Talos Rules 2017-03-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Security Bulletin MS17-006: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41575 through 41576, 41585 through 41590, and 41625 through 41626.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41954 through 41957.

Microsoft Security Bulletin MS17-007: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41553 through 41554, 41557 through 41562, 41573 through 41574, 41583 through 41584, 41593 through 41594, 41605 through 41606, and 41625 through 41626.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41936 through 41939, 41942 through 41945, 41948 through 41953, 41958 through 41959, 41968 through 41969, and 41987 through 41988.

Microsoft Security Bulletin MS17-009: A coding deficiency exists in Microsoft Windows PDF Library that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41601 through 41602.

Microsoft Security Bulletin MS17-010: A coding deficiency exists in Microsoft Windows SMB Server that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 41978 and 41983 through 41984.

Microsoft Security Bulletin MS17-011: A coding deficiency exists in Microsoft Uniscribe that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41597 through 41598.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41934 through 41935, 41940 through 41941, 41960 through 41961, 41966 through 41967, 41972 through 41975, 41985 through 41986, and 41991 through 41992.

Microsoft Security Bulletin MS17-012: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41563 through 41564 and 41567 through 41572.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41989 through 41990.

Microsoft Security Bulletin MS17-013: A coding deficiency exists in Microsoft Graphics Component that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41591 through 41592.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41932 through 41933, 41946 through 41947, 41970 through 41971, and 41993 through 41994.

Microsoft Security Bulletin MS17-014: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41565 through 41566, 41577 through 41578, 41581 through 41582, 41597 through 41598, and 41797 through 41798.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41962 through 41965, 41976 through 41977, and 41979 through 41982.

Microsoft Security Bulletin MS17-017: A coding deficiency exists in Microsoft Windows Kernel that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40394 through 40395 and 41607 through 41610.

Microsoft Security Bulletin MS17-018: A coding deficiency exists in Microsoft Windows Kernel-Mode Drivers that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41579 through 41580.

New rules to detect attacks targeting these vulnerabilities are also included in this release and are identified with GID 1, SIDs 41926 through 41931 and 41995 through 41998.

Microsoft Security Bulletin MS17-021: A coding deficiency exists in Microsoft DirectShow that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41633 through 41634.

Microsoft Security Bulletin MS17-022: A coding deficiency exists in Microsoft XML Core Services that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40364 through 40365.

Talos also has added and modified multiple rules in the browser-ie, file-executable, file-flash, file-image, file-office, file-other, file-pdf, os-other, os-windows and server-samba rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-03-14 20:09:33 UTC

Snort Subscriber Rules Update

Date: 2017-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41996 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DDI privilege escalation attempt (os-windows.rules)
 * 1:41995 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DDI privilege escalation attempt (os-windows.rules)
 * 1:41994 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt (os-windows.rules)
 * 1:41993 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt (os-windows.rules)
 * 1:41992 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF file out of bounds access attempt (file-other.rules)
 * 1:41991 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF file out of bounds access attempt (file-other.rules)
 * 1:41990 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt (file-executable.rules)
 * 1:41989 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt (file-executable.rules)
 * 1:41988 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41987 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41986 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41984 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41983 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41982 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41981 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41980 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41979 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41978 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows Samba buffer overflow attempt (server-samba.rules)
 * 1:41977 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41976 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41975 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41974 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41971 <-> ENABLED <-> FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt (file-image.rules)
 * 1:41970 <-> ENABLED <-> FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt (file-image.rules)
 * 1:41969 <-> DISABLED <-> BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt (browser-ie.rules)
 * 1:41968 <-> DISABLED <-> BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt (browser-ie.rules)
 * 1:41967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt (os-windows.rules)
 * 1:41966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt (os-windows.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41963 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word template remote code execution attempt (file-office.rules)
 * 1:41962 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word template remote code execution attempt (file-office.rules)
 * 1:41961 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt (os-windows.rules)
 * 1:41960 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt (os-windows.rules)
 * 1:41959 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt (browser-ie.rules)
 * 1:41958 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt (browser-ie.rules)
 * 1:41957 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
 * 1:41956 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
 * 1:41955 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt (browser-ie.rules)
 * 1:41954 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt (browser-ie.rules)
 * 1:41953 <-> ENABLED <-> BROWSER-IE Microsoft Edge local file read information leak attempt (browser-ie.rules)
 * 1:41952 <-> ENABLED <-> BROWSER-IE Microsoft Edge local file read information leak attempt (browser-ie.rules)
 * 1:41951 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt (browser-ie.rules)
 * 1:41950 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt (browser-ie.rules)
 * 1:41949 <-> DISABLED <-> BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt (browser-ie.rules)
 * 1:41948 <-> DISABLED <-> BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt (browser-ie.rules)
 * 1:41947 <-> DISABLED <-> FILE-IMAGE GDI+ malformed EMF description out of bounds read attempt (file-image.rules)
 * 1:41946 <-> DISABLED <-> FILE-IMAGE Microsoft GDI+ malformed EMF description out of bounds read attempt (file-image.rules)
 * 1:41945 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:41944 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:41943 <-> ENABLED <-> BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt (browser-ie.rules)
 * 1:41942 <-> ENABLED <-> BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt (browser-ie.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41937 <-> ENABLED <-> BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt (browser-ie.rules)
 * 1:41936 <-> ENABLED <-> BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt (browser-ie.rules)
 * 1:41935 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41934 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41933 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41932 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41931 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41930 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41929 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41928 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41927 <-> ENABLED <-> OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt (os-windows.rules)
 * 1:41926 <-> ENABLED <-> OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt (os-windows.rules)
 * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules)
 * 3:41999 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2017-0296 attack attempt (os-other.rules)
 * 3:42000 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0293 attack attempt (server-other.rules)

Modified Rules:


 * 1:41633 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt (browser-ie.rules)
 * 1:33469 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt (file-flash.rules)
 * 1:33470 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt (file-flash.rules)
 * 1:40364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40365 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:40395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:41553 <-> ENABLED <-> BROWSER-IE Microsoft Edge url forgery attempt (browser-ie.rules)
 * 1:41554 <-> ENABLED <-> BROWSER-IE Microsoft Edge url forgery attempt (browser-ie.rules)
 * 1:41557 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41558 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41559 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41560 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41561 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt (browser-ie.rules)
 * 1:41562 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt (browser-ie.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules)
 * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules)
 * 1:41565 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:41566 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:41567 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41568 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41569 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41571 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41572 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41573 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt (browser-ie.rules)
 * 1:41574 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt (browser-ie.rules)
 * 1:41575 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt (browser-ie.rules)
 * 1:41576 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt (browser-ie.rules)
 * 1:41577 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF footnote format use after free attempt (file-office.rules)
 * 1:41578 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF footnote format use after free attempt (file-office.rules)
 * 1:41579 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectComposition double free attempt (os-windows.rules)
 * 1:41580 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectComposition double free attempt (os-windows.rules)
 * 1:41581 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41582 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt (browser-ie.rules)
 * 1:41584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt (browser-ie.rules)
 * 1:41585 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt (browser-ie.rules)
 * 1:41586 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt (browser-ie.rules)
 * 1:41587 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption (browser-ie.rules)
 * 1:41588 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption (browser-ie.rules)
 * 1:41589 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt (browser-ie.rules)
 * 1:41590 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt (browser-ie.rules)
 * 1:41591 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:41592 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:41593 <-> DISABLED <-> BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt (browser-ie.rules)
 * 1:41594 <-> DISABLED <-> BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt (browser-ie.rules)
 * 1:41597 <-> DISABLED <-> FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt (file-other.rules)
 * 1:41598 <-> DISABLED <-> FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt (file-other.rules)
 * 1:41601 <-> ENABLED <-> FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt (file-pdf.rules)
 * 1:41602 <-> ENABLED <-> FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt (file-pdf.rules)
 * 1:41605 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJs memory corruption attempt (browser-ie.rules)
 * 1:41606 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJs memory corruption attempt (browser-ie.rules)
 * 1:41607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41608 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41609 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41610 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41625 <-> ENABLED <-> BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt (browser-ie.rules)
 * 1:41895 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt (browser-ie.rules)
 * 1:41896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt (browser-ie.rules)
 * 1:41634 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt (browser-ie.rules)
 * 1:41626 <-> ENABLED <-> BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt (browser-ie.rules)

2017-03-14 20:09:33 UTC

Snort Subscriber Rules Update

Date: 2017-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41984 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41982 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41983 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41980 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41981 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41978 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows Samba buffer overflow attempt (server-samba.rules)
 * 1:41979 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41977 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41975 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41969 <-> DISABLED <-> BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt (browser-ie.rules)
 * 1:41967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt (os-windows.rules)
 * 1:41966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt (os-windows.rules)
 * 1:41970 <-> ENABLED <-> FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt (file-image.rules)
 * 1:41973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41974 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41976 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41986 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41987 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41988 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41989 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt (file-executable.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules)
 * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules)
 * 1:41926 <-> ENABLED <-> OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt (os-windows.rules)
 * 1:41927 <-> ENABLED <-> OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt (os-windows.rules)
 * 1:41928 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41990 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt (file-executable.rules)
 * 1:41929 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41930 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41931 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41991 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF file out of bounds access attempt (file-other.rules)
 * 1:41932 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41933 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41934 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41935 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41936 <-> ENABLED <-> BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt (browser-ie.rules)
 * 1:41992 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF file out of bounds access attempt (file-other.rules)
 * 1:41937 <-> ENABLED <-> BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt (browser-ie.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41993 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41942 <-> ENABLED <-> BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt (browser-ie.rules)
 * 1:41943 <-> ENABLED <-> BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt (browser-ie.rules)
 * 1:41994 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt (os-windows.rules)
 * 1:41944 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:41945 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:41946 <-> DISABLED <-> FILE-IMAGE Microsoft GDI+ malformed EMF description out of bounds read attempt (file-image.rules)
 * 1:41947 <-> DISABLED <-> FILE-IMAGE GDI+ malformed EMF description out of bounds read attempt (file-image.rules)
 * 1:41995 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DDI privilege escalation attempt (os-windows.rules)
 * 1:41948 <-> DISABLED <-> BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt (browser-ie.rules)
 * 1:41949 <-> DISABLED <-> BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt (browser-ie.rules)
 * 1:41950 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt (browser-ie.rules)
 * 1:41951 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt (browser-ie.rules)
 * 1:41996 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DDI privilege escalation attempt (os-windows.rules)
 * 1:41952 <-> ENABLED <-> BROWSER-IE Microsoft Edge local file read information leak attempt (browser-ie.rules)
 * 1:41953 <-> ENABLED <-> BROWSER-IE Microsoft Edge local file read information leak attempt (browser-ie.rules)
 * 1:41954 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt (browser-ie.rules)
 * 1:41955 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt (browser-ie.rules)
 * 1:41956 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41957 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
 * 1:41958 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt (browser-ie.rules)
 * 1:41959 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt (browser-ie.rules)
 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41960 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt (os-windows.rules)
 * 1:41961 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt (os-windows.rules)
 * 1:41962 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word template remote code execution attempt (file-office.rules)
 * 1:41971 <-> ENABLED <-> FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt (file-image.rules)
 * 1:41972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41963 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word template remote code execution attempt (file-office.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41968 <-> DISABLED <-> BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt (browser-ie.rules)
 * 3:42000 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0293 attack attempt (server-other.rules)
 * 3:41999 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2017-0296 attack attempt (os-other.rules)

Modified Rules:


 * 1:41896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt (browser-ie.rules)
 * 1:41606 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJs memory corruption attempt (browser-ie.rules)
 * 1:41602 <-> ENABLED <-> FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt (file-pdf.rules)
 * 1:41605 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJs memory corruption attempt (browser-ie.rules)
 * 1:41597 <-> DISABLED <-> FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt (file-other.rules)
 * 1:41598 <-> DISABLED <-> FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt (file-other.rules)
 * 1:41592 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:41594 <-> DISABLED <-> BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt (browser-ie.rules)
 * 1:41590 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt (browser-ie.rules)
 * 1:41591 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:41588 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption (browser-ie.rules)
 * 1:41589 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt (browser-ie.rules)
 * 1:41585 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt (browser-ie.rules)
 * 1:41586 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt (browser-ie.rules)
 * 1:41583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt (browser-ie.rules)
 * 1:41584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt (browser-ie.rules)
 * 1:41580 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectComposition double free attempt (os-windows.rules)
 * 1:41581 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41578 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF footnote format use after free attempt (file-office.rules)
 * 1:41579 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectComposition double free attempt (os-windows.rules)
 * 1:41575 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt (browser-ie.rules)
 * 1:41576 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt (browser-ie.rules)
 * 1:41572 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41574 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt (browser-ie.rules)
 * 1:41570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41571 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41567 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41569 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41566 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:41565 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules)
 * 1:41561 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt (browser-ie.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules)
 * 1:41559 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41560 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41554 <-> ENABLED <-> BROWSER-IE Microsoft Edge url forgery attempt (browser-ie.rules)
 * 1:41557 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:40395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:41553 <-> ENABLED <-> BROWSER-IE Microsoft Edge url forgery attempt (browser-ie.rules)
 * 1:40394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:41607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:33469 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt (file-flash.rules)
 * 1:33470 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt (file-flash.rules)
 * 1:40364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40365 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41558 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41562 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt (browser-ie.rules)
 * 1:41568 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41573 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt (browser-ie.rules)
 * 1:41577 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF footnote format use after free attempt (file-office.rules)
 * 1:41582 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41587 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption (browser-ie.rules)
 * 1:41593 <-> DISABLED <-> BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt (browser-ie.rules)
 * 1:41601 <-> ENABLED <-> FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt (file-pdf.rules)
 * 1:41610 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41608 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41625 <-> ENABLED <-> BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt (browser-ie.rules)
 * 1:41609 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41895 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt (browser-ie.rules)
 * 1:41633 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt (browser-ie.rules)
 * 1:41634 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt (browser-ie.rules)
 * 1:41626 <-> ENABLED <-> BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt (browser-ie.rules)

2017-03-14 20:09:33 UTC

Snort Subscriber Rules Update

Date: 2017-03-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:41970 <-> ENABLED <-> FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt (file-image.rules)
 * 1:41969 <-> DISABLED <-> BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt (browser-ie.rules)
 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41996 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DDI privilege escalation attempt (os-windows.rules)
 * 1:41995 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DDI privilege escalation attempt (os-windows.rules)
 * 1:41994 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt (os-windows.rules)
 * 1:41993 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI WMF out of bounds read attempt (os-windows.rules)
 * 1:41992 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF file out of bounds access attempt (file-other.rules)
 * 1:41991 <-> ENABLED <-> FILE-OTHER Microsoft Windows TTF file out of bounds access attempt (file-other.rules)
 * 1:41990 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt (file-executable.rules)
 * 1:41988 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41989 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows Com Session Moniker pivilege escalation attempt (file-executable.rules)
 * 1:41987 <-> DISABLED <-> BROWSER-IE Microsoft Edge web address spoofing attempt (browser-ie.rules)
 * 1:41986 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41968 <-> DISABLED <-> BROWSER-IE Microsoft Edge JavascriptProxy SetPropertyTrap type confusion attempt (browser-ie.rules)
 * 1:41973 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41975 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41974 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41963 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word template remote code execution attempt (file-office.rules)
 * 1:41960 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt (os-windows.rules)
 * 1:41961 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font LookupTable out of bounds write attempt (os-windows.rules)
 * 1:41959 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt (browser-ie.rules)
 * 1:41957 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
 * 1:41958 <-> ENABLED <-> BROWSER-IE Microsoft Edge malformed UTF-8 decode arbitrary read attempt (browser-ie.rules)
 * 1:41956 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer arguments type confusion attempt (browser-ie.rules)
 * 1:41955 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt (browser-ie.rules)
 * 1:41925 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules)
 * 1:41924 <-> DISABLED <-> FILE-OTHER Notepad++ scilexer.dll dll-load exploit attempt (file-other.rules)
 * 1:41926 <-> ENABLED <-> OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt (os-windows.rules)
 * 1:41931 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41954 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer textarea type confusion attempt (browser-ie.rules)
 * 1:41929 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41930 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41934 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41953 <-> ENABLED <-> BROWSER-IE Microsoft Edge local file read information leak attempt (browser-ie.rules)
 * 1:41933 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41952 <-> ENABLED <-> BROWSER-IE Microsoft Edge local file read information leak attempt (browser-ie.rules)
 * 1:41935 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41938 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41936 <-> ENABLED <-> BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt (browser-ie.rules)
 * 1:41940 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41941 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41951 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt (browser-ie.rules)
 * 1:41939 <-> ENABLED <-> BROWSER-IE Microsoft Edge reverse helper heap buffer overflow attempt (browser-ie.rules)
 * 1:41950 <-> ENABLED <-> BROWSER-IE Microsoft Edge WebAssembly memory corruption attempt (browser-ie.rules)
 * 1:41944 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:41943 <-> ENABLED <-> BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt (browser-ie.rules)
 * 1:41945 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:41979 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41978 <-> ENABLED <-> SERVER-SAMBA Microsoft Windows Samba buffer overflow attempt (server-samba.rules)
 * 1:41971 <-> ENABLED <-> FILE-IMAGE GDI+ malformed EMF comment heap access violation attempt (file-image.rules)
 * 1:41982 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41983 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41976 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41972 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueType Font out of bounds write attempt (os-windows.rules)
 * 1:41984 <-> DISABLED <-> OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt (os-windows.rules)
 * 1:41985 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont post table out of bounds write attempt (os-windows.rules)
 * 1:41947 <-> DISABLED <-> FILE-IMAGE GDI+ malformed EMF description out of bounds read attempt (file-image.rules)
 * 1:41948 <-> DISABLED <-> BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt (browser-ie.rules)
 * 1:41949 <-> DISABLED <-> BROWSER-IE Microsoft Edge fetch API same origin policy bypass attempt (browser-ie.rules)
 * 1:41942 <-> ENABLED <-> BROWSER-IE Microsoft Edge EntrySimpleSlotGetter use after free attempt (browser-ie.rules)
 * 1:41937 <-> ENABLED <-> BROWSER-IE Microsoft Edge TypedArray setter arbitrary write attempt (browser-ie.rules)
 * 1:41932 <-> ENABLED <-> FILE-OTHER Microsoft Windows Uniscribe privilege escalation attempt (file-other.rules)
 * 1:41928 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k DDI use after free attempt (os-windows.rules)
 * 1:41927 <-> ENABLED <-> OS-WINDOWS Microsoft Win32u NtUserThunkedMenuItemInfo use after free attempt (os-windows.rules)
 * 1:41980 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41981 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41946 <-> DISABLED <-> FILE-IMAGE Microsoft GDI+ malformed EMF description out of bounds read attempt (file-image.rules)
 * 1:41966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt (os-windows.rules)
 * 1:41977 <-> ENABLED <-> FILE-OFFICE Microsoft Excel shared strings memory corruption attempt (file-office.rules)
 * 1:41967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows TrueTypeFont GSUB table out of bounds write attempt (os-windows.rules)
 * 1:41962 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word template remote code execution attempt (file-office.rules)
 * 1:41965 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 1:41964 <-> DISABLED <-> FILE-OFFICE Microsoft Word 2010 use-after-free memory corruption vulnerability attempt (file-office.rules)
 * 3:41999 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2017-0296 attack attempt (os-other.rules)
 * 3:42000 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2017-0293 attack attempt (server-other.rules)

Modified Rules:


 * 1:41560 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41559 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41561 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt (browser-ie.rules)
 * 1:41601 <-> ENABLED <-> FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt (file-pdf.rules)
 * 1:41598 <-> DISABLED <-> FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt (file-other.rules)
 * 1:41564 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules)
 * 1:41565 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:41562 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array proto chain manipulation memory corruption attempt (browser-ie.rules)
 * 1:41597 <-> DISABLED <-> FILE-OTHER Windows Uniscribe remote code execution vulnerability attempt (file-other.rules)
 * 1:41568 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41566 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel xlsb use-after-free attempt (file-office.rules)
 * 1:41570 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41572 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41594 <-> DISABLED <-> BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt (browser-ie.rules)
 * 1:41571 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41576 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt (browser-ie.rules)
 * 1:41573 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt (browser-ie.rules)
 * 1:41574 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS animation style information disclosure attempt (browser-ie.rules)
 * 1:41593 <-> DISABLED <-> BROWSER-IE Microsoft Edge Data URI same origin policy bypass attempt (browser-ie.rules)
 * 1:41579 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectComposition double free attempt (os-windows.rules)
 * 1:41578 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF footnote format use after free attempt (file-office.rules)
 * 1:41609 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:33469 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt (file-flash.rules)
 * 1:41586 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt (browser-ie.rules)
 * 1:41608 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41589 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt (browser-ie.rules)
 * 1:33470 <-> ENABLED <-> FILE-FLASH Adobe Flash Player PCRE regex compilation memory corruption attempt (file-flash.rules)
 * 1:41582 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:41583 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt (browser-ie.rules)
 * 1:41581 <-> DISABLED <-> FILE-OFFICE Microsoft Excel malformed CellXF memory corruption attempt (file-office.rules)
 * 1:41580 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DirectComposition double free attempt (os-windows.rules)
 * 1:41602 <-> ENABLED <-> FILE-PDF Microsoft Edge PDF Builder out of bounds read attempt (file-pdf.rules)
 * 1:41605 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJs memory corruption attempt (browser-ie.rules)
 * 1:41584 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer DOMAttrModified event use after free attempt (browser-ie.rules)
 * 1:41585 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mutated scope with generator memory corruption attempt (browser-ie.rules)
 * 1:41588 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption (browser-ie.rules)
 * 1:41606 <-> DISABLED <-> BROWSER-IE Microsoft Edge AsmJs memory corruption attempt (browser-ie.rules)
 * 1:41590 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CHtmlTab use after free attempt (browser-ie.rules)
 * 1:41591 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:41592 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI privilege escalation attempt (os-windows.rules)
 * 1:41577 <-> ENABLED <-> FILE-OFFICE Microsoft Office RTF footnote format use after free attempt (file-office.rules)
 * 1:41575 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer mhtml and res protocol information disclosure attempt (browser-ie.rules)
 * 1:41569 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41567 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Device Guard code execution attempt (os-windows.rules)
 * 1:41563 <-> DISABLED <-> FILE-OFFICE Microsoft Office imjp12k.dll dll-load exploit attempt (file-office.rules)
 * 1:41558 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41557 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array out of bounds memory corruption attempt (browser-ie.rules)
 * 1:41553 <-> ENABLED <-> BROWSER-IE Microsoft Edge url forgery attempt (browser-ie.rules)
 * 1:41554 <-> ENABLED <-> BROWSER-IE Microsoft Edge url forgery attempt (browser-ie.rules)
 * 1:40395 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:40365 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:40394 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Ntoskrnl integer overflow privilege escalation attempt (os-windows.rules)
 * 1:41610 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Kernel NtCreateProfile privilege escalation attempt (os-windows.rules)
 * 1:40364 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer loadXML parseError.errorCode information disclosure attempt (browser-ie.rules)
 * 1:41895 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt (browser-ie.rules)
 * 1:41634 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt (browser-ie.rules)
 * 1:41896 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer frameset null pointer dereference attempt (browser-ie.rules)
 * 1:41625 <-> ENABLED <-> BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt (browser-ie.rules)
 * 1:41626 <-> ENABLED <-> BROWSER-IE Microsoft Edge HandleColumnBreakOnColumnSpanningElement type confusion attempt (browser-ie.rules)
 * 1:41633 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 11 Windows Media Player information disclosure attempt (browser-ie.rules)
 * 1:41587 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds memory corruption (browser-ie.rules)