* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2015-07-01-001
Previous SRU number: 2015-06-30-001
Applies to:
This SEU number: 1314
Previous SEU: 1313
Applies to:
This is the complete list of rules added in SRU 2015-07-01-001 and SEU 1314.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 35024 | SERVER-WEBAPP | Watchguard XCS mailqueue.spl command injection attempt | off | off | drop |
| 1 | 35025 | SERVER-WEBAPP | Watchguard XCS mailqueue.spl command injection attempt | off | off | drop |
| 1 | 35026 | SERVER-WEBAPP | Watchguard XCS mailqueue.spl command injection attempt | off | off | drop |
| 1 | 35027 | MALWARE-CNC | known malicious SSL certificate - Troldesh C&C | off | drop | drop |
| 1 | 35028 | BLACKLIST | DNS request for known malware domain killer0709.pf-control.de - Win.Keylogger.Lotronc | off | drop | drop |
| 1 | 35029 | MALWARE-CNC | Win.Keylogger.Lotronc variant outbound connection | off | drop | drop |
| 1 | 35030 | MALWARE-CNC | Win.Trojan.Zeus variant outbound connection | off | drop | drop |
| 1 | 35031 | MALWARE-CNC | Win.Trojan.Konus outbound connection attempt | off | drop | drop |
| 1 | 35032 | SERVER-WEBAPP | LANDesk Management Suite remote file include attempt | off | off | drop |
| 1 | 35033 | SERVER-WEBAPP | LANDesk Management Suite remote file include attempt | off | off | drop |
| 1 | 35034 | MALWARE-CNC | Win.Trojan.Konus outbound connection attempt | off | drop | drop |
| 1 | 35035 | MALWARE-CNC | Win.Trojan.Taleretzbj outbound connection | off | drop | drop |
| 1 | 35036 | MALWARE-CNC | Backdoor.Perl.Santy inbound variant connection | off | drop | drop |
| 1 | 35037 | MALWARE-CNC | Backdoor.Perl.Santy outbound variant connection | off | drop | drop |
| 1 | 35038 | SERVER-OTHER | Trustwave ModSecurity chunked transfer encoding policy bypass attempt | off | off | drop |
| 1 | 35039 | MALWARE-CNC | Trojan.Linux.Linuxor outbound variant connection | off | drop | drop |
| 1 | 35042 | POLICY-OTHER | Apple Cups cupsd.conf change attempt | off | off | off |
| 1 | 35043 | SERVER-OTHER | Apple Cups cupsd privilege escalation attempt | off | off | drop |
| 1 | 35044 | BROWSER-WEBKIT | Apple Safari URI spoofing attempt | off | off | off |
| 1 | 35045 | BROWSER-WEBKIT | Apple Safari URI spoofing attempt | off | off | off |
| 1 | 35046 | BLACKLIST | DNS request for known malware domain gotrubs.us | off | drop | drop |
| 1 | 35047 | MALWARE-CNC | Win.Trojan.Scar variant outbound connection | off | drop | drop |
| 1 | 35048 | FILE-FLASH | Adobe Flash Player ByteArray uncompress domainMemory use after free attempt | drop | drop | drop |
| 1 | 35049 | FILE-FLASH | Adobe Flash Player ByteArray uncompress domainMemory use after free attempt | drop | drop | drop |
| 1 | 35050 | MALWARE-CNC | Win.Trojan.Scar variant outbound connection | off | drop | drop |
| 1 | 35051 | BROWSER-FIREFOX | Mozilla Firefox IDL fragment privilege escalation attempt | off | drop | drop |
| 1 | 35052 | BROWSER-FIREFOX | Mozilla Firefox IDL fragment privilege escalation attempt | off | drop | drop |
| 1 | 35053 | BROWSER-IE | Microsoft Internet Explorer CSVGMarkerElement use after free attempt | off | off | off |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 35040 | SERVER-WEBAPP | PHP php_parse_metadata heap corruption attempt | off | off | off |
| 1 | 35041 | SERVER-WEBAPP | PHP php_parse_metadata heap corruption attempt | off | off | off |
Updated rules can be found at this link.