Talos Rules 2019-11-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-1390: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2019-1393: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52205 through 52208.

Microsoft Vulnerability CVE-2019-1394: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52209 through 52212.

Microsoft Vulnerability CVE-2019-1395: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52217 through 52220.

Microsoft Vulnerability CVE-2019-1396: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52213 through 52216.

Microsoft Vulnerability CVE-2019-1408: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52225 through 52228.

Microsoft Vulnerability CVE-2019-1429: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52239 through 52240.

Microsoft Vulnerability CVE-2019-1435: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52229 through 52232.

Microsoft Vulnerability CVE-2019-1436: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52233 through 52234.

Microsoft Vulnerability CVE-2019-1437: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52223 through 52224.

Microsoft Vulnerability CVE-2019-1438: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 52221 through 52222.

Talos also has added and modified multiple rules in the browser-firefox, browser-ie, malware-cnc, os-mobile, os-windows, policy-other, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)

Modified Rules:


 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)

Modified Rules:


 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)
 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)

Modified Rules:


 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (snort3-os-windows.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (snort3-protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (snort3-protocol-scada.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (snort3-os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (snort3-os-windows.rules)
 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (snort3-server-other.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (snort3-os-windows.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (snort3-protocol-scada.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (snort3-protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (snort3-protocol-scada.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (snort3-os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (snort3-os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (snort3-os-windows.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (snort3-os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (snort3-os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (snort3-os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (snort3-os-windows.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (snort3-os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (snort3-os-windows.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (snort3-protocol-scada.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (snort3-protocol-scada.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (snort3-os-windows.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (snort3-protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (snort3-protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (snort3-protocol-scada.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (snort3-protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (snort3-protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (snort3-protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (snort3-protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (snort3-protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (snort3-protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (snort3-protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (snort3-protocol-scada.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (snort3-protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (snort3-protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (snort3-protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (snort3-protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (snort3-protocol-scada.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (snort3-os-windows.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (snort3-protocol-scada.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (snort3-protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (snort3-protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (snort3-protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (snort3-protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (snort3-protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (snort3-protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (snort3-protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (snort3-protocol-scada.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (snort3-protocol-scada.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (snort3-os-windows.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (snort3-server-webapp.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (snort3-protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (snort3-protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (snort3-protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (snort3-protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (snort3-protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (snort3-protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (snort3-protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (snort3-protocol-scada.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (snort3-protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (snort3-protocol-scada.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (snort3-protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (snort3-protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (snort3-protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (snort3-protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (snort3-protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (snort3-protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (snort3-protocol-scada.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (snort3-protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (snort3-protocol-scada.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (snort3-protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (snort3-protocol-scada.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (snort3-protocol-scada.rules)

Modified Rules:


 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (snort3-server-other.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (snort3-os-mobile.rules)
 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (snort3-browser-firefox.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (snort3-malware-cnc.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)
 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)

2019-11-12 19:26:01 UTC

Snort Subscriber Rules Update

Date: 2019-11-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52227 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52213 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52231 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52221 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52223 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52219 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52234 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52222 <-> DISABLED <-> OS-WINDOWS Microsoft Windows NtGdiPlgBlt out-of-bounds write attempt (os-windows.rules)
 * 1:52226 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52228 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52235 <-> DISABLED <-> SERVER-WEBAPP Wget HTTP non-200 negative chunk-size buffer overflow attempt (server-webapp.rules)
 * 1:52224 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CRedirectVisualMarshaler privilege escalation attempt (os-windows.rules)
 * 1:52151 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_NA_1 (protocol-scada.rules)
 * 1:52152 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_NA_1 (protocol-scada.rules)
 * 1:52153 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_NA_1 (protocol-scada.rules)
 * 1:52154 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NA_1 (protocol-scada.rules)
 * 1:52155 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NB_1 (protocol-scada.rules)
 * 1:52156 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_ND_1 (protocol-scada.rules)
 * 1:52157 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_DP_TB_1 (protocol-scada.rules)
 * 1:52158 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_NC_1 (protocol-scada.rules)
 * 1:52225 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k printer driver pallet privilege escalation attempt (os-windows.rules)
 * 1:52159 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_PS_NA_1 (protocol-scada.rules)
 * 1:52161 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_NA_1 (protocol-scada.rules)
 * 1:52162 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ST_TB_1 (protocol-scada.rules)
 * 1:52163 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TD_1 (protocol-scada.rules)
 * 1:52164 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_BO_TB_1 (protocol-scada.rules)
 * 1:52165 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TE_1 (protocol-scada.rules)
 * 1:52166 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_ME_TF_1 (protocol-scada.rules)
 * 1:52167 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_IT_TB_1 (protocol-scada.rules)
 * 1:52168 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TD_1 (protocol-scada.rules)
 * 1:52169 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TE_1 (protocol-scada.rules)
 * 1:52170 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EP_TF_1 (protocol-scada.rules)
 * 1:52171 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_NA_1 (protocol-scada.rules)
 * 1:52172 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_NA_1 (protocol-scada.rules)
 * 1:52173 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_NA_1 (protocol-scada.rules)
 * 1:52220 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52174 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NA_1 (protocol-scada.rules)
 * 1:52175 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NB_1 (protocol-scada.rules)
 * 1:52176 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_NC_1 (protocol-scada.rules)
 * 1:52178 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SC_TA_1 (protocol-scada.rules)
 * 1:52179 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_DC_TA_1 (protocol-scada.rules)
 * 1:52180 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RC_TA_1 (protocol-scada.rules)
 * 1:52181 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TA_1 (protocol-scada.rules)
 * 1:52182 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TB_1 (protocol-scada.rules)
 * 1:52183 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_SE_TC_1 (protocol-scada.rules)
 * 1:52184 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_TA_1 (protocol-scada.rules)
 * 1:52185 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_EI_NA_1 (protocol-scada.rules)
 * 1:52186 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_TS_TA_1 (protocol-scada.rules)
 * 1:52187 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NA_1 (protocol-scada.rules)
 * 1:52188 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NB_1 (protocol-scada.rules)
 * 1:52189 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CI_NA_1 (protocol-scada.rules)
 * 1:52190 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RD_NA_1 (protocol-scada.rules)
 * 1:52191 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_IC_NA_1 (protocol-scada.rules)
 * 1:52192 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_CS_NA_1 (protocol-scada.rules)
 * 1:52193 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_RP_NA_1 (protocol-scada.rules)
 * 1:52194 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_ME_NC_1 (protocol-scada.rules)
 * 1:52195 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_AF_NA_1 (protocol-scada.rules)
 * 1:52196 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_FR_NA_1 (protocol-scada.rules)
 * 1:52197 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 P_AC_NA_1 (protocol-scada.rules)
 * 1:52160 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_TB_1 (protocol-scada.rules)
 * 1:52198 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SR_NA_1 (protocol-scada.rules)
 * 1:52199 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NA_1 (protocol-scada.rules)
 * 1:52200 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_LS_NA_1 (protocol-scada.rules)
 * 1:52201 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SG_NA_1 (protocol-scada.rules)
 * 1:52202 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_DR_TA_1 (protocol-scada.rules)
 * 1:52230 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52203 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 F_SC_NB_1 (protocol-scada.rules)
 * 1:52204 <-> DISABLED <-> PROTOCOL-SCADA MMS Confirmed-RequestPDU informationReport message (protocol-scada.rules)
 * 1:52205 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52206 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52207 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52215 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:52209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52210 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52216 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52211 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52212 <-> ENABLED <-> OS-WINDOWS Microsoft Windows vMatchAPal privilege escalation attempt (os-windows.rules)
 * 1:52214 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:52217 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52177 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 C_BO_NA_1 (protocol-scada.rules)
 * 1:52218 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:52229 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 1:52150 <-> DISABLED <-> PROTOCOL-SCADA IEC 104 M_SP_NA_1 (protocol-scada.rules)
 * 1:52239 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52236 <-> ENABLED <-> SERVER-OTHER Dameware Mini Remote Control agent access attempt (server-other.rules)
 * 1:52233 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k kernel information disclosure attempt (os-windows.rules)
 * 1:52240 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:52232 <-> DISABLED <-> OS-WINDOWS Microsoft Windows GDI glyph bitmap elevation of privilege attempt (os-windows.rules)
 * 3:52241 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0955 attack attempt (server-webapp.rules)
 * 3:52237 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0953 attack attempt (server-webapp.rules)
 * 3:52238 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0954 attack attempt (policy-other.rules)

Modified Rules:


 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:36061 <-> DISABLED <-> SERVER-OTHER SAP SQL Anywhere .NET malformed integer buffer overflow attempt (server-other.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46240 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Rarog user-agent outbound communication attempt (malware-cnc.rules)
 * 1:21154 <-> DISABLED <-> BROWSER-FIREFOX Mozilla products floating point buffer overflow attempt (browser-firefox.rules)
 * 1:35435 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)
 * 1:35434 <-> DISABLED <-> OS-MOBILE Android Stagefright MP4 buffer overflow attempt (os-mobile.rules)