Talos Rules 2019-12-10
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2019-1458: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 52410 through 52411.

Microsoft Vulnerability CVE-2019-1469: A coding deficiency exists in Microsoft Win32k that may lead to information disclosure.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 52419 through 52420.

Microsoft Vulnerability CVE-2019-1485: A coding deficiency exists in Microsoft Windows VBScript Engine that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 52402 through 52403.

Talos has also added and modified multiple rules in the browser-ie, browser-webkit, file-office, file-other, malware-backdoor, malware-tools, os-windows and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)

Modified Rules:


 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)

Modified Rules:


 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)

Modified Rules:


 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091200.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)

Modified Rules:


 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)

Modified Rules:


 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (snort3-os-windows.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (snort3-browser-ie.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (snort3-os-windows.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (snort3-os-windows.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (snort3-malware-backdoor.rules)
 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (snort3-os-windows.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (snort3-server-webapp.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (snort3-server-webapp.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (snort3-browser-ie.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (snort3-server-webapp.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (snort3-malware-tools.rules)

Modified Rules:


 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (snort3-file-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (snort3-file-office.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (snort3-file-office.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2990.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)

Modified Rules:


 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)

2019-12-10 18:12:15 UTC

Snort Subscriber Rules Update

Date: 2019-12-10

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:52403 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 1:52419 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:52404 <-> ENABLED <-> MALWARE-BACKDOOR Win.Backdoor.NanoCore potential scanning attempt (malware-backdoor.rules)
 * 1:51332 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52405 <-> ENABLED <-> MALWARE-TOOLS CKnife penetration testing tool attempt (malware-tools.rules)
 * 1:52410 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52406 <-> ENABLED <-> SERVER-WEBAPP Atlassian Jira makeRequest server side request forgery attempt (server-webapp.rules)
 * 1:52420 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k information disclosure attempt (os-windows.rules)
 * 1:51331 <-> DISABLED <-> SERVER-WEBAPP GoAhead Embedded Web Server use after free attempt (server-webapp.rules)
 * 1:52411 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:52402 <-> ENABLED <-> BROWSER-IE Microsoft Edge VBScript SafeArray memory corruption attempt (browser-ie.rules)
 * 3:52418 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52415 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)
 * 3:52407 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2019-0961 attack attempt (policy-other.rules)
 * 3:52408 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52414 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0965 attack attempt (file-other.rules)
 * 3:52417 <-> ENABLED <-> FILE-OFFICE TRUFFLEHUNTER TALOS-2019-0968 attack attempt (file-office.rules)
 * 3:52412 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0963 attack attempt (file-other.rules)
 * 3:52413 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0966 attack attempt (file-other.rules)
 * 3:52409 <-> ENABLED <-> FILE-OTHER TRUFFLEHUNTER TALOS-2019-0962 attack attempt (file-other.rules)
 * 3:52416 <-> ENABLED <-> BROWSER-WEBKIT TRUFFLEHUNTER TALOS-2019-0967 attack attempt (browser-webkit.rules)

Modified Rules:


 * 1:49291 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51061 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)
 * 1:49292 <-> DISABLED <-> FILE-OTHER WinRAR ACE remote code execution attempt (file-other.rules)
 * 1:51062 <-> DISABLED <-> FILE-OFFICE Microsoft Office Excel Chart Sheet Substream memory corruption attempt (file-office.rules)