Talos Rules 2018-12-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2018-8587: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48405 through 48406.

Microsoft Vulnerability CVE-2018-8611: A coding deficiency exists in Microsoft Windows Kernel that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48612 through 48613.

Microsoft Vulnerability CVE-2018-8625: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46548 through 46549.

Microsoft Vulnerability CVE-2018-8628: A coding deficiency exists in Microsoft PowerPoint that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48601 through 48602.

Microsoft Vulnerability CVE-2018-8639: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48606 through 48607.

Microsoft Vulnerability CVE-2018-8643: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48596 through 48597.

Talos also has added and modified multiple rules in the browser-ie, file-executable, file-image, file-office, file-other, file-pdf, indicator-compromise, malware-cnc, malware-other, malware-tools, os-windows, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2018-12-13 23:23:56 UTC

Snort Subscriber Rules Update

Date: 2018-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
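The format line above describes one record of the change log, and the advisory paragraphs at the top of the page map each CVE to a GID 1 SID range. As an added example (not Talos's own code or tooling), here is a small Python parser for that record format together with a cross-check that every SID named in the advisory actually appears in the release and whether it ships enabled; the check matters because the rules for CVE-2018-8611 (48612 through 48613) are listed as DISABLED by default, so the release text's "rules to detect attacks" only helps a deployment whose policy turns them on. The embedded change-log sample is constructed from entries on this page, and `ADVISORY_SIDS` transcribes three of the CVE-to-SID pairings stated above; both are inputs the reader would replace with the real file and advisory.

```python
"""Parse a Snort rule-release change log and cross-check advisory SID ranges."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of records copied in the release's own
# "gid:sid <-> Default rule state <-> Message (rule group)" format.
SAMPLE_CHANGELOG = """\
New Rules:

 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
"""

# CVE -> (first SID, last SID) as stated in the advisory text; all GID 1.
ADVISORY_SIDS = {
    "CVE-2018-8587": (48405, 48406),
    "CVE-2018-8611": (48612, 48613),
    "CVE-2018-8628": (48601, 48602),
}

# One record: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)"
    r"\s*<->\s*(?P<msg>.*?)\s*\((?P<group>[\w.-]+)\)\s*$"
)


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool
    message: str
    group: str
    section: str  # "new" or "modified"


def parse_changelog(text):
    """Return the RuleEntry records found under 'New Rules:' / 'Modified Rules:'."""
    entries = []
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "New Rules:":
            section = "new"
            continue
        if stripped == "Modified Rules:":
            section = "modified"
            continue
        m = LINE_RE.match(line)
        if m is None or section is None:
            continue  # blank line, header text, or a record outside any section
        entries.append(RuleEntry(
            gid=int(m["gid"]),
            sid=int(m["sid"]),
            enabled=(m["state"] == "ENABLED"),
            message=m["msg"],
            group=m["group"],
            section=section,
        ))
    return entries


def coverage_report(entries, advisory_sids, gid=1):
    """For each CVE, list advisory SIDs absent from the release and SIDs present but DISABLED."""
    by_key = {(e.gid, e.sid): e for e in entries}
    report = {}
    for cve, (first, last) in advisory_sids.items():
        wanted = range(first, last + 1)
        missing = [sid for sid in wanted if (gid, sid) not in by_key]
        disabled = [sid for sid in wanted
                    if (gid, sid) in by_key and not by_key[(gid, sid)].enabled]
        report[cve] = {"missing": missing, "disabled_by_default": disabled}
    return report


if __name__ == "__main__":
    parsed = parse_changelog(SAMPLE_CHANGELOG)
    for cve, result in coverage_report(parsed, ADVISORY_SIDS).items():
        print(f"{cve}: missing={result['missing']} disabled_by_default={result['disabled_by_default']}")
```

Run against a real release file, the `disabled_by_default` list is the set of SIDs a policy review has to enable explicitly; a non-empty `missing` list means the advisory references a rule the downloaded pack does not contain, which is worth catching before assuming coverage.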

New Rules:

 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48577 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48576 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48575 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48574 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules)
 * 1:48572 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Fastcash download attempt (malware-other.rules)
 * 1:48571 <-> ENABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:48570 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48569 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:48568 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48581 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48580 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48584 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48583 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48582 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48585 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48588 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48587 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48586 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48591 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48589 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48611 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48610 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48609 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48608 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48605 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48604 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48596 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48593 <-> DISABLED <-> PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt (protocol-voip.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)
 * 3:48603 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0756 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:37011 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37012 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37013 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:20207 <-> DISABLED <-> PROTOCOL-SCADA Cogent unicode buffer overflow attempt (protocol-scada.rules)
 * 1:37120 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)

2018-12-13 23:23:56 UTC

Snort Subscriber Rules Update

Date: 2018-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48610 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48611 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48608 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48609 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48604 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48605 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48596 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48593 <-> DISABLED <-> PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt (protocol-voip.rules)
 * 1:48590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48591 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48588 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48589 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48586 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48587 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48584 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48585 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48582 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48583 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48580 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48581 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48576 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48577 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48574 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48575 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48572 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Fastcash download attempt (malware-other.rules)
 * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules)
 * 1:48570 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48571 <-> ENABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:48569 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:48568 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)
 * 3:48603 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0756 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:37120 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:37012 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37013 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:20207 <-> DISABLED <-> PROTOCOL-SCADA Cogent unicode buffer overflow attempt (protocol-scada.rules)
 * 1:37011 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)

2018-12-13 23:23:56 UTC

Snort Subscriber Rules Update

Date: 2018-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48610 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48609 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48574 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48568 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48572 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Fastcash download attempt (malware-other.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48587 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48604 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48583 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48611 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48570 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48605 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48596 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48593 <-> DISABLED <-> PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt (protocol-voip.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48591 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48588 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48589 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48585 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48586 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48580 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48584 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48581 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48608 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48582 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48576 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48577 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48571 <-> ENABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:48575 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48569 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)
 * 3:48603 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0756 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:20207 <-> DISABLED <-> PROTOCOL-SCADA Cogent unicode buffer overflow attempt (protocol-scada.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:37013 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:37120 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37011 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37012 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)

2018-12-13 23:23:56 UTC

Snort Subscriber Rules Update

Date: 2018-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48569 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell download (snort3-malware-tools.rules)
 * 1:48568 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (snort3-file-executable.rules)
 * 1:48611 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48575 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (snort3-indicator-compromise.rules)
 * 1:48589 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (snort3-malware-cnc.rules)
 * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (snort3-server-webapp.rules)
 * 1:48592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (snort3-browser-ie.rules)
 * 1:48604 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48576 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (snort3-protocol-scada.rules)
 * 1:48609 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48577 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (snort3-protocol-scada.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (snort3-file-executable.rules)
 * 1:48610 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48571 <-> ENABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (snort3-malware-tools.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (snort3-os-windows.rules)
 * 1:48607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (snort3-os-windows.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (snort3-file-office.rules)
 * 1:48605 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (snort3-file-other.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (snort3-file-pdf.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (snort3-file-office.rules)
 * 1:48596 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (snort3-browser-ie.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (snort3-file-pdf.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (snort3-file-pdf.rules)
 * 1:48591 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (snort3-malware-cnc.rules)
 * 1:48593 <-> DISABLED <-> PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt (snort3-protocol-voip.rules)
 * 1:48588 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (snort3-malware-cnc.rules)
 * 1:48590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (snort3-malware-cnc.rules)
 * 1:48586 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (snort3-file-other.rules)
 * 1:48587 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (snort3-file-other.rules)
 * 1:48582 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (snort3-file-pdf.rules)
 * 1:48585 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (snort3-file-pdf.rules)
 * 1:48583 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (snort3-file-pdf.rules)
 * 1:48608 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48581 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48584 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (snort3-file-pdf.rules)
 * 1:48574 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (snort3-indicator-compromise.rules)
 * 1:48580 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (snort3-file-other.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (snort3-file-pdf.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (snort3-file-pdf.rules)
 * 1:48572 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Fastcash download attempt (snort3-malware-other.rules)
 * 1:48570 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (snort3-malware-tools.rules)

Modified Rules:


 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (snort3-file-office.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (snort3-file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (snort3-file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (snort3-file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (snort3-file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (snort3-file-office.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (snort3-file-office.rules)
 * 1:37011 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (snort3-file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (snort3-file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (snort3-file-office.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (snort3-file-office.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (snort3-file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (snort3-file-office.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (snort3-file-other.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (snort3-file-image.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (snort3-file-other.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (snort3-file-office.rules)
 * 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (snort3-file-office.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (snort3-file-other.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (snort3-file-office.rules)
 * 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (snort3-file-office.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (snort3-file-other.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (snort3-file-office.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (snort3-file-other.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (snort3-file-other.rules)
 * 1:37120 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (snort3-file-office.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (snort3-malware-cnc.rules)
 * 1:37012 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (snort3-file-office.rules)
 * 1:37013 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (snort3-file-office.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (snort3-file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (snort3-file-office.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (snort3-file-office.rules)
 * 1:20207 <-> DISABLED <-> PROTOCOL-SCADA Cogent unicode buffer overflow attempt (snort3-protocol-scada.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (snort3-file-office.rules)

2018-12-13 23:23:56 UTC

Snort Subscriber Rules Update

Date: 2018-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48593 <-> DISABLED <-> PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt (protocol-voip.rules)
 * 1:48604 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48605 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48609 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48572 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Fastcash download attempt (malware-other.rules)
 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48588 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48575 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48581 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48610 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48568 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48608 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48611 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48596 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48591 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48589 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48586 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48587 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48584 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48585 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48582 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48583 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48576 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48580 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48577 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48574 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48569 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules)
 * 1:48570 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48571 <-> ENABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 3:48603 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0756 attack attempt (server-webapp.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:20207 <-> DISABLED <-> PROTOCOL-SCADA Cogent unicode buffer overflow attempt (protocol-scada.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:37120 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:37012 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37011 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:37013 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)

2018-12-13 23:23:56 UTC

Snort Subscriber Rules Update

Date: 2018-12-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)
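The entry format above is the same in all three rule packs on this page, and a number of the new rules (the Windows kernel, win32k and Internet Explorer signatures among them) ship DISABLED by default, so the practical question for an operator is which of the rules they want coverage for will not fire until enabled. The following Python is an added example, not Talos or Snort code: it parses this changelog format pack by pack and lists the default-disabled rules from a set of SIDs of interest. The sample changelog text is constructed from a handful of entries on this page, and SIDS_OF_INTEREST is an assumed set of SIDs an operator has decided they need.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# One changelog entry: " * gid:sid <-> ENABLED|DISABLED <-> message (rule-group.rules)"
ENTRY_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^()]+\.rules)\)\s*$"
)
# Each pack in the file is introduced by "... rule pack for Snort version NNNN."
VERSION_RE = re.compile(r"for Snort version (\d+)\.")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    enabled: bool  # default rule state in the shipped pack
    msg: str
    group: str


def parse_changelog(text: str) -> dict[str, dict[str, list[RuleEntry]]]:
    """Return {snort_version: {"new": [...], "modified": [...]}} for every pack in the file.

    Entries that appear before any "Snort version" header are kept under "unknown".
    """
    packs: dict[str, dict[str, list[RuleEntry]]] = {}
    version, section = "unknown", None
    for line in text.splitlines():
        v = VERSION_RE.search(line)
        if v:
            version, section = v.group(1), None
            continue
        heading = line.strip()
        if heading == "New Rules:":
            section = "new"
            continue
        if heading == "Modified Rules:":
            section = "modified"
            continue
        m = ENTRY_RE.match(line)
        if m and section:
            pack = packs.setdefault(version, {"new": [], "modified": []})
            pack[section].append(
                RuleEntry(int(m["gid"]), int(m["sid"]), m["state"] == "ENABLED", m["msg"], m["group"])
            )
    return packs


def enablesid_lines(entries: Iterable[RuleEntry], sids: set[int]) -> list[str]:
    """Sorted gid:sid strings for rules of interest that ship DISABLED (enablesid.conf form)."""
    picked = sorted({(e.gid, e.sid) for e in entries if e.sid in sids and not e.enabled})
    return [f"{gid}:{sid}" for gid, sid in picked]


# Constructed sample: two packs, a few entries each, copied from this release's changelog.
SAMPLE = """\
This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:

 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (snort3-file-executable.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (snort3-file-executable.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (snort3-os-windows.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (snort3-file-office.rules)

Modified Rules:

 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (snort3-browser-ie.rules)

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

New Rules:

 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
"""

# Assumed: the SIDs an operator has decided they want coverage for (hypothetical selection).
SIDS_OF_INTEREST = {48596, 48597, 48601, 48602, 48606, 48607, 48612, 48613}

if __name__ == "__main__":
    for version, pack in parse_changelog(SAMPLE).items():
        off = enablesid_lines(pack["new"], SIDS_OF_INTEREST)
        print(f"Snort {version}: {len(pack['new'])} new, {len(pack['modified'])} modified; "
              f"disabled-by-default rules of interest: {', '.join(off) or 'none'}")
```

The gid:sid strings it returns are in the form PulledPork's enablesid.conf takes, one entry per line. Check the pack that matches the Snort build you actually run: the same SID is listed separately for each Snort version, and the default state shown is per pack, not global.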

New Rules:


 * 1:48590 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48608 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48610 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48612 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48578 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48571 <-> ENABLED <-> MALWARE-TOOLS JexBoss User-Agent detected (malware-tools.rules)
 * 1:48609 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48611 <-> ENABLED <-> FILE-PDF Adobe Acrobat out of bounds read attempt (file-pdf.rules)
 * 1:48568 <-> ENABLED <-> MALWARE-CNC Osx.Trojan.Agent variant outbound connection (malware-cnc.rules)
 * 1:48613 <-> DISABLED <-> FILE-EXECUTABLE Microsoft Windows kernel use-after-free attempt (file-executable.rules)
 * 1:48602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48569 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell download (malware-tools.rules)
 * 1:48605 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48607 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48606 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k NtGdiCreateDIBitmapInternal memory corruption attempt (os-windows.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48589 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat PDF out-of-bound read attempt (file-pdf.rules)
 * 1:48604 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro out of bounds read attempt (file-other.rules)
 * 1:48601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Powerpoint use after free attempt (file-office.rules)
 * 1:48595 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48596 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48593 <-> DISABLED <-> PROTOCOL-VOIP SIP over SCTP wildcard VIA address attempt (protocol-voip.rules)
 * 1:48594 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader out-of-bounds read attempt (file-pdf.rules)
 * 1:48591 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48592 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound cnc connection (malware-cnc.rules)
 * 1:48587 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48588 <-> ENABLED <-> MALWARE-CNC Doc.Downloader.Cannon payload download attempt (malware-cnc.rules)
 * 1:48585 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48586 <-> DISABLED <-> FILE-OTHER Adobe Acrobat EMF out of bounds write attempt (file-other.rules)
 * 1:48583 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48584 <-> DISABLED <-> FILE-PDF Adobe Reader JavaScript resolveNode use-after-free attempt (file-pdf.rules)
 * 1:48581 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48582 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader removeLinks use after free attempt (file-pdf.rules)
 * 1:48579 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader xfa use after free attempt (file-pdf.rules)
 * 1:48580 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS ODTTF out-of-bounds read attempt (file-other.rules)
 * 1:48574 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48577 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48575 <-> DISABLED <-> INDICATOR-COMPROMISE malicious jquery.js load attempt (indicator-compromise.rules)
 * 1:48597 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer out-of-bounds read attempt (browser-ie.rules)
 * 1:48573 <-> DISABLED <-> SERVER-WEBAPP WordPress arbitrary file deletion attempt (server-webapp.rules)
 * 1:48576 <-> DISABLED <-> PROTOCOL-SCADA PNIO-CM Connect Operation (protocol-scada.rules)
 * 1:48570 <-> ENABLED <-> MALWARE-TOOLS JexBoss webshell commands sent in X-JEX headers (malware-tools.rules)
 * 1:48572 <-> ENABLED <-> MALWARE-OTHER Unix.Trojan.Fastcash download attempt (malware-other.rules)
 * 3:48603 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0756 attack attempt (server-webapp.rules)
 * 3:48600 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2018-0755 attack attempt (server-webapp.rules)

Modified Rules:

 * 1:48408 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48139 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:48406 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48403 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:47892 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:46940 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48424 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:48404 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook email rules file memory corruption attempt (file-office.rules)
 * 1:48405 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:48138 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:46557 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46601 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:46553 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46209 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46549 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46556 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46548 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer VBScript remote code execution attempt (browser-ie.rules)
 * 1:46181 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46208 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:46179 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:46180 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel use after free remote code execution attempt (file-office.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:46178 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel out of bounds read attempt (file-office.rules)
 * 1:45492 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45403 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:45491 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word PlfLfo use after free attempt (file-office.rules)
 * 1:37012 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:44332 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:45402 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word memory corruption exploit attempt (file-office.rules)
 * 1:41636 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:44331 <-> ENABLED <-> BROWSER-IE Microsoft Windows Edge memory corruption attempt (browser-ie.rules)
 * 1:40445 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:41635 <-> ENABLED <-> FILE-OTHER Adobe AcrobatDC EMF buffer underflow attempt (file-other.rules)
 * 1:48423 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word document malicious iframe code injection attempt (file-office.rules)
 * 1:46552 <-> ENABLED <-> FILE-OFFICE Microsoft Office Excel remote code execution attempt (file-office.rules)
 * 1:46941 <-> ENABLED <-> FILE-OFFICE Microsoft Office Word malformed RTF memory corruption attempt (file-office.rules)
 * 1:48136 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:37013 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:48137 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel SYLK file arbitrary code execution attempt (file-office.rules)
 * 1:37011 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:46602 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook use-after-free vulnerability attempt (file-office.rules)
 * 1:47963 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47891 <-> DISABLED <-> FILE-IMAGE Adobe Acrobat Pro EMF file EMFPlusPath object out of bounds read attempt (file-image.rules)
 * 1:47064 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:47964 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro WebCapture JavaScript manipulation type confusion attempt (file-other.rules)
 * 1:47063 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word malformed emf remote code execution attempt (file-office.rules)
 * 1:40444 <-> ENABLED <-> MALWARE-CNC Doc.Dropper.Agent variant outbound connection (malware-cnc.rules)
 * 1:48407 <-> ENABLED <-> FILE-OFFICE Microsoft Office Outlook rwz file memory corruption attempt (file-office.rules)
 * 1:37120 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook embedded OLE object sandbox bypass attempt (file-office.rules)
 * 1:20207 <-> DISABLED <-> PROTOCOL-SCADA Cogent unicode buffer overflow attempt (protocol-scada.rules)
 * 3:48523 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2018-0738 attack attempt (protocol-scada.rules)
 * 3:42923 <-> ENABLED <-> SERVER-WEBAPP Cisco Prime Collaboration ScriptMgr authentication bypass attempt (server-webapp.rules)