Talos Rules 2019-08-13
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-1078: A coding deficiency exists in Microsoft Graphics Component that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50969 through 50974.

Microsoft Vulnerability CVE-2019-1139: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48051 through 48052.

Microsoft Vulnerability CVE-2019-1140: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50938 through 50939.

Microsoft Vulnerability CVE-2019-1141: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-1159: A coding deficiency exists in Microsoft Windows Kernel that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50963 through 50964.

Microsoft Vulnerability CVE-2019-1164: A coding deficiency exists in Microsoft Windows Kernel that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50942 through 50943.

Microsoft Vulnerability CVE-2019-1170: A coding deficiency exists in Windows NTFS that may lead to security feature bypass.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50936 through 50937.

Microsoft Vulnerability CVE-2019-1173: A coding deficiency exists in Microsoft Windows that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51001 through 51014.

Microsoft Vulnerability CVE-2019-1174: A coding deficiency exists in Microsoft Windows that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50987 through 50988.

Microsoft Vulnerability CVE-2019-1175: A coding deficiency exists in Microsoft Windows that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 51015 through 51016.

Microsoft Vulnerability CVE-2019-1184: A coding deficiency exists in Microsoft Windows that may lead to escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50966 through 50967.

Microsoft Vulnerability CVE-2019-1195: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 45142 through 45143.

Microsoft Vulnerability CVE-2019-1196: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50940 through 50941.

Microsoft Vulnerability CVE-2019-1197: A coding deficiency exists in Microsoft Chakra Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48051 through 48052.

Microsoft Vulnerability CVE-2019-1199: A coding deficiency exists in Microsoft Outlook that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 50998 through 50999.

Microsoft Vulnerability CVE-2019-1201: A coding deficiency exists in Microsoft Word that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 35190 through 35191.

Talos has also added and modified multiple rules in the browser-ie, file-image, file-multimedia, file-office, file-other, indicator-compromise, malware-cnc, os-windows, policy-other, protocol-dns, protocol-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (server-other.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (indicator-compromise.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (indicator-compromise.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (server-webapp.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (server-other.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (protocol-dns.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (server-other.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (malware-cnc.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (server-webapp.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (server-other.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (server-other.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (server-webapp.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (malware-cnc.rules)
 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (protocol-dns.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (server-other.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (indicator-compromise.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (indicator-compromise.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)

Modified Rules:


 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (server-webapp.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (protocol-dns.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (server-other.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (indicator-compromise.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (indicator-compromise.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (server-other.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (malware-cnc.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (server-webapp.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (server-other.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)

Modified Rules:


 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (server-webapp.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (protocol-dns.rules)
 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (server-other.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (indicator-compromise.rules)
 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (server-other.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (indicator-compromise.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (server-webapp.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (malware-cnc.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (server-other.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)

Modified Rules:


 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (server-webapp.rules)
 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (snort3-file-image.rules)
 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (snort3-protocol-dns.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (snort3-protocol-other.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (snort3-os-windows.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (snort3-os-windows.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (snort3-file-other.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (snort3-file-other.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (snort3-server-other.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (snort3-file-office.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (snort3-file-image.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (snort3-browser-ie.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (snort3-indicator-compromise.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (snort3-indicator-compromise.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (snort3-file-office.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (snort3-file-office.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (snort3-file-office.rules)
 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (snort3-os-windows.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (snort3-server-webapp.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (snort3-server-webapp.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (snort3-server-other.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (snort3-server-webapp.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (snort3-os-windows.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (snort3-file-image.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (snort3-malware-cnc.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (snort3-malware-cnc.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (snort3-os-windows.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (snort3-file-image.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (snort3-file-other.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (snort3-os-windows.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (snort3-os-windows.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (snort3-server-webapp.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (snort3-os-windows.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (snort3-file-other.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (snort3-server-webapp.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (snort3-os-windows.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (snort3-os-windows.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (snort3-os-windows.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (snort3-os-windows.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (snort3-os-windows.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (snort3-os-windows.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (snort3-file-multimedia.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (snort3-os-windows.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (snort3-os-windows.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (snort3-os-windows.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (snort3-file-office.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (snort3-os-windows.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (snort3-server-other.rules)

Modified Rules:


 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (snort3-file-office.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (snort3-file-office.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (snort3-policy-other.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (snort3-file-office.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (snort3-file-office.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (snort3-server-webapp.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (snort3-file-office.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (snort3-browser-ie.rules)
 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (snort3-server-webapp.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (snort3-server-webapp.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (snort3-file-office.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (snort3-browser-ie.rules)
 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (snort3-file-office.rules)

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (protocol-dns.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (server-other.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50960 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (server-other.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (indicator-compromise.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (indicator-compromise.rules)
 * 1:50961 <-> DISABLED <-> FILE-IMAGE Adobe Photoshop CS5 gif file heap corruption attempt (file-image.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (server-other.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (malware-cnc.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (server-webapp.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)

Modified Rules:


 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (server-webapp.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)

2019-08-13 17:14:02 UTC

Snort Subscriber Rules Update

Date: 2019-08-13

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:50986 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:51007 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51006 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50989 <-> ENABLED <-> MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection (malware-cnc.rules)
 * 1:50967 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:51005 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50946 <-> DISABLED <-> SERVER-OTHER GnuTLS x509 certificate validation policy bypass attempt (server-other.rules)
 * 1:50947 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50941 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50942 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50997 <-> DISABLED <-> SERVER-OTHER Network Time Server denial of service attempt (server-other.rules)
 * 1:50995 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:51003 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50998 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51008 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51010 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50948 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50938 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50949 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor installation attempt (indicator-compromise.rules)
 * 1:50988 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50940 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50950 <-> DISABLED <-> INDICATOR-COMPROMISE PHP backdoor communication attempt (indicator-compromise.rules)
 * 1:51004 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50952 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:51001 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50959 <-> DISABLED <-> FILE-OFFICE Microsoft VBE6.dll stack corruption attempt (file-office.rules)
 * 1:50939 <-> ENABLED <-> BROWSER-IE Microsoft Edge scripting engine memory corruption vulnerability attempt (browser-ie.rules)
 * 1:50955 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50945 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50951 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50987 <-> DISABLED <-> OS-WINDOWS Microsoft Windows CrmRpcSrvUnregister privilege escalation attempt (os-windows.rules)
 * 1:50957 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50962 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:50936 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50958 <-> DISABLED <-> SERVER-OTHER Chicken of the VNC ServerInit denial of service attempt (server-other.rules)
 * 1:50953 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50956 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel MsoDrawingGroup record remote code execution attempt (file-office.rules)
 * 1:50954 <-> DISABLED <-> INDICATOR-COMPROMISE PhpSploit backdoor communication attempt (indicator-compromise.rules)
 * 1:50993 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50994 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50990 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50971 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50974 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50991 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:50968 <-> DISABLED <-> SERVER-WEBAPP WordPress Crop Image arbitrary file write attempt (server-webapp.rules)
 * 1:50943 <-> ENABLED <-> OS-WINDOWS Microsoft Windows graphics component privilege escalation attempt (os-windows.rules)
 * 1:50992 <-> ENABLED <-> MALWARE-CNC Unix.Malware.ech0raix outbound connection attempt (malware-cnc.rules)
 * 1:51000 <-> DISABLED <-> PROTOCOL-DNS PowerDNS Recursor query denial of service attempt (protocol-dns.rules)
 * 1:51009 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50970 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50972 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50963 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50977 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50976 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)
 * 1:50979 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50980 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50981 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50982 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50984 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50985 <-> DISABLED <-> FILE-IMAGE GraphicsMagick WMF use after free attempt (file-image.rules)
 * 1:50996 <-> DISABLED <-> SERVER-WEBAPP PHP ProjectPier remote file include attempt (server-webapp.rules)
 * 1:50978 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50983 <-> DISABLED <-> SERVER-WEBAPP LCDS Laquis SCADA command injection attempt (server-webapp.rules)
 * 1:50964 <-> ENABLED <-> OS-WINDOWS Microsoft Windows win32k.sys memory corruption attempt (os-windows.rules)
 * 1:50965 <-> DISABLED <-> FILE-MULTIMEDIA MPlayer SMI file buffer overflow attempt (file-multimedia.rules)
 * 1:50944 <-> DISABLED <-> FILE-OTHER VideoLAN VLC media player out-of-bounds read attempt (file-other.rules)
 * 1:50966 <-> ENABLED <-> OS-WINDOWS Microsoft Windows CoreShellCOMServerRegistrar privilege escalation attempt (os-windows.rules)
 * 1:50973 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:51011 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51012 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51013 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51014 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:51015 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51016 <-> DISABLED <-> OS-WINDOWS Microsoft Windows PsmSrvDisconnect privilege escalation attempt (os-windows.rules)
 * 1:51017 <-> DISABLED <-> PROTOCOL-OTHER Losant Arduino MQTT Client buffer overflow attempt (protocol-other.rules)
 * 1:50937 <-> ENABLED <-> OS-WINDOWS Microsoft Windows shell privilege escalation attempt (os-windows.rules)
 * 1:50999 <-> DISABLED <-> FILE-OFFICE Microsoft Office Outlook memory corruption attempt (file-office.rules)
 * 1:51002 <-> DISABLED <-> OS-WINDOWS Microsoft Windows privilege escalation attempt (os-windows.rules)
 * 1:50969 <-> ENABLED <-> OS-WINDOWS Microsoft win32k driver buffer over read attempt (os-windows.rules)
 * 1:50975 <-> DISABLED <-> FILE-OTHER OMRON CX-One arbitrary code execution attempt (file-other.rules)

Modified Rules:


 * 1:35191 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:50920 <-> DISABLED <-> SERVER-WEBAPP Synology Photo Station information disclosure attempt (server-webapp.rules)
 * 1:47576 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:15539 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:1807 <-> DISABLED <-> POLICY-OTHER Chunked-Encoding transfer with no data attempt (policy-other.rules)
 * 1:1826 <-> DISABLED <-> SERVER-WEBAPP WEB-INF access (server-webapp.rules)
 * 1:18637 <-> DISABLED <-> FILE-OFFICE Microsoft Office PowerPoint OfficeArt atom memory corruption attempt (file-office.rules)
 * 1:32940 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:18632 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel malformed Label record exploit attempt (file-office.rules)
 * 1:35190 <-> DISABLED <-> FILE-OFFICE Microsoft Office Word sprmPItap heap corruption attempt (file-office.rules)
 * 1:38265 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Formula record remote code execution attempt (file-office.rules)
 * 1:45142 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:45143 <-> ENABLED <-> BROWSER-IE Microsoft Edge type confusion attempt (browser-ie.rules)
 * 1:47577 <-> DISABLED <-> SERVER-WEBAPP Cobub Razor channel name SQL injection attempt (server-webapp.rules)
 * 1:48051 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)
 * 1:48052 <-> DISABLED <-> BROWSER-IE Microsoft Edge OP_Memset type confusion attempt (browser-ie.rules)