft Browser that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50668 through 50669.

Microsoft Vulnerability CVE-2019-1106: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-1107: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-1108: A coding deficiency exists in Remote Desktop Protocol Client that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50676 through 50677.

Microsoft Vulnerability CVE-2019-1112: A coding deficiency exists in Microsoft Excel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50680 through 50681.

Microsoft Vulnerability CVE-2019-1129: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 50198 through 50199.

Microsoft Vulnerability CVE-2019-1132: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50670 through 50671.

Talos has also added and modified multiple rules in the browser-ie, file-office, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-07-09 16:55:21 UTC

Snort Subscriber Rules Update

Date: 2019-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50670 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50669 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50668 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50667 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50666 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50663 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50662 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50661 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:50683 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50682 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50681 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50675 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50674 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:19938 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt (server-other.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
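
The change-log format stated above ("gid:sid <-> Default rule state <-> Message (rule group)") parsed and cross-checked against the GID 1 SID ranges quoted in the release summary, as an added example that is not Talos's own tooling. The sample lines are a subset copied from this page's change log, and the CVE-to-SID map is taken from the summary text; the check is useful because several of this release's rules (the RDP client and win32k use-after-free detections, and the modified DACL rules) ship DISABLED by default and so give no coverage until an operator enables them.

```python
"""Parse Snort rule-update change-log lines and cross-check them against the
SID ranges stated in the release summary.  Added example, not Talos's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Documented line format: gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[^)]+)\)\s*$"
)

# Subset of this release's change log (copied from the page, not complete).
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)

Modified Rules:

 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
"""

# CVE -> (first SID, last SID) as stated in the release summary (all GID 1).
SUMMARY_RANGES = {
    "CVE-2019-0880": (50672, 50673),
    "CVE-2019-1071": (50678, 50679),
    "CVE-2019-1108": (50676, 50677),
    "CVE-2019-1112": (50680, 50681),
    "CVE-2019-1129": (50198, 50199),
}


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str


def parse_changelog(text: str) -> list[RuleEntry]:
    """Return one RuleEntry per well-formed line; headings and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"]))
    return entries


def disabled_by_default(entries: list[RuleEntry]) -> list[int]:
    """SIDs that are present but DISABLED, i.e. provide no coverage until enabled."""
    return sorted(e.sid for e in entries if not e.enabled)


def coverage_report(entries: list[RuleEntry], summary: dict) -> dict:
    """For each CVE in the summary, list advertised SIDs absent from the change log
    ("missing") and advertised SIDs that ship DISABLED ("disabled")."""
    by_sid = {e.sid: e for e in entries if e.gid == 1}
    report = {}
    for cve, (lo, hi) in summary.items():
        sids = range(lo, hi + 1)
        report[cve] = {
            "missing": [s for s in sids if s not in by_sid],
            "disabled": [s for s in sids if s in by_sid and not by_sid[s].enabled],
        }
    return report


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for cve, status in coverage_report(parsed, SUMMARY_RANGES).items():
        print(f"{cve}: missing={status['missing']} disabled={status['disabled']}")
    print("disabled by default:", disabled_by_default(parsed))
```

In practice you would feed the full change log text (or the rule files themselves) to `parse_changelog`; the `missing` list for CVE-2019-1112 here is only an artefact of the sample being a subset of the page's list.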

2019-07-09 16:55:21 UTC

Snort Subscriber Rules Update

Date: 2019-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50666 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50682 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50670 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50661 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:50662 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50663 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50683 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50674 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50669 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50675 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50667 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50668 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50681 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)

Modified Rules:


 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:19938 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt (server-other.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)

2019-07-09 16:55:21 UTC

Snort Subscriber Rules Update

Date: 2019-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50683 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50668 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50666 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50662 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50674 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50661 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:50664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50663 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50681 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50675 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50670 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50667 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50669 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50682 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)

Modified Rules:


 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:19938 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt (server-other.rules)

2019-07-09 16:55:21 UTC

Snort Subscriber Rules Update

Date: 2019-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50661 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (snort3-server-webapp.rules)
 * 1:50662 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50682 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50663 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50666 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (snort3-os-windows.rules)
 * 1:50674 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (snort3-os-windows.rules)
 * 1:50683 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:50665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (snort3-os-windows.rules)
 * 1:50675 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (snort3-os-windows.rules)
 * 1:50664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (snort3-os-windows.rules)
 * 1:50667 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:50669 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (snort3-os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (snort3-os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (snort3-os-windows.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (snort3-os-windows.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (snort3-file-office.rules)
 * 1:50668 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:50671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (snort3-os-windows.rules)
 * 1:50670 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (snort3-os-windows.rules)
 * 1:50681 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (snort3-file-office.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (snort3-os-windows.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:19938 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt (snort3-server-other.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)

2019-07-09 16:55:21 UTC

Snort Subscriber Rules Update

Date: 2019-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50663 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50682 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50661 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:50683 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50666 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50674 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50675 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50667 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50669 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50681 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50668 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50670 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50662 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:19938 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt (server-other.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)

2019-07-09 16:55:21 UTC

Snort Subscriber Rules Update

Date: 2019-07-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50682 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50663 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50661 <-> DISABLED <-> SERVER-WEBAPP Oracle WebLogic Server remote code execution attempt (server-webapp.rules)
 * 1:50665 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50672 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)
 * 1:50683 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:50668 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50674 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50664 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM object privilege escalation attempt (os-windows.rules)
 * 1:50675 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RPCSS privilege escalation attempt (os-windows.rules)
 * 1:50670 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50669 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:50671 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k null pointer dereference attempt (os-windows.rules)
 * 1:50666 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50667 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50676 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50677 <-> DISABLED <-> OS-WINDOWS Windows Remote Desktop Protocol Client information disclosure attempt (os-windows.rules)
 * 1:50678 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50679 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free attempt (os-windows.rules)
 * 1:50680 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50681 <-> ENABLED <-> FILE-OFFICE Microsoft Excel information disclosure attempt (file-office.rules)
 * 1:50662 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:50673 <-> ENABLED <-> OS-WINDOWS Microsoft Windows splwow64 privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:19938 <-> DISABLED <-> SERVER-OTHER IBM Tivoli Directory Server ibmslapd.exe stack buffer overflow attempt (server-other.rules)
 * 1:50198 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:50199 <-> DISABLED <-> OS-WINDOWS Windows DACL privilege escalation attempt (os-windows.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)