Talos Rules 2017-05-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-0290: Microsoft Malware Protection Engine suffers from a programming error that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42820 through 42821.

Microsoft Vulnerability CVE-2017-0077: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42757 through 42758.

Microsoft Vulnerability CVE-2017-0171: A coding deficiency exists in Microsoft Windows DNS that may lead to a Denial of Service (DoS).

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 42785.

Microsoft Vulnerability CVE-2017-0213: A coding deficiency exists in Microsoft Windows COM that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42773 through 42774.

Microsoft Vulnerability CVE-2017-0214: A coding deficiency exists in Microsoft Windows COM that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42759 through 42760.

Microsoft Vulnerability CVE-2017-0220: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42751 through 42752.

Microsoft Vulnerability CVE-2017-0221: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42798 through 42799.

Microsoft Vulnerability CVE-2017-0227: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42779 through 42780.

Microsoft Vulnerability CVE-2017-0228: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42811 through 42812.

Microsoft Vulnerability CVE-2017-0234: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42775 through 42776.

Microsoft Vulnerability CVE-2017-0236: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-0238: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42761 through 42762.

Microsoft Vulnerability CVE-2017-0240: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42781 through 42782.

Microsoft Vulnerability CVE-2017-0243: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42755 through 42756.

Microsoft Vulnerability CVE-2017-0245: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42769 through 42770.

Microsoft Vulnerability CVE-2017-0246: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42771 through 42772.

Microsoft Vulnerability CVE-2017-0258: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42783 through 42784.

Microsoft Vulnerability CVE-2017-0259: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42763 through 42764.

Microsoft Vulnerability CVE-2017-0263: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42765 through 42766.

Microsoft Vulnerability CVE-2017-0266: Microsoft Edge suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 42753 through 42754.

Talos also has added and modified multiple rules in the browser-ie, exploit-kit, file-flash, file-image, file-office, file-pdf, indicator-scan, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-05-09 18:10:04 UTC

Snort Subscriber Rules Update

Date: 2017-05-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2976.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42819 <-> DISABLED <-> SERVER-WEBAPP WordPress admin password reset attempt (server-webapp.rules)
 * 1:42820 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:42817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:42818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:42816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display object mask use after free attempt (file-flash.rules)
 * 1:42815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display object mask use after free attempt (file-flash.rules)
 * 1:42809 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt (file-flash.rules)
 * 1:42811 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt (browser-ie.rules)
 * 1:42813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (file-pdf.rules)
 * 1:42821 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules)
 * 1:42786 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42783 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt (os-windows.rules)
 * 1:42784 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt (os-windows.rules)
 * 1:42781 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt (browser-ie.rules)
 * 1:42782 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt (browser-ie.rules)
 * 1:42779 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt (browser-ie.rules)
 * 1:42780 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt (browser-ie.rules)
 * 1:42777 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:42778 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:42775 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt (browser-ie.rules)
 * 1:42776 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt (browser-ie.rules)
 * 1:42773 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42772 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt (os-windows.rules)
 * 1:42770 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k kernel memory leak attempt (os-windows.rules)
 * 1:42771 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt (os-windows.rules)
 * 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
 * 1:42769 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k kernel memory leak attempt (os-windows.rules)
 * 1:42766 <-> DISABLED <-> OS-WINDOWS Microsoft win32k privilege escalation attempt (os-windows.rules)
 * 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
 * 1:42764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:42765 <-> DISABLED <-> OS-WINDOWS Microsoft win32k privilege escalation attempt (os-windows.rules)
 * 1:42762 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt (browser-ie.rules)
 * 1:42763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:42760 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42761 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt (browser-ie.rules)
 * 1:42758 <-> ENABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt (os-windows.rules)
 * 1:42759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42757 <-> ENABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt (os-windows.rules)
 * 1:42754 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42753 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:42752 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt (os-windows.rules)
 * 1:42751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt (os-windows.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules)
 * 1:42812 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt (browser-ie.rules)
 * 1:42788 <-> DISABLED <-> FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt (file-pdf.rules)
 * 1:42789 <-> DISABLED <-> FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt (file-pdf.rules)
 * 1:42790 <-> ENABLED <-> FILE-PDF Adobe Reader invalid object reference use after free attempt (file-pdf.rules)
 * 1:42791 <-> ENABLED <-> FILE-PDF Adobe Reader invalid object reference use after free attempt (file-pdf.rules)
 * 1:42792 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt (file-flash.rules)
 * 1:42793 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt (file-flash.rules)
 * 1:42794 <-> ENABLED <-> FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt (file-flash.rules)
 * 1:42795 <-> ENABLED <-> FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt (file-flash.rules)
 * 1:42796 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt (file-flash.rules)
 * 1:42797 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt (file-flash.rules)
 * 1:42798 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:42799 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:42801 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt (file-flash.rules)
 * 1:42814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (file-pdf.rules)
 * 1:42800 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt (file-flash.rules)
 * 1:42802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt (file-pdf.rules)
 * 1:42807 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt (file-flash.rules)
 * 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
 * 1:42803 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt (file-pdf.rules)
 * 1:42808 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt (file-flash.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:42810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt (file-flash.rules)

Modified Rules:


 * 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42194 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42191 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42192 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42193 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)

2017-05-09 18:10:04 UTC

Snort Subscriber Rules Update

Date: 2017-05-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42803 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt (file-pdf.rules)
 * 1:42801 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt (file-flash.rules)
 * 1:42802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt (file-pdf.rules)
 * 1:42799 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:42800 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt (file-flash.rules)
 * 1:42797 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt (file-flash.rules)
 * 1:42798 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:42795 <-> ENABLED <-> FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt (file-flash.rules)
 * 1:42796 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt (file-flash.rules)
 * 1:42793 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt (file-flash.rules)
 * 1:42794 <-> ENABLED <-> FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt (file-flash.rules)
 * 1:42792 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt (file-flash.rules)
 * 1:42791 <-> ENABLED <-> FILE-PDF Adobe Reader invalid object reference use after free attempt (file-pdf.rules)
 * 1:42789 <-> DISABLED <-> FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt (file-pdf.rules)
 * 1:42790 <-> ENABLED <-> FILE-PDF Adobe Reader invalid object reference use after free attempt (file-pdf.rules)
 * 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules)
 * 1:42788 <-> DISABLED <-> FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt (file-pdf.rules)
 * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules)
 * 1:42786 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42784 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt (os-windows.rules)
 * 1:42783 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt (os-windows.rules)
 * 1:42782 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt (browser-ie.rules)
 * 1:42780 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt (browser-ie.rules)
 * 1:42781 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt (browser-ie.rules)
 * 1:42778 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:42779 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt (browser-ie.rules)
 * 1:42776 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt (browser-ie.rules)
 * 1:42777 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:42774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42775 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt (browser-ie.rules)
 * 1:42772 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt (os-windows.rules)
 * 1:42773 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42770 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k kernel memory leak attempt (os-windows.rules)
 * 1:42771 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt (os-windows.rules)
 * 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
 * 1:42769 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k kernel memory leak attempt (os-windows.rules)
 * 1:42766 <-> DISABLED <-> OS-WINDOWS Microsoft win32k privilege escalation attempt (os-windows.rules)
 * 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
 * 1:42764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:42765 <-> DISABLED <-> OS-WINDOWS Microsoft win32k privilege escalation attempt (os-windows.rules)
 * 1:42763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:42761 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt (browser-ie.rules)
 * 1:42762 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt (browser-ie.rules)
 * 1:42759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42760 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42757 <-> ENABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt (os-windows.rules)
 * 1:42758 <-> ENABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt (os-windows.rules)
 * 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42753 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:42754 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:42751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt (os-windows.rules)
 * 1:42752 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt (os-windows.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42821 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:42820 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:42819 <-> DISABLED <-> SERVER-WEBAPP WordPress admin password reset attempt (server-webapp.rules)
 * 1:42818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:42817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:42816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display object mask use after free attempt (file-flash.rules)
 * 1:42815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display object mask use after free attempt (file-flash.rules)
 * 1:42814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (file-pdf.rules)
 * 1:42813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (file-pdf.rules)
 * 1:42812 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt (browser-ie.rules)
 * 1:42811 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt (browser-ie.rules)
 * 1:42810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt (file-flash.rules)
 * 1:42809 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt (file-flash.rules)
 * 1:42807 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt (file-flash.rules)
 * 1:42808 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt (file-flash.rules)
 * 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)

Modified Rules:


 * 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42193 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42194 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42191 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42192 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)

2017-05-09 18:10:04 UTC

Snort Subscriber Rules Update

Date: 2017-05-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:42821 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:42820 <-> ENABLED <-> OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt (os-windows.rules)
 * 1:42819 <-> DISABLED <-> SERVER-WEBAPP WordPress admin password reset attempt (server-webapp.rules)
 * 1:42818 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:42817 <-> ENABLED <-> FILE-FLASH Adobe Flash Player DisplayObject use after free attempt (file-flash.rules)
 * 1:42816 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display object mask use after free attempt (file-flash.rules)
 * 1:42815 <-> ENABLED <-> FILE-FLASH Adobe Flash Player display object mask use after free attempt (file-flash.rules)
 * 1:42814 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (file-pdf.rules)
 * 1:42813 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt (file-pdf.rules)
 * 1:42812 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt (browser-ie.rules)
 * 1:42811 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Engine use-after-free attempt (browser-ie.rules)
 * 1:42810 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt (file-flash.rules)
 * 1:42809 <-> ENABLED <-> FILE-FLASH Adobe Flash Player BitmapData out of bounds memory access attempt (file-flash.rules)
 * 1:42808 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt (file-flash.rules)
 * 1:42807 <-> ENABLED <-> FILE-FLASH Adobe Standalone Flash Player BlendMode memory corruption attempt (file-flash.rules)
 * 1:42806 <-> ENABLED <-> EXPLOIT-KIT Rig Exploit Kit URL outbound communication (exploit-kit.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:42804 <-> DISABLED <-> SERVER-WEBAPP IntegraXor directory traversal attempt (server-webapp.rules)
 * 1:42803 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt (file-pdf.rules)
 * 1:42802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader malformed AES key memory corruption attempt (file-pdf.rules)
 * 1:42801 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt (file-flash.rules)
 * 1:42800 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ActionPush out of bounds read attempt (file-flash.rules)
 * 1:42799 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:42798 <-> DISABLED <-> BROWSER-IE Microsoft Edge out of bounds read attempt (browser-ie.rules)
 * 1:42797 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt (file-flash.rules)
 * 1:42796 <-> ENABLED <-> FILE-FLASH Adobe Flash Player ConvolutionFilter memory corruption attempt (file-flash.rules)
 * 1:42795 <-> ENABLED <-> FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt (file-flash.rules)
 * 1:42794 <-> ENABLED <-> FILE-FLASH Adobe Flash Player beginGradientFill color array out of bounds read attempt (file-flash.rules)
 * 1:42793 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt (file-flash.rules)
 * 1:42792 <-> ENABLED <-> FILE-FLASH Adobe Flash Player FLV invalid tag buffer overflow attempt (file-flash.rules)
 * 1:42791 <-> ENABLED <-> FILE-PDF Adobe Reader invalid object reference use after free attempt (file-pdf.rules)
 * 1:42790 <-> ENABLED <-> FILE-PDF Adobe Reader invalid object reference use after free attempt (file-pdf.rules)
 * 1:42789 <-> DISABLED <-> FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt (file-pdf.rules)
 * 1:42788 <-> DISABLED <-> FILE-PDF Adobe Reader malformed app13 tag information disclosure attempt (file-pdf.rules)
 * 1:42787 <-> DISABLED <-> POLICY-OTHER Schneider Electric hardcoded FTP login attempt (policy-other.rules)
 * 1:42786 <-> DISABLED <-> PROTOCOL-SCADA Moxa unlock function code attempt (protocol-scada.rules)
 * 1:42785 <-> DISABLED <-> INDICATOR-SCAN DNS version.bind string information disclosure attempt (indicator-scan.rules)
 * 1:42784 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt (os-windows.rules)
 * 1:42783 <-> DISABLED <-> OS-WINDOWS Microsoft Windows ntoskrnl information disclosure attempt (os-windows.rules)
 * 1:42782 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt (browser-ie.rules)
 * 1:42781 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge AudioContext use after free attempt (browser-ie.rules)
 * 1:42780 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt (browser-ie.rules)
 * 1:42779 <-> ENABLED <-> BROWSER-IE Microsoft Edge CSS writing mode type confusion attempt (browser-ie.rules)
 * 1:42778 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:42777 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine security bypass css attempt (browser-ie.rules)
 * 1:42776 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt (browser-ie.rules)
 * 1:42775 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra JIT memory corruption attempt (browser-ie.rules)
 * 1:42774 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42773 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42772 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt (os-windows.rules)
 * 1:42771 <-> ENABLED <-> OS-WINDOWS Microsoft Windows GdiGradientFill null pointer dereference attempt (os-windows.rules)
 * 1:42770 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k kernel memory leak attempt (os-windows.rules)
 * 1:42769 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k kernel memory leak attempt (os-windows.rules)
 * 1:42768 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
 * 1:42767 <-> ENABLED <-> OS-WINDOWS Microsoft Windows DeviceIoControl double fetch race condition attempt (os-windows.rules)
 * 1:42766 <-> DISABLED <-> OS-WINDOWS Microsoft win32k privilege escalation attempt (os-windows.rules)
 * 1:42765 <-> DISABLED <-> OS-WINDOWS Microsoft win32k privilege escalation attempt (os-windows.rules)
 * 1:42764 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:42763 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NtTraceControl information disclosure attempt (os-windows.rules)
 * 1:42762 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt (browser-ie.rules)
 * 1:42761 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra array unshift heap overflow attempt (browser-ie.rules)
 * 1:42760 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42759 <-> DISABLED <-> OS-WINDOWS Microsoft Windows COM privilege escalation attempt (os-windows.rules)
 * 1:42758 <-> ENABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt (os-windows.rules)
 * 1:42757 <-> ENABLED <-> OS-WINDOWS Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt (os-windows.rules)
 * 1:42756 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42755 <-> ENABLED <-> FILE-OFFICE Microsoft Word 2010 Sepx memory corruption attempt (file-office.rules)
 * 1:42754 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:42753 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:42752 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt (os-windows.rules)
 * 1:42751 <-> ENABLED <-> OS-WINDOWS Microsoft Windows AFD.sys double fetch race condition attempt (os-windows.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)

Modified Rules:


 * 3:42432 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0328 attack attempt (server-webapp.rules)
 * 3:42193 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42194 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42191 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)
 * 3:42192 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0309 attack attempt (file-image.rules)