Talos Rules 2018-08-14
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-8266: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47490 through 47491.

Microsoft Vulnerability CVE-2018-8344: A coding deficiency exists in Microsoft Graphics that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47519 through 47520.

Microsoft Vulnerability CVE-2018-8345: A coding deficiency exists in Microsoft LNK that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47476 through 47477.

Microsoft Vulnerability CVE-2018-8353: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45877 through 45878.

Microsoft Vulnerability CVE-2018-8355: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47492 through 47493.

Microsoft Vulnerability CVE-2018-8371: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2018-8372: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47478 through 47479.

Microsoft Vulnerability CVE-2018-8376: A coding deficiency exists in Microsoft PowerPoint that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47482 through 47483.

Microsoft Vulnerability CVE-2018-8379: A coding deficiency exists in Microsoft Excel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47495 through 47496.

Microsoft Vulnerability CVE-2018-8383: A coding deficiency exists in Microsoft Edge that may lead to spoofing.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47474 through 47475.

Microsoft Vulnerability CVE-2018-8384: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47480 through 47481.

Microsoft Vulnerability CVE-2018-8387: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47486 through 47487.

Microsoft Vulnerability CVE-2018-8389: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47484 through 47485.

Microsoft Vulnerability CVE-2018-8401: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47517 through 47518.

Microsoft Vulnerability CVE-2018-8403: A coding deficiency exists in Microsoft Browser that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47488 through 47489.

Microsoft Vulnerability CVE-2018-8404: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47503 through 47504.

Microsoft Vulnerability CVE-2018-8405: A coding deficiency exists in DirectX Graphics Kernel that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47515 through 47516.

Microsoft Vulnerability CVE-2018-8406: A coding deficiency exists in DirectX Graphics Kernel that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 47512 through 47513.

Microsoft Vulnerability CVE-2018-8414: A coding deficiency exists in Microsoft Windows Shell that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46999 through 47002.

Talos has also added and modified multiple rules in the browser-ie, file-executable, file-office, file-other, indicator-compromise, malware-cnc, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

For information about Snort Subscriber Rulesets available for purchase, please visit the Snort product page.

Change logs

2018-08-14 17:55:09 UTC

Snort Subscriber Rules Update

Date: 2018-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47519 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47512 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47482 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47489 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47491 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47492 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47477 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47514 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server checksession authentication bypass attempt (server-webapp.rules)
 * 1:47474 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47478 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47493 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47475 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47506 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47494 <-> DISABLED <-> SERVER-WEBAPP Easy File Sharing stack buffer overflow attempt (server-webapp.rules)
 * 1:47483 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47520 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47487 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47488 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47486 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:47518 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47476 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47490 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47481 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47502 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47497 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47496 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47498 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47499 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47500 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47501 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47503 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47505 <-> ENABLED <-> MALWARE-CNC Py.Malware.EvilOSX 404 Error Page Payload/Command Delivery (malware-cnc.rules)
 * 1:47504 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47507 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47508 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47509 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47510 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:47485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47480 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:47495 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 3:47522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47524 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47528 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)
 * 3:47527 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)

Modified Rules:


 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47001 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)

2018-08-14 17:55:09 UTC

Snort Subscriber Rules Update

Date: 2018-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47474 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47489 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47488 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47514 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server checksession authentication bypass attempt (server-webapp.rules)
 * 1:47510 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:47513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47475 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47518 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:47477 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47512 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:47481 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47482 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47483 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47491 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47476 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47519 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47487 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47478 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47480 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47486 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47500 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47490 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47508 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47493 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47492 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47494 <-> DISABLED <-> SERVER-WEBAPP Easy File Sharing stack buffer overflow attempt (server-webapp.rules)
 * 1:47495 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47496 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47497 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47520 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47498 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47501 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47499 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47509 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47502 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47503 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47504 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47505 <-> ENABLED <-> MALWARE-CNC Py.Malware.EvilOSX 404 Error Page Payload/Command Delivery (malware-cnc.rules)
 * 1:47506 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47507 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 3:47523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47527 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)
 * 3:47524 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47528 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)

Modified Rules:


 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47001 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)

2018-08-14 17:55:09 UTC

Snort Subscriber Rules Update

Date: 2018-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (snort3-os-windows.rules)
 * 1:47477 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (snort3-file-other.rules)
 * 1:47479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (snort3-browser-ie.rules)
 * 1:47478 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (snort3-browser-ie.rules)
 * 1:47494 <-> DISABLED <-> SERVER-WEBAPP Easy File Sharing stack buffer overflow attempt (snort3-server-webapp.rules)
 * 1:47495 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (snort3-file-office.rules)
 * 1:47475 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (snort3-browser-ie.rules)
 * 1:47488 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (snort3-browser-ie.rules)
 * 1:47474 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (snort3-browser-ie.rules)
 * 1:47483 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (snort3-file-office.rules)
 * 1:47482 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (snort3-file-office.rules)
 * 1:47517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (snort3-os-windows.rules)
 * 1:47516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (snort3-os-windows.rules)
 * 1:47481 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (snort3-browser-ie.rules)
 * 1:47476 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (snort3-file-other.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (snort3-malware-cnc.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (snort3-malware-cnc.rules)
 * 1:47520 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (snort3-file-other.rules)
 * 1:47519 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (snort3-file-other.rules)
 * 1:47518 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (snort3-os-windows.rules)
 * 1:47480 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (snort3-browser-ie.rules)
 * 1:47486 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:47487 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (snort3-browser-ie.rules)
 * 1:47491 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:47485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:47489 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (snort3-browser-ie.rules)
 * 1:47514 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server checksession authentication bypass attempt (snort3-server-webapp.rules)
 * 1:47493 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (snort3-browser-ie.rules)
 * 1:47492 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (snort3-browser-ie.rules)
 * 1:47484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:47498 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:47497 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (snort3-server-webapp.rules)
 * 1:47500 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (snort3-server-webapp.rules)
 * 1:47501 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (snort3-server-webapp.rules)
 * 1:47502 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (snort3-server-webapp.rules)
 * 1:47503 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (snort3-file-executable.rules)
 * 1:47504 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (snort3-file-executable.rules)
 * 1:47506 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (snort3-server-webapp.rules)
 * 1:47490 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:47505 <-> ENABLED <-> MALWARE-CNC Py.Malware.EvilOSX 404 Error Page Payload/Command Delivery (snort3-malware-cnc.rules)
 * 1:47507 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (snort3-server-webapp.rules)
 * 1:47508 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (snort3-server-webapp.rules)
 * 1:47509 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (snort3-server-webapp.rules)
 * 1:47510 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (snort3-server-webapp.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (snort3-malware-cnc.rules)
 * 1:47512 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (snort3-os-windows.rules)
 * 1:47496 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (snort3-file-office.rules)
 * 1:47499 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (snort3-server-webapp.rules)
 * 1:47513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (snort3-server-webapp.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:47001 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (snort3-server-other.rules)
 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (snort3-indicator-compromise.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (snort3-browser-ie.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

2018-08-14 17:55:09 UTC

Snort Subscriber Rules Update

Date: 2018-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47512 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47480 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47492 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47491 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47474 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47477 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47486 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47482 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47475 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47476 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47483 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47487 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47488 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47489 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47490 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47481 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47478 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47495 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47494 <-> DISABLED <-> SERVER-WEBAPP Easy File Sharing stack buffer overflow attempt (server-webapp.rules)
 * 1:47496 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47497 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47498 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47499 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47500 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47501 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47503 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47504 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47502 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:47520 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47519 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47518 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47514 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server checksession authentication bypass attempt (server-webapp.rules)
 * 1:47506 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47507 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47508 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47509 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47510 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:47493 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47505 <-> ENABLED <-> MALWARE-CNC Py.Malware.EvilOSX 404 Error Page Payload/Command Delivery (malware-cnc.rules)
 * 1:47485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:47527 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)
 * 3:47521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47528 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)
 * 3:47524 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)

Modified Rules:


 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:47001 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)

2018-08-14 17:55:09 UTC

Snort Subscriber Rules Update

Date: 2018-08-14

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:47484 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47483 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47482 <-> DISABLED <-> FILE-OFFICE Microsoft PowerPoint slide show type confusion attempt (file-office.rules)
 * 1:47481 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47480 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion vulnerability attempt (browser-ie.rules)
 * 1:47479 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47478 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine type confusion attempt (browser-ie.rules)
 * 1:47477 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47476 <-> ENABLED <-> FILE-OTHER Microsoft LNK remote code execution attempt (file-other.rules)
 * 1:47475 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47474 <-> ENABLED <-> BROWSER-IE Microsoft Edge browser redirection vulnerability attempt (browser-ie.rules)
 * 1:47500 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47499 <-> DISABLED <-> SERVER-WEBAPP TestLink Open Source Test Management PHP code injection attempt (server-webapp.rules)
 * 1:47498 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47497 <-> DISABLED <-> SERVER-WEBAPP Joomla CheckList extension SQL injection attempt (server-webapp.rules)
 * 1:47496 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47495 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free attempt (file-office.rules)
 * 1:47494 <-> DISABLED <-> SERVER-WEBAPP Easy File Sharing stack buffer overflow attempt (server-webapp.rules)
 * 1:47493 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47492 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine localeCompare type confusion attempt (browser-ie.rules)
 * 1:47491 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47490 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra Scripting Engine memory corruption attempt (browser-ie.rules)
 * 1:47489 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47488 <-> ENABLED <-> BROWSER-IE Microsoft Edge transform type confusion attempt (browser-ie.rules)
 * 1:47487 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47486 <-> ENABLED <-> BROWSER-IE Microsoft Edge out of bounds write attempt (browser-ie.rules)
 * 1:47485 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:47503 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47502 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47501 <-> ENABLED <-> SERVER-WEBAPP Joomla ProjectLog search SQL injection attempt (server-webapp.rules)
 * 1:47506 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47505 <-> ENABLED <-> MALWARE-CNC Py.Malware.EvilOSX 404 Error Page Payload/Command Delivery (malware-cnc.rules)
 * 1:47504 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows Win32k privilege escalation attempt (file-executable.rules)
 * 1:47507 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47510 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47509 <-> DISABLED <-> SERVER-WEBAPP RoundCube WebMail IMAP command injection attempt (server-webapp.rules)
 * 1:47508 <-> DISABLED <-> SERVER-WEBAPP Sitecore CMS default.aspx directory traversal attempt (server-webapp.rules)
 * 1:47513 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47512 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47511 <-> ENABLED <-> MALWARE-CNC Win32.Backdoor.Ropindo variant outbound post detected (malware-cnc.rules)
 * 1:47514 <-> DISABLED <-> SERVER-WEBAPP Quest NetVault Backup Server checksession authentication bypass attempt (server-webapp.rules)
 * 1:47526 <-> DISABLED <-> MALWARE-CNC Win.Trojan.Grobios C2 inbound server command (malware-cnc.rules)
 * 1:47525 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Grobios outbound connection (malware-cnc.rules)
 * 1:47520 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47519 <-> ENABLED <-> FILE-OTHER Microsoft Graphics remote code execution attempt (file-other.rules)
 * 1:47518 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47517 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47516 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 1:47515 <-> ENABLED <-> OS-WINDOWS Microsoft Windows D3D memory corruption attempt (os-windows.rules)
 * 3:47521 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47522 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0652 attack attempt (file-office.rules)
 * 3:47523 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47524 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0651 attack attempt (file-office.rules)
 * 3:47527 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)
 * 3:47528 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2018-0650 attack attempt (file-office.rules)

Modified Rules:


 * 1:47000 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:45878 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:47002 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:17391 <-> DISABLED <-> SERVER-OTHER Multiple products UNIX platform backslash directory traversal attempt (server-other.rules)
 * 1:44388 <-> ENABLED <-> SERVER-WEBAPP Multiple routers getcfg.php credential disclosure attempt (server-webapp.rules)
 * 1:46999 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:47001 <-> DISABLED <-> INDICATOR-COMPROMISE SettingContent-ms file type download attempt (indicator-compromise.rules)
 * 1:45877 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer scripting engine memory corruption attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)