Talos Rules 2020-02-11
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2020-0657: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53086 through 53089.

Microsoft Vulnerability CVE-2020-0658: A coding deficiency exists in Microsoft Windows Common Log File System driver that may lead to information disclosure.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53086 through 53089.

Microsoft Vulnerability CVE-2020-0674: A coding deficiency exists in Scripting Engine that may lead to remote code execution.

Previously released rules will detect attacks targeting these vulnerabilities and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 48701 through 48702.

Microsoft Vulnerability CVE-2020-0681: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 53056.

Microsoft Vulnerability CVE-2020-0692: A coding deficiency exists in Microsoft Exchange Server that may lead to an escalation of privilege.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 53063.

Microsoft Vulnerability CVE-2020-0715: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53054 through 53055.

Microsoft Vulnerability CVE-2020-0720: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53052 through 53053.

Microsoft Vulnerability CVE-2020-0721: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53061 through 53062.

Microsoft Vulnerability CVE-2020-0722: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53072 through 53073.

Microsoft Vulnerability CVE-2020-0723: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53084 through 53085.

Microsoft Vulnerability CVE-2020-0725: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53079 through 53080.

Microsoft Vulnerability CVE-2020-0726: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53047 through 53048.

Microsoft Vulnerability CVE-2020-0734: A coding deficiency exists in Remote Desktop Client that may lead to remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53082 through 53083.

Microsoft Vulnerability CVE-2020-0745: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this release and are identified with GID 1, SIDs 53050 through 53051.

Talos also has added and modified multiple rules in the browser-ie, browser-plugins, file-flash, file-image, os-windows, policy-other, protocol-dns, protocol-scada and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (server-webapp.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (policy-other.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (os-windows.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (server-webapp.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 3:53045 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-0985 attack attempt (server-webapp.rules)
 * 3:53046 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2020-1001 attack attempt (protocol-dns.rules)
 * 3:53049 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1006 attack attempt (protocol-scada.rules)
 * 3:53065 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53066 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53067 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53068 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53069 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53070 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53071 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-0996 attack attempt (server-other.rules)
 * 3:53081 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1010 attack attempt (policy-other.rules)

Modified Rules:


 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 3:47811 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2018-0671 attack attempt (protocol-dns.rules)
 * 3:45019 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:45020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (policy-other.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (os-windows.rules)
 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (server-webapp.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (server-webapp.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 3:53049 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1006 attack attempt (protocol-scada.rules)
 * 3:53065 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53069 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53066 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53081 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1010 attack attempt (policy-other.rules)
 * 3:53070 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53067 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53045 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-0985 attack attempt (server-webapp.rules)
 * 3:53071 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-0996 attack attempt (server-other.rules)
 * 3:53046 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2020-1001 attack attempt (protocol-dns.rules)
 * 3:53068 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)

Modified Rules:


 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 3:45020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:47811 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2018-0671 attack attempt (protocol-dns.rules)
 * 3:45019 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (policy-other.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (os-windows.rules)
 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (server-webapp.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (server-webapp.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 3:53045 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-0985 attack attempt (server-webapp.rules)
 * 3:53066 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53068 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53071 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-0996 attack attempt (server-other.rules)
 * 3:53046 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2020-1001 attack attempt (protocol-dns.rules)
 * 3:53065 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53081 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1010 attack attempt (policy-other.rules)
 * 3:53069 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53067 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53049 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1006 attack attempt (protocol-scada.rules)
 * 3:53070 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)

Modified Rules:


 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 3:45020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:45019 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:47811 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2018-0671 attack attempt (protocol-dns.rules)

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (server-webapp.rules)
 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (policy-other.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (server-webapp.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (os-windows.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 3:53071 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-0996 attack attempt (server-other.rules)
 * 3:53081 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1010 attack attempt (policy-other.rules)
 * 3:53045 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-0985 attack attempt (server-webapp.rules)
 * 3:53067 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53066 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53046 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2020-1001 attack attempt (protocol-dns.rules)
 * 3:53049 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1006 attack attempt (protocol-scada.rules)
 * 3:53069 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53068 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53065 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53070 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)

Modified Rules:


 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 3:45019 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:47811 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2018-0671 attack attempt (protocol-dns.rules)
 * 3:45020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (os-windows.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (server-webapp.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (server-webapp.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (policy-other.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 3:53045 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-0985 attack attempt (server-webapp.rules)
 * 3:53070 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53069 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53071 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-0996 attack attempt (server-other.rules)
 * 3:53066 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53068 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53081 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1010 attack attempt (policy-other.rules)
 * 3:53046 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2020-1001 attack attempt (protocol-dns.rules)
 * 3:53065 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53067 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53049 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1006 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (os-windows.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 3:45020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:45019 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:47811 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2018-0671 attack attempt (protocol-dns.rules)

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (snort3-os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (snort3-os-windows.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (snort3-os-windows.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (snort3-os-windows.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (snort3-server-webapp.rules)
 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (snort3-server-webapp.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (snort3-file-flash.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (snort3-os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (snort3-os-windows.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (snort3-os-windows.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (snort3-file-flash.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (snort3-os-windows.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (snort3-os-windows.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (snort3-os-windows.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (snort3-os-windows.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (snort3-os-windows.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (snort3-server-webapp.rules)
 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (snort3-server-webapp.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (snort3-os-windows.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (snort3-policy-other.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (snort3-os-windows.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (snort3-os-windows.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (snort3-os-windows.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (snort3-os-windows.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (snort3-os-windows.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (snort3-os-windows.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (snort3-server-webapp.rules)
 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (snort3-os-windows.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (snort3-os-windows.rules)
 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (snort3-os-windows.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (snort3-os-windows.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (snort3-server-webapp.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (snort3-os-windows.rules)

Modified Rules:


 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (snort3-browser-plugins.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (snort3-browser-plugins.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (snort3-browser-plugins.rules)
 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (snort3-os-windows.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (snort3-os-windows.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (snort3-browser-ie.rules)
 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (snort3-browser-ie.rules)
 * 1:50628 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Trans Secondary kernel address write attempt (snort3-os-windows.rules)

2020-02-11 19:21:46 UTC

Snort Subscriber Rules Update

Date: 2020-02-11

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:53075 <-> ENABLED <-> SERVER-WEBAPP Axis Network Camera authorization bypass attempt (server-webapp.rules)
 * 1:53077 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53088 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53086 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53074 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53085 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53089 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53076 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53052 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53054 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53056 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client DYNVC PDU handling integer overflow attempt (os-windows.rules)
 * 1:53078 <-> DISABLED <-> SERVER-WEBAPP Axis Network Camera command injection attempt (server-webapp.rules)
 * 1:53061 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53062 <-> ENABLED <-> OS-WINDOWS Windows kernel win32k driver elevation of privilege attempt (os-windows.rules)
 * 1:53080 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53050 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53079 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k driver tagQ object use after free attempt (os-windows.rules)
 * 1:53051 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k.sys rectangle region use after free attempt (os-windows.rules)
 * 1:53060 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53082 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53087 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Common Log File System Driver memory corruption attempt (os-windows.rules)
 * 1:53059 <-> DISABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:53057 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53073 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 1:53058 <-> DISABLED <-> FILE-FLASH Spelevo Exploit Kit download attempt (file-flash.rules)
 * 1:53084 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k local privilege escalation attempt (os-windows.rules)
 * 1:53047 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53053 <-> ENABLED <-> OS-WINDOWS Microsoft Windows Win32k driver DestroyThreadsTimers use after free attempt (os-windows.rules)
 * 1:53083 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Remote Desktop client RDPGFX PDU handling integer overflow attempt (os-windows.rules)
 * 1:53055 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics component privilege escalation attempt (os-windows.rules)
 * 1:53064 <-> DISABLED <-> SERVER-WEBAPP Jenkins Stapler web framework Accept-Language Header directory traversal attempt (server-webapp.rules)
 * 1:53048 <-> ENABLED <-> OS-WINDOWS Microsoft Win32k SendMinRectMessages use after free attempt (os-windows.rules)
 * 1:53063 <-> DISABLED <-> POLICY-OTHER Microsoft Windows Exchange Server remote privilege escalation attempt (policy-other.rules)
 * 1:53072 <-> DISABLED <-> OS-WINDOWS Microsoft Windows win32k use after free privilege escalation attempt (os-windows.rules)
 * 3:53069 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53045 <-> ENABLED <-> SERVER-WEBAPP TRUFFLEHUNTER TALOS-2020-0985 attack attempt (server-webapp.rules)
 * 3:53046 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2020-1001 attack attempt (protocol-dns.rules)
 * 3:53066 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53071 <-> ENABLED <-> SERVER-OTHER TRUFFLEHUNTER TALOS-2020-0996 attack attempt (server-other.rules)
 * 3:53067 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53068 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-0999 attack attempt (file-image.rules)
 * 3:53070 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1011 attack attempt (policy-other.rules)
 * 3:53081 <-> ENABLED <-> POLICY-OTHER TRUFFLEHUNTER TALOS-2020-1010 attack attempt (policy-other.rules)
 * 3:53065 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2020-1004 attack attempt (file-image.rules)
 * 3:53049 <-> ENABLED <-> PROTOCOL-SCADA TRUFFLEHUNTER TALOS-2020-1006 attack attempt (protocol-scada.rules)

Modified Rules:


 * 1:46472 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:23396 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:36534 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX function call access attempt (browser-plugins.rules)
 * 1:43057 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 1:36533 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:23395 <-> DISABLED <-> BROWSER-PLUGINS Quest InTrust Annotation Objects ActiveX clsid access attempt (browser-plugins.rules)
 * 1:46471 <-> DISABLED <-> BROWSER-IE Microsoft Edge Chakra code execution attempt (browser-ie.rules)
 * 1:43056 <-> ENABLED <-> OS-WINDOWS Microsoft Windows MsMpEng JavaScript garbage collection use after free attempt (os-windows.rules)
 * 3:47811 <-> ENABLED <-> PROTOCOL-DNS TRUFFLEHUNTER TALOS-2018-0671 attack attempt (protocol-dns.rules)
 * 3:45019 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)
 * 3:45020 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2017-0490 attack attempt (file-image.rules)