Talos Rules 2018-07-12
This release adds and modifies rules in several categories.

Talos has added and modified multiple rules in the browser-ie, file-image, file-other, file-pdf, indicator-obfuscation, malware-cnc, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-07-12 17:24:17 UTC

Snort Subscriber Rules Update

Date: 2018-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
 * 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)

2018-07-12 17:24:17 UTC

Snort Subscriber Rules Update

Date: 2018-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
 * 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
 * 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
 * 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)

2018-07-12 17:24:17 UTC

Snort Subscriber Rules Update

Date: 2018-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (snort3-browser-ie.rules)
 * 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (snort3-file-pdf.rules)
 * 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (snort3-browser-ie.rules)
 * 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
 * 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
 * 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (snort3-file-pdf.rules)
 * 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (snort3-file-pdf.rules)
 * 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
 * 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (snort3-file-image.rules)
 * 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (snort3-file-image.rules)
 * 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
 * 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (snort3-file-pdf.rules)
 * 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
 * 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (snort3-malware-cnc.rules)
 * 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (snort3-file-pdf.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (snort3-policy-other.rules)
 * 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (snort3-malware-cnc.rules)
 * 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (snort3-server-webapp.rules)
 * 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (snort3-file-other.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (snort3-server-webapp.rules)

Modified Rules:


 * 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (snort3-browser-ie.rules)
 * 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (snort3-browser-ie.rules)
 * 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (snort3-browser-ie.rules)
 * 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
 * 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
 * 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (snort3-browser-ie.rules)
 * 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (snort3-browser-ie.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (snort3-indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (snort3-indicator-obfuscation.rules)
 * 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
 * 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (snort3-browser-ie.rules)
 * 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (snort3-server-samba.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (snort3-server-webapp.rules)

2018-07-12 17:24:17 UTC

Snort Subscriber Rules Update

Date: 2018-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
 * 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
 * 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)
 * 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)

2018-07-12 17:24:17 UTC

Snort Subscriber Rules Update

Date: 2018-07-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47160 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47164 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47155 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47161 <-> DISABLED <-> BROWSER-IE Microsoft Edge mutation event memory corruption attempt (browser-ie.rules)
 * 1:47167 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47163 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47150 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47145 <-> DISABLED <-> SERVER-WEBAPP Quest DR Series Disk Backup EmailRelayHostService.pm command injection attempt (server-webapp.rules)
 * 1:47159 <-> DISABLED <-> SERVER-WEBAPP Cognex VisionView directory traversal attempt (server-webapp.rules)
 * 1:47149 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:47168 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47152 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47154 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47158 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 1:47147 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47162 <-> DISABLED <-> FILE-PDF Adobe Reader XFA nested subforms out-of-bounds read attempt (file-pdf.rules)
 * 1:47156 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:47165 <-> DISABLED <-> FILE-PDF Adobe Acrobat Pro HTML image input element use-after-free attempt (file-pdf.rules)
 * 1:47169 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47146 <-> DISABLED <-> POLICY-OTHER Siemens SICAM PAS hard coded factory account usage attempt (policy-other.rules)
 * 1:47170 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader PageLabels heap buffer overflow attempt (file-pdf.rules)
 * 1:47151 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:47148 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Ursnif malicious file download (malware-cnc.rules)
 * 1:47153 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro use after free attempt (file-other.rules)
 * 1:47157 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Reader jp2 out-of-bounds read attempt (file-image.rules)
 * 3:47166 <-> ENABLED <-> SERVER-WEBAPP Cisco UCS Director launcher.jsp cross site scripting attempt (server-webapp.rules)

Modified Rules:


 * 1:35479 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:35480 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer RecyclableObject type-confusion remote code execution attempt (browser-ie.rules)
 * 1:38085 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38086 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:38090 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38091 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CSVGHelpers use-after-free attempt (browser-ie.rules)
 * 1:38641 <-> DISABLED <-> INDICATOR-OBFUSCATION Invalid header line evasion attempt (indicator-obfuscation.rules)
 * 1:38666 <-> DISABLED <-> INDICATOR-OBFUSCATION HTTP header invalid entry evasion attempt (indicator-obfuscation.rules)
 * 1:43758 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:43759 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CTravelEntry use after free attempt (browser-ie.rules)
 * 1:45568 <-> DISABLED <-> SERVER-SAMBA Samba LDAP Server libldb denial of service attempt (server-samba.rules)
 * 1:45768 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:45769 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46469 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:46470 <-> DISABLED <-> SERVER-WEBAPP PHP unserialize integer overflow attempt (server-webapp.rules)
 * 1:17513 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer Script Action Handler buffer overflow attempt (browser-ie.rules)