Talos Rules 2018-03-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-0817: A coding deficiency exists in Microsoft Windows GDI that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45881 through 45882.

Microsoft Vulnerability CVE-2018-0872: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 42749 through 42750.

Microsoft Vulnerability CVE-2018-0874: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45875 through 45876.

Microsoft Vulnerability CVE-2018-0877: A coding deficiency exists in Microsoft Windows Desktop Bridge VFS that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45873 through 45874.

Microsoft Vulnerability CVE-2018-0880: A coding deficiency exists in Microsoft Windows Desktop Bridge that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45902 through 45903.

Microsoft Vulnerability CVE-2018-0882: A coding deficiency exists in Microsoft Windows Desktop Bridge that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45900 through 45901.

Microsoft Vulnerability CVE-2018-0883: A coding deficiency exists in Microsoft Shell that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45892 through 45895.

Microsoft Vulnerability CVE-2018-0889: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45887 through 45888.

Microsoft Vulnerability CVE-2018-0893: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45898 through 45899.

Microsoft Vulnerability CVE-2018-0903: A coding deficiency exists in Microsoft Access that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45883 through 45884.

Microsoft Vulnerability CVE-2018-0922: A coding deficiency exists in Microsoft Office that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45879 through 45880.

Microsoft Vulnerability CVE-2018-0930: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45889 through 45890.

Microsoft Vulnerability CVE-2018-0933: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45378 through 45379 and 45628 through 45629.

Microsoft Vulnerability CVE-2018-0934: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45628 through 45629.

Microsoft Vulnerability CVE-2018-0935: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 45877 through 45878.

Talos also has added and modified multiple rules in the browser-ie, deleted, exploit-kit, file-executable, file-office, file-other, indicator-compromise, malware-backdoor, malware-cnc, os-windows, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-03-13 19:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
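A small parser for this line format, added here as an example (it is not Talos or Snort code), together with a check that cross-references an advisory's "GID g, SIDs a through b" statement against the changelog. The check is worth having because a rule can be listed in the release yet ship with its default state DISABLED, in which case the advertised coverage is not live until that rule is enabled in the local policy. The sample lines, the `RuleEntry` record and the `check_coverage` function are constructed for the example; the SID values in the sample match entries in this release.

```python
"""Parse Snort changelog lines of the form
   * gid:sid <-> STATE <-> Message (group.rules)
and check an advisory's SID range against them."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# One changelog entry. The message is matched non-greedily so the trailing
# "(group.rules)" is captured separately, even when extra spaces precede it.
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*"
    r"(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:            # constructed record type for the example
    gid: int
    sid: int
    enabled: bool           # default rule state in the shipped ruleset
    message: str
    group: str


def parse_changelog(text: str) -> List[RuleEntry]:
    """Return the rule entries in a changelog; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append(RuleEntry(
            gid=int(m["gid"]), sid=int(m["sid"]),
            enabled=m["state"] == "ENABLED",
            message=m["msg"], group=m["group"],
        ))
    return entries


def check_coverage(entries: List[RuleEntry], gid: int,
                   sid_lo: int, sid_hi: int) -> Tuple[List[int], List[int]]:
    """For an advisory statement "GID gid, SIDs sid_lo through sid_hi", return
    (SIDs absent from the changelog, SIDs present but DISABLED by default).
    A non-empty second list means the coverage needs a policy change to be live."""
    by_key = {(e.gid, e.sid): e for e in entries}
    missing, disabled = [], []
    for sid in range(sid_lo, sid_hi + 1):
        e = by_key.get((gid, sid))
        if e is None:
            missing.append(sid)
        elif not e.enabled:
            disabled.append(sid)
    return missing, disabled


# Constructed sample in the changelog format; SIDs match entries in this release.
SAMPLE = """New Rules:

 * 1:45881 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45882 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45879 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45880 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
"""

if __name__ == "__main__":
    rules = parse_changelog(SAMPLE)
    # Advisory ranges as stated above: CVE-2018-0817, CVE-2018-0922, CVE-2018-0903.
    for cve, gid, lo, hi in [("CVE-2018-0817", 1, 45881, 45882),
                             ("CVE-2018-0922", 1, 45879, 45880),
                             ("CVE-2018-0903", 1, 45883, 45884)]:
        missing, disabled = check_coverage(rules, gid, lo, hi)
        print(cve, "missing:", missing, "disabled by default:", disabled)
```

Run against the full changelog text, the second list returned for CVE-2018-0922 is non-empty (SIDs 45879 and 45880 ship DISABLED), which is the kind of gap a deployment review should catch before assuming the release covers the advisory. The last range in the sample is deliberately incomplete so the "missing" path is exercised as well.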

New Rules:
 * 1:45912 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45876 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45894 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45875 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45935 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45920 <-> DISABLED <-> EXPLOIT-KIT Terror EK landing page attempt (exploit-kit.rules)
 * 1:45879 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45880 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45889 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45890 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45892 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45938 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45919 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror EK landing page attempt (exploit-kit.rules)
 * 1:45918 <-> DISABLED <-> SERVER-WEBAPP SugarCRM RSSDashlet XML external entity information disclosure attempt (server-webapp.rules)
 * 1:45874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45917 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:45939 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45940 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45936 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45937 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45934 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45893 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45916 <-> DISABLED <-> INDICATOR-COMPROMISE PHP shell_exec command execution attempt (indicator-compromise.rules)
 * 1:45941 <-> DISABLED <-> SERVER-OTHER Memcached UDP version discovery attempt (server-other.rules)
 * 1:45925 <-> ENABLED <-> EXPLOIT-KIT Terror EK page access attempt (exploit-kit.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)
 * 1:45924 <-> DISABLED <-> DELETED EXPLOIT-KIT Terror landing page redirect attempt (deleted.rules)
 * 1:45923 <-> ENABLED <-> EXPLOIT-KIT Terror EK dll download attempt (exploit-kit.rules)
 * 1:45922 <-> ENABLED <-> EXPLOIT-KIT Terror EK exe download attempt (exploit-kit.rules)
 * 1:45873 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45921 <-> DISABLED <-> EXPLOIT-KIT Terror EK resource access attempt (exploit-kit.rules)
 * 1:45911 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45881 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45895 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45898 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45899 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45900 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45901 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45885 <-> ENABLED <-> SERVER-WEBAPP HP IMC perfAccessMgrServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45871 <-> DISABLED <-> PROTOCOL-SCADA IntegraXor 6x denial of service attempt (protocol-scada.rules)
 * 1:45882 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45906 <-> ENABLED <-> MALWARE-CNC CobaltStrike DNS Beacon outbound A record (malware-cnc.rules)
 * 1:45942 <-> DISABLED <-> SERVER-OTHER Memcached DDoS reflective attempt (server-other.rules)
 * 1:45914 <-> DISABLED <-> INDICATOR-COMPROMISE PHP phpinfo command execution attempt (indicator-compromise.rules)
 * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:45909 <-> ENABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:45910 <-> DISABLED <-> MALWARE-CNC CobaltStrike outbound beacon command result (malware-cnc.rules)
 * 1:45888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45931 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45886 <-> DISABLED <-> SERVER-WEBAPP Potential Misfortune Cookie probe attempt (server-webapp.rules)
 * 1:45933 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45872 <-> DISABLED <-> SERVER-WEBAPP Reliance SCADA directory traversal attempt (server-webapp.rules)
 * 1:45913 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:45896 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)
 * 3:45897 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)

Modified Rules:
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
 * 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)

2018-03-13 19:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45933 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45872 <-> DISABLED <-> SERVER-WEBAPP Reliance SCADA directory traversal attempt (server-webapp.rules)
 * 1:45874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:45931 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45873 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45881 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45913 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45871 <-> DISABLED <-> PROTOCOL-SCADA IntegraXor 6x denial of service attempt (protocol-scada.rules)
 * 1:45929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45880 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)
 * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45886 <-> DISABLED <-> SERVER-WEBAPP Potential Misfortune Cookie probe attempt (server-webapp.rules)
 * 1:45887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (file-office.rules)
 * 1:45900 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45882 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45889 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45875 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45934 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45879 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45906 <-> ENABLED <-> MALWARE-CNC CobaltStrike DNS Beacon outbound A record (malware-cnc.rules)
 * 1:45890 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45892 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45893 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45895 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45894 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45898 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45899 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45901 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45924 <-> DISABLED <-> DELETED EXPLOIT-KIT Terror landing page redirect attempt (deleted.rules)
 * 1:45912 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:45910 <-> DISABLED <-> MALWARE-CNC CobaltStrike outbound beacon command result (malware-cnc.rules)
 * 1:45911 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45909 <-> ENABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:45876 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45942 <-> DISABLED <-> SERVER-OTHER Memcached DDoS reflective attempt (server-other.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45914 <-> DISABLED <-> INDICATOR-COMPROMISE PHP phpinfo command execution attempt (indicator-compromise.rules)
 * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules)
 * 1:45916 <-> DISABLED <-> INDICATOR-COMPROMISE PHP shell_exec command execution attempt (indicator-compromise.rules)
 * 1:45925 <-> ENABLED <-> EXPLOIT-KIT Terror EK page access attempt (exploit-kit.rules)
 * 1:45917 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:45935 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45936 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45937 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45938 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45939 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45940 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45941 <-> DISABLED <-> SERVER-OTHER Memcached UDP version discovery attempt (server-other.rules)
 * 1:45918 <-> DISABLED <-> SERVER-WEBAPP SugarCRM RSSDashlet XML external entity information disclosure attempt (server-webapp.rules)
 * 1:45919 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror EK landing page attempt (exploit-kit.rules)
 * 1:45920 <-> DISABLED <-> EXPLOIT-KIT Terror EK landing page attempt (exploit-kit.rules)
 * 1:45921 <-> DISABLED <-> EXPLOIT-KIT Terror EK resource access attempt (exploit-kit.rules)
 * 1:45922 <-> ENABLED <-> EXPLOIT-KIT Terror EK exe download attempt (exploit-kit.rules)
 * 1:45923 <-> ENABLED <-> EXPLOIT-KIT Terror EK dll download attempt (exploit-kit.rules)
 * 1:45885 <-> ENABLED <-> SERVER-WEBAPP HP IMC perfAccessMgrServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:45896 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)
 * 3:45897 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)

Modified Rules:
 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
 * 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)

2018-03-13 19:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:
 * 1:45887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45886 <-> DISABLED <-> SERVER-WEBAPP Potential Misfortune Cookie probe attempt (snort3-server-webapp.rules)
 * 1:45879 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (snort3-file-office.rules)
 * 1:45930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (snort3-malware-cnc.rules)
 * 1:45936 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45935 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45934 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (snort3-file-executable.rules)
 * 1:45933 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (snort3-file-executable.rules)
 * 1:45931 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (snort3-malware-cnc.rules)
 * 1:45932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (snort3-malware-cnc.rules)
 * 1:45942 <-> DISABLED <-> SERVER-OTHER Memcached DDoS reflective attempt (snort3-server-other.rules)
 * 1:45941 <-> DISABLED <-> SERVER-OTHER Memcached UDP version discovery attempt (snort3-server-other.rules)
 * 1:45940 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45939 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45938 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45937 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:45892 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (snort3-file-other.rules)
 * 1:45893 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (snort3-file-other.rules)
 * 1:45894 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (snort3-file-other.rules)
 * 1:45895 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (snort3-file-other.rules)
 * 1:45880 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (snort3-file-office.rules)
 * 1:45882 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (snort3-os-windows.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (snort3-file-office.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt  (snort3-file-office.rules)
 * 1:45898 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45899 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45900 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (snort3-os-windows.rules)
 * 1:45901 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (snort3-os-windows.rules)
 * 1:45885 <-> ENABLED <-> SERVER-WEBAPP HP IMC perfAccessMgrServlet arbitrary Java object deserialization attempt (snort3-server-webapp.rules)
 * 1:45902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (snort3-os-windows.rules)
 * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (snort3-malware-backdoor.rules)
 * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (snort3-malware-backdoor.rules)
 * 1:45906 <-> ENABLED <-> MALWARE-CNC CobaltStrike DNS Beacon outbound A record (snort3-malware-cnc.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (snort3-malware-cnc.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (snort3-malware-cnc.rules)
 * 1:45909 <-> ENABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (snort3-malware-cnc.rules)
 * 1:45910 <-> DISABLED <-> MALWARE-CNC CobaltStrike outbound beacon command result (snort3-malware-cnc.rules)
 * 1:45889 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (snort3-browser-ie.rules)
 * 1:45911 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (snort3-server-webapp.rules)
 * 1:45912 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (snort3-server-webapp.rules)
 * 1:45890 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (snort3-browser-ie.rules)
 * 1:45919 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror EK landing page attempt (snort3-exploit-kit.rules)
 * 1:45920 <-> DISABLED <-> EXPLOIT-KIT Terror EK landing page attempt (snort3-exploit-kit.rules)
 * 1:45903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (snort3-os-windows.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45916 <-> DISABLED <-> INDICATOR-COMPROMISE PHP shell_exec command execution attempt (snort3-indicator-compromise.rules)
 * 1:45917 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:45914 <-> DISABLED <-> INDICATOR-COMPROMISE PHP phpinfo command execution attempt (snort3-indicator-compromise.rules)
 * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (snort3-indicator-compromise.rules)
 * 1:45913 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (snort3-server-webapp.rules)
 * 1:45881 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (snort3-os-windows.rules)
 * 1:45871 <-> DISABLED <-> PROTOCOL-SCADA IntegraXor 6x denial of service attempt (snort3-protocol-scada.rules)
 * 1:45872 <-> DISABLED <-> SERVER-WEBAPP Reliance SCADA directory traversal attempt (snort3-server-webapp.rules)
 * 1:45873 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (snort3-os-windows.rules)
 * 1:45874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (snort3-os-windows.rules)
 * 1:45875 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (snort3-browser-ie.rules)
 * 1:45918 <-> DISABLED <-> SERVER-WEBAPP SugarCRM RSSDashlet XML external entity information disclosure attempt (snort3-server-webapp.rules)
 * 1:45876 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (snort3-browser-ie.rules)
 * 1:45888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:45921 <-> DISABLED <-> EXPLOIT-KIT Terror EK resource access attempt (snort3-exploit-kit.rules)
 * 1:45922 <-> ENABLED <-> EXPLOIT-KIT Terror EK exe download attempt (snort3-exploit-kit.rules)
 * 1:45923 <-> ENABLED <-> EXPLOIT-KIT Terror EK dll download attempt (snort3-exploit-kit.rules)
 * 1:45924 <-> DISABLED <-> DELETED EXPLOIT-KIT Terror landing page redirect attempt (snort3-deleted.rules)
 * 1:45925 <-> ENABLED <-> EXPLOIT-KIT Terror EK page access attempt (snort3-exploit-kit.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (snort3-server-other.rules)
 * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (snort3-file-other.rules)
 * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (snort3-file-other.rules)
 * 1:45929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (snort3-malware-cnc.rules)

Modified Rules:


 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (snort3-server-webapp.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (snort3-file-other.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (snort3-file-other.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (snort3-browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (snort3-browser-ie.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (snort3-server-webapp.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (snort3-malware-cnc.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (snort3-malware-cnc.rules)
 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (snort3-server-other.rules)
 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (snort3-server-other.rules)

2018-03-13 19:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45875 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt (file-office.rules)
 * 1:45874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45886 <-> DISABLED <-> SERVER-WEBAPP Potential Misfortune Cookie probe attempt (server-webapp.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt (file-office.rules)
 * 1:45882 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45876 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45873 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45871 <-> DISABLED <-> PROTOCOL-SCADA IntegraXor 6x denial of service attempt (protocol-scada.rules)
 * 1:45888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45872 <-> DISABLED <-> SERVER-WEBAPP Reliance SCADA directory traversal attempt (server-webapp.rules)
 * 1:45889 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45890 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:45892 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45879 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45880 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45881 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45893 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45894 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45895 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45898 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45899 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45900 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45901 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45906 <-> ENABLED <-> MALWARE-CNC CobaltStrike DNS Beacon outbound A record (malware-cnc.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:45909 <-> ENABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:45887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45916 <-> DISABLED <-> INDICATOR-COMPROMISE PHP shell_exec command execution attempt (indicator-compromise.rules)
 * 1:45935 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45934 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45933 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45931 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45917 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:45918 <-> DISABLED <-> SERVER-WEBAPP SugarCRM RSSDashlet XML external entity information disclosure attempt (server-webapp.rules)
 * 1:45919 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror EK landing page attempt (exploit-kit.rules)
 * 1:45920 <-> DISABLED <-> EXPLOIT-KIT Terror EK landing page attempt (exploit-kit.rules)
 * 1:45921 <-> DISABLED <-> EXPLOIT-KIT Terror EK resource access attempt (exploit-kit.rules)
 * 1:45922 <-> ENABLED <-> EXPLOIT-KIT Terror EK exe download attempt (exploit-kit.rules)
 * 1:45923 <-> ENABLED <-> EXPLOIT-KIT Terror EK dll download attempt (exploit-kit.rules)
 * 1:45924 <-> DISABLED <-> DELETED EXPLOIT-KIT Terror landing page redirect attempt (deleted.rules)
 * 1:45925 <-> ENABLED <-> EXPLOIT-KIT Terror EK page access attempt (exploit-kit.rules)
 * 1:45942 <-> DISABLED <-> SERVER-OTHER Memcached DDoS reflective attempt (server-other.rules)
 * 1:45941 <-> DISABLED <-> SERVER-OTHER Memcached UDP version discovery attempt (server-other.rules)
 * 1:45940 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45939 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45938 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45937 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45936 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45885 <-> ENABLED <-> SERVER-WEBAPP HP IMC perfAccessMgrServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules)
 * 1:45914 <-> DISABLED <-> INDICATOR-COMPROMISE PHP phpinfo command execution attempt (indicator-compromise.rules)
 * 1:45913 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45912 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45910 <-> DISABLED <-> MALWARE-CNC CobaltStrike outbound beacon command result (malware-cnc.rules)
 * 1:45911 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:45897 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)
 * 3:45896 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)

Modified Rules:


 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
 * 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)

2018-03-13 19:17:21 UTC

Snort Subscriber Rules Update

Date: 2018-03-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45876 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45875 <-> ENABLED <-> BROWSER-IE Microsoft Edge uninitialized memory use attempt (browser-ie.rules)
 * 1:45874 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45873 <-> ENABLED <-> OS-WINDOWS Microsoft Windows SetProcessDeviceMap arbitrary file read attempt (os-windows.rules)
 * 1:45872 <-> DISABLED <-> SERVER-WEBAPP Reliance SCADA directory traversal attempt (server-webapp.rules)
 * 1:45871 <-> DISABLED <-> PROTOCOL-SCADA IntegraXor 6x denial of service attempt (protocol-scada.rules)
 * 1:45881 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45880 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45879 <-> DISABLED <-> FILE-OFFICE Microsoft Office RTF listoverride memory corruption attempt (file-office.rules)
 * 1:45884 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt (file-office.rules)
 * 1:45883 <-> ENABLED <-> FILE-OFFICE Microsoft Access remote code execution attempt (file-office.rules)
 * 1:45882 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 gdi32 library integer overflow attempt (os-windows.rules)
 * 1:45885 <-> ENABLED <-> SERVER-WEBAPP HP IMC perfAccessMgrServlet arbitrary Java object deserialization attempt (server-webapp.rules)
 * 1:45888 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45887 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45886 <-> DISABLED <-> SERVER-WEBAPP Potential Misfortune Cookie probe attempt (server-webapp.rules)
 * 1:45892 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45890 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45889 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra Core type confusion attempt (browser-ie.rules)
 * 1:45893 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45916 <-> DISABLED <-> INDICATOR-COMPROMISE PHP shell_exec command execution attempt (indicator-compromise.rules)
 * 1:45915 <-> DISABLED <-> INDICATOR-COMPROMISE PHP obfuscated eval command execution attempt (indicator-compromise.rules)
 * 1:45914 <-> DISABLED <-> INDICATOR-COMPROMISE PHP phpinfo command execution attempt (indicator-compromise.rules)
 * 1:45913 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45912 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45911 <-> DISABLED <-> SERVER-WEBAPP ManageEngine Applications Manager testCredential.do command injection attempt (server-webapp.rules)
 * 1:45910 <-> DISABLED <-> MALWARE-CNC CobaltStrike outbound beacon command result (malware-cnc.rules)
 * 1:45909 <-> ENABLED <-> MALWARE-CNC CobaltStrike trial version inbound beacon response (malware-cnc.rules)
 * 1:45908 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon inbound TXT record (malware-cnc.rules)
 * 1:45907 <-> ENABLED <-> MALWARE-CNC Cobalt Strike DNS beacon outbound TXT record (malware-cnc.rules)
 * 1:45906 <-> ENABLED <-> MALWARE-CNC CobaltStrike DNS Beacon outbound A record (malware-cnc.rules)
 * 1:45905 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45904 <-> ENABLED <-> MALWARE-BACKDOOR CobaltStrike inbound beacon download (malware-backdoor.rules)
 * 1:45903 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45902 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45901 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45900 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Desktop Bridge privilege escalation attempt (os-windows.rules)
 * 1:45899 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45898 <-> DISABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45895 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45894 <-> DISABLED <-> FILE-OTHER ZIP file directory traversal attempt (file-other.rules)
 * 1:45932 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45931 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45930 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45929 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Dridex initial file download (malware-cnc.rules)
 * 1:45928 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45927 <-> DISABLED <-> FILE-OTHER Sophos Tester Tool dll-load exploit attempt (file-other.rules)
 * 1:45926 <-> ENABLED <-> SERVER-OTHER Flexense Syncbreeze buffer overflow attempt (server-other.rules)
 * 1:45925 <-> ENABLED <-> EXPLOIT-KIT Terror EK page access attempt (exploit-kit.rules)
 * 1:45924 <-> DISABLED <-> DELETED EXPLOIT-KIT Terror landing page redirect attempt (deleted.rules)
 * 1:45923 <-> ENABLED <-> EXPLOIT-KIT Terror EK dll download attempt (exploit-kit.rules)
 * 1:45922 <-> ENABLED <-> EXPLOIT-KIT Terror EK exe download attempt (exploit-kit.rules)
 * 1:45921 <-> DISABLED <-> EXPLOIT-KIT Terror EK resource access attempt (exploit-kit.rules)
 * 1:45920 <-> DISABLED <-> EXPLOIT-KIT Terror EK landing page attempt (exploit-kit.rules)
 * 1:45919 <-> DISABLED <-> EXPLOIT-KIT Sundown/Terror EK landing page attempt (exploit-kit.rules)
 * 1:45918 <-> DISABLED <-> SERVER-WEBAPP SugarCRM RSSDashlet XML external entity information disclosure attempt (server-webapp.rules)
 * 1:45917 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:45942 <-> DISABLED <-> SERVER-OTHER Memcached DDoS reflective attempt (server-other.rules)
 * 1:45941 <-> DISABLED <-> SERVER-OTHER Memcached UDP version discovery attempt (server-other.rules)
 * 1:45940 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45939 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45938 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45937 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45936 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45935 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:45934 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 1:45933 <-> DISABLED <-> FILE-EXECUTABLE Binutils objdump integer overflow attempt (file-executable.rules)
 * 3:45891 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0539 attack attempt (server-webapp.rules)
 * 3:45896 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)
 * 3:45897 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0538 attack attempt (file-office.rules)

Modified Rules:


 * 1:40476 <-> DISABLED <-> SERVER-OTHER Memcached set opcode request heap buffer overflow attempt (server-other.rules)
 * 1:33656 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak data exfiltration attempt (malware-cnc.rules)
 * 1:15514 <-> DISABLED <-> SERVER-OTHER Multiple Vendors NTP Daemon Autokey stack buffer overflow attempt (server-other.rules)
 * 1:33681 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Carbanak connection to server (malware-cnc.rules)
 * 1:45629 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:45774 <-> DISABLED <-> SERVER-WEBAPP HP IMC operatorGroupSelectContent Java expression language injection attempt (server-webapp.rules)
 * 1:45379 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45628 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption attempt (browser-ie.rules)
 * 1:43876 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:45378 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:42750 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:43875 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF with malformed embedded JPEG memory corruption attempt (file-other.rules)
 * 1:41813 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:42749 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine postMessage use after free attempt (browser-ie.rules)
 * 1:40481 <-> DISABLED <-> SERVER-OTHER Memcached replaceq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:41106 <-> ENABLED <-> SERVER-WEBAPP PHPMailer command injection remote code execution attempt (server-webapp.rules)
 * 1:40479 <-> DISABLED <-> SERVER-OTHER Memcached addq opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40480 <-> DISABLED <-> SERVER-OTHER Memcached replace opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40478 <-> DISABLED <-> SERVER-OTHER Memcached add opcode request heap buffer overflow attempt (server-other.rules)
 * 1:40477 <-> DISABLED <-> SERVER-OTHER Memcached setq opcode request heap buffer overflow attempt (server-other.rules)
 * 3:35943 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)
 * 3:35942 <-> ENABLED <-> PROTOCOL-DNS ISC BIND TKEY query processing denial of service attempt (protocol-dns.rules)