Talos Rules 2018-01-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0758: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45383 through 45384.

Microsoft Vulnerability CVE-2018-0762: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45389 through 45390.

Microsoft Vulnerability CVE-2018-0769: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45376 through 45377.

Microsoft Vulnerability CVE-2018-0773: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45395 through 45396.

Microsoft Vulnerability CVE-2018-0774: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45387 through 45388.

Microsoft Vulnerability CVE-2018-0775: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45391 through 45392.

Microsoft Vulnerability CVE-2018-0776: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45378 through 45379.

Microsoft Vulnerability CVE-2018-0777: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45374 through 45375.

Microsoft Vulnerability CVE-2018-0797: A coding deficiency exists in Microsoft Word that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45402 through 45403.

Talos has also added and modified multiple rules in the browser-firefox, browser-ie, file-flash, file-office, file-other, file-pdf, malware-cnc, os-other, os-windows, policy-other, protocol-voip, pua-adware, server-apache, server-other and sql rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-01-09 20:57:46 UTC

Snort Subscriber Rules Update

Date: 2018-01-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45397 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45398 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45395 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45390 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45396 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45392 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45391 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45393 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd buffer overflow attempt (server-other.rules)
 * 1:45386 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege esclatation exploit attempt (os-other.rules)
 * 1:45387 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45388 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45389 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45382 <-> DISABLED <-> SERVER-WEBAPP Huawei router command injection attempt (server-webapp.rules)
 * 1:45383 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45384 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45385 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege esclatation exploit attempt (os-other.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45380 <-> DISABLED <-> SERVER-OTHER Sixnet SixView Manager directory traversal attempt (server-other.rules)
 * 1:45381 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45375 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45373 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server directory traversal attempt (server-webapp.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45374 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45372 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_update_program.php command injection attempt (server-webapp.rules)
 * 1:45369 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45399 <-> DISABLED <-> FILE-OTHER Adobe Photoshop asset elements stack based buffer overflow attempt (file-other.rules)
 * 1:45400 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt (malware-cnc.rules)
 * 1:45401 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiOS redir parameter cross site scripting attempt (server-webapp.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)

Modified Rules:


 * 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SPS and IMS diagnostic.log session disclosure attempt (server-webapp.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:11971 <-> DISABLED <-> PROTOCOL-VOIP CSeq buffer overflow attempt (protocol-voip.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:35670 <-> DISABLED <-> POLICY-OTHER Symantec Endpoint Protection insecure password reset attempt (policy-other.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:19077 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:38111 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:19076 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:15493 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:19292 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:38110 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
 * 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

2018-01-09 20:57:46 UTC

Snort Subscriber Rules Update

Date: 2018-01-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45390 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45394 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt (server-other.rules)
 * 1:45389 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45392 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45398 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45387 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45388 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45384 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45385 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege esclatation exploit attempt (os-other.rules)
 * 1:45382 <-> DISABLED <-> SERVER-WEBAPP Huawei router command injection attempt (server-webapp.rules)
 * 1:45383 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45380 <-> DISABLED <-> SERVER-OTHER Sixnet SixView Manager directory traversal attempt (server-other.rules)
 * 1:45381 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45395 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45399 <-> DISABLED <-> FILE-OTHER Adobe Photoshop asset elements stack based buffer overflow attempt (file-other.rules)
 * 1:45401 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiOS redir parameter cross site scripting attempt (server-webapp.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45391 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45375 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45374 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45372 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_update_program.php command injection attempt (server-webapp.rules)
 * 1:45373 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server directory traversal attempt (server-webapp.rules)
 * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45369 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:45397 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45396 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45393 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd buffer overflow attempt (server-other.rules)
 * 1:45386 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege esclatation exploit attempt (os-other.rules)
 * 1:45400 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt (malware-cnc.rules)

Modified Rules:


 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38110 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38111 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:19077 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:19292 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:15493 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:19076 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:11971 <-> DISABLED <-> PROTOCOL-VOIP CSeq buffer overflow attempt (protocol-voip.rules)
 * 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:35670 <-> DISABLED <-> POLICY-OTHER Symantec Endpoint Protection insecure password reset attempt (policy-other.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SPS and IMS diagnostic.log session disclosure attempt (server-webapp.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

2018-01-09 20:57:46 UTC

Snort Subscriber Rules Update

Date: 2018-01-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45394 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt (server-other.rules)
 * 1:45392 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45393 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd buffer overflow attempt (server-other.rules)
 * 1:45390 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45391 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45388 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45389 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45386 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege esclatation exploit attempt (os-other.rules)
 * 1:45387 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45384 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45385 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege esclatation exploit attempt (os-other.rules)
 * 1:45382 <-> DISABLED <-> SERVER-WEBAPP Huawei router command injection attempt (server-webapp.rules)
 * 1:45383 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45380 <-> DISABLED <-> SERVER-OTHER Sixnet SixView Manager directory traversal attempt (server-other.rules)
 * 1:45381 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45374 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45375 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45372 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_update_program.php command injection attempt (server-webapp.rules)
 * 1:45373 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server directory traversal attempt (server-webapp.rules)
 * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45369 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45396 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45397 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45398 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45399 <-> DISABLED <-> FILE-OTHER Adobe Photoshop asset elements stack based buffer overflow attempt (file-other.rules)
 * 1:45401 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiOS redir parameter cross site scripting attempt (server-webapp.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45400 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt (malware-cnc.rules)
 * 1:45395 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)

Modified Rules:


 * 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:11971 <-> DISABLED <-> PROTOCOL-VOIP CSeq buffer overflow attempt (protocol-voip.rules)
 * 1:15493 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:19076 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:19077 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:19292 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35670 <-> DISABLED <-> POLICY-OTHER Symantec Endpoint Protection insecure password reset attempt (policy-other.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:38110 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38111 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SPS and IMS diagnostic.log session disclosure attempt (server-webapp.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
 * 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)

2018-01-09 20:57:46 UTC

Snort Subscriber Rules Update

Date: 2018-01-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45405 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45404 <-> ENABLED <-> FILE-FLASH Adobe Flash Player malformed ATF buffer overflow attempt (file-flash.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Word memory corruption exploit attempt (file-office.rules)
 * 1:45401 <-> ENABLED <-> SERVER-WEBAPP Fortinet FortiOS redir parameter cross site scripting attempt (server-webapp.rules)
 * 1:45400 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt (malware-cnc.rules)
 * 1:45399 <-> DISABLED <-> FILE-OTHER Adobe Photoshop asset elements stack based buffer overflow attempt (file-other.rules)
 * 1:45398 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45397 <-> DISABLED <-> PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected (pua-adware.rules)
 * 1:45396 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45395 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine toString use after free attempt (browser-ie.rules)
 * 1:45394 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd denial of service attempt (server-other.rules)
 * 1:45393 <-> DISABLED <-> SERVER-OTHER Quest Privilege Manager pmmasterd buffer overflow attempt (server-other.rules)
 * 1:45392 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45391 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45390 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45389 <-> ENABLED <-> BROWSER-IE Microsoft IE array type confusion attempt (browser-ie.rules)
 * 1:45388 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45387 <-> ENABLED <-> BROWSER-IE Microsoft Edge anonymous function type confusion attempt (browser-ie.rules)
 * 1:45386 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege escalation exploit attempt (os-other.rules)
 * 1:45385 <-> DISABLED <-> OS-OTHER Mac OS X setuid privilege escalation exploit attempt (os-other.rules)
 * 1:45384 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45383 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine integer overflow attempt (browser-ie.rules)
 * 1:45382 <-> DISABLED <-> SERVER-WEBAPP Huawei router command injection attempt (server-webapp.rules)
 * 1:45381 <-> DISABLED <-> SERVER-WEBAPP Symantec Endpoint Protection cross site scripting attempt (server-webapp.rules)
 * 1:45380 <-> DISABLED <-> SERVER-OTHER Sixnet SixView Manager directory traversal attempt (server-other.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45377 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45376 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45375 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45374 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:45373 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server directory traversal attempt (server-webapp.rules)
 * 1:45372 <-> DISABLED <-> SERVER-WEBAPP Trend Micro Smart Protection Server admin_update_program.php command injection attempt (server-webapp.rules)
 * 1:45371 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45370 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word docx subDocument file include attempt (file-office.rules)
 * 1:45369 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)

Modified Rules:

 * 1:11971 <-> DISABLED <-> PROTOCOL-VOIP CSeq buffer overflow attempt (protocol-voip.rules)
 * 1:15493 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader getAnnots exploit attempt (file-pdf.rules)
 * 1:19076 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:19077 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:19292 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:21363 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt (browser-firefox.rules)
 * 1:31181 <-> DISABLED <-> SERVER-OTHER OpenSSL DTLS handshake recursion denial of service attempt (server-other.rules)
 * 1:35479 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35670 <-> DISABLED <-> POLICY-OTHER Symantec Endpoint Protection insecure password reset attempt (policy-other.rules)
 * 1:36334 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-password cross site request forgery attempt (server-webapp.rules)
 * 1:36335 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:36336 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:36337 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire permitted-clients cross site request forgery attempt (server-webapp.rules)
 * 1:36437 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36438 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ieframe.dll ActiveX clsid access (browser-ie.rules)
 * 1:36511 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire server properties cross site request forgery attempt (server-webapp.rules)
 * 1:38110 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38111 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word bitmap stream parsing remote code execution attempt (file-office.rules)
 * 1:38507 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38508 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt (browser-ie.rules)
 * 1:38731 <-> DISABLED <-> SERVER-OTHER Squid Proxy range header denial of service attempt (server-other.rules)
 * 1:41410 <-> DISABLED <-> SERVER-WEBAPP McAfee ePolicy Orchestrator data channel SQL injection attempt (server-webapp.rules)
 * 1:42110 <-> DISABLED <-> SERVER-WEBAPP Microsoft IIS ScStoragePathFromUrl function buffer overflow attempt (server-webapp.rules)
 * 1:42805 <-> DISABLED <-> SERVER-WEBAPP Intel AMT remote administration tool authentication bypass attempt (server-webapp.rules)
 * 1:42878 <-> DISABLED <-> SERVER-WEBAPP Apache TomEE java deserialization attempt (server-webapp.rules)
 * 1:45269 <-> DISABLED <-> SERVER-OTHER Apache CouchDB remote code execution attempt (server-other.rules)
 * 1:45107 <-> DISABLED <-> SERVER-OTHER Fatek Automation PLC WinProladder buffer overflow attempt (server-other.rules)
 * 1:44575 <-> DISABLED <-> SERVER-WEBAPP Ignite Realtime Openfire user-create cross site request forgery attempt (server-webapp.rules)
 * 1:44565 <-> DISABLED <-> SERVER-WEBAPP Trend Micro SPS and IMS diagnostic.log session disclosure attempt (server-webapp.rules)
 * 1:43671 <-> DISABLED <-> SQL Oracle MySQL Pluggable Auth denial of service attempt (sql.rules)
 * 1:43587 <-> DISABLED <-> SERVER-APACHE httpd ap_find_token buffer overread attempt (server-apache.rules)
 * 1:43224 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:43222 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 1:43223 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Micropsia outbound connection (malware-cnc.rules)
 * 3:15912 <-> ENABLED <-> OS-WINDOWS TCP window closed before receiving data (os-windows.rules)