Talos Rules 2021-03-09
Talos is aware of vulnerabilities affecting products from Microsoft Corporation.

Microsoft Vulnerability CVE-2021-24095: A coding deficiency exists in DirectX that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57259 through 57260.

Microsoft Vulnerability CVE-2021-26411: A coding deficiency exists in Microsoft Internet Explorer that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57268 through 57269.

Microsoft Vulnerability CVE-2021-26855: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 57241 through 57244.

Microsoft Vulnerability CVE-2021-26857: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 57233 through 57234.

Microsoft Vulnerability CVE-2021-26858: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 57245 through 57246.

Microsoft Vulnerability CVE-2021-26863: A coding deficiency exists in Microsoft Win32k that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57263 through 57264.

Microsoft Vulnerability CVE-2021-26868: A coding deficiency exists in Microsoft Graphics Component that may lead to an escalation of privilege.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57261 through 57262.

Microsoft Vulnerability CVE-2021-26877: A coding deficiency exists in Microsoft Windows DNS server that may lead to remote code execution.

A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 57274.

Microsoft Vulnerability CVE-2021-26897: A coding deficiency exists in Microsoft Windows DNS server that may lead to remote code execution.

A previously released rule will detect attacks targeting this vulnerability and has been updated with the appropriate reference information. It is included in this release and is identified with GID 1, SID 54518.

Microsoft Vulnerability CVE-2021-27065: A coding deficiency exists in Microsoft Exchange Server that may lead to remote code execution.

Previously released rules will detect attacks targeting this vulnerability and have been updated with the appropriate reference information. They are also included in this release and are identified with GID 1, SIDs 57245 through 57246 and 57252 through 57253.

Microsoft Vulnerability CVE-2021-27076: A coding deficiency exists in Microsoft SharePoint Server that may lead to remote code execution.

Rules to detect attacks targeting this vulnerability are included in this release and are identified with GID 1, SIDs 57275 through 57276.

Talos also has added and modified multiple rules in the browser-firefox, browser-ie, file-image, file-pdf, indicator-compromise, netbios, os-other, os-windows, policy-other and server-webapp rule sets to provide coverage for emerging threats from these technologies.

Change logs

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091700.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)

Modified Rules:


 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091601.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

Modified Rules:


 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091600.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

Modified Rules:


 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091501.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

Modified Rules:


 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091500.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)

Modified Rules:


 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091401.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

Modified Rules:


 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091300.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

Modified Rules:


 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2091101.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (os-windows.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)

Modified Rules:


 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (server-other.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 3000.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (snort3-os-windows.rules)
 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (snort3-server-webapp.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (snort3-browser-firefox.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (snort3-server-webapp.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (snort3-os-windows.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (snort3-browser-ie.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (snort3-indicator-compromise.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (snort3-file-pdf.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (snort3-os-windows.rules)
 * 1:57274 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DNS Server out of bounds read attempt (snort3-os-windows.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (snort3-os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (snort3-os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (snort3-browser-ie.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (snort3-file-pdf.rules)

Modified Rules:


 * 1:54518 <-> ENABLED <-> SERVER-OTHER Microsoft Windows DNS server remote integer overflow attempt (snort3-server-other.rules)
 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (snort3-server-other.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (snort3-server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (snort3-os-windows.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (snort3-server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (snort3-policy-other.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (snort3-server-webapp.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (snort3-server-webapp.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (snort3-server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (snort3-server-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (snort3-server-webapp.rules)

2021-03-09 14:01:29 UTC

Snort Subscriber Rules Update

Date: 2021-03-09

This is the complete list of rules modified and added in the Sourcefire VRT Certified rule pack for Snort version 2983.

The format of the file is:

gid:sid <-> Default rule state <-> Message (rule group)

New Rules:


 * 1:57275 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint attachment upload deserialization attempt (server-webapp.rules)
 * 1:57276 <-> DISABLED <-> SERVER-WEBAPP Microsoft SharePoint potential deserialization attempt (server-webapp.rules)
 * 1:57269 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57260 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57255 <-> DISABLED <-> BROWSER-FIREFOX Mozilla Firefox Same Origin Policy bypass attempt (browser-firefox.rules)
 * 1:57259 <-> DISABLED <-> OS-WINDOWS Microsoft Windows DirectX kernel driver use after free attempt (os-windows.rules)
 * 1:57261 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57254 <-> DISABLED <-> BROWSER-IE Microsoft Internet Explorer 7 Beta BGsound denial of service attempt (browser-ie.rules)
 * 1:57263 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57268 <-> ENABLED <-> BROWSER-IE Microsoft Internet Explorer memory corruption attempt (browser-ie.rules)
 * 1:57264 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Win32k elevation of privilege attempt (os-windows.rules)
 * 1:57262 <-> DISABLED <-> OS-WINDOWS Microsoft Windows Graphics Component privilege escalation attempt (os-windows.rules)
 * 1:57256 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 1:57258 <-> DISABLED <-> INDICATOR-COMPROMISE suspicious generation of space character for shell attacks attempt (indicator-compromise.rules)
 * 1:57257 <-> DISABLED <-> FILE-PDF Adobe Acrobat Reader DC TTF parsing heap overflow attempt (file-pdf.rules)
 * 3:57265 <-> ENABLED <-> NETBIOS TRUFFLEHUNTER TALOS-2021-1263 attack attempt (netbios.rules)
 * 3:57273 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57267 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57272 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57266 <-> ENABLED <-> OS-OTHER TRUFFLEHUNTER TALOS-2021-1262 attack attempt (os-other.rules)
 * 3:57270 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)
 * 3:57271 <-> ENABLED <-> FILE-IMAGE TRUFFLEHUNTER TALOS-2021-1261 attack attempt (file-image.rules)

Modified Rules:


 * 1:17577 <-> DISABLED <-> SERVER-OTHER CA BightStor ARCserver Backup possible insecure method access (server-other.rules)
 * 1:57243 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57241 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:57244 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)
 * 1:15115 <-> DISABLED <-> OS-WINDOWS Microsoft Windows WebDAV pathname buffer overflow attempt (os-windows.rules)
 * 1:16681 <-> DISABLED <-> SERVER-WEBAPP Basic Authorization string overflow attempt (server-webapp.rules)
 * 1:20616 <-> DISABLED <-> SERVER-OTHER Peercast Basic HTTP authentication buffer overflow attempt (server-other.rules)
 * 1:17536 <-> DISABLED <-> SERVER-WEBAPP generic server HTTP Auth Header buffer overflow attempt (server-webapp.rules)
 * 1:24987 <-> DISABLED <-> POLICY-OTHER Adobe InDesign SOAP interface RunScript method access attempt (policy-other.rules)
 * 1:57242 <-> ENABLED <-> SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt (server-webapp.rules)