Talos Rules 2020-01-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2020-0601: A coding deficiency exists in Microsoft Windows CryptoAPI that may lead to spoofing.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 52593 through 52596.

Microsoft Vulnerability CVE-2020-0634: A coding deficiency exists in Microsoft Windows Common Log File System Driver that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 52604 through 52605.

Talos has also added and modified multiple rules in the app-detect, browser-chrome, browser-ie, browser-webkit, exploit-kit, malware-cnc and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (malware-cnc.rules)
 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (malware-cnc.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (malware-cnc.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)

Modified Rules:


 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (malware-cnc.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (malware-cnc.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (snort3-server-webapp.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (snort3-exploit-kit.rules)
 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (snort3-exploit-kit.rules)
 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (snort3-browser-chrome.rules)
 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (snort3-os-windows.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (snort3-server-webapp.rules)
 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (snort3-server-webapp.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (snort3-browser-webkit.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (snort3-browser-webkit.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (snort3-malware-cnc.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (snort3-server-webapp.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (snort3-os-windows.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (snort3-exploit-kit.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (snort3-os-windows.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (snort3-browser-chrome.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (snort3-server-webapp.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (snort3-exploit-kit.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (snort3-app-detect.rules)
 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (snort3-app-detect.rules)
 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (snort3-app-detect.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (snort3-server-webapp.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (snort3-server-webapp.rules)

2020-01-14 18:04:30 UTC

Snort Subscriber Rules Update

Date: 2020-01-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52591 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52585 <-> ENABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52597 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52602 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52596 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52605 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52603 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52604 <-> ENABLED <-> OS-WINDOWS Microsoft Windows clfs.sys local privilege escalation attempt (os-windows.rules)
 * 1:52588 <-> ENABLED <-> MALWARE-CNC Unix.Trojan.Mirai Enigma NMS command injection attempt (malware-cnc.rules)
 * 1:52601 <-> ENABLED <-> BROWSER-CHROME Google V8 engine type confusion attempt (browser-chrome.rules)
 * 1:52589 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52598 <-> DISABLED <-> BROWSER-WEBKIT Apple Safari Webkit css title memory corruption attempt (browser-webkit.rules)
 * 1:52584 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52592 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52586 <-> DISABLED <-> EXPLOIT-KIT BottleEK variant outbound connection (exploit-kit.rules)
 * 1:52593 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52594 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52590 <-> DISABLED <-> SERVER-WEBAPP Enigma NMS command injection attempt (server-webapp.rules)
 * 1:52595 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CryptoAPI signed binary with spoofed certificate attempt (os-windows.rules)
 * 1:52600 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:52587 <-> ENABLED <-> EXPLOIT-KIT BottleEK landing page detected (exploit-kit.rules)
 * 1:52599 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)

Modified Rules:


 * 1:24096 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24097 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:24098 <-> DISABLED <-> APP-DETECT Teamviewer remote connection attempt (app-detect.rules)
 * 1:52512 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)
 * 1:52513 <-> ENABLED <-> SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt (server-webapp.rules)