Talos Rules 2017-04-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-0106: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41962 through 41963.

Microsoft Vulnerability CVE-2017-0155: A coding deficiency exists in Microsoft Graphics that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42173 through 42174.

Microsoft Vulnerability CVE-2017-0156: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42199 through 42200.

Microsoft Vulnerability CVE-2017-0158: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42156 through 42157.

Microsoft Vulnerability CVE-2017-0160: A coding deficiency exists in Microsoft .NET that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42185 through 42186.

Microsoft Vulnerability CVE-2017-0165: A coding deficiency exists in Microsoft Windows that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42187 through 42188.

Microsoft Vulnerability CVE-2017-0166: A coding deficiency exists in Microsoft LDAP that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 42160.

Microsoft Vulnerability CVE-2017-0167: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42154 through 42155.

Microsoft Vulnerability CVE-2017-0188: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 41997 through 41998.

Microsoft Vulnerability CVE-2017-0189: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42158 through 42159.

Microsoft Vulnerability CVE-2017-0192: A coding deficiency exists in Microsoft ATMFD.dll that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42148 through 42151.

Microsoft Vulnerability CVE-2017-0194: A coding deficiency exists in Microsoft Office that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42161 through 42162.

Microsoft Vulnerability CVE-2017-0197: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42163 through 42164.

Microsoft Vulnerability CVE-2017-0199: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42189 through 42190.

Microsoft Vulnerability CVE-2017-0200: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42210 through 42211.

Microsoft Vulnerability CVE-2017-0201: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42152 through 42153.

Microsoft Vulnerability CVE-2017-0202: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42165 through 42166.

Microsoft Vulnerability CVE-2017-0204: A coding deficiency exists in Microsoft Office that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42167 through 42168.

Microsoft Vulnerability CVE-2017-0205: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42183 through 42184.

Microsoft Vulnerability CVE-2017-0210: Microsoft Internet Explorer suffers from programming errors that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42204 through 42205.

Microsoft Vulnerability CVE-2017-0211: A coding deficiency exists in Microsoft Windows OLE that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42208 through 42209.

Talos has also added and modified multiple rules in the browser-ie, deleted, file-flash, file-image, file-office, file-other, file-pdf, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-04-11 22:58:56 UTC

Snort Subscriber Rules Update

Date: 2017-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42220 <-> DISABLED <-> SERVER-WEBAPP BlueCoat CAS report-email command injection attempt (server-webapp.rules)
 * 1:42219 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF memory corruption attempt (file-image.rules)
 * 1:42218 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed GIF memory corruption attempt (file-image.rules)
 * 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42215 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream use after free attempt (file-flash.rules)
 * 1:42214 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream use after free attempt (file-flash.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
 * 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
 * 1:42209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt (os-windows.rules)
 * 1:42208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt (os-windows.rules)
 * 1:42207 <-> ENABLED <-> FILE-FLASH Adobe Flash Player allocator use-after-free attempt (file-flash.rules)
 * 1:42206 <-> ENABLED <-> FILE-FLASH Adobe Flash Player allocator use-after-free attempt (file-flash.rules)
 * 1:42205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt (browser-ie.rules)
 * 1:42204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt (browser-ie.rules)
 * 1:42203 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt (file-pdf.rules)
 * 1:42202 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt (file-pdf.rules)
 * 1:42201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:42200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt (os-windows.rules)
 * 1:42199 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt (os-windows.rules)
 * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42197 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42190 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42189 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42188 <-> ENABLED <-> OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt (os-windows.rules)
 * 1:42187 <-> ENABLED <-> OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt (os-windows.rules)
 * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules)
 * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules)
 * 1:42184 <-> ENABLED <-> BROWSER-IE Microsoft Edge format rendering type confusion attempt (browser-ie.rules)
 * 1:42183 <-> ENABLED <-> BROWSER-IE Microsoft Edge format rendering type confusion attempt (browser-ie.rules)
 * 1:42182 <-> DISABLED <-> DELETED esjQk5MDxNnLLZ57GfDW (deleted.rules)
 * 1:42181 <-> DISABLED <-> DELETED gyEMoybvxbllnqLg0n4E (deleted.rules)
 * 1:42176 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt (file-pdf.rules)
 * 1:42175 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt (file-pdf.rules)
 * 1:42174 <-> ENABLED <-> OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt (os-windows.rules)
 * 1:42173 <-> ENABLED <-> OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt (os-windows.rules)
 * 1:42172 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant certificate negotiation (malware-cnc.rules)
 * 1:42171 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant outbound connection (malware-cnc.rules)
 * 1:42170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:42169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:42168 <-> ENABLED <-> FILE-OFFICE Microsoft Office custom message class security bypass attempt (file-office.rules)
 * 1:42167 <-> ENABLED <-> FILE-OFFICE Microsoft Office custom message class security bypass attempt (file-office.rules)
 * 1:42166 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt (browser-ie.rules)
 * 1:42165 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt (browser-ie.rules)
 * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules)
 * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules)
 * 1:42162 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds memory attempt (file-office.rules)
 * 1:42161 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel  out of bounds memory attempt (file-office.rules)
 * 1:42160 <-> ENABLED <-> SERVER-OTHER Microsoft LDAP MaxBuffSize buffer overflow attempt (server-other.rules)
 * 1:42159 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:42158 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:42157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer recordset use after free attempt (browser-ie.rules)
 * 1:42156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer recordset use after free attempt (browser-ie.rules)
 * 1:42155 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:42154 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:42153 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt (browser-ie.rules)
 * 1:42152 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt (browser-ie.rules)
 * 1:42151 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42150 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42149 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42148 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 3:42177 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)
 * 3:42178 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)
 * 3:42179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-2811 attack attempt (file-image.rules)
 * 3:42180 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-2811 attack attempt (file-image.rules)
 * 3:42191 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42192 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42193 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42194 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42195 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0307 attack attempt (file-other.rules)
 * 3:42196 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0307 attack attempt (file-other.rules)

Modified Rules:


 * 1:41981 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:38533 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41982 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
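As an added example (not code from Talos or the rule pack), the following Python parser reads lines in the `gid:sid <-> Default rule state <-> Message (rule group)` format described above and checks, for each CVE summary, which advertised SIDs are present in the changelog and which are DISABLED by default (as the CVE-2017-0199 rules 42189 and 42190 are in this release). The sample changelog is a constructed subset of this release's lines, and the advisory table is assumed to be keyed in by the analyst from the summaries above.

```python
import re
from dataclasses import dataclass

# Documented line format: gid:sid <-> Default rule state <-> Message (rule group)
RULE_LINE = re.compile(
    r"^\s*\*?\s*(?P<gid>\d+):(?P<sid>\d+)\s+<->\s+(?P<state>ENABLED|DISABLED)"
    r"\s+<->\s+(?P<msg>.+?)\s+\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    state: str
    msg: str
    group: str


def parse_changelog(text):
    """Split a changelog body into its 'New Rules' and 'Modified Rules' entries."""
    sections = {"new": [], "modified": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            current = "new"
            continue
        if stripped == "Modified Rules:":
            current = "modified"
            continue
        m = RULE_LINE.match(line)
        if m and current is not None:
            sections[current].append(
                RuleEntry(int(m["gid"]), int(m["sid"]), m["state"], m["msg"], m["group"])
            )
    return sections


def check_coverage(advisories, sections):
    """advisories: CVE -> (gid, first SID, last SID). Returns, per CVE, the advertised
    SIDs absent from the changelog and those present but DISABLED by default."""
    present = {(r.gid, r.sid): r for sec in sections.values() for r in sec}
    report = {}
    for cve, (gid, lo, hi) in advisories.items():
        sids = range(lo, hi + 1)
        report[cve] = {
            "missing": [s for s in sids if (gid, s) not in present],
            "disabled_by_default": [
                s for s in sids
                if (gid, s) in present and present[(gid, s)].state == "DISABLED"
            ],
        }
    return report


# Constructed sample: a subset of the lines from this release's changelog.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:42190 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42189 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42160 <-> ENABLED <-> SERVER-OTHER Microsoft LDAP MaxBuffSize buffer overflow attempt (server-other.rules)
 * 3:42177 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)

Modified Rules:

 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
"""

# CVE -> (gid, first SID, last SID), keyed in from the advisory summaries (assumed input).
ADVISORIES = {
    "CVE-2017-0199": (1, 42189, 42190),
    "CVE-2017-0166": (1, 42160, 42160),
    "CVE-2017-0188": (1, 41997, 41998),
    "CVE-2017-0106": (1, 41962, 41963),  # not in the sample lines, so reported as missing
}


def run_report(text=SAMPLE_CHANGELOG, advisories=ADVISORIES):
    return check_coverage(advisories, parse_changelog(text))


if __name__ == "__main__":
    for cve, result in run_report().items():
        print(cve, result)
```

Rules reported under `disabled_by_default` give no alerts until enabled in the local policy, so this list is the one to review before assuming the release covers a given CVE.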

2017-04-11 22:58:56 UTC

Snort Subscriber Rules Update

Date: 2017-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt (browser-ie.rules)
 * 1:42205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt (browser-ie.rules)
 * 1:42202 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt (file-pdf.rules)
 * 1:42203 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt (file-pdf.rules)
 * 1:42200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt (os-windows.rules)
 * 1:42201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42199 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt (os-windows.rules)
 * 1:42190 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42197 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42189 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42187 <-> ENABLED <-> OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt (os-windows.rules)
 * 1:42188 <-> ENABLED <-> OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt (os-windows.rules)
 * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules)
 * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules)
 * 1:42183 <-> ENABLED <-> BROWSER-IE Microsoft Edge format rendering type confusion attempt (browser-ie.rules)
 * 1:42184 <-> ENABLED <-> BROWSER-IE Microsoft Edge format rendering type confusion attempt (browser-ie.rules)
 * 1:42181 <-> DISABLED <-> DELETED gyEMoybvxbllnqLg0n4E (deleted.rules)
 * 1:42182 <-> DISABLED <-> DELETED esjQk5MDxNnLLZ57GfDW (deleted.rules)
 * 1:42175 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt (file-pdf.rules)
 * 1:42176 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt (file-pdf.rules)
 * 1:42173 <-> ENABLED <-> OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt (os-windows.rules)
 * 1:42174 <-> ENABLED <-> OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt (os-windows.rules)
 * 1:42171 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant outbound connection (malware-cnc.rules)
 * 1:42172 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant certificate negotiation (malware-cnc.rules)
 * 1:42170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:42169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:42167 <-> ENABLED <-> FILE-OFFICE Microsoft Office custom message class security bypass attempt (file-office.rules)
 * 1:42168 <-> ENABLED <-> FILE-OFFICE Microsoft Office custom message class security bypass attempt (file-office.rules)
 * 1:42166 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt (browser-ie.rules)
 * 1:42162 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds memory attempt (file-office.rules)
 * 1:42160 <-> ENABLED <-> SERVER-OTHER Microsoft LDAP MaxBuffSize buffer overflow attempt (server-other.rules)
 * 1:42161 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel  out of bounds memory attempt (file-office.rules)
 * 1:42158 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:42159 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:42157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer recordset use after free attempt (browser-ie.rules)
 * 1:42156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer recordset use after free attempt (browser-ie.rules)
 * 1:42155 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:42151 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42148 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42149 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42152 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt (browser-ie.rules)
 * 1:42153 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt (browser-ie.rules)
 * 1:42154 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules)
 * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules)
 * 1:42165 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt (browser-ie.rules)
 * 1:42220 <-> DISABLED <-> SERVER-WEBAPP BlueCoat CAS report-email command injection attempt (server-webapp.rules)
 * 1:42219 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF memory corruption attempt (file-image.rules)
 * 1:42218 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed GIF memory corruption attempt (file-image.rules)
 * 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42215 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream use after free attempt (file-flash.rules)
 * 1:42214 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream use after free attempt (file-flash.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42150 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
 * 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
 * 1:42209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt (os-windows.rules)
 * 1:42208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt (os-windows.rules)
 * 1:42207 <-> ENABLED <-> FILE-FLASH Adobe Flash Player allocator use-after-free attempt (file-flash.rules)
 * 1:42206 <-> ENABLED <-> FILE-FLASH Adobe Flash Player allocator use-after-free attempt (file-flash.rules)
 * 3:42196 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0307 attack attempt (file-other.rules)
 * 3:42195 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0307 attack attempt (file-other.rules)
 * 3:42193 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42194 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42191 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42192 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-2811 attack attempt (file-image.rules)
 * 3:42180 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-2811 attack attempt (file-image.rules)
 * 3:42177 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)
 * 3:42178 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)

Modified Rules:


 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:41982 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41981 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:38533 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)

2017-04-11 22:58:56 UTC

Snort Subscriber Rules Update

Date: 2017-04-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42148 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42184 <-> ENABLED <-> BROWSER-IE Microsoft Edge format rendering type confusion attempt (browser-ie.rules)
 * 1:42183 <-> ENABLED <-> BROWSER-IE Microsoft Edge format rendering type confusion attempt (browser-ie.rules)
 * 1:42182 <-> DISABLED <-> DELETED esjQk5MDxNnLLZ57GfDW (deleted.rules)
 * 1:42175 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt (file-pdf.rules)
 * 1:42218 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed GIF memory corruption attempt (file-image.rules)
 * 1:42164 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules)
 * 1:42165 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt (browser-ie.rules)
 * 1:42155 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:42150 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42219 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIF memory corruption attempt (file-image.rules)
 * 1:42216 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42149 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42217 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Reader pcx planes memory corruption attempt (file-other.rules)
 * 1:42211 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
 * 1:42210 <-> ENABLED <-> BROWSER-IE Microsoft Edge xlink type confusion memory corruption attempt (browser-ie.rules)
 * 1:42212 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42214 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream use after free attempt (file-flash.rules)
 * 1:42173 <-> ENABLED <-> OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt (os-windows.rules)
 * 1:42176 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript API documentToStream use after free attempt (file-pdf.rules)
 * 1:42201 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:42181 <-> DISABLED <-> DELETED gyEMoybvxbllnqLg0n4E (deleted.rules)
 * 1:42172 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant certificate negotiation (malware-cnc.rules)
 * 1:42171 <-> ENABLED <-> MALWARE-CNC Win.Downloader.Agent variant outbound connection (malware-cnc.rules)
 * 1:42170 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:42168 <-> ENABLED <-> FILE-OFFICE Microsoft Office custom message class security bypass attempt (file-office.rules)
 * 1:42169 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer classid remote code execution attempt (browser-ie.rules)
 * 1:42166 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer type confusion vulnerability attempt (browser-ie.rules)
 * 1:42167 <-> ENABLED <-> FILE-OFFICE Microsoft Office custom message class security bypass attempt (file-office.rules)
 * 1:42185 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules)
 * 1:42163 <-> DISABLED <-> FILE-OTHER Microsoft Office OneNote 2007 dll-load exploit attempt (file-other.rules)
 * 1:42161 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel  out of bounds memory attempt (file-office.rules)
 * 1:42162 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds memory attempt (file-office.rules)
 * 1:42159 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:42160 <-> ENABLED <-> SERVER-OTHER Microsoft LDAP MaxBuffSize buffer overflow attempt (server-other.rules)
 * 1:42157 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer recordset use after free attempt (browser-ie.rules)
 * 1:42158 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k privilege escalation attempt (os-windows.rules)
 * 1:42151 <-> ENABLED <-> FILE-OTHER Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt (file-other.rules)
 * 1:42154 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:42156 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer recordset use after free attempt (browser-ie.rules)
 * 1:42152 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt (browser-ie.rules)
 * 1:42153 <-> ENABLED <-> BROWSER-IE Microsoft Edge JavaScript string object type confusion attempt (browser-ie.rules)
 * 1:42186 <-> ENABLED <-> OS-WINDOWS Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt (os-windows.rules)
 * 1:42220 <-> DISABLED <-> SERVER-WEBAPP BlueCoat CAS report-email command injection attempt (server-webapp.rules)
 * 1:42187 <-> ENABLED <-> OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt (os-windows.rules)
 * 1:42188 <-> ENABLED <-> OS-WINDOWS Microsoft Windows IE ETW Collector Service privilege escalation attempt (os-windows.rules)
 * 1:42189 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42190 <-> DISABLED <-> FILE-OFFICE RTF objautlink url moniker file download attempt (file-office.rules)
 * 1:42197 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42198 <-> ENABLED <-> FILE-OFFICE Microsoft Office mqrt.dll dll-load exploit attempt (file-office.rules)
 * 1:42199 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt (os-windows.rules)
 * 1:42200 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GDI null pointer dereference attempt (os-windows.rules)
 * 1:42202 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt (file-pdf.rules)
 * 1:42174 <-> ENABLED <-> OS-WINDOWS Microsoft GDI PolyTextOutW out of bounds memory write attempt (os-windows.rules)
 * 1:42203 <-> ENABLED <-> FILE-PDF Adobe Reader JavaScript string from stream memory corruption attempt (file-pdf.rules)
 * 1:42204 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt (browser-ie.rules)
 * 1:42205 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt (browser-ie.rules)
 * 1:42209 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt (os-windows.rules)
 * 1:42208 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt (os-windows.rules)
 * 1:42213 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt (file-pdf.rules)
 * 1:42215 <-> ENABLED <-> FILE-FLASH Adobe Flash Player NetStream use after free attempt (file-flash.rules)
 * 1:42206 <-> ENABLED <-> FILE-FLASH Adobe Flash Player allocator use-after-free attempt (file-flash.rules)
 * 1:42207 <-> ENABLED <-> FILE-FLASH Adobe Flash Player allocator use-after-free attempt (file-flash.rules)
 * 3:42180 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-2811 attack attempt (file-image.rules)
 * 3:42194 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42196 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0307 attack attempt (file-other.rules)
 * 3:42179 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-2811 attack attempt (file-image.rules)
 * 3:42192 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42178 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)
 * 3:42177 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0310 attack attempt (file-other.rules)
 * 3:42191 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42193 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42195 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2017-0307 attack attempt (file-other.rules)

Modified Rules:


 * 1:41981 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:24339 <-> DISABLED <-> SERVER-WEBAPP XML entity parsing information disclosure attempt (server-webapp.rules)
 * 1:41997 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41998 <-> DISABLED <-> OS-WINDOWS Microsoft GDI+ privilege escalation attempt (os-windows.rules)
 * 1:41982 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word out of bounds read attempt (file-office.rules)
 * 1:40312 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer CTreePos type confusion attempt (browser-ie.rules)
 * 1:38533 <-> DISABLED <-> FILE-FLASH Rig Exploit Kit exploitation attempt (file-flash.rules)