Talos Rules 2019-03-12
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-0592: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49368 through 49369.

Microsoft Vulnerability CVE-2019-0609: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49394 through 49395.

Microsoft Vulnerability CVE-2019-0612: Microsoft Edge suffers from programming errors that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49371 through 49372.

Microsoft Vulnerability CVE-2019-0639: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49382 through 49383.

Microsoft Vulnerability CVE-2019-0665: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49364 through 49365.

Microsoft Vulnerability CVE-2019-0666: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 46554 through 46555.

Microsoft Vulnerability CVE-2019-0667: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49386 through 49387.

Microsoft Vulnerability CVE-2019-0680: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49388 through 49389.

Microsoft Vulnerability CVE-2019-0703: A coding deficiency exists in Microsoft SMB that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49366 through 49367.

Microsoft Vulnerability CVE-2019-0755: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49392 through 49393.

Microsoft Vulnerability CVE-2019-0763: Microsoft Internet Explorer suffers from programming errors that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49384 through 49385.

Microsoft Vulnerability CVE-2019-0767: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 49172 through 49173.

Microsoft Vulnerability CVE-2019-0768: Microsoft Internet Explorer suffers from programming errors that may lead to a security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49378 through 49379.

Microsoft Vulnerability CVE-2019-0769: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-0770: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49388 through 49389.

Microsoft Vulnerability CVE-2019-0771: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48051 through 48052.

Microsoft Vulnerability CVE-2019-0773: A coding deficiency exists in Microsoft Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49380 through 49381.

Microsoft Vulnerability CVE-2019-0775: A coding deficiency exists in Microsoft Windows Kernel that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49390 through 49391.

Microsoft Vulnerability CVE-2019-0797: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49400 through 49401.

Microsoft Vulnerability CVE-2019-0808: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 49402 through 49403.

Talos also has added and modified multiple rules in the browser-ie, file-office, indicator-compromise, malware-cnc, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-03-12 17:23:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49377 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49376 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49375 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49374 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49372 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49371 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49369 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49368 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49367 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt (indicator-compromise.rules)
 * 1:49366 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt (indicator-compromise.rules)
 * 1:49365 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49364 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49395 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49394 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49391 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49390 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49387 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49386 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49383 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49382 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49399 <-> ENABLED <-> SERVER-WEBAPP Adobe ColdFusion unauthorized serialized object attempt (server-webapp.rules)
 * 1:49403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 3:49370 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0788 attack attempt (policy-other.rules)
 * 3:49373 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0789 attack attempt (policy-other.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)
 * 3:49363 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0786 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:33606 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:30103 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:30105 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:30102 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:30104 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
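A practical check on a release like this one: the advisory at the top maps each CVE to a SID range, but the changelog is where the default state lives, and some of the covering rules (the SMB information-disclosure pair 49366-49367 and the mailslot kernel-leak pair 49392-49393) ship DISABLED. The script below, an added example that is not part of the Talos release notes or any Talos tooling, parses lines in the `gid:sid <-> Default rule state <-> Message (rule group)` shape, checks every advisory SID against what the changelog actually contains, and emits `gid:sid` lines for the rules you would have to enable. The changelog lines and the CVE-to-SID table are a constructed subset copied from this page; the `gid:sid`-per-line output shape is assumed to match what a rule manager such as PulledPork's `enablesid.conf` expects, which you should confirm for your own deployment.

```python
import re

# Constructed sample: a handful of lines in the changelog format shown above.
# CVE-2019-0808's SIDs (49402-49403) are deliberately left out to exercise the
# "advisory says covered, changelog does not contain it" path.
CHANGELOG = """\
 * 1:49366 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt (indicator-compromise.rules)
 * 1:49367 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt (indicator-compromise.rules)
 * 1:49368 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49369 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 3:49370 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0788 attack attempt (policy-other.rules)
"""

# Advisory mapping as stated on this page: CVE -> (gid, first SID, last SID).
ADVISORY = {
    "CVE-2019-0592": (1, 49368, 49369),
    "CVE-2019-0703": (1, 49366, 49367),
    "CVE-2019-0755": (1, 49392, 49393),
    "CVE-2019-0797": (1, 49400, 49401),
    "CVE-2019-0808": (1, 49402, 49403),
}

# One changelog line: " * gid:sid <-> STATE <-> message (group.rules)"
LINE_RE = re.compile(
    r"^\s*\*\s*(?P<gid>\d+):(?P<sid>\d+)\s*<->\s*(?P<state>ENABLED|DISABLED)\s*<->\s*"
    r"(?P<msg>.*?)\s*\((?P<group>[^)]+)\)\s*$"
)


def parse_changelog(text):
    """Return {(gid, sid): {"state", "msg", "group"}} for every rule line in text.

    Lines that do not match the format (headers, blanks) are skipped rather than
    treated as an error, since the real file interleaves them with rule lines.
    """
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        key = (int(m["gid"]), int(m["sid"]))
        rules[key] = {"state": m["state"], "msg": m["msg"], "group": m["group"]}
    return rules


def check_coverage(advisory, rules):
    """For each CVE, list advisory SIDs absent from the changelog and SIDs that ship DISABLED."""
    report = {}
    for cve, (gid, lo, hi) in advisory.items():
        missing, disabled = [], []
        for sid in range(lo, hi + 1):
            rule = rules.get((gid, sid))
            if rule is None:
                missing.append(sid)
            elif rule["state"] == "DISABLED":
                disabled.append(sid)
        report[cve] = {"missing": missing, "disabled": disabled}
    return report


def enablesid_lines(report, advisory):
    """gid:sid lines for every advisory rule that is present but DISABLED by default.

    Assumption: one gid:sid per line is the shape PulledPork's enablesid.conf reads.
    """
    lines = []
    for cve in sorted(report):
        gid = advisory[cve][0]
        lines.extend(f"{gid}:{sid}" for sid in report[cve]["disabled"])
    return lines


if __name__ == "__main__":
    rules = parse_changelog(CHANGELOG)
    report = check_coverage(ADVISORY, rules)
    for cve, info in sorted(report.items()):
        if info["missing"]:
            print(f"{cve}: SIDs not in changelog: {info['missing']}")
        if info["disabled"]:
            print(f"{cve}: covering rules DISABLED by default: {info['disabled']}")
    print("enablesid.conf additions:")
    print("\n".join(enablesid_lines(report, ADVISORY)))
```

Run it against the full changelog text of whichever rule pack you deploy (the per-version lists on this page differ only in ordering and, for Snort 3, in the `snort3-` group prefix), and keep the "missing" output in mind when a pack is truncated or a SID range is shared between two CVEs, as 49388-49389 is above for CVE-2019-0680 and CVE-2019-0770.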

2019-03-12 17:23:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49371 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49383 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49375 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49372 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49386 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49387 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49376 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49377 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49374 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49390 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49391 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49394 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49395 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49399 <-> ENABLED <-> SERVER-WEBAPP Adobe ColdFusion unauthorized serialized object attempt (server-webapp.rules)
 * 1:49396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49368 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49369 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49366 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt (indicator-compromise.rules)
 * 1:49367 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt (indicator-compromise.rules)
 * 1:49364 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49365 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49382 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:49373 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0789 attack attempt (policy-other.rules)
 * 3:49363 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0786 attack attempt (server-webapp.rules)
 * 3:49370 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0788 attack attempt (policy-other.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:30103 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33606 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:30102 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:30105 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:30104 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)

2019-03-12 17:23:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:49403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (snort3-os-windows.rules)
 * 1:49377 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (snort3-server-apache.rules)
 * 1:49401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:49393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (snort3-os-windows.rules)
 * 1:49399 <-> ENABLED <-> SERVER-WEBAPP Adobe ColdFusion unauthorized serialized object attempt (snort3-server-webapp.rules)
 * 1:49386 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49394 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49374 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:49372 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (snort3-browser-ie.rules)
 * 1:49369 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49371 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (snort3-browser-ie.rules)
 * 1:49367 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt (snort3-indicator-compromise.rules)
 * 1:49368 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49365 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (snort3-browser-ie.rules)
 * 1:49366 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt (snort3-indicator-compromise.rules)
 * 1:49364 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (snort3-browser-ie.rules)
 * 1:49395 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (snort3-malware-cnc.rules)
 * 1:49397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (snort3-malware-cnc.rules)
 * 1:49398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (snort3-malware-cnc.rules)
 * 1:49387 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49390 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (snort3-os-windows.rules)
 * 1:49379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:49376 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (snort3-server-apache.rules)
 * 1:49391 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:49392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (snort3-os-windows.rules)
 * 1:49375 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:49383 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49382 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:49378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)
 * 1:49402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (snort3-os-windows.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (snort3-browser-ie.rules)

Modified Rules:


 * 1:30103 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:30104 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:30102 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (snort3-browser-ie.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (snort3-os-windows.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (snort3-file-office.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (snort3-browser-ie.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (snort3-file-office.rules)
 * 1:33605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:33606 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)
 * 1:30105 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (snort3-browser-ie.rules)

2019-03-12 17:23:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49369 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49383 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49399 <-> ENABLED <-> SERVER-WEBAPP Adobe ColdFusion unauthorized serialized object attempt (server-webapp.rules)
 * 1:49398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49364 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49368 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49394 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49367 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt (indicator-compromise.rules)
 * 1:49365 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49375 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49386 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49372 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49371 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49382 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49366 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt (indicator-compromise.rules)
 * 1:49395 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49376 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49387 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49391 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49374 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49377 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49390 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 3:49363 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0786 attack attempt (server-webapp.rules)
 * 3:49373 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0789 attack attempt (policy-other.rules)
 * 3:49370 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0788 attack attempt (policy-other.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:33606 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:30103 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:30102 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:30104 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:30105 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)

2019-03-12 17:23:01 UTC

Snort Subscriber Rules Update

Date: 2019-03-12

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:49383 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49379 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49372 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49400 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49385 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49402 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49401 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k privilege escalation attempt (os-windows.rules)
 * 1:49387 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49388 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49364 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49403 <-> ENABLED <-> OS-WINDOWS Microsoft Windows NT kernel null pointer dereference attempt (os-windows.rules)
 * 1:49367 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv2 information disclosure attempt (indicator-compromise.rules)
 * 1:49366 <-> DISABLED <-> INDICATOR-COMPROMISE Windows SMBv1 information disclosure attempt (indicator-compromise.rules)
 * 1:49377 <-> DISABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49398 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49376 <-> ENABLED <-> SERVER-APACHE Apache Struts remote code execution attempt (server-apache.rules)
 * 1:49365 <-> ENABLED <-> BROWSER-IE Microsoft Edge reference count memory corruption attempt (browser-ie.rules)
 * 1:49389 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49378 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49381 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49382 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49380 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49371 <-> ENABLED <-> BROWSER-IE Microsoft Edge security feature bypass attempt (browser-ie.rules)
 * 1:49384 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:49374 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49368 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49391 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49375 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49369 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49390 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:49394 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49386 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 1:49397 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49399 <-> ENABLED <-> SERVER-WEBAPP Adobe ColdFusion unauthorized serialized object attempt (server-webapp.rules)
 * 1:49396 <-> ENABLED <-> MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection (malware-cnc.rules)
 * 1:49393 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49392 <-> DISABLED <-> OS-WINDOWS Microsoft Windows mailslot kernel information leak attempt (os-windows.rules)
 * 1:49395 <-> ENABLED <-> BROWSER-IE Microsoft Edge memory corruption attempt (browser-ie.rules)
 * 3:49370 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0788 attack attempt (policy-other.rules)
 * 3:49362 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0787 attack attempt (server-webapp.rules)
 * 3:49373 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0789 attack attempt (policy-other.rules)
 * 3:49363 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2019-0786 attack attempt (server-webapp.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:30103 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49172 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:46554 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:30104 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:49173 <-> ENABLED <-> OS-WINDOWS Microsoft Windows kernel information disclosure attempt (os-windows.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:46555 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer Regexp use after free attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:39347 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)
 * 1:33605 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:33606 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:30102 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:30105 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer CAnchorElement use after free attempt (browser-ie.rules)
 * 1:39346 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel RealTimeData record exploit attempt (file-office.rules)