* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2015-05-12-002
Previous SRU number: 2015-05-06-001
Applies to:
This SEU number: 1295
Previous SEU: 1292
Applies to:
This is the complete list of rules modified in SRU 2015-05-12-002 and SEU 1295.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 26294 | FILE-OTHER | Watering Hole Campaign applet download | drop | drop | drop |
| 1 | 26295 | FILE-OTHER | Watering Hole Campaign applet download | drop | drop | drop |
| 1 | 26380 | MALWARE-OTHER | UTF-8 BOM in zip file attachment detected | off | off | drop |
| 1 | 26381 | MALWARE-OTHER | UTF-8 BOM in zip file attachment detected | off | off | drop |
| 1 | 26382 | MALWARE-OTHER | UTF-8 BOM in zip file attachment detected | off | off | drop |
| 1 | 26837 | MALWARE-CNC | BitBot Idle C2 response | off | drop | drop |
| 1 | 26850 | BROWSER-IE | Microsoft Internet Explorer IE5 compatibility mode enable attempt | off | off | drop |
| 1 | 27966 | MALWARE-CNC | Win.Backdoor.Chopper web shell connection | off | drop | drop |
| 1 | 27967 | MALWARE-CNC | Win.Backdoor.Chopper web shell connection | off | off | off |
| 1 | 27968 | MALWARE-CNC | Win.Backdoor.Chopper web shell connection | off | drop | drop |
| 1 | 27980 | BLACKLIST | URI request for known malicious URI - /botnet/adduser.php?uid= | off | drop | drop |
| 1 | 27981 | BLACKLIST | URI request for known malicious URI - /botnet/tasks.php?uid= | off | drop | drop |
| 1 | 28247 | MALWARE-CNC | Win.Trojan.Dropper variant outbound connection | off | drop | drop |
| 1 | 28323 | MALWARE-CNC | Win.Backdoor.Chopper web shell connection | off | drop | drop |
| 1 | 28362 | BLACKLIST | User-Agent known malicious user-agent string SUiCiDE/1.5 | off | drop | drop |
| 1 | 28479 | BLACKLIST | DNS request for known malware domain liumingzhen.zapto.org | off | off | off |
| 1 | 28480 | BLACKLIST | DNS request for known malware domain liumingzhen.myftp.org | off | off | off |
| 1 | 28481 | BLACKLIST | DNS request for known malware domain catlovers.25u.com | off | off | off |
| 1 | 28482 | MALWARE-CNC | Win.Trojan.Terminator RAT variant outbound connection | drop | drop | drop |
| 1 | 30989 | BLACKLIST | DNS request for known malware domain help.2012hi.hk | off | drop | drop |
| 1 | 30990 | MALWARE-CNC | Shiqiang Gang malicious XLS targeted attack detection | drop | drop | drop |
| 1 | 30991 | MALWARE-CNC | Shiqiang Gang malicious XLS targeted attack detection | off | drop | drop |
| 1 | 34238 | SERVER-OTHER | PHP zip_cdir_new function integer overflow file upload attempt | off | off | off |
| 1 | 34239 | SERVER-OTHER | PHP zip_cdir_new function integer overflow file upload attempt | off | off | off |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 5789 | BLACKLIST | User-Agent known malicious user agent - ActMon | off | off | off |
| 1 | 20436 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
| 1 | 20437 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
| 1 | 20438 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
| 1 | 20439 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
| 1 | 33769 | OS-WINDOWS | Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt | off | drop | drop |
| 1 | 33770 | OS-WINDOWS | Microsoft Windows NtUserfnINSTRINGNULL memory leak kernel ASLR bypass attempt | off | drop | drop |