Talos Rules 2016-05-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-051: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38763 through 38764, 38780 through 38781, 38828 through 38829, and 38841 through 38842.

Microsoft Security Bulletin MS16-052: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38776 through 38777 and 38805 through 38806.

Microsoft Security Bulletin MS16-053: A coding deficiency exists in Microsoft JScript and VBScript that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38828 through 38829.

Microsoft Security Bulletin MS16-054: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38782 through 38783 and 38785 through 38786.

Microsoft Security Bulletin MS16-055: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38768 through 38773, 38797 through 38798, and 38816 through 38817.

Microsoft Security Bulletin MS16-056: A coding deficiency exists in Microsoft Windows Journal that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38810 through 38815.

Microsoft Security Bulletin MS16-059: A coding deficiency exists in Microsoft Windows Media Center that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38778 through 38779.

Microsoft Security Bulletin MS16-060: A coding deficiency exists in the Microsoft Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38803 through 38804.

Microsoft Security Bulletin MS16-061: A coding deficiency exists in Microsoft RPC that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38839 through 38840.

Microsoft Security Bulletin MS16-062: A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 38759 through 38762, 38765 through 38766, 38774 through 38775, 38787 through 38788, 38801 through 38802, and 38808 through 38809.

Talos has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.
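The bulletin summaries above name coverage by GID/SID range, but the change logs that follow record each rule's default state, and a rule shipped DISABLED does not fire until your policy enables it (several of the MS16-060, MS16-061, MS16-062 and MS16-055 SIDs ship that way). The Python script below is an added example, not part of the Talos release or of any Snort tooling: it parses change-log lines in the documented "gid:sid <-> Default rule state <-> Message (rule group)" format, checks every SID in a bulletin's stated range against the log, and emits the SIDs shipped DISABLED one "gid:sid" per line, which is the shape PulledPork's enablesid.conf accepts. The embedded excerpt is copied from this release's Snort 2982 change log, except that 38787 and 38788 (MS16-062) are deliberately left out so the missing-SID check has something to report; the bulletin-to-range table is transcribed from the summary above and MS16-062 is trimmed to that one range to keep the demo short.

```python
import re

# Change-log line format as documented in the release:
#   gid:sid <-> Default rule state <-> Message (rule group)
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.+?)\s*\((?P<group>[a-z0-9-]+\.rules)\)\s*$"
)

# Constructed excerpt of the Snort 2982 change log from this release.
# 1:38787 and 1:38788 (MS16-062, Device Context bitmap use after free) are
# deliberately omitted so the missing-SID check below has something to report.
CHANGELOG_EXCERPT = """\
New Rules:

 * 1:38840 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38839 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38803 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38779 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38778 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 3:38834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)
"""

# Bulletin -> inclusive SID ranges (all GID 1), transcribed from the summary.
# MS16-062 is trimmed here to the single range the excerpt lacks.
BULLETIN_SIDS = {
    "MS16-059": [(38778, 38779)],
    "MS16-060": [(38803, 38804)],
    "MS16-061": [(38839, 38840)],
    "MS16-062": [(38787, 38788)],
}


def parse_changelog(text):
    """Map (gid, sid) -> (default_state, message, rule_group) for every rule line."""
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules[(int(m["gid"]), int(m["sid"]))] = (m["state"], m["msg"], m["group"])
    return rules


def coverage_report(bulletins, rules, gid=1):
    """Per bulletin: SIDs absent from the change log, and SIDs shipped DISABLED."""
    report = {}
    for bulletin, ranges in bulletins.items():
        sids = [sid for lo, hi in ranges for sid in range(lo, hi + 1)]
        missing = [sid for sid in sids if (gid, sid) not in rules]
        disabled = [sid for sid in sids
                    if (gid, sid) in rules and rules[(gid, sid)][0] == "DISABLED"]
        report[bulletin] = {"missing": missing, "disabled": disabled}
    return report


def enablesid_lines(report, gid=1):
    """One 'gid:sid' per line: the shape PulledPork's enablesid.conf accepts."""
    sids = sorted({sid for r in report.values() for sid in r["disabled"]})
    return [f"{gid}:{sid}" for sid in sids]


def groups_by_state(rules):
    """Count ENABLED/DISABLED rules per rule group, to see which .rules files
    a release touches that your policy may not have activated."""
    counts = {}
    for state, _msg, group in rules.values():
        counts.setdefault(group, {"ENABLED": 0, "DISABLED": 0})[state] += 1
    return counts


if __name__ == "__main__":
    rules = parse_changelog(CHANGELOG_EXCERPT)
    report = coverage_report(BULLETIN_SIDS, rules)
    for bulletin, r in report.items():
        print(f"{bulletin}: missing={r['missing']} disabled_by_default={r['disabled']}")
    print("\n".join(enablesid_lines(report)))
    print(groups_by_state(rules))
```

Run it against the full change-log text for your Snort version rather than the excerpt; a non-empty "missing" list means the bulletin summary and the rule pack you actually received disagree and is worth raising before you assume coverage, and the enablesid output is what you feed to PulledPork (or apply by hand) to turn on the DISABLED-by-default detections you decide you want.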

Change logs

2016-05-10 18:08:02 UTC

Snort Subscriber Rules Update

Date: 2016-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt (file-flash.rules)
 * 1:38847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt (file-flash.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38844 <-> DISABLED <-> FILE-PDF Adobe Reader javascript replace integer overflow attempt (file-pdf.rules)
 * 1:38843 <-> DISABLED <-> FILE-PDF Adobe Reader javascript replace integer overflow attempt (file-pdf.rules)
 * 1:38842 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:38841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:38840 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38839 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt (file-flash.rules)
 * 1:38837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt (file-flash.rules)
 * 1:38836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38833 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt (browser-ie.rules)
 * 1:38828 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt (browser-ie.rules)
 * 1:38827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38826 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38823 <-> DISABLED <-> POLICY-OTHER PDF containing XDP structure download detected (policy-other.rules)
 * 1:38822 <-> DISABLED <-> POLICY-OTHER PDF containing XDP structure download detected (policy-other.rules)
 * 1:38821 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt (file-pdf.rules)
 * 1:38820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected (file-pdf.rules)
 * 1:38819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt (file-pdf.rules)
 * 1:38818 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected (file-pdf.rules)
 * 1:38817 <-> DISABLED <-> FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt (file-other.rules)
 * 1:38816 <-> DISABLED <-> FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt (file-other.rules)
 * 1:38815 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38814 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38813 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38812 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38811 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38810 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38809 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt (os-windows.rules)
 * 1:38808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt (os-windows.rules)
 * 1:38807 <-> DISABLED <-> SERVER-WEBAPP PHP-Address remote file include attempt (server-webapp.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38803 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt (os-windows.rules)
 * 1:38801 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt (os-windows.rules)
 * 1:38800 <-> ENABLED <-> FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt (file-pdf.rules)
 * 1:38799 <-> ENABLED <-> FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt (file-pdf.rules)
 * 1:38798 <-> ENABLED <-> BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt (browser-ie.rules)
 * 1:38797 <-> ENABLED <-> BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt (browser-ie.rules)
 * 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules)
 * 1:38795 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript use after free attempt (file-pdf.rules)
 * 1:38794 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript use after free attempt (file-pdf.rules)
 * 1:38793 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt (file-flash.rules)
 * 1:38792 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt (file-flash.rules)
 * 1:38791 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38790 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38789 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt (os-windows.rules)
 * 1:38787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt (os-windows.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38784 <-> ENABLED <-> MALWARE-CNC CryptXXX initial outbound connection (malware-cnc.rules)
 * 1:38783 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt (file-office.rules)
 * 1:38782 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt (file-office.rules)
 * 1:38781 <-> ENABLED <-> OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt (os-windows.rules)
 * 1:38780 <-> ENABLED <-> OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt (os-windows.rules)
 * 1:38779 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38778 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38777 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:38776 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:38775 <-> ENABLED <-> OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt (os-windows.rules)
 * 1:38774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt (os-windows.rules)
 * 1:38773 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt (browser-ie.rules)
 * 1:38772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt (browser-ie.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38767 <-> DISABLED <-> INDICATOR-COMPROMISE potential abuse of originating page privileges by new tab (indicator-compromise.rules)
 * 1:38766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt (os-windows.rules)
 * 1:38765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt (os-windows.rules)
 * 1:38764 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt (browser-ie.rules)
 * 1:38763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt (browser-ie.rules)
 * 1:38762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt (os-windows.rules)
 * 1:38761 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt (os-windows.rules)
 * 1:38760 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt (os-windows.rules)
 * 1:38759 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt (os-windows.rules)
 * 3:38834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:34348 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit payload download (exploit-kit.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)

2016-05-10 18:08:02 UTC

Snort Subscriber Rules Update

Date: 2016-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2980.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38759 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt (os-windows.rules)
 * 1:38760 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt (os-windows.rules)
 * 1:38761 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt (os-windows.rules)
 * 1:38762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt (os-windows.rules)
 * 1:38763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt (browser-ie.rules)
 * 1:38764 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt (browser-ie.rules)
 * 1:38765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt (os-windows.rules)
 * 1:38766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt (os-windows.rules)
 * 1:38767 <-> DISABLED <-> INDICATOR-COMPROMISE potential abuse of originating page privileges by new tab (indicator-compromise.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt (browser-ie.rules)
 * 1:38773 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt (browser-ie.rules)
 * 1:38774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt (os-windows.rules)
 * 1:38775 <-> ENABLED <-> OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt (os-windows.rules)
 * 1:38776 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:38777 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:38778 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38779 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38780 <-> ENABLED <-> OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt (os-windows.rules)
 * 1:38781 <-> ENABLED <-> OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt (os-windows.rules)
 * 1:38782 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt (file-office.rules)
 * 1:38783 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt (file-office.rules)
 * 1:38784 <-> ENABLED <-> MALWARE-CNC CryptXXX initial outbound connection (malware-cnc.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt (os-windows.rules)
 * 1:38788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt (os-windows.rules)
 * 1:38789 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38790 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38791 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38792 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt (file-flash.rules)
 * 1:38793 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt (file-flash.rules)
 * 1:38794 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript use after free attempt (file-pdf.rules)
 * 1:38795 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript use after free attempt (file-pdf.rules)
 * 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules)
 * 1:38797 <-> ENABLED <-> BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt (browser-ie.rules)
 * 1:38798 <-> ENABLED <-> BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt (browser-ie.rules)
 * 1:38799 <-> ENABLED <-> FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt (file-pdf.rules)
 * 1:38800 <-> ENABLED <-> FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt (file-pdf.rules)
 * 1:38801 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt (os-windows.rules)
 * 1:38802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt (os-windows.rules)
 * 1:38803 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38807 <-> DISABLED <-> SERVER-WEBAPP PHP-Address remote file include attempt (server-webapp.rules)
 * 1:38808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt (os-windows.rules)
 * 1:38809 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt (os-windows.rules)
 * 1:38810 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38811 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38812 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38813 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38814 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38815 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38816 <-> DISABLED <-> FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt (file-other.rules)
 * 1:38817 <-> DISABLED <-> FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt (file-other.rules)
 * 1:38818 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected (file-pdf.rules)
 * 1:38819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt (file-pdf.rules)
 * 1:38820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected (file-pdf.rules)
 * 1:38821 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt (file-pdf.rules)
 * 1:38822 <-> DISABLED <-> POLICY-OTHER PDF containing XDP structure download detected (policy-other.rules)
 * 1:38823 <-> DISABLED <-> POLICY-OTHER PDF containing XDP structure download detected (policy-other.rules)
 * 1:38824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt (file-flash.rules)
 * 1:38847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt (file-flash.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38844 <-> DISABLED <-> FILE-PDF Adobe Reader javascript replace integer overflow attempt (file-pdf.rules)
 * 1:38843 <-> DISABLED <-> FILE-PDF Adobe Reader javascript replace integer overflow attempt (file-pdf.rules)
 * 1:38842 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:38841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:38840 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38839 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt (file-flash.rules)
 * 1:38837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt (file-flash.rules)
 * 1:38836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38833 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt (browser-ie.rules)
 * 1:38830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38828 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt (browser-ie.rules)
 * 1:38826 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 3:38834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:34348 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit payload download (exploit-kit.rules)

2016-05-10 18:08:02 UTC

Snort Subscriber Rules Update

Date: 2016-05-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:38830 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38836 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38831 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38838 <-> ENABLED <-> FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt (file-flash.rules)
 * 1:38839 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38833 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38848 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt (file-flash.rules)
 * 1:38846 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38847 <-> ENABLED <-> FILE-FLASH Adobe Flash Player loadSound method use-after-free memory corruption attempt (file-flash.rules)
 * 1:38844 <-> DISABLED <-> FILE-PDF Adobe Reader javascript replace integer overflow attempt (file-pdf.rules)
 * 1:38843 <-> DISABLED <-> FILE-PDF Adobe Reader javascript replace integer overflow attempt (file-pdf.rules)
 * 1:38840 <-> DISABLED <-> OS-WINDOWS Microsoft Windows RPC NDR64 denial of service attempt (os-windows.rules)
 * 1:38841 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:38832 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ContentFactory memory corruption attempt (file-flash.rules)
 * 1:38837 <-> ENABLED <-> FILE-FLASH Adobe Flash Player faulty x64 support out of bounds read attempt (file-flash.rules)
 * 1:38761 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt (os-windows.rules)
 * 1:38759 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt (os-windows.rules)
 * 1:38842 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript toString redim array use after free attempt (browser-ie.rules)
 * 1:38845 <-> DISABLED <-> FILE-PDF Adobe Reader out of bounds memory access violation attempt (file-pdf.rules)
 * 1:38835 <-> ENABLED <-> FILE-FLASH Adobe Flash Player bitmap heap overflow attempt (file-flash.rules)
 * 1:38760 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k window handle use after free attempt (os-windows.rules)
 * 1:38762 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys font object use after free attempt (os-windows.rules)
 * 1:38763 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt (browser-ie.rules)
 * 1:38764 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll null pointer dereference attempt (browser-ie.rules)
 * 1:38765 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt (os-windows.rules)
 * 1:38766 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Dxgkrnl.sys RtlMemoryCopy buffer overflow attempt (os-windows.rules)
 * 1:38767 <-> DISABLED <-> INDICATOR-COMPROMISE potential abuse of originating page privileges by new tab (indicator-compromise.rules)
 * 1:38768 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38769 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38770 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38771 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CreateColorSpace vulnerability attempt (browser-ie.rules)
 * 1:38772 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt (browser-ie.rules)
 * 1:38773 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer EMF file integer overflow attempt (browser-ie.rules)
 * 1:38774 <-> ENABLED <-> OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt (os-windows.rules)
 * 1:38775 <-> ENABLED <-> OS-WINDOWS Microsoft Windows device content surface bitmap use after free attempt (os-windows.rules)
 * 1:38776 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:38777 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer uninitialized pointer attempt (browser-ie.rules)
 * 1:38778 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38779 <-> ENABLED <-> FILE-OTHER Microsoft Windows Media Center link file remote code execution attempt (file-other.rules)
 * 1:38780 <-> ENABLED <-> OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt (os-windows.rules)
 * 1:38781 <-> ENABLED <-> OS-WINDOWS Microsoft Internet Explorer VerifyFile information disclosure attempt (os-windows.rules)
 * 1:38782 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt (file-office.rules)
 * 1:38783 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word TTF out-of-bounds memory access attempt (file-office.rules)
 * 1:38784 <-> ENABLED <-> MALWARE-CNC CryptXXX initial outbound connection (malware-cnc.rules)
 * 1:38785 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38786 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel BOF memory disclosure attempt (file-office.rules)
 * 1:38787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt (os-windows.rules)
 * 1:38788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Context bitmap use after free attempt (os-windows.rules)
 * 1:38789 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38790 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38791 <-> ENABLED <-> SERVER-WEBAPP Oracle application testing suite DownloadServlet directory traversal attempt (server-webapp.rules)
 * 1:38792 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt (file-flash.rules)
 * 1:38793 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ASSetNativeAccessor use after free attempt (file-flash.rules)
 * 1:38794 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript use after free attempt (file-pdf.rules)
 * 1:38795 <-> ENABLED <-> FILE-PDF Adobe Reader XFA javascript use after free attempt (file-pdf.rules)
 * 1:38796 <-> DISABLED <-> SERVER-OTHER Adroit denial of service attempt (server-other.rules)
 * 1:38797 <-> ENABLED <-> BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt (browser-ie.rules)
 * 1:38798 <-> ENABLED <-> BROWSER-IE Microsoft Edge graphics subcomponent use after free attempt (browser-ie.rules)
 * 1:38799 <-> ENABLED <-> FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt (file-pdf.rules)
 * 1:38800 <-> ENABLED <-> FILE-PDF Adobe Acrobat FileAttachment use-after-free attempt (file-pdf.rules)
 * 1:38801 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt (os-windows.rules)
 * 1:38802 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiGetEmbUFI kernel information disclosure attempt (os-windows.rules)
 * 1:38803 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38804 <-> DISABLED <-> OS-WINDOWS Microsoft Windows kernel Configuration Manager failure attempt (os-windows.rules)
 * 1:38805 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38806 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array.prototype.fill out of bounds write attempt (browser-ie.rules)
 * 1:38807 <-> DISABLED <-> SERVER-WEBAPP PHP-Address remote file include attempt (server-webapp.rules)
 * 1:38808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt (os-windows.rules)
 * 1:38809 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys device context use after free attempt (os-windows.rules)
 * 1:38810 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38811 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38812 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38813 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38814 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38815 <-> DISABLED <-> FILE-OFFICE Microsoft Office wwlib out of bounds memory access attempt (file-office.rules)
 * 1:38816 <-> DISABLED <-> FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt (file-other.rules)
 * 1:38817 <-> DISABLED <-> FILE-OTHER Microsoft Windows gdi32 malformed EMF file ExtEscape buffer overflow attempt (file-other.rules)
 * 1:38818 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected (file-pdf.rules)
 * 1:38819 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt (file-pdf.rules)
 * 1:38820 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak - possible code instrumentation detected (file-pdf.rules)
 * 1:38821 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA engine memory leak ASLR bypass attempt (file-pdf.rules)
 * 1:38822 <-> DISABLED <-> POLICY-OTHER PDF containing XDP structure download detected (policy-other.rules)
 * 1:38823 <-> DISABLED <-> POLICY-OTHER PDF containing XDP structure download detected (policy-other.rules)
 * 1:38824 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38825 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38827 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 1:38828 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt (browser-ie.rules)
 * 1:38829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer BooleanProtoObj objects JSONStringifyArray use-after-free attempt (browser-ie.rules)
 * 1:38826 <-> ENABLED <-> FILE-FLASH Adobe Flash Player removeMovieClip callback use after free attempt (file-flash.rules)
 * 3:38834 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Locky variant outbound connection attempt (malware-cnc.rules)

Modified Rules:

 * 1:36316 <-> DISABLED <-> FILE-FLASH Adobe Flash Player URI loaded MP4 potential information leak attempt (file-flash.rules)
 * 1:38037 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)
 * 1:38744 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38743 <-> ENABLED <-> FILE-IMAGE ImageMagick WWWDecodeDelegate command injection attempt (file-image.rules)
 * 1:38729 <-> ENABLED <-> SERVER-OTHER Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt (server-other.rules)
 * 1:34348 <-> DISABLED <-> EXPLOIT-KIT Angler exploit kit payload download (exploit-kit.rules)
 * 1:38044 <-> DISABLED <-> POLICY-OTHER PDF containing AcroForm key download detected (policy-other.rules)