Talos Rules 2019-01-08
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0539: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48772 through 48773.

Microsoft Vulnerability CVE-2019-0541: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48782 through 48783.

Microsoft Vulnerability CVE-2019-0543: A coding deficiency exists in Microsoft Windows that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48807 through 48808.

Microsoft Vulnerability CVE-2019-0552: A coding deficiency exists in Microsoft Windows COM that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48787 through 48788.

Microsoft Vulnerability CVE-2019-0555: A coding deficiency exists in Microsoft XmlDocument that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48795 through 48798.

Microsoft Vulnerability CVE-2019-0565: A coding deficiency exists in Microsoft Edge that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48770 through 48771.

Microsoft Vulnerability CVE-2019-0566: A coding deficiency exists in Microsoft Edge that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48809 through 48810.

Microsoft Vulnerability CVE-2019-0567: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48780 through 48781.

Microsoft Vulnerability CVE-2019-0568: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48778 through 48779.

Microsoft Vulnerability CVE-2019-0569: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48789 through 48790.

Microsoft Vulnerability CVE-2019-0572: A coding deficiency exists in Microsoft Windows Data Sharing Service that may lead to elevation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 48776 and 48777.

Microsoft Vulnerability CVE-2019-0573: A coding deficiency exists in Microsoft Windows Data Sharing Service that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48793 through 48794.

Microsoft Vulnerability CVE-2019-0574: A coding deficiency exists in Microsoft Windows Data Sharing Service that may lead to elevation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 48768 through 48769.

Talos also has added and modified multiple rules in the browser-ie, file-executable, file-other, file-pdf, malware-cnc, malware-other, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-01-08 18:59:48 UTC

Snort Subscriber Rules Update

Date: 2019-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48796 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48779 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48778 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48775 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48774 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48773 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48772 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48769 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48768 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48795 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48794 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48793 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48792 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48791 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48790 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48789 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48786 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48785 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48784 <-> ENABLED <-> MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48781 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48780 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48798 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48797 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48801 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48803 <-> ENABLED <-> MALWARE-OTHER samsam.exe file name detected (malware-other.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48805 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48804 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48807 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48809 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48817 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48816 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48815 <-> ENABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48814 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48813 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48812 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48811 <-> ENABLED <-> MALWARE-OTHER SamSam associated file (malware-other.rules)
 * 1:48810 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)

Modified Rules:


 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 3:47135 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)
 * 3:47134 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)

2019-01-08 18:59:48 UTC

Snort Subscriber Rules Update

Date: 2019-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48807 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48773 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48768 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48774 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48775 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48778 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48779 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48772 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48780 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48781 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48817 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48816 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48815 <-> ENABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48814 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48813 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48812 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48811 <-> ENABLED <-> MALWARE-OTHER SamSam associated file (malware-other.rules)
 * 1:48769 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48810 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48809 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48797 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48798 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48795 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48796 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48793 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48794 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48791 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48792 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48789 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48790 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48786 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48785 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48784 <-> ENABLED <-> MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48805 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48803 <-> ENABLED <-> MALWARE-OTHER samsam.exe file name detected (malware-other.rules)
 * 1:48804 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48801 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)

Modified Rules:


 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 3:47135 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)
 * 3:47134 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)

2019-01-08 18:59:48 UTC

Snort Subscriber Rules Update

Date: 2019-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091100.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48807 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48810 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48809 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48803 <-> ENABLED <-> MALWARE-OTHER samsam.exe file name detected (malware-other.rules)
 * 1:48817 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48816 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48815 <-> ENABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48814 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48813 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48812 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48769 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48811 <-> ENABLED <-> MALWARE-OTHER SamSam associated file (malware-other.rules)
 * 1:48773 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48768 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48775 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48778 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48779 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48772 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48780 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48781 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48801 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48798 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48796 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48797 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48794 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48795 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48792 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48793 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48790 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48791 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48789 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48786 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48784 <-> ENABLED <-> MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:48785 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48774 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48805 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48804 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)

Modified Rules:


 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 3:47135 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)
 * 3:47134 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)

2019-01-08 18:59:48 UTC

Snort Subscriber Rules Update

Date: 2019-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48811 <-> ENABLED <-> MALWARE-OTHER SamSam associated file (snort3-malware-other.rules)
 * 1:48809 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (snort3-os-windows.rules)
 * 1:48808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (snort3-os-windows.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:48810 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (snort3-os-windows.rules)
 * 1:48815 <-> ENABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (snort3-server-webapp.rules)
 * 1:48813 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:48812 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:48817 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (snort3-file-pdf.rules)
 * 1:48774 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:48768 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (snort3-file-executable.rules)
 * 1:48769 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (snort3-file-executable.rules)
 * 1:48775 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (snort3-file-other.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (snort3-browser-ie.rules)
 * 1:48776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (snort3-os-windows.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (snort3-os-windows.rules)
 * 1:48781 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (snort3-browser-ie.rules)
 * 1:48772 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:48814 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:48801 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48803 <-> ENABLED <-> MALWARE-OTHER samsam.exe file name detected (snort3-malware-other.rules)
 * 1:48804 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:48797 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (snort3-os-windows.rules)
 * 1:48802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (snort3-file-pdf.rules)
 * 1:48793 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (snort3-os-windows.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (snort3-os-windows.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (snort3-os-windows.rules)
 * 1:48798 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (snort3-os-windows.rules)
 * 1:48795 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (snort3-os-windows.rules)
 * 1:48796 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (snort3-os-windows.rules)
 * 1:48789 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (snort3-os-windows.rules)
 * 1:48794 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (snort3-os-windows.rules)
 * 1:48791 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (snort3-malware-cnc.rules)
 * 1:48792 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (snort3-malware-cnc.rules)
 * 1:48785 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (snort3-server-other.rules)
 * 1:48790 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (snort3-os-windows.rules)
 * 1:48787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (snort3-os-windows.rules)
 * 1:48788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (snort3-os-windows.rules)
 * 1:48786 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (snort3-server-other.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (snort3-browser-ie.rules)
 * 1:48784 <-> ENABLED <-> MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt (snort3-malware-other.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:48816 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (snort3-file-pdf.rules)
 * 1:48780 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (snort3-browser-ie.rules)
 * 1:48773 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (snort3-browser-ie.rules)
 * 1:48778 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (snort3-browser-ie.rules)
 * 1:48779 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (snort3-browser-ie.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:48805 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (snort3-malware-other.rules)
 * 1:48807 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (snort3-file-pdf.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (snort3-file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (snort3-file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (snort3-file-pdf.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (snort3-file-other.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (snort3-file-other.rules)

2019-01-08 18:59:49 UTC

Snort Subscriber Rules Update

Date: 2019-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48817 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48810 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48769 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48814 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48807 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48772 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48812 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48816 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48780 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48779 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48775 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48778 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48773 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48774 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48803 <-> ENABLED <-> MALWARE-OTHER samsam.exe file name detected (malware-other.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48795 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48804 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48801 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48791 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48797 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48798 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48796 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48793 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48794 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48792 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48789 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48790 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48785 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48786 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48784 <-> ENABLED <-> MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:48781 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48809 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48768 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48805 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48811 <-> ENABLED <-> MALWARE-OTHER SamSam associated file (malware-other.rules)
 * 1:48815 <-> ENABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48813 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)

Modified Rules:


 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 3:47135 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)
 * 3:47134 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)

2019-01-08 18:59:49 UTC

Snort Subscriber Rules Update

Date: 2019-01-08

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:48809 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48807 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48806 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48810 <-> ENABLED <-> OS-WINDOWS Microsoft Edge session boundary violation attempt (os-windows.rules)
 * 1:48772 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48817 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48812 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48770 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48803 <-> ENABLED <-> MALWARE-OTHER samsam.exe file name detected (malware-other.rules)
 * 1:48775 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48808 <-> ENABLED <-> OS-WINDOWS Microsoft Windows 10 AcquireCredentialsHandle privilege escalation attempt (os-windows.rules)
 * 1:48780 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48811 <-> ENABLED <-> MALWARE-OTHER SamSam associated file (malware-other.rules)
 * 1:48816 <-> ENABLED <-> FILE-PDF Adobe Acrobat javascript based security bypass attempt (file-pdf.rules)
 * 1:48814 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48773 <-> ENABLED <-> BROWSER-IE Microsoft Edge Chakra scripting engine type confusion attempt (browser-ie.rules)
 * 1:48781 <-> ENABLED <-> BROWSER-IE Microsoft Edge object manipulation use-after-free attempt (browser-ie.rules)
 * 1:48768 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48779 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48777 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48778 <-> ENABLED <-> BROWSER-IE Microsoft Edge prototype JsBuiltInEngineInterfaceExtensionObject use-after-free attempt (browser-ie.rules)
 * 1:48800 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48796 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48792 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48802 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48788 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48801 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader out of bounds read attempt (file-pdf.rules)
 * 1:48798 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48799 <-> ENABLED <-> OS-WINDOWS Microsoft Windows arbitrary file read attempt (os-windows.rules)
 * 1:48784 <-> ENABLED <-> MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt (malware-other.rules)
 * 1:48797 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48794 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48795 <-> DISABLED <-> OS-WINDOWS Microsoft XmlDocument privilege escalation attempt (os-windows.rules)
 * 1:48793 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48790 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48791 <-> ENABLED <-> MALWARE-CNC Vbs.Trojan.Agent inbound payload download (malware-cnc.rules)
 * 1:48789 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel out of bounds read attempt (os-windows.rules)
 * 1:48786 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48787 <-> ENABLED <-> OS-WINDOWS Microsoft Windows COM Desktop Broker sandbox escape attempt (os-windows.rules)
 * 1:48785 <-> DISABLED <-> SERVER-OTHER SQLite FTS integer overflow attempt (server-other.rules)
 * 1:48782 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48783 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer ProgID arbitary code execution attempt (browser-ie.rules)
 * 1:48774 <-> ENABLED <-> FILE-OTHER Adobe Acrobat Pro XPS file out of bounds read attempt (file-other.rules)
 * 1:48769 <-> ENABLED <-> FILE-EXECUTABLE Microsoft Windows data sharing service privilege escalation attempt (file-executable.rules)
 * 1:48815 <-> ENABLED <-> SERVER-WEBAPP Kibana Console for Elasticsearch local file inclusion attempt (server-webapp.rules)
 * 1:48804 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48805 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)
 * 1:48771 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:48776 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Data Sharing Service privilege escalation attempt (os-windows.rules)
 * 1:48813 <-> ENABLED <-> MALWARE-OTHER Ransomware SamSam variant detected (malware-other.rules)

Modified Rules:


 * 1:45692 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:48598 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:45691 <-> DISABLED <-> FILE-OTHER Adobe Acrobat Pro tiff parser out of bounds read attempt (file-other.rules)
 * 1:48628 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48627 <-> ENABLED <-> FILE-PDF Adobe Acrobat integer overflow attempt (file-pdf.rules)
 * 1:48599 <-> DISABLED <-> FILE-PDF Adobe Acrobat index file parsing memory corruption attempt (file-pdf.rules)
 * 1:46697 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 1:46696 <-> ENABLED <-> FILE-PDF Adobe Acrobat Reader XFA use after free attempt (file-pdf.rules)
 * 3:47134 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)
 * 3:47135 <-> ENABLED <-> SERVER-WEBAPP ZyXEL Armor Series Routers ozkerz command injection attempt (server-webapp.rules)