* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2015-11-23-003
Previous SRU number: 2015-11-18-001
Applies to:
This SEU number: 1388
Previous SEU: 1384
Applies to:
This is the complete list of rules modified in SRU 2015-11-23-003 and SEU 1388.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 1394 | INDICATOR-SHELLCODE | x86 inc ecx NOOP | off | off | off |
| 3 | 7196 | OS-WINDOWS | Microsoft DHCP option overflow attempt | off | off | off |
| 3 | 10161 | NETBIOS | SMB write_andx overflow attempt | off | off | off |
| 3 | 11619 | SERVER-MYSQL | MySQL COM_TABLE_DUMP Function Stack Overflow attempt | off | off | off |
| 3 | 12028 | SERVER-MAIL | Microsoft Exchange Server MIME base64 decoding code execution attempt | off | off | off |
| 3 | 13308 | SERVER-APACHE | Apache HTTP server auth_ldap logging function format string vulnerability | off | off | drop |
| 3 | 13417 | SERVER-OTHER | Citrix MetaFrame IMA authentication processing buffer overflow attempt | off | off | off |
| 3 | 13510 | SERVER-OTHER | Novell eDirectory EventsRequest heap overflow attempt | off | off | off |
| 3 | 13511 | SERVER-OTHER | Novell eDirectory EventsRequest invalid event count exploit attempt | off | off | off |
| 3 | 13790 | FILE-OFFICE | Microsoft Word malformed css remote code execution attempt | off | off | off |
| 3 | 13879 | OS-WINDOWS | Windows BMP image conversion arbitrary code execution attempt | off | off | off |
| 3 | 13921 | SERVER-MAIL | Altrium Software MERCUR IMAPD NTLMSSP command handling memory corruption attempt | off | off | off |
| 3 | 14251 | OS-WINDOWS | Microsoft GDI malformed metarecord buffer overflow attempt | off | off | off |
| 3 | 14260 | OS-WINDOWS | Microsoft Windows GDI+ GIF image invalid number of extension blocks buffer overflow attempt | off | off | off |
| 3 | 14263 | POLICY-SOCIAL | Pidgin MSN MSNP2P message integer overflow attempt | off | drop | drop |
| 3 | 15009 | OS-WINDOWS | possible SMB replay attempt - overlapping encryption keys detected | off | off | off |
| 3 | 15117 | FILE-OFFICE | Microsoft Excel malformed OBJ record arbitrary code execution attempt | off | off | off |
| 3 | 15124 | OS-WINDOWS | Web-based NTLM replay attack attempt | off | off | off |
| 3 | 15125 | FILE-OFFICE | Microsoft Word rich text file unpaired dpendgroup exploit attempt | off | off | off |
| 3 | 15298 | FILE-OFFICE | Microsoft Visio could allow remote code execution | off | off | off |
| 3 | 15301 | SERVER-MAIL | Exchange compressed RTF remote code execution attempt | off | off | off |
| 3 | 15327 | PROTOCOL-DNS | libspf2 DNS TXT record parsing buffer overflow attempt | off | off | off |
| 3 | 15453 | OS-WINDOWS | SMB replay attempt via NTLMSSP - overlapping encryption keys detected | off | off | off |
| 3 | 15454 | FILE-OFFICE | Microsoft Office PowerPoint malformed msofbtTextbox exploit attempt | off | off | off |
| 3 | 15465 | FILE-OFFICE | Microsoft Excel malformed object record remote code execution attempt | off | off | off |
| 3 | 15519 | FILE-OFFICE | Microsoft Office Excel BRAI record remote code execution attempt | off | off | off |
| 3 | 15847 | OS-WINDOWS | Telnet-based NTLM replay attack attempt | off | off | off |
| 3 | 15920 | FILE-MULTIMEDIA | Microsoft mp3 malformed APIC header RCE attempt | off | off | off |
| 3 | 15968 | SERVER-OTHER | LANDesk Management Suite QIP service heal packet buffer overflow attempt | off | drop | drop |
| 3 | 15973 | SERVER-OTHER | Novell eDirectory LDAP null search parameter buffer overflow attempt | off | off | off |
| 1 | 16153 | FILE-IMAGE | Microsoft Windows malformed WMF meta escape record memory corruption attempt | off | off | off |
| 3 | 16232 | OS-WINDOWS | Windows TrueType font file parsing integer overflow attempt | off | off | off |
| 3 | 16370 | FILE-PDF | Adobe Reader JP2C Region Atom CompNum memory corruption attempt | off | off | off |
| 3 | 16415 | OS-WINDOWS | Microsoft DirectShow memory corruption attempt | off | off | off |
| 3 | 16531 | NETBIOS | SMB client TRANS response ring0 remote code execution attempt | off | off | off |
| 3 | 16532 | NETBIOS | SMB client TRANS response ring0 remote code execution attempt | off | off | off |
| 3 | 16649 | FILE-OFFICE | Microsoft Excel HFPicture record stack buffer overflow attempt | off | off | off |
| 3 | 16662 | FILE-OFFICE | Microsoft Excel SxView heap overflow attempt | off | off | off |
| 1 | 16727 | FILE-OTHER | IDEAL Administration IPJ file handling stack overflow attempt | off | off | off |
| 3 | 16728 | NETBIOS | Samba SMB1 chain_reply function memory corruption attempt | off | off | drop |
| 1 | 16739 | FILE-MULTIMEDIA | MultiMedia Jukebox playlist file handling heap overflow attempt | off | off | off |
| 3 | 17632 | PROTOCOL-SNMP | Castle Rock Computing SNMPc Network Manager community string attempted stack overflow | off | drop | drop |
| 1 | 17635 | NETBIOS | DCERPC NCACN-IP-TCP brightstor-arc function 0 little endian overflow attempt | off | off | off |
| 3 | 17663 | SERVER-OTHER | Apple CUPS SGI image format decoding imagetops filter buffer overflow attempt | off | drop | drop |
| 3 | 17665 | FILE-OFFICE | OpenOffice Word document table parsing multiple heap based buffer overflow attempt | off | drop | drop |
| 3 | 17693 | SERVER-MAIL | MailEnable NTLM Authentication buffer overflow attempt | off | off | alert |
| 3 | 17697 | POLICY-SOCIAL | GnuPG Message Packet Length overflow attempt | off | off | drop |
| 3 | 17699 | PROTOCOL-SNMP | Multiple vendor SNMPv3 HMAC handling authentication bypass attempt | off | off | off |
| 3 | 17741 | SERVER-OTHER | MIT Kerberos ASN.1 asn1_decode_generaltime uninitialized pointer reference attempt | off | drop | drop |
| 3 | 17762 | FILE-OFFICE | Microsoft Excel corrupted TABLE record clean up exploit attempt | off | off | off |
| 3 | 17765 | OS-WINDOWS | OpenType Font file parsing buffer overflow attempt | off | off | off |
| 3 | 17775 | INDICATOR-SHELLCODE | Shikata Ga Nai x86 polymorphic shellcode decoder detected | off | off | off |
| 3 | 18063 | FILE-OFFICE | Microsoft Office embedded Office Art drawings execution attempt | off | off | off |
| 3 | 18673 | OS-WINDOWS | Microsoft Fax Cover Page Editor heap corruption attempt | off | off | off |
| 1 | 18802 | SERVER-WEBAPP | HP Power Manager formExportDataLogs directory traversal attempt | off | off | drop |
| 3 | 18949 | FILE-OFFICE | PowerPoint malformed RecolorInfoAtom exploit attempt | off | off | off |
| 3 | 19187 | PROTOCOL-DNS | TMG Firewall Client long host entry exploit attempt | off | off | off |
| 1 | 19259 | FILE-OFFICE | Microsoft Office Excel WOpt record memory corruption attempt | off | off | off |
| 1 | 20237 | FILE-MULTIMEDIA | MultiMedia Jukebox playlist file handling heap overflow attempt | off | off | off |
| 1 | 20431 | FILE-OTHER | Wireshark DECT packet dissector overflow attempt | off | drop | drop |
| 3 | 21352 | OS-WINDOWS | Microsoft Fax Cover Page Editor heap corruption attempt | off | off | off |
| 3 | 21619 | OS-WINDOWS | Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt | off | drop | drop |
| 3 | 22089 | FILE-OFFICE | Microsoft RTF improper listoverride nesting attempt | off | off | drop |
| 1 | 23283 | BROWSER-PLUGINS | Oracle WebCenter Forms Recognition ActiveX clsid access attempt | off | off | drop |
| 1 | 23284 | BROWSER-PLUGINS | Oracle WebCenter Forms Recognition ActiveX clsid access attempt | off | off | drop |
| 1 | 23395 | BROWSER-PLUGINS | Quest InTrust Annotation Objects ActiveX clsid access attempt | off | off | drop |
| 3 | 24973 | NETBIOS | SMB Trans2 FIND_FIRST2 response file name length overflow attempt | off | off | drop |
| 3 | 26972 | SERVER-OTHER | CUPS IPP multi-valued attribute memory corruption attempt | off | drop | drop |
| 3 | 28487 | OS-WINDOWS | Microsoft GDI library TIFF handling memory corruption attempt | off | drop | drop |
| 3 | 28488 | OS-WINDOWS | Microsoft GDI library TIFF handling memory corruption attempt | off | drop | drop |
| 1 | 28623 | FILE-PDF | Adobe Acrobat font parsing integer overflow attempt | off | off | drop |
| 1 | 28624 | FILE-PDF | Adobe Acrobat font parsing integer overflow attempt | off | off | drop |
| 1 | 31105 | FILE-PDF | Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt | off | drop | drop |
| 1 | 31106 | FILE-PDF | Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt | off | drop | drop |
| 1 | 31403 | BROWSER-IE | Microsoft Internet Explorer celement use after free | off | drop | drop |
| 1 | 31404 | BROWSER-IE | Microsoft Internet Explorer celement use after free | off | drop | drop |
| 3 | 33587 | FILE-OFFICE | Microsoft RTF improper listoverride nesting attempt | off | off | drop |
| 1 | 33987 | SERVER-OTHER | Symantec System Center Alert Management System untrusted command execution attempt | off | off | off |
| 3 | 35894 | SERVER-OTHER | HP OpenView Data Protector Omnilnet command injection attempt | off | drop | drop |
| 1 | 36125 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
| 3 | 36153 | SERVER-OTHER | IBM Domino LDAP server ModifyRequest stack buffer overflow attempt | off | drop | drop |
| 1 | 36334 | SERVER-WEBAPP | Ignite Realtime Openfire user-password cross site request forgery attempt | off | off | off |
| 1 | 36401 | BROWSER-IE | Microsoft Internet Explorer CQuickLinks object use-after-free attempt | off | drop | drop |
| 1 | 36402 | BROWSER-IE | Microsoft Internet Explorer CQuickLinks object use-after-free attempt | off | drop | drop |
| 1 | 36549 | FILE-FLASH | Adobe Flash Player writeExternal type confusion attempt | off | drop | drop |
| 1 | 36798 | EXPLOIT-KIT | Gong Da exploit kit landing page detected | off | off | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 3 | 13418 | SERVER-OTHER | IBM Tivoli Director LDAP server invalid DN message buffer overflow attempt | off | off | off |
| 3 | 13425 | SERVER-OTHER | openldap server bind request denial of service attempt | off | off | off |
| 3 | 13475 | OS-WINDOWS | Microsoft Active Directory LDAP denial of service attempt | off | off | off |
| 3 | 13667 | PROTOCOL-DNS | dns cache poisoning attempt | off | off | off |
| 3 | 13773 | OS-LINUX | linux kernel snmp nat netfilter memory corruption attempt | off | off | off |
| 3 | 13825 | OS-WINDOWS | Microsoft PGM fragment denial of service attempt | off | off | off |
| 3 | 13835 | OS-WINDOWS | Microsoft Active Directory LDAP cookie denial of service attempt | off | off | off |
| 3 | 15149 | SERVER-ORACLE | Oracle Internet Directory pre-auth ldap denial of service attempt | off | off | off |
| 3 | 15474 | SERVER-OTHER | Microsoft ISA Server and Forefront Threat Management Gateway invalid RST denial of service attempt | off | off | off |
| 3 | 15734 | PROTOCOL-DNS | BIND named 9 dynamic update message remote dos attempt | off | off | off |
| 3 | 15959 | SERVER-IIS | Microsoft ASP.NET viewstate DoS attempt | off | drop | drop |
| 1 | 16147 | SERVER-IIS | Microsoft Windows IIS malformed URL .dll denial of service attempt | off | off | off |
| 1 | 17495 | SERVER-OTHER | Squid proxy DNS response spoofing attempt | off | off | off |
| 3 | 18101 | SERVER-OTHER | Sun Directory Server LDAP denial of service attempt | off | off | off |
| 3 | 20825 | SERVER-WEBAPP | generic web server hashing collision attack | off | off | off |
| 3 | 23039 | PROTOCOL-DNS | Multiple vendor DNS message decompression denial of service attempt | off | off | drop |
| 3 | 23040 | PROTOCOL-DNS | Multiple vendor DNS message decompression denial of service attempt | off | off | drop |
| 1 | 25774 | DELETED | OS-WINDOWS TCP FIN handshake resource exhaustion attempt | |||
| 1 | 32470 | BROWSER-IE | Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt | off | drop | drop |
| 1 | 32471 | BROWSER-IE | Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt | off | drop | drop |
| 1 | 32472 | BROWSER-IE | Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt | off | drop | drop |
| 1 | 32473 | BROWSER-IE | Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt | off | drop | drop |
| 1 | 32564 | BROWSER-IE | Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt | off | drop | drop |
| 1 | 32565 | BROWSER-IE | Microsoft Internet Explorer 11 VBScript redim preserve denial-of-service attempt | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 10018 | NETBIOS | DCERPC NCACN-IP-TCP brightstor-arc ReserveGroup attempt | off | off | off |
| 1 | 10486 | NETBIOS | DCERPC NCACN-IP-TCP brightstor-arc corrupt user-supplied memory address attempt | off | off | off |
| 3 | 16343 | FILE-PDF | obfuscated header in PDF | off | drop | drop |
| 1 | 17696 | PROTOCOL-DNS | Microsoft Windows DNS Server ANY query cache weakness | off | drop | drop |
| 3 | 23180 | FILE-PDF | obfuscated header in PDF attachment | off | drop | drop |
| 1 | 25970 | DELETED | OS-WINDOWS TCP FIN sent to client | |||
| 1 | 34864 | INDICATOR-COMPROMISE | Metasploit Meterpreter reverse HTTPS certificate | off | off | off |
| 1 | 36611 | INDICATOR-COMPROMISE | Metasploit Meterpreter reverse HTTPS certificate | off | off | off |
| 1 | 36612 | INDICATOR-COMPROMISE | Metasploit Meterpreter reverse HTTPS certificate | off | off | off |