Talos Rules 2017-11-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-11791: A coding deficiency exists in Microsoft Scripting Engine that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44819 through 44820.

Microsoft Vulnerability CVE-2017-11837: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44809 through 44810.

Microsoft Vulnerability CVE-2017-11840: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44811 through 44812.

Microsoft Vulnerability CVE-2017-11841: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44813 through 44814.

Microsoft Vulnerability CVE-2017-11843: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44815 through 44816.

Microsoft Vulnerability CVE-2017-11845: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44817 through 44818.

Microsoft Vulnerability CVE-2017-11846: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44845 through 44846.

Microsoft Vulnerability CVE-2017-11847: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44833 through 44834.

Microsoft Vulnerability CVE-2017-11854: A coding deficiency exists in Microsoft Word that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44838 through 44839.

Microsoft Vulnerability CVE-2017-11855: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44831 through 44832.

Microsoft Vulnerability CVE-2017-11856: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44829 through 44830.

Microsoft Vulnerability CVE-2017-11858: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44827 through 44828.

Microsoft Vulnerability CVE-2017-11861: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44825 through 44826.

Microsoft Vulnerability CVE-2017-11869: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44823 through 44824.

Microsoft Vulnerability CVE-2017-11873: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44843 through 44844.

Microsoft Vulnerability CVE-2017-11878: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 44821 through 44822.

Talos has also added and modified multiple rules in the browser-ie, file-image, file-office, file-other, file-pdf, indicator-compromise, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2017-11-14 19:10:06 UTC

Snort Subscriber Rules Update

Date: 2017-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44818 <-> ENABLED <-> BROWSER-IE Microsoft Edge custom property memory corruption attempt (browser-ie.rules)
 * 1:44820 <-> ENABLED <-> BROWSER-IE Microsoft Edge array use after free attempt (browser-ie.rules)
 * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44861 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt (file-image.rules)
 * 1:44862 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt (file-image.rules)
 * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44830 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array memory corruption attempt (browser-ie.rules)
 * 1:44815 <-> DISABLED <-> BROWSER-IE Microsoft Edge use after free attempt (browser-ie.rules)
 * 1:44810 <-> ENABLED <-> BROWSER-IE Microsoft Edge postMessage use after free attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Closure use after free attempt (browser-ie.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Closure use after free attempt (browser-ie.rules)
 * 1:44853 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt (file-pdf.rules)
 * 1:44845 <-> ENABLED <-> BROWSER-IE Microsoft Edge heap overflow attempt (browser-ie.rules)
 * 1:44823 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt (browser-ie.rules)
 * 1:44859 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt (file-other.rules)
 * 1:44811 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:44856 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt (browser-ie.rules)
 * 1:44808 <-> DISABLED <-> INDICATOR-COMPROMISE Apache HTTP Server possible mod_dav.c remote denial of service vulnerability attempt (indicator-compromise.rules)
 * 1:44816 <-> DISABLED <-> BROWSER-IE Microsoft Edge use after free attempt (browser-ie.rules)
 * 1:44828 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44827 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array memory corruption attempt (browser-ie.rules)
 * 1:44831 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption exploitation attempt (browser-ie.rules)
 * 1:44832 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption exploitation attempt (browser-ie.rules)
 * 1:44833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use after free attempt (os-windows.rules)
 * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF memory corruption attempt (file-office.rules)
 * 1:44834 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use after free attempt (os-windows.rules)
 * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF memory corruption attempt (file-office.rules)
 * 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44860 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt (file-other.rules)
 * 1:44846 <-> ENABLED <-> BROWSER-IE Microsoft Edge heap overflow attempt (browser-ie.rules)
 * 1:44819 <-> ENABLED <-> BROWSER-IE Microsoft Edge array use after free attempt (browser-ie.rules)
 * 1:44854 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt (file-pdf.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44812 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:44809 <-> ENABLED <-> BROWSER-IE Microsoft Edge postMessage use after free attempt (browser-ie.rules)
 * 1:44817 <-> ENABLED <-> BROWSER-IE Microsoft Edge custom property memory corruption attempt (browser-ie.rules)
 * 1:44857 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt (file-pdf.rules)
 * 3:44855 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0480 attack attempt (policy-other.rules)
 * 3:44848 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44841 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44840 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44836 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44850 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44847 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44852 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44835 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44842 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44851 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44858 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0474 attack attempt (server-webapp.rules)
 * 3:44837 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44863 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0483 attack attempt (server-webapp.rules)
 * 3:44849 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:2707 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:27569 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:42937 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt (file-image.rules)
 * 1:42938 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt (file-image.rules)
 * 1:44025 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44026 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)

2017-11-14 19:10:06 UTC

Snort Subscriber Rules Update

Date: 2017-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44856 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:44830 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array memory corruption attempt (browser-ie.rules)
 * 1:44829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array memory corruption attempt (browser-ie.rules)
 * 1:44810 <-> ENABLED <-> BROWSER-IE Microsoft Edge postMessage use after free attempt (browser-ie.rules)
 * 1:44812 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:44818 <-> ENABLED <-> BROWSER-IE Microsoft Edge custom property memory corruption attempt (browser-ie.rules)
 * 1:44817 <-> ENABLED <-> BROWSER-IE Microsoft Edge custom property memory corruption attempt (browser-ie.rules)
 * 1:44815 <-> DISABLED <-> BROWSER-IE Microsoft Edge use after free attempt (browser-ie.rules)
 * 1:44820 <-> ENABLED <-> BROWSER-IE Microsoft Edge array use after free attempt (browser-ie.rules)
 * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Closure use after free attempt (browser-ie.rules)
 * 1:44823 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt (browser-ie.rules)
 * 1:44824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Closure use after free attempt (browser-ie.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44827 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44828 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44831 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption exploitation attempt (browser-ie.rules)
 * 1:44808 <-> DISABLED <-> INDICATOR-COMPROMISE Apache HTTP Server possible mod_dav.c remote denial of service vulnerability attempt (indicator-compromise.rules)
 * 1:44832 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption exploitation attempt (browser-ie.rules)
 * 1:44833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use after free attempt (os-windows.rules)
 * 1:44834 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use after free attempt (os-windows.rules)
 * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF memory corruption attempt (file-office.rules)
 * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF memory corruption attempt (file-office.rules)
 * 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44845 <-> ENABLED <-> BROWSER-IE Microsoft Edge heap overflow attempt (browser-ie.rules)
 * 1:44846 <-> ENABLED <-> BROWSER-IE Microsoft Edge heap overflow attempt (browser-ie.rules)
 * 1:44853 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt (file-pdf.rules)
 * 1:44854 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt (file-pdf.rules)
 * 1:44862 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt (file-image.rules)
 * 1:44861 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt (file-image.rules)
 * 1:44860 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt (file-other.rules)
 * 1:44816 <-> DISABLED <-> BROWSER-IE Microsoft Edge use after free attempt (browser-ie.rules)
 * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44811 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:44819 <-> ENABLED <-> BROWSER-IE Microsoft Edge array use after free attempt (browser-ie.rules)
 * 1:44859 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt (file-other.rules)
 * 1:44809 <-> ENABLED <-> BROWSER-IE Microsoft Edge postMessage use after free attempt (browser-ie.rules)
 * 1:44857 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt (file-pdf.rules)
 * 3:44850 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44847 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44835 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44837 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44836 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44842 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44848 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44849 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44840 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44851 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44855 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0480 attack attempt (policy-other.rules)
 * 3:44852 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44858 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0474 attack attempt (server-webapp.rules)
 * 3:44863 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0483 attack attempt (server-webapp.rules)
 * 3:44841 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:2707 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:27569 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:42937 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt (file-image.rules)
 * 1:42938 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt (file-image.rules)
 * 1:44025 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44026 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)

2017-11-14 19:10:06 UTC

Snort Subscriber Rules Update

Date: 2017-11-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:44862 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt (file-image.rules)
 * 1:44861 <-> ENABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed CommentExtension attempt (file-image.rules)
 * 1:44860 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt (file-other.rules)
 * 1:44859 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt (file-other.rules)
 * 1:44857 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:44856 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XI JavaScript annotation use after free attempt (file-pdf.rules)
 * 1:44854 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt (file-pdf.rules)
 * 1:44853 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader malformed TTF buffer over-read attempt (file-pdf.rules)
 * 1:44846 <-> ENABLED <-> BROWSER-IE Microsoft Edge heap overflow attempt (browser-ie.rules)
 * 1:44845 <-> ENABLED <-> BROWSER-IE Microsoft Edge heap overflow attempt (browser-ie.rules)
 * 1:44844 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44843 <-> DISABLED <-> BROWSER-IE Microsoft Edge Uint8Array memory corruption attempt (browser-ie.rules)
 * 1:44839 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF memory corruption attempt (file-office.rules)
 * 1:44838 <-> DISABLED <-> FILE-OFFICE Microsoft Word RTF memory corruption attempt (file-office.rules)
 * 1:44834 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use after free attempt (os-windows.rules)
 * 1:44833 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys use after free attempt (os-windows.rules)
 * 1:44832 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption exploitation attempt (browser-ie.rules)
 * 1:44831 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption exploitation attempt (browser-ie.rules)
 * 1:44830 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array memory corruption attempt (browser-ie.rules)
 * 1:44829 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer array memory corruption attempt (browser-ie.rules)
 * 1:44828 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44827 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44826 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44825 <-> DISABLED <-> OS-WINDOWS Microsoft Edge out of bounds write attempt (os-windows.rules)
 * 1:44824 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt (browser-ie.rules)
 * 1:44823 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript Join out of bounds memory access attempt (browser-ie.rules)
 * 1:44822 <-> DISABLED <-> FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44821 <-> DISABLED <-> FILE-OFFICE Microsoft Excel use after free vulnerability exploit attempt (file-office.rules)
 * 1:44820 <-> ENABLED <-> BROWSER-IE Microsoft Edge array use after free attempt (browser-ie.rules)
 * 1:44819 <-> ENABLED <-> BROWSER-IE Microsoft Edge array use after free attempt (browser-ie.rules)
 * 1:44818 <-> ENABLED <-> BROWSER-IE Microsoft Edge custom property memory corruption attempt (browser-ie.rules)
 * 1:44817 <-> ENABLED <-> BROWSER-IE Microsoft Edge custom property memory corruption attempt (browser-ie.rules)
 * 1:44816 <-> DISABLED <-> BROWSER-IE Microsoft Edge use after free attempt (browser-ie.rules)
 * 1:44815 <-> DISABLED <-> BROWSER-IE Microsoft Edge use after free attempt (browser-ie.rules)
 * 1:44814 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Closure use after free attempt (browser-ie.rules)
 * 1:44813 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Closure use after free attempt (browser-ie.rules)
 * 1:44812 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:44811 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:44810 <-> ENABLED <-> BROWSER-IE Microsoft Edge postMessage use after free attempt (browser-ie.rules)
 * 1:44809 <-> ENABLED <-> BROWSER-IE Microsoft Edge postMessage use after free attempt (browser-ie.rules)
 * 1:44808 <-> DISABLED <-> INDICATOR-COMPROMISE Apache HTTP Server possible mod_dav.c remote denial of service vulnerability attempt (indicator-compromise.rules)
 * 3:44835 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44836 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44837 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0472 attack attempt (server-webapp.rules)
 * 3:44840 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44841 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44842 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0473 attack attempt (server-webapp.rules)
 * 3:44847 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44848 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44849 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0482 attack attempt (server-webapp.rules)
 * 3:44850 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44851 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44852 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0477 attack attempt (server-webapp.rules)
 * 3:44855 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2017-0480 attack attempt (policy-other.rules)
 * 3:44858 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0474 attack attempt (server-webapp.rules)
 * 3:44863 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0483 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:2707 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:27569 <-> DISABLED <-> FILE-IMAGE JPEG parser multipacket heap overflow attempt (file-image.rules)
 * 1:31028 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:31029 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF conversion heap buffer overflow attempt (file-other.rules)
 * 1:41202 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:41203 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed JPEG APP2 segment out of bounds memory access attempt (file-image.rules)
 * 1:42937 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt (file-image.rules)
 * 1:42938 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro SampleFormat heap overflow attempt (file-image.rules)
 * 1:44025 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)
 * 1:44026 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro malformed TIFF memory corruption attempt (file-image.rules)