This SRU number: 2014-11-24-001
Previous SRU number: 2014-11-20-001
Applies to:
This SEU number: 1210
Previous SEU: 1209
Applies to:
This is the complete list of rules added in SRU 2014-11-24-001 and SEU 1210.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 32598 | MALWARE-CNC | Win.Backdoor.Mysayad file wipe attempt | off | drop | drop |
| 1 | 32599 | MALWARE-CNC | Win.Backdoor.Mysayad outbound connection attempt | off | drop | drop |
| 1 | 32600 | MALWARE-CNC | Win.Backdoor.Mysayad file wipe attempt | off | drop | drop |
| 1 | 32601 | SERVER-OTHER | Hikvision DVR RTSP request buffer overflow attempt | off | off | off |
| 1 | 32604 | MALWARE-CNC | Win.Backdoor.Mysayad file wipe attempt | off | drop | drop |
| 1 | 32605 | MALWARE-CNC | Win.Worm.Jenxcus variant outbound connection attempt | off | drop | drop |
| 1 | 32606 | MALWARE-CNC | Win.Worm.Jenxcus variant outbound connection attempt | off | drop | drop |
| 1 | 32607 | MALWARE-CNC | Win.Trojan.Sodebral HTTP Response attempt | off | drop | drop |
| 1 | 32608 | MALWARE-CNC | Win.Trojan.Sodebral HTTP Response attempt | off | drop | drop |
| 1 | 32609 | MALWARE-CNC | Win.Trojan.NetWiredRC variant registration message | off | drop | drop |
| 1 | 32610 | MALWARE-CNC | Win.Trojan.NetWiredRC variant keepalive | off | drop | drop |
| 1 | 32611 | SERVER-WEBAPP | phpMemcachedAdmin path traversal attempt | off | off | drop |
| 1 | 32612 | BLACKLIST | DNS request for known malware domain cechire.com | off | drop | drop |
| 1 | 32613 | MALWARE-CNC | Win.Trojan.NetWiredRC variant keepalive | off | drop | drop |
| 1 | 32614 | MALWARE-CNC | Win.Trojan.NetWiredRC variant keepalive | off | drop | drop |
| 1 | 32615 | OS-WINDOWS | Microsoft Windows search protocol remote command injection attempt | off | off | off |
| 1 | 32619 | FILE-OTHER | MostGear EasyLanFolderShare serial key overflow attempt | off | off | off |
| 1 | 32620 | FILE-OTHER | MostGear EasyLanFolderShare serial key overflow attempt | off | off | off |
| 1 | 32621 | MALWARE-CNC | Win.Trojan.Regin outbound connection attempt | off | drop | drop |
| 1 | 32622 | MALWARE-CNC | Win.Trojan.Regin outbound connection attempt | off | drop | drop |
| 1 | 32623 | MALWARE-CNC | Win.Trojan.Regin outbound connection attempt | off | drop | drop |
| 1 | 32624 | MALWARE-CNC | Win.Trojan.Regin outbound connection attempt | off | drop | drop |
| 1 | 32625 | FILE-OFFICE | Microsoft Office Excel DV record buffer overflow attempt | off | off | drop |
| 1 | 32626 | BROWSER-PLUGINS | Adobe Flash broker privilege escalation file creation attempt | off | drop | drop |
| 1 | 32627 | BROWSER-PLUGINS | Adobe Flash broker privilege escalation file creation attempt | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 32602 | POLICY-OTHER | ManageEngine Eventlog Analyzer credential disclosure attempt | off | off | off |
| 1 | 32603 | POLICY-OTHER | ManageEngine Eventlog Analyzer information disclosure attempt | off | off | off |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 32616 | FILE-IDENTIFY | Microsoft Windows Registry file attachment detected | off | off | off |
| 1 | 32617 | FILE-IDENTIFY | Microsoft Windows Registry file attachment detected | off | off | off |
| 1 | 32618 | FILE-IDENTIFY | Microsoft Windows Registry file download request | off | off | off |
Updated rules can be found at this link.