Talos Rules 2016-10-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS16-118: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40364 through 40365, 40372 through 40375, 40378 through 40379, 40385 through 40386, 40396 through 40397, and 40420 through 40421.

Microsoft Security Bulletin MS16-119: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40366 through 40367, 40370 through 40371, 40383 through 40384, 40404 through 40405, 40420 through 40421, and 40423 through 40424.

Microsoft Security Bulletin MS16-120: A coding deficiency exists in the Microsoft Graphics Component that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 39824 through 39825.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 40408 through 40411 and 40425 through 40428.

Microsoft Security Bulletin MS16-121: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40368 through 40369.

Microsoft Security Bulletin MS16-123: A coding deficiency exists in a Microsoft Kernel mode driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40376 through 40377, 40380 through 40381, 40392 through 40393, and 40418 through 40419.

Microsoft Security Bulletin MS16-124: A coding deficiency exists in the Microsoft Windows Registry that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40394 through 40395, 40400 through 40403, and 40412 through 40413.

Microsoft Security Bulletin MS16-125: A coding deficiency exists in the Microsoft Diagnostic Hub that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40398 through 40399.

Microsoft Security Bulletin MS16-126: Microsoft Internet Explorer suffers from programming errors that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 40364 through 40365.

Talos has also added and modified multiple rules in the browser-firefox, browser-ie, browser-other, browser-plugins, deleted, exploit-kit, file-flash, file-identify, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, os-windows, protocol-dns, protocol-ftp, server-apache and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2016-10-11 19:13:03 UTC

Snort Subscriber Rules Update

Date: 2016-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40409 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file RCVT out of bounds read attempt (file-other.rules)
 * 1:40407 <-> DISABLED <-> DELETED OS-WINDOWS 6ca2bcd7-66af-46db-b547-8315d2d8df13 (deleted.rules)
 * 1:40405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:40406 <-> DISABLED <-> DELETED OS-WINDOWS a2b4478d-c21d-4b9f-9e4e-eaa898e23748 (deleted.rules)
 * 1:40403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user hive impersonation privelege escalation attempt (os-windows.rules)
 * 1:40404 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:40401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 arbitrary registry key access privelege escalation attempt (os-windows.rules)
 * 1:40402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user hive impersonation privelege escalation attempt (os-windows.rules)
 * 1:40399 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub dll load from stream attempt (os-windows.rules)
 * 1:40400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 arbitrary registry key access privelege escalation attempt (os-windows.rules)
 * 1:40397 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Edge DACL privilege escalation attempt (os-windows.rules)
 * 1:40398 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub dll load from stream attempt (os-windows.rules)
 * 1:40395 <-> ENABLED <-> OS-WINDOWS Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:40396 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Edge DACL privilege escalation attempt (os-windows.rules)
 * 1:40393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl privilege escalation attempt (os-windows.rules)
 * 1:40394 <-> ENABLED <-> OS-WINDOWS Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:40391 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file download request (file-identify.rules)
 * 1:40392 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl privilege escalation attempt (os-windows.rules)
 * 1:40389 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file attachment detected (file-identify.rules)
 * 1:40390 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file magic detected (file-identify.rules)
 * 1:40387 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file magic detected (file-identify.rules)
 * 1:40388 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file attachment detected (file-identify.rules)
 * 1:40383 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40386 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
 * 1:40385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
 * 1:40384 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40381 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
 * 1:40382 <-> DISABLED <-> SERVER-OTHER Easy File Sharing Server remote code execution attempt (server-other.rules)
 * 1:40379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe type confusion attempt (browser-ie.rules)
 * 1:40380 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
 * 1:40377 <-> DISABLED <-> OS-WINDOWS Microsoft GDI local privilege escalation attempt (os-windows.rules)
 * 1:40378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe type confusion attempt (browser-ie.rules)
 * 1:40375 <-> ENABLED <-> OS-WINDOWS Microsoft Windows insecure BoundaryDescriptor privilege escalation attempt (os-windows.rules)
 * 1:40376 <-> DISABLED <-> OS-WINDOWS Microsoft GDI local privilege escalation attempt (os-windows.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40353 <-> DISABLED <-> SERVER-OTHER Linknat Vos Manager potential directory traversal attempt (server-other.rules)
 * 1:40354 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Runtime malformed ASF codec memory corruption attempt (os-windows.rules)
 * 1:40355 <-> DISABLED <-> PROTOCOL-FTP z/OS FTP Job Entry Subsystem JCL execution attempt (protocol-ftp.rules)
 * 1:40356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.InstantAccess variant outbound connection (malware-cnc.rules)
 * 1:40357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.InstantAccess variant outbound connection (malware-cnc.rules)
 * 1:40358 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 1301 remote code execution attempt (server-other.rules)
 * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (server-apache.rules)
 * 1:40360 <-> ENABLED <-> SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt (server-other.rules)
 * 1:40361 <-> DISABLED <-> BROWSER-OTHER Android Browser potential denial of service attempt (browser-other.rules)
 * 1:40362 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNS duplicate cookie denial of service attempt (protocol-dns.rules)
 * 1:40363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox CSP report-uri arbitrary file write attempt (browser-firefox.rules)
 * 1:40364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40365 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40366 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40370 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40371 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40372 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge emodel use after free attempt (browser-ie.rules)
 * 1:40373 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge emodel use after free attempt (browser-ie.rules)
 * 1:40374 <-> ENABLED <-> OS-WINDOWS Microsoft Windows insecure BoundaryDescriptor privilege escalation attempt (os-windows.rules)
 * 1:40428 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys sbit_Embolden use after free attempt (os-windows.rules)
 * 1:40427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys sbit_Embolden use after free attempt (os-windows.rules)
 * 1:40426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overread attempt (os-windows.rules)
 * 1:40425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overread attempt (os-windows.rules)
 * 1:40424 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge function.apply use afterfree attempt (browser-ie.rules)
 * 1:40423 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge function.apply use afterfree attempt (browser-ie.rules)
 * 1:40422 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 4115 remote code execution attempt (server-other.rules)
 * 1:40421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DFS client driver privilege escalation attempt (os-windows.rules)
 * 1:40418 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DFS client driver privilege escalation attempt (os-windows.rules)
 * 1:40417 <-> DISABLED <-> DELETED FILE-OTHER 71617d78-897a-4c86-8554-32f4bfbd1541 (deleted.rules)
 * 1:40416 <-> DISABLED <-> DELETED FILE-OTHER 6195c8d8-fd1e-4aca-bcd3-79ef7f3266f9 (deleted.rules)
 * 1:40415 <-> DISABLED <-> DELETED FILE-OTHER 558ddb9b-ed9c-41e3-b541-7aca6b028d03 (deleted.rules)
 * 1:40414 <-> DISABLED <-> DELETED FILE-OTHER 1a757a82-e018-4f13-9104-4e7dafaf0538 (deleted.rules)
 * 1:40413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows registry hive privilege escalation attempt (os-windows.rules)
 * 1:40412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows registry hive privilege escalation attempt (os-windows.rules)
 * 1:40411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys ExtTextOut memory corruption attempt (os-windows.rules)
 * 1:40410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys ExtTextOut memory corruption attempt (os-windows.rules)
 * 1:40408 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file RCVT out of bounds read attempt (file-other.rules)
 * 3:40430 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0201 attack attempt (file-pdf.rules)
 * 3:40429 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0201 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:28851 <-> ENABLED <-> SERVER-OTHER JBoss EJBInvokerServlet remote code execution attempt (server-other.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39824 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use after free attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use after free attempt (browser-ie.rules)
 * 1:32429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:32428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:29909 <-> ENABLED <-> SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt (server-other.rules)
 * 1:16158 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Runtime malformed ASF codec memory corruption attempt (os-windows.rules)

2016-10-11 19:13:03 UTC

Snort Subscriber Rules Update

Date: 2016-10-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:40428 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys sbit_Embolden use after free attempt (os-windows.rules)
 * 1:40427 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k.sys sbit_Embolden use after free attempt (os-windows.rules)
 * 1:40426 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overread attempt (os-windows.rules)
 * 1:40425 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI+ EMF buffer overread attempt (os-windows.rules)
 * 1:40424 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge function.apply use afterfree attempt (browser-ie.rules)
 * 1:40423 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge function.apply use afterfree attempt (browser-ie.rules)
 * 1:40422 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 4115 remote code execution attempt (server-other.rules)
 * 1:40421 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40420 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer readyState property information disclosure attempt (browser-ie.rules)
 * 1:40419 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DFS client driver privilege escalation attempt (os-windows.rules)
 * 1:40418 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DFS client driver privilege escalation attempt (os-windows.rules)
 * 1:40417 <-> DISABLED <-> DELETED FILE-OTHER 71617d78-897a-4c86-8554-32f4bfbd1541 (deleted.rules)
 * 1:40416 <-> DISABLED <-> DELETED FILE-OTHER 6195c8d8-fd1e-4aca-bcd3-79ef7f3266f9 (deleted.rules)
 * 1:40415 <-> DISABLED <-> DELETED FILE-OTHER 558ddb9b-ed9c-41e3-b541-7aca6b028d03 (deleted.rules)
 * 1:40414 <-> DISABLED <-> DELETED FILE-OTHER 1a757a82-e018-4f13-9104-4e7dafaf0538 (deleted.rules)
 * 1:40413 <-> ENABLED <-> OS-WINDOWS Microsoft Windows registry hive privilege escalation attempt (os-windows.rules)
 * 1:40412 <-> ENABLED <-> OS-WINDOWS Microsoft Windows registry hive privilege escalation attempt (os-windows.rules)
 * 1:40411 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys ExtTextOut memory corruption attempt (os-windows.rules)
 * 1:40410 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys ExtTextOut memory corruption attempt (os-windows.rules)
 * 1:40409 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file RCVT out of bounds read attempt (file-other.rules)
 * 1:40408 <-> ENABLED <-> FILE-OTHER Microsoft Windows malformed TrueType file RCVT out of bounds read attempt (file-other.rules)
 * 1:40407 <-> DISABLED <-> DELETED OS-WINDOWS 6ca2bcd7-66af-46db-b547-8315d2d8df13 (deleted.rules)
 * 1:40406 <-> DISABLED <-> DELETED OS-WINDOWS a2b4478d-c21d-4b9f-9e4e-eaa898e23748 (deleted.rules)
 * 1:40405 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:40404 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer eval type confusion attempt (browser-ie.rules)
 * 1:40403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user hive impersonation privelege escalation attempt (os-windows.rules)
 * 1:40402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows user hive impersonation privelege escalation attempt (os-windows.rules)
 * 1:40401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 arbitrary registry key access privelege escalation attempt (os-windows.rules)
 * 1:40400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 arbitrary registry key access privelege escalation attempt (os-windows.rules)
 * 1:40399 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub dll load from stream attempt (os-windows.rules)
 * 1:40398 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Diagnostics Hub dll load from stream attempt (os-windows.rules)
 * 1:40397 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Edge DACL privilege escalation attempt (os-windows.rules)
 * 1:40396 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Edge DACL privilege escalation attempt (os-windows.rules)
 * 1:40395 <-> ENABLED <-> OS-WINDOWS Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:40394 <-> ENABLED <-> OS-WINDOWS Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:40393 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl privilege escalation attempt (os-windows.rules)
 * 1:40392 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl privilege escalation attempt (os-windows.rules)
 * 1:40391 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file download request (file-identify.rules)
 * 1:40390 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file magic detected (file-identify.rules)
 * 1:40389 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file attachment detected (file-identify.rules)
 * 1:40388 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file attachment detected (file-identify.rules)
 * 1:40387 <-> ENABLED <-> FILE-IDENTIFY Windows registry hive file magic detected (file-identify.rules)
 * 1:40386 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
 * 1:40385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer vbscript variable type confusion attempt (browser-ie.rules)
 * 1:40384 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40383 <-> ENABLED <-> BROWSER-IE Microsoft Edge array.join information disclosure attempt (browser-ie.rules)
 * 1:40382 <-> DISABLED <-> SERVER-OTHER Easy File Sharing Server remote code execution attempt (server-other.rules)
 * 1:40381 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
 * 1:40380 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32kfull.sys FBitsTouch use after free attempt (os-windows.rules)
 * 1:40379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe type confusion attempt (browser-ie.rules)
 * 1:40378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer iframe type confusion attempt (browser-ie.rules)
 * 1:40377 <-> DISABLED <-> OS-WINDOWS Microsoft GDI local privilege escalation attempt (os-windows.rules)
 * 1:40376 <-> DISABLED <-> OS-WINDOWS Microsoft GDI local privilege escalation attempt (os-windows.rules)
 * 1:40375 <-> ENABLED <-> OS-WINDOWS Microsoft Windows insecure BoundaryDescriptor privilege escalation attempt (os-windows.rules)
 * 1:40374 <-> ENABLED <-> OS-WINDOWS Microsoft Windows insecure BoundaryDescriptor privilege escalation attempt (os-windows.rules)
 * 1:40373 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge emodel use after free attempt (browser-ie.rules)
 * 1:40372 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge emodel use after free attempt (browser-ie.rules)
 * 1:40371 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40370 <-> ENABLED <-> BROWSER-IE Microsoft Edge spread operator memory corruption attempt (browser-ie.rules)
 * 1:40369 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40368 <-> ENABLED <-> FILE-OFFICE Microsoft Word RTF file parsing buffer overflow attempt (file-office.rules)
 * 1:40367 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40366 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ArraySpeciesCreate type confusion attempt (browser-ie.rules)
 * 1:40365 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox CSP report-uri arbitrary file write attempt (browser-firefox.rules)
 * 1:40362 <-> DISABLED <-> PROTOCOL-DNS ISC BIND DNS duplicate cookie denial of service attempt (protocol-dns.rules)
 * 1:40361 <-> DISABLED <-> BROWSER-OTHER Android Browser potential denial of service attempt (browser-other.rules)
 * 1:40360 <-> ENABLED <-> SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt (server-other.rules)
 * 1:40359 <-> ENABLED <-> SERVER-APACHE Apache Struts xslt.location local file inclusion attempt (server-apache.rules)
 * 1:40358 <-> ENABLED <-> SERVER-OTHER IBM Tivoli Storage Manager FastBack opcode 1301 remote code execution attempt (server-other.rules)
 * 1:40357 <-> ENABLED <-> MALWARE-CNC Win.Trojan.InstantAccess variant outbound connection (malware-cnc.rules)
 * 1:40356 <-> ENABLED <-> MALWARE-CNC Win.Trojan.InstantAccess variant outbound connection (malware-cnc.rules)
 * 1:40355 <-> DISABLED <-> PROTOCOL-FTP z/OS FTP Job Entry Subsystem JCL execution attempt (protocol-ftp.rules)
 * 1:40354 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Runtime malformed ASF codec memory corruption attempt (os-windows.rules)
 * 1:40353 <-> DISABLED <-> SERVER-OTHER Linknat Vos Manager potential directory traversal attempt (server-other.rules)
 * 1:40352 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40351 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40350 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40349 <-> DISABLED <-> SERVER-WEBAPP IPFire proxy.cgi command injection attempt (server-webapp.rules)
 * 1:40348 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40347 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40346 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 1:40345 <-> DISABLED <-> BROWSER-PLUGINS Samsung SmartViewer ActiveX clsid access attempt (browser-plugins.rules)
 * 3:40429 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0201 attack attempt (file-pdf.rules)
 * 3:40430 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-CAN-0201 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:16158 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Media Runtime malformed ASF codec memory corruption attempt (os-windows.rules)
 * 1:29909 <-> ENABLED <-> SERVER-OTHER JBoss JMXInvokerServlet remote code execution attempt (server-other.rules)
 * 1:32428 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:28851 <-> ENABLED <-> SERVER-OTHER JBoss EJBInvokerServlet remote code execution attempt (server-other.rules)
 * 1:32429 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious lcbSttbfBkmkArto value attempt (file-office.rules)
 * 1:33905 <-> ENABLED <-> EXPLOIT-KIT Rig exploit kit outbound communication (exploit-kit.rules)
 * 1:36450 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use after free attempt (browser-ie.rules)
 * 1:36451 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RegExp object use after free attempt (browser-ie.rules)
 * 1:36759 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:36760 <-> ENABLED <-> INDICATOR-COMPROMISE Microsoft Internet Explorer setAttributeNS ASLR bypass attempt (indicator-compromise.rules)
 * 1:38532 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:38534 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:39824 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39825 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI emf file integer overflow attempt (os-windows.rules)
 * 1:39826 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)
 * 1:39827 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CStr internal string use-after-free attempt (browser-ie.rules)