Talos Rules 2018-02-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0742: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45649 through 45650.

Microsoft Vulnerability CVE-2018-0756: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45632 through 45635.

Microsoft Vulnerability CVE-2018-0825: A coding deficiency exists in Microsoft StructuredQuery that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45624 through 45625.

Microsoft Vulnerability CVE-2018-0834: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45626 through 45629.

Microsoft Vulnerability CVE-2018-0835: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0837: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0838: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0840: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0841: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45654 through 45655.

Microsoft Vulnerability CVE-2018-0842: A coding deficiency exists in Microsoft Windows that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45656 through 45657.

Microsoft Vulnerability CVE-2018-0844: A coding deficiency exists in Microsoft Windows Common Log File System (CLFS) driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45630 through 45631.

Microsoft Vulnerability CVE-2018-0846: A coding deficiency exists in Microsoft Windows Common Log File System (CLFS) driver that may lead to an escalation of privilege.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 40691 through 40692.

Microsoft Vulnerability CVE-2018-0858: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45659 through 45660.

Microsoft Vulnerability CVE-2018-0860: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45628 through 45629 and 45636 through 45637.

Microsoft Vulnerability CVE-2018-0866: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45673 through 45674.

Talos also has added and modified multiple rules in the browser-ie, exploit-kit, file-office, file-other, file-pdf, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-02-13 20:29:48 UTC

Snort Subscriber Rules Update

Date: 2018-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45656 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45637 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45636 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45634 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45627 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45626 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45624 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45655 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45654 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45651 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vermin outbound connection attempt (malware-cnc.rules)
 * 1:45650 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45649 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45646 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure (malware-cnc.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45642 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45641 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45640 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45639 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45638 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45662 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45659 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45658 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45661 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45660 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45663 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45664 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45669 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45674 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45673 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45671 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 3:45652 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)
 * 3:45653 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft exploit kit landing page detected (exploit-kit.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)

2018-02-13 20:29:48 UTC

Snort Subscriber Rules Update

Date: 2018-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45663 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45664 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45626 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45627 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45634 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45636 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45637 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45638 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45639 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45640 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45641 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45642 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45646 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45649 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45656 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45654 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45655 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45650 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45651 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vermin outbound connection attempt (malware-cnc.rules)
 * 1:45674 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45673 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45671 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45669 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45624 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45659 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45660 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45661 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45662 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45658 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 3:45653 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)
 * 3:45652 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft exploit kit landing page detected (exploit-kit.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)

2018-02-13 20:29:48 UTC

Snort Subscriber Rules Update

Date: 2018-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45656 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45637 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45636 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45634 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45627 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45626 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45624 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45655 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45654 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45651 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vermin outbound connection attempt (malware-cnc.rules)
 * 1:45650 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45649 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45646 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure (malware-cnc.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45642 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45641 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45640 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45639 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45638 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45662 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45659 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45658 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45661 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45660 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45663 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45664 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45669 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45674 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45673 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45671 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 3:45652 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)
 * 3:45653 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft exploit kit landing page detected (exploit-kit.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)

2018-02-13 20:29:48 UTC

Snort Subscriber Rules Update

Date: 2018-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45637 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45673 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45655 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45658 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45662 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45651 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vermin outbound connection attempt (malware-cnc.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45650 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45634 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45638 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45674 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45626 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45671 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45661 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45640 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45654 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45639 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45636 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45664 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45646 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure (malware-cnc.rules)
 * 1:45657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45659 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45656 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45649 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45641 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45624 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45669 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45642 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45663 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45627 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45660 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:45652 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)
 * 3:45653 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft exploit kit landing page detected (exploit-kit.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)

2018-02-13 20:29:48 UTC

Snort Subscriber Rules Update

Date: 2018-02-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45654 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45641 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45660 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45630 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45655 <-> ENABLED <-> FILE-OFFICE Microsoft Office remote code execution attempt (file-office.rules)
 * 1:45632 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45659 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45626 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45624 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45672 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45651 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Vermin outbound connection attempt (malware-cnc.rules)
 * 1:45637 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45636 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine type confusion attempt (browser-ie.rules)
 * 1:45633 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45646 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure (malware-cnc.rules)
 * 1:45649 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45667 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45663 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45657 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45627 <-> ENABLED <-> BROWSER-IE Microsoft Edge Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:45673 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45658 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45666 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45656 <-> ENABLED <-> OS-WINDOWS Microsoft Windows HIDPARSE.sys memory corruption attempt (os-windows.rules)
 * 1:45664 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro malformed EMF EmfPlustDrawImagePoints out of bounds read attempt (file-other.rules)
 * 1:45674 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer localeCompare use after free attempt (browser-ie.rules)
 * 1:45668 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45670 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45669 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45643 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45662 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45625 <-> ENABLED <-> OS-WINDOWS Microsoft Windows malformed shortcut file with comment buffer overflow attempt (os-windows.rules)
 * 1:45644 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45671 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro embedded TIFF heap overflow attempt (file-other.rules)
 * 1:45645 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:45634 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45640 <-> DISABLED <-> POLICY-OTHER Possible Cisco IOS upgrade attempt (policy-other.rules)
 * 1:45661 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro out-of-bounds read attempt (file-other.rules)
 * 1:45639 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45638 <-> DISABLED <-> SERVER-MAIL SqWebMail print_header_ua cross site scripting attempt (server-mail.rules)
 * 1:45647 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45648 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Lazarus initial download (malware-cnc.rules)
 * 1:45631 <-> DISABLED <-> FILE-OTHER Microsoft Windows CLFS privilege escalation attempt (file-other.rules)
 * 1:45642 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent outbound connection (malware-cnc.rules)
 * 1:45665 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro TIFF embedded XPS file out of bounds read attempt (file-other.rules)
 * 1:45635 <-> DISABLED <-> OS-WINDOWS Microsoft Windows use after free win32kbase.sys privilege escalation attempt (os-windows.rules)
 * 1:45650 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys privilege escalation attempt (os-windows.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:45653 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)
 * 3:45652 <-> ENABLED <-> FILE-PDF TRUFFLEHUNTER TALOS-2018-0526 attack attempt (file-pdf.rules)

Modified Rules:


 * 1:40691 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 1:43729 <-> DISABLED <-> EXPLOIT-KIT Rig/Grandsoft Exploit Kit IE exploit attempt (exploit-kit.rules)
 * 1:44738 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror/Grandsoft exploit kit landing page detected (exploit-kit.rules)
 * 1:45122 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:45121 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer use after free attempt (browser-ie.rules)
 * 1:40692 <-> ENABLED <-> FILE-OTHER Microsoft Windows BLF file local privilege escalation attempt (file-other.rules)
 * 3:45087 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2017-0495 attack attempt (server-webapp.rules)