Talos Rules 2016-07-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-084: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 38112 through 38113.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 39484 through 39487, 39491 through 39492, 39499 through 39500, and 39510 through 39515.

Microsoft Security Bulletin MS16-085: A coding deficiency exists in Microsoft Edge that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39493 through 39494 and 39505 through 39507.

Microsoft Security Bulletin MS16-088: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 16234, 18545, 18548, and 25631.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 39503 through 39504 and 39518 through 39525.

Microsoft Security Bulletin MS16-090: A coding deficiency exists in Microsoft Kernel-Mode drivers that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 39478 through 39483, 39495 through 39496, 39508 through 39509, and 39516 through 39517.

Talos has added and modified multiple rules in the browser-ie, file-office, file-pdf, indicator-obfuscation, malware-cnc and policy-other rule sets to provide coverage for emerging threats from these technologies.

Change logs

2016-07-12 19:54:17 UTC

Snort Subscriber Rules Update

Date: 2016-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
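The one-line format above is regular enough to parse, which lets a deployment cross-check the SID ranges claimed in the bulletin summary against what the changelog actually lists, and flag rules that ship DISABLED by default. The following is an added example written for this page, not Talos tooling or any Snort project code; the sample changelog lines are copied from the listing on this page, and the range-string grammar ("N through M", comma and "and" separated) is assumed to match the wording used in the summary.

```python
import re
from dataclasses import dataclass

# Sample input: a handful of lines in the shape of the changelog on this page.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:39487 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39486 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39485 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39484 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 3:37502 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)
"""

# gid:sid <-> Default rule state <-> Message (rule group)
LINE_RE = re.compile(
    r"^\s*\*\s*(\d+):(\d+)\s*<->\s*(ENABLED|DISABLED)\s*<->\s*(.*?)\s*\((\S+\.rules)\)\s*$"
)

# "39484 through 39487, 39491 through 39492" or "16234, 18545, and 25631"
RANGE_RE = re.compile(r"(\d+)(?:\s+through\s+(\d+))?")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str      # ENABLED or DISABLED (default policy state)
    message: str
    group: str      # e.g. browser-ie.rules


def parse_changelog(text):
    """Return one RuleEntry per rule line; headings and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(RuleEntry(int(m[1]), int(m[2]), m[3], m[4], m[5]))
    return entries


def expand_sid_ranges(spec):
    """Expand a summary-style SID list ("A through B, C, and D") into a set of ints."""
    sids = set()
    for lo, hi in RANGE_RE.findall(spec):
        lo = int(lo)
        hi = int(hi) if hi else lo
        if hi < lo:
            raise ValueError(f"inverted range {lo} through {hi}")
        sids.update(range(lo, hi + 1))
    return sids


def check_coverage(entries, gid, spec):
    """Compare the SIDs a bulletin summary claims with what the changelog lists.

    Returns the SIDs that are missing from the changelog and the SIDs that are
    present but DISABLED by default (they need enabling in the local policy).
    """
    by_sid = {e.sid: e for e in entries if e.gid == gid}
    wanted = expand_sid_ranges(spec)
    missing = sorted(wanted - by_sid.keys())
    disabled = sorted(s for s in wanted & by_sid.keys() if by_sid[s].state == "DISABLED")
    return {"missing": missing, "disabled": disabled}


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    # The MS16-084 claim, restricted to the SIDs present in the sample above.
    print(check_coverage(rules, 1, "39484 through 39487, 39491 through 39492"))
```

Run against a full changelog, a non-empty `missing` list means the summary and the listing disagree and is worth a support ticket; a non-empty `disabled` list is the expected case for rules that Talos ships off by default, and those SIDs will not alert until the local policy enables them.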

New Rules:


 * 1:39529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt malicious RTF download attempt (malware-cnc.rules)
 * 1:39528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt malicious RTF download attempt (malware-cnc.rules)
 * 1:39527 <-> ENABLED <-> FILE-OFFICE RTF document incorrect file magic attempt (file-office.rules)
 * 1:39526 <-> ENABLED <-> FILE-OFFICE RTF document incorrect file magic attempt (file-office.rules)
 * 1:39525 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:39524 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:39523 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39521 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39520 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt (file-office.rules)
 * 1:39518 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt (file-office.rules)
 * 1:39517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt (os-windows.rules)
 * 1:39516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt (os-windows.rules)
 * 1:39515 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39514 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt (browser-ie.rules)
 * 1:39512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt (browser-ie.rules)
 * 1:39511 <-> DISABLED <-> BROWSER-IE Microsoft Edge bypassing window.opener protection attempt (browser-ie.rules)
 * 1:39510 <-> DISABLED <-> BROWSER-IE Microsoft Edge bypassing window.opener protection attempt (browser-ie.rules)
 * 1:39509 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt (os-windows.rules)
 * 1:39508 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt (os-windows.rules)
 * 1:39507 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt (browser-ie.rules)
 * 1:39506 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt (browser-ie.rules)
 * 1:39505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Edge text node table-cell use after free attempt (browser-ie.rules)
 * 1:39504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt (file-office.rules)
 * 1:39503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt (file-office.rules)
 * 1:39502 <-> DISABLED <-> POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected (policy-other.rules)
 * 1:39501 <-> DISABLED <-> POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected (policy-other.rules)
 * 1:39500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt (browser-ie.rules)
 * 1:39499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt (browser-ie.rules)
 * 1:39498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39496 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt (os-windows.rules)
 * 1:39495 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt (os-windows.rules)
 * 1:39494 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt (browser-ie.rules)
 * 1:39493 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt (browser-ie.rules)
 * 1:39492 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt (browser-ie.rules)
 * 1:39491 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt (browser-ie.rules)
 * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules)
 * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules)
 * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:39487 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39486 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39485 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39484 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39483 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt (os-windows.rules)
 * 1:39482 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt (os-windows.rules)
 * 1:39481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k out of bound read attempt (os-windows.rules)
 * 1:39480 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k out of bound read attempt (os-windows.rules)
 * 1:39479 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt (os-windows.rules)
 * 1:39478 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:16234 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Document remote code execution attempt (file-office.rules)
 * 1:18545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file transfer (file-office.rules)
 * 1:18548 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment (file-office.rules)
 * 1:25631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Document remote code execution attempt (file-office.rules)
 * 1:38112 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:38113 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:37502 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)
 * 3:37501 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)

2016-07-12 19:54:17 UTC

Snort Subscriber Rules Update

Date: 2016-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2982.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Edge text node table-cell use after free attempt (browser-ie.rules)
 * 1:39496 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt (os-windows.rules)
 * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules)
 * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules)
 * 1:39487 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:39485 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39486 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39483 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt (os-windows.rules)
 * 1:39484 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k out of bound read attempt (os-windows.rules)
 * 1:39482 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt (os-windows.rules)
 * 1:39479 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt (os-windows.rules)
 * 1:39480 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k out of bound read attempt (os-windows.rules)
 * 1:39478 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt (os-windows.rules)
 * 1:39492 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt (browser-ie.rules)
 * 1:39494 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt (browser-ie.rules)
 * 1:39495 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt (os-windows.rules)
 * 1:39497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt (browser-ie.rules)
 * 1:39500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt (browser-ie.rules)
 * 1:39501 <-> DISABLED <-> POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected (policy-other.rules)
 * 1:39502 <-> DISABLED <-> POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected (policy-other.rules)
 * 1:39503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt (file-office.rules)
 * 1:39504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt (file-office.rules)
 * 1:39506 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt (browser-ie.rules)
 * 1:39507 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt (browser-ie.rules)
 * 1:39508 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt (os-windows.rules)
 * 1:39509 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt (os-windows.rules)
 * 1:39510 <-> DISABLED <-> BROWSER-IE Microsoft Edge bypassing window.opener protection attempt (browser-ie.rules)
 * 1:39511 <-> DISABLED <-> BROWSER-IE Microsoft Edge bypassing window.opener protection attempt (browser-ie.rules)
 * 1:39512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt (browser-ie.rules)
 * 1:39513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt (browser-ie.rules)
 * 1:39514 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt (os-windows.rules)
 * 1:39515 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt (os-windows.rules)
 * 1:39518 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt (file-office.rules)
 * 1:39519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt (file-office.rules)
 * 1:39521 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39520 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39523 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39493 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt (browser-ie.rules)
 * 1:39529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt malicious RTF download attempt (malware-cnc.rules)
 * 1:39528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt malicious RTF download attempt (malware-cnc.rules)
 * 1:39527 <-> ENABLED <-> FILE-OFFICE RTF document incorrect file magic attempt (file-office.rules)
 * 1:39525 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:39526 <-> ENABLED <-> FILE-OFFICE RTF document incorrect file magic attempt (file-office.rules)
 * 1:39491 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt (browser-ie.rules)
 * 1:39524 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)

Modified Rules:


 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:38112 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:38113 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:18548 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment (file-office.rules)
 * 1:25631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Document remote code execution attempt (file-office.rules)
 * 1:16234 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Document remote code execution attempt (file-office.rules)
 * 1:18545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file transfer (file-office.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:37501 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)
 * 3:37502 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)

2016-07-12 19:54:17 UTC

Snort Subscriber Rules Update

Date: 2016-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:39529 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt malicious RTF download attempt (malware-cnc.rules)
 * 1:39527 <-> ENABLED <-> FILE-OFFICE RTF document incorrect file magic attempt (file-office.rules)
 * 1:39492 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt (browser-ie.rules)
 * 1:39494 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt (browser-ie.rules)
 * 1:39505 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Edge text node table-cell use after free attempt (browser-ie.rules)
 * 1:39496 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt (os-windows.rules)
 * 1:39495 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys desktop switch use after free attempt (os-windows.rules)
 * 1:39499 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt (browser-ie.rules)
 * 1:39500 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer mshtml.dll invalid resize use after free attempt (browser-ie.rules)
 * 1:39501 <-> DISABLED <-> POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected (policy-other.rules)
 * 1:39502 <-> DISABLED <-> POLICY-OTHER Google Chromium ClusterFuzz fuzzer generated code detected (policy-other.rules)
 * 1:39498 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39497 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer header tag HTML injection remote code execution attempt (browser-ie.rules)
 * 1:39503 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt (file-office.rules)
 * 1:39504 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out-of-bounds memory access attempt (file-office.rules)
 * 1:39506 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt (browser-ie.rules)
 * 1:39507 <-> ENABLED <-> BROWSER-IE Microsoft Edge ArrayBuffer.transfer information disclosure attempt (browser-ie.rules)
 * 1:39508 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt (os-windows.rules)
 * 1:39509 <-> ENABLED <-> OS-WINDOWS Microsoft Windows EndDeferWindowPos null page dereference attempt (os-windows.rules)
 * 1:39510 <-> DISABLED <-> BROWSER-IE Microsoft Edge bypassing window.opener protection attempt (browser-ie.rules)
 * 1:39511 <-> DISABLED <-> BROWSER-IE Microsoft Edge bypassing window.opener protection attempt (browser-ie.rules)
 * 1:39512 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt (browser-ie.rules)
 * 1:39513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer IE7 compatibility mode attempt (browser-ie.rules)
 * 1:39514 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt (os-windows.rules)
 * 1:39515 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textTransform out-of-bounds memory access attempt (browser-ie.rules)
 * 1:39517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys out of bounds read attempt (os-windows.rules)
 * 1:39490 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules)
 * 1:39489 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript fromCharCode with mixed number bases - potential attack (indicator-obfuscation.rules)
 * 1:39486 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39487 <-> ENABLED <-> BROWSER-IE Microsoft Edge chakra.dll invalid pointer access attempt (browser-ie.rules)
 * 1:39488 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:39481 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k out of bound read attempt (os-windows.rules)
 * 1:39485 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39483 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt (os-windows.rules)
 * 1:39484 <-> DISABLED <-> BROWSER-IE Microsoft Edge DWrite.dll out of bounds read attempt (browser-ie.rules)
 * 1:39480 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k out of bound read attempt (os-windows.rules)
 * 1:39482 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtUserDraw privilege escalation attempt (os-windows.rules)
 * 1:39479 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt (os-windows.rules)
 * 1:39478 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtGdiSelectPen privilege escalation attempt (os-windows.rules)
 * 1:39491 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Dxtrans table element use after free attempt (browser-ie.rules)
 * 1:39518 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt (file-office.rules)
 * 1:39519 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word wwlib out of bounds memory access attempt (file-office.rules)
 * 1:39520 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39522 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39523 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39521 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word unsupported XML schema out of bounds read attempt (file-office.rules)
 * 1:39493 <-> ENABLED <-> BROWSER-IE Microsoft Edge edgehtml negative length out of bound memory copy attempt (browser-ie.rules)
 * 1:39524 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:39525 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel empty bookViews element denial of service attempt (file-office.rules)
 * 1:39528 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Neurevt malicious RTF download attempt (malware-cnc.rules)
 * 1:39526 <-> ENABLED <-> FILE-OFFICE RTF document incorrect file magic attempt (file-office.rules)

Modified Rules:


 * 1:38112 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:25631 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Document remote code execution attempt (file-office.rules)
 * 1:39255 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:15362 <-> DISABLED <-> INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack (indicator-obfuscation.rules)
 * 1:16234 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word Document remote code execution attempt (file-office.rules)
 * 1:39254 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:18545 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file transfer (file-office.rules)
 * 1:18548 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel with embedded Flash file attachment (file-office.rules)
 * 1:38113 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer addRow out-of-bounds read attempt (browser-ie.rules)
 * 1:39257 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39258 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39259 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39256 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39242 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39243 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39244 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39246 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39245 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39247 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39248 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39249 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39251 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39250 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39253 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 1:39252 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Typed Array use after free attempt (browser-ie.rules)
 * 3:37502 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)
 * 3:37501 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0092 attack attempt (file-pdf.rules)