Talos Rules 2017-12-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2017-11885: A coding deficiency exists in Windows RRAS Service that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45130 through 45131.

Microsoft Vulnerability CVE-2017-11886: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 37283 through 37284.

Microsoft Vulnerability CVE-2017-11888: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45121 through 45122.

Microsoft Vulnerability CVE-2017-11889: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2017-11890: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45138 through 45139.

Microsoft Vulnerability CVE-2017-11893: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45162 through 45163.

Microsoft Vulnerability CVE-2017-11894: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45140 through 45141.

Microsoft Vulnerability CVE-2017-11895: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2017-11901: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45144 through 45145.

Microsoft Vulnerability CVE-2017-11903: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45146 through 45147.

Microsoft Vulnerability CVE-2017-11907: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45148 through 45149.

Microsoft Vulnerability CVE-2017-11909: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45150 through 45151.

Microsoft Vulnerability CVE-2017-11911: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45155 through 45156.

Microsoft Vulnerability CVE-2017-11913: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40132 through 40133.

Microsoft Vulnerability CVE-2017-11914: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45128 through 45129.

Microsoft Vulnerability CVE-2017-11916: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45169 through 45170.

Microsoft Vulnerability CVE-2017-11918: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45160 through 45161.

Microsoft Vulnerability CVE-2017-11930: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45167 through 45168.

Microsoft Vulnerability CVE-2017-11935: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45123 through 45124.

Microsoft Vulnerability CVE-2017-11937: A coding deficiency exists in Microsoft Malware Protection Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45152 through 45153.

Talos also has added and modified multiple rules in the browser-firefox, browser-ie, browser-plugins, file-multimedia, file-office, file-other, file-pdf, indicator-compromise, os-windows, policy-other, protocol-snmp and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2017-12-12 22:01:55 UTC

Snort Subscriber Rules Update

Date: 2017-12-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
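A parser for the line format stated above, paired with a cross-check of the SID ranges the advisory text quotes against what the changelog actually lists. This is an added example, not Talos or Snort code; the sample changelog and advisory lines are a constructed subset copied from this release, and the function names (`parse_changelog`, `check_coverage`, `disabled_by_default`) are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of this release's own changelog lines,
# in the "gid:sid <-> state <-> message (group)" format.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:45131 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45153 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 3:45159 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)

Modified Rules:

 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
"""

# Constructed sample: advisory sentences from this page (45152 deliberately
# left out of the changelog above so the coverage check has something to find).
SAMPLE_ADVISORY = """\
Microsoft Vulnerability CVE-2017-11885: ... identified with GID 1, SIDs 45130 through 45131.
Microsoft Vulnerability CVE-2017-11886: Previously released rules ... identified with GID 1, SIDs 37283 through 37284.
Microsoft Vulnerability CVE-2017-11937: ... identified with GID 1, SIDs 45152 through 45153.
"""

# One changelog entry: " * gid:sid <-> ENABLED|DISABLED <-> message (group.rules)"
RULE_LINE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+\.rules)\)\s*$"
)
# The advisory's way of citing rules: "GID 1, SIDs 45130 through 45131"
ADVISORY_RE = re.compile(r"GID (?P<gid>\d+), SIDs (?P<lo>\d+) through (?P<hi>\d+)")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool      # default rule state in the shipped rule pack
    message: str
    group: str         # rule file, e.g. "browser-ie.rules"
    section: str       # "new" or "modified"


def parse_changelog(text):
    """Parse changelog text into RuleEntry objects, tracking which section each came from."""
    entries, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = RULE_LINE.match(line)
        if not m:
            continue                      # headers, blank lines, prose
        if section is None:
            raise ValueError(f"rule line before any section header: {line!r}")
        entries.append(RuleEntry(int(m["gid"]), int(m["sid"]),
                                 m["state"] == "ENABLED", m["msg"], m["group"], section))
    return entries


def _cited_rules(advisory_text):
    """Expand every 'GID g, SIDs a through b' citation into (gid, sid) pairs."""
    for m in ADVISORY_RE.finditer(advisory_text):
        for sid in range(int(m["lo"]), int(m["hi"]) + 1):
            yield int(m["gid"]), sid


def check_coverage(advisory_text, entries):
    """(gid, sid) pairs the advisory cites that the changelog does not list."""
    present = {(e.gid, e.sid) for e in entries}
    return [pair for pair in _cited_rules(advisory_text) if pair not in present]


def disabled_by_default(advisory_text, entries):
    """Cited rules that ship DISABLED: present in the pack but not alerting until enabled."""
    index = {(e.gid, e.sid): e for e in entries}
    return sorted({pair for pair in _cited_rules(advisory_text)
                   if pair in index and not index[pair].enabled})


if __name__ == "__main__":
    rules = parse_changelog(SAMPLE_CHANGELOG)
    print("missing from changelog:", check_coverage(SAMPLE_ADVISORY, rules))
    print("cited but disabled by default:", disabled_by_default(SAMPLE_ADVISORY, rules))
```

The second check is the one worth running on every release: "included in this release" says nothing about the default state, and several SIDs this advisory cites ship DISABLED (45152 and 45153 for CVE-2017-11937, 45155 and 45156 for CVE-2017-11911, 45160 and 45161 for CVE-2017-11918), so a sensor on the default policy will not alert on them until they are enabled explicitly.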

New Rules:


 * 1:45170 <-> ENABLED <-> BROWSER-IE Microsoft Edge array type confusion attempt (browser-ie.rules)
 * 1:45169 <-> ENABLED <-> BROWSER-IE Microsoft Edge array type confusion attempt (browser-ie.rules)
 * 1:45168 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45167 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:45163 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45162 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45161 <-> DISABLED <-> BROWSER-IE Microsoft Edge null pointer dereference attempt (browser-ie.rules)
 * 1:45160 <-> DISABLED <-> BROWSER-IE Microsoft Edge null pointer dereference attempt (browser-ie.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:45156 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt (browser-ie.rules)
 * 1:45153 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 1:45152 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 1:45151 <-> ENABLED <-> BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt (browser-ie.rules)
 * 1:45150 <-> ENABLED <-> BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt (browser-ie.rules)
 * 1:45149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt (browser-ie.rules)
 * 1:45148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt (browser-ie.rules)
 * 1:45147 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45146 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45145 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45144 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array type confusion attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array type confusion attempt (browser-ie.rules)
 * 1:45141 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt (browser-ie.rules)
 * 1:45140 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt (browser-ie.rules)
 * 1:45139 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules)
 * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules)
 * 1:45135 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45134 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45133 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45132 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45131 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
 * 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
 * 1:45127 <-> DISABLED <-> BROWSER-FIREFOX Mozilla SSL certificate spoofing attempt (browser-firefox.rules)
 * 1:45126 <-> DISABLED <-> FILE-OTHER Adobe Shockwave newModel memory disclosure attempt (file-other.rules)
 * 1:45125 <-> DISABLED <-> FILE-OTHER Adobe Shockwave newModel memory disclosure attempt (file-other.rules)
 * 1:45124 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt (file-office.rules)
 * 1:45123 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt (file-office.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 3:45159 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)
 * 3:45120 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine padding oracle attack attempt (server-other.rules)
 * 3:45158 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:19894 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt (file-office.rules)
 * 1:21670 <-> DISABLED <-> SERVER-WEBAPP PHP phpinfo cross site scripting attempt (server-webapp.rules)
 * 1:25527 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt (file-office.rules)
 * 1:25528 <-> DISABLED <-> SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt (server-webapp.rules)
 * 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:33062 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
 * 1:33063 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
 * 1:33070 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33071 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33072 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33073 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33492 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt (browser-ie.rules)
 * 1:35725 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:35726 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:40132 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40133 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb prepare sprintf placeholder SQL injection attempt (server-webapp.rules)
 * 3:44910 <-> ENABLED <-> SERVER-OTHER Altiris Express Server Engine stack buffer overflow attempt (server-other.rules)
 * 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)

2017-12-12 22:01:55 UTC

Snort Subscriber Rules Update

Date: 2017-12-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45132 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45133 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45135 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules)
 * 1:45138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45139 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45140 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt (browser-ie.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45123 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt (file-office.rules)
 * 1:45124 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt (file-office.rules)
 * 1:45141 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt (browser-ie.rules)
 * 1:45130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45125 <-> DISABLED <-> FILE-OTHER Adobe Shockwave newModel memory disclosure attempt (file-other.rules)
 * 1:45126 <-> DISABLED <-> FILE-OTHER Adobe Shockwave newModel memory disclosure attempt (file-other.rules)
 * 1:45127 <-> DISABLED <-> BROWSER-FIREFOX Mozilla SSL certificate spoofing attempt (browser-firefox.rules)
 * 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array type confusion attempt (browser-ie.rules)
 * 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array type confusion attempt (browser-ie.rules)
 * 1:45144 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45145 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45146 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45147 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt (browser-ie.rules)
 * 1:45149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt (browser-ie.rules)
 * 1:45150 <-> ENABLED <-> BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt (browser-ie.rules)
 * 1:45151 <-> ENABLED <-> BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt (browser-ie.rules)
 * 1:45152 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 1:45153 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 1:45154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45156 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:45160 <-> DISABLED <-> BROWSER-IE Microsoft Edge null pointer dereference attempt (browser-ie.rules)
 * 1:45161 <-> DISABLED <-> BROWSER-IE Microsoft Edge null pointer dereference attempt (browser-ie.rules)
 * 1:45162 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45163 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules)
 * 1:45170 <-> ENABLED <-> BROWSER-IE Microsoft Edge array type confusion attempt (browser-ie.rules)
 * 1:45169 <-> ENABLED <-> BROWSER-IE Microsoft Edge array type confusion attempt (browser-ie.rules)
 * 1:45168 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45167 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 1:45134 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:45131 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 3:45159 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)
 * 3:45120 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine padding oracle attack attempt (server-other.rules)
 * 3:45158 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb prepare sprintf placeholder SQL injection attempt (server-webapp.rules)
 * 1:40133 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:40132 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:35726 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:33063 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
 * 1:19894 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt (file-office.rules)
 * 1:25527 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt (file-office.rules)
 * 1:25528 <-> DISABLED <-> SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt (server-webapp.rules)
 * 1:21670 <-> DISABLED <-> SERVER-WEBAPP PHP phpinfo cross site scripting attempt (server-webapp.rules)
 * 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:33062 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
 * 1:33070 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33071 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33072 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33073 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33492 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt (browser-ie.rules)
 * 1:35725 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 3:44910 <-> ENABLED <-> SERVER-OTHER Altiris Express Server Engine stack buffer overflow attempt (server-other.rules)
 * 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)

2017-12-12 22:01:55 UTC

Snort Subscriber Rules Update

Date: 2017-12-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45167 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45165 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 2 dump request attempt (policy-other.rules)
 * 1:45149 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt (browser-ie.rules)
 * 1:45133 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45169 <-> ENABLED <-> BROWSER-IE Microsoft Edge array type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array type confusion attempt (browser-ie.rules)
 * 1:45137 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit run hidden powershell attempt (indicator-compromise.rules)
 * 1:45131 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45134 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45132 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45124 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt (file-office.rules)
 * 1:45125 <-> DISABLED <-> FILE-OTHER Adobe Shockwave newModel memory disclosure attempt (file-other.rules)
 * 1:45126 <-> DISABLED <-> FILE-OTHER Adobe Shockwave newModel memory disclosure attempt (file-other.rules)
 * 1:45127 <-> DISABLED <-> BROWSER-FIREFOX Mozilla SSL certificate spoofing attempt (browser-firefox.rules)
 * 1:45139 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45140 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt (browser-ie.rules)
 * 1:45128 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
 * 1:45129 <-> ENABLED <-> BROWSER-IE Microsoft Edge defineGetter type confusion attempt (browser-ie.rules)
 * 1:45130 <-> ENABLED <-> OS-WINDOWS Microsoft Windows RRAS service arbitrary pointer dereference attempt (os-windows.rules)
 * 1:45138 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45141 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra RegExp engine memory corruption attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge Array type confusion attempt (browser-ie.rules)
 * 1:45144 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45145 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45136 <-> ENABLED <-> INDICATOR-COMPROMISE Metasploit PowerShell CLI Download and Run attempt (indicator-compromise.rules)
 * 1:45146 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45147 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45168 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45148 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Array out of bounds write attempt (browser-ie.rules)
 * 1:45150 <-> ENABLED <-> BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt (browser-ie.rules)
 * 1:45151 <-> ENABLED <-> BROWSER-IE Microsoft Edge JsSetCurrentContext out of bounds read attempt (browser-ie.rules)
 * 1:45152 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 1:45153 <-> DISABLED <-> INDICATOR-COMPROMISE Microsoft MsMpEng shrink compressed zip code execution attempt (indicator-compromise.rules)
 * 1:45154 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt (browser-ie.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45170 <-> ENABLED <-> BROWSER-IE Microsoft Edge array type confusion attempt (browser-ie.rules)
 * 1:45155 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45156 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out of bounds read attempt (browser-ie.rules)
 * 1:45157 <-> DISABLED <-> SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt (server-other.rules)
 * 1:45160 <-> DISABLED <-> BROWSER-IE Microsoft Edge null pointer dereference attempt (browser-ie.rules)
 * 1:45161 <-> DISABLED <-> BROWSER-IE Microsoft Edge null pointer dereference attempt (browser-ie.rules)
 * 1:45123 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel malformed spreadsheet use-after-free attempt (file-office.rules)
 * 1:45162 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45163 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:45135 <-> ENABLED <-> FILE-OFFICE Microsoft Office Equation Editor object stack buffer overflow attempt (file-office.rules)
 * 1:45164 <-> DISABLED <-> POLICY-OTHER RPC Portmapper version 3 dump request attempt (policy-other.rules)
 * 1:45166 <-> DISABLED <-> POLICY-OTHER RPC Portmapper getstat request attempt (policy-other.rules)
 * 3:45120 <-> ENABLED <-> SERVER-OTHER Cisco Application Control Engine padding oracle attack attempt (server-other.rules)
 * 3:45159 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)
 * 3:45158 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2017-0506 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:33073 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:19894 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt (file-office.rules)
 * 1:35725 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 1:33071 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33492 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer dynamic style update memory corruption attempt (browser-ie.rules)
 * 1:33063 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
 * 1:33070 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:33062 <-> DISABLED <-> FILE-OTHER BulletProof FTP Client BPS file buffer overflow attempt (file-other.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:25527 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint TextCharsAtom record buffer overflow attempt (file-office.rules)
 * 1:25528 <-> DISABLED <-> SERVER-WEBAPP Moveable Type unauthenticated remote command execution attempt (server-webapp.rules)
 * 1:25608 <-> DISABLED <-> FILE-OTHER cSounds.com Csound hetro audio file buffer overflow attempt (file-other.rules)
 * 1:37283 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:33072 <-> DISABLED <-> BROWSER-PLUGINS Attachmate Reflection FTP Client ActiveX clsid access attempt (browser-plugins.rules)
 * 1:21670 <-> DISABLED <-> SERVER-WEBAPP PHP phpinfo cross site scripting attempt (server-webapp.rules)
 * 1:37284 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript engine use after free attempt (browser-ie.rules)
 * 1:40132 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:40133 <-> ENABLED <-> BROWSER-IE VBScript ADODB.Connection object use after free attempt (browser-ie.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:45052 <-> DISABLED <-> SERVER-WEBAPP Wordpress wpdb prepare sprintf placeholder SQL injection attempt (server-webapp.rules)
 * 1:35726 <-> ENABLED <-> FILE-MULTIMEDIA Matroska libmatroska ebml unicode string out of bounds read attempt (file-multimedia.rules)
 * 3:44725 <-> ENABLED <-> PROTOCOL-SNMP Cisco Wireless LAN Controller clExtApDot11IfTable OID memory leak attempt (protocol-snmp.rules)
 * 3:44910 <-> ENABLED <-> SERVER-OTHER Altiris Express Server Engine stack buffer overflow attempt (server-other.rules)