This SRU number: 2014-07-21-001
Previous SRU number: 2014-07-16-001
Applies to:
This SEU number: 1144
Previous SEU: 1143
Applies to:
This is the complete list of rules added in SRU 2014-07-21-001 and SEU 1144.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 3 | 31451 | EXPLOIT | Cisco Unified IP phone BVSMWeb portal attack attempt | off | drop | drop |
| 1 | 31452 | MALWARE-CNC | Win.Trojan.Symmi variant outbound connection attempt | off | drop | drop |
| 1 | 31453 | MALWARE-CNC | Win.Trojan.ChoHeap variant outbound connection | off | off | drop |
| 1 | 31454 | MALWARE-CNC | Win.Trojan.ChoHeap variant outbound connection | off | off | off |
| 1 | 31455 | EXPLOIT-KIT | Rig Exploit Kit Outbound DGA Request | off | drop | drop |
| 1 | 31456 | BLACKLIST | DNS request for known malware domain infolooks.org - Win.Trojan.SDBot | off | drop | drop |
| 1 | 31457 | BLACKLIST | DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot | off | drop | drop |
| 1 | 31458 | MALWARE-CNC | Win.Trojan.SDBot variant outbound connection attempt | off | drop | drop |
| 1 | 31459 | MALWARE-CNC | Win.Trojan.Jaktinier.A connection attempt | off | off | off |
| 1 | 31460 | SERVER-WEBAPP | PHP DNS parsing heap overflow attempt | off | off | drop |
| 1 | 31461 | FILE-OFFICE | Microsoft Office Excel Malformed MSODrawing Record attempt | off | off | drop |
| 1 | 31462 | FILE-OFFICE | Microsoft Office Malformed MSODrawing Record attempt | off | off | drop |
| 1 | 31463 | BLACKLIST | DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm | off | drop | drop |
| 1 | 31464 | BLACKLIST | DNS request for known malware domain disk57.com - Win.Trojan.Androm | off | drop | drop |
| 1 | 31465 | MALWARE-CNC | Win.Trojan.Androm Click Fraud Request | off | drop | drop |
| 1 | 31466 | MALWARE-CNC | Win.Trojan.Androm Click Fraud Request | off | drop | drop |
| 1 | 31467 | MALWARE-CNC | Win.Trojan.Androm variant outbound connection | off | drop | drop |
| 1 | 31468 | MALWARE-CNC | Win.Trojan.Papras variant outbound connection | off | drop | drop |
| 1 | 31469 | BROWSER-IE | Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt | off | off | off |
| 1 | 31470 | BROWSER-IE | Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt | off | off | drop |
| 1 | 31471 | BROWSER-IE | Microsoft Internet Explorer getBoundingClientRect incorrect rebalancing attempt | off | off | off |
| 1 | 31472 | BLACKLIST | DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32 | off | drop | drop |
| 1 | 31473 | FILE-OFFICE | Microsoft Office Excel PtgName invalid index exploit attempt | off | off | drop |
| 1 | 31474 | FILE-OFFICE | Microsoft Office Excel PtgName invalid index exploit attempt | off | off | drop |
| 1 | 31475 | FILE-OFFICE | Microsoft Office Excel PtgName invalid index exploit attempt | off | off | drop |
| 1 | 31476 | FILE-OFFICE | Microsoft Office Excel PtgName invalid index exploit attempt | off | off | drop |
| 1 | 31485 | BROWSER-IE | Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt | off | drop | drop |
| 1 | 31486 | BROWSER-IE | Microsoft Internet Explorer onbeforeeditfocus element attribute use after free attempt | off | drop | drop |
| 1 | 31487 | MALWARE-OTHER | Game Over Zeus executable download detected | off | drop | drop |
| 1 | 31488 | MALWARE-OTHER | Game Over Zeus executable download detected | off | drop | drop |
| 1 | 31489 | FILE-FLASH | Adobe Flash security sandbox bypass attempt | off | off | off |
| 1 | 31490 | FILE-FLASH | Adobe Flash security sandbox bypass attempt | off | off | off |
| 1 | 31491 | FILE-FLASH | Adobe Flash security sandbox bypass attempt | off | off | off |
| 1 | 31492 | FILE-FLASH | Adobe Flash security sandbox bypass attempt | off | off | off |
| 1 | 31493 | FILE-FLASH | Adobe Flash security sandbox bypass attempt | off | off | off |
| 1 | 31494 | FILE-FLASH | Adobe Flash security sandbox bypass attempt | off | off | off |
| 1 | 31495 | FILE-FLASH | Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt | off | drop | drop |
| 1 | 31496 | FILE-FLASH | Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 31477 | SERVER-OTHER | OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | drop |
| 1 | 31478 | SERVER-OTHER | OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | drop |
| 1 | 31479 | SERVER-OTHER | OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | drop |
| 1 | 31480 | SERVER-OTHER | OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | drop |
| 1 | 31481 | SERVER-OTHER | OpenSSL SSL ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | off |
| 1 | 31482 | SERVER-OTHER | OpenSSL TLSv1.0 ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | off |
| 1 | 31483 | SERVER-OTHER | OpenSSL TLSv1.1 ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | off |
| 1 | 31484 | SERVER-OTHER | OpenSSL TLSv1.2 ChangeCipherSpec man-in-the-middle exploitation attempt | off | off | off |
Updated rules can be found at this link.