* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2016-02-18-003
Previous SRU number: 2016-02-15-001
Applies to:
This SEU number: 1428
Previous SEU: 1425
Applies to:
This is the complete list of rules modified in SRU 2016-02-18-003 and SEU 1428.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State columns give the rule's state in each of the three default Sourcefire policies: Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
GID | SID | Rule Group | Rule Message | Connectivity | Balanced | Security |
---|---|---|---|---|---|---|
1 | 8375 | BROWSER-PLUGINS | QuickTime Object ActiveX clsid access | off | off | off |
1 | 9806 | NETBIOS | DCERPC NCACN-IP-TCP brightstor-arc GetGroupStatus overflow attempt | off | off | off |
1 | 12197 | SERVER-OTHER | CA message queuing server buffer overflow attempt | off | off | off |
1 | 13287 | OS-WINDOWS | Windows remote kernel tcp/ip igmp vulnerability exploit attempt | off | off | off |
1 | 15194 | BROWSER-PLUGINS | SizerOne ActiveX function call access | off | off | off |
1 | 15478 | FILE-FLASH | Adobe Flash Player invalid object reference code execution attempt | off | off | off |
1 | 16510 | BROWSER-PLUGINS | Microsoft Internet Explorer Tabular Control ActiveX overflow by CLSID | off | off | off |
1 | 17526 | FILE-PDF | Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt | off | off | off |
1 | 18702 | FILE-OFFICE | Microsoft Office RTF malformed pfragments field | off | off | drop |
1 | 18703 | FILE-OFFICE | Microsoft Office RTF malformed pfragments field | off | off | drop |
1 | 18704 | FILE-OFFICE | Microsoft Office RTF malformed second pfragments field | off | off | drop |
1 | 18705 | FILE-OFFICE | Microsoft Office RTF malformed second pfragments field | off | off | drop |
1 | 18706 | FILE-OFFICE | Microsoft Office RTF malformed second pfragments field | off | off | drop |
1 | 19151 | BROWSER-PLUGINS | Trend Micro HouseCall ActiveX clsid access | off | off | off |
1 | 19152 | BROWSER-PLUGINS | Trend Micro HouseCall ActiveX function call access | off | off | off |
1 | 20247 | FILE-OFFICE | Microsoft Office Outlook SMB attach by reference code execution attempt | off | off | drop |
1 | 20262 | BROWSER-IE | Microsoft Internet Explorer onscroll DOS attempt | off | off | off |
1 | 20264 | BROWSER-IE | Microsoft Internet Explorer form selection reset attempt | off | off | off |
1 | 20634 | BROWSER-IE | Microsoft Internet Explorer onscroll DOS attempt | off | off | off |
1 | 21077 | BROWSER-PLUGINS | HP Easy Printer Care Software ActiveX function call | off | off | off |
1 | 21429 | FILE-PDF | Possible unknown malicious PDF | off | off | drop |
1 | 21453 | FILE-PDF | Possible unknown malicious PDF | off | off | drop |
1 | 22101 | FILE-OFFICE | Microsoft Office RTF malformed pfragments field | off | off | drop |
1 | 22102 | FILE-OFFICE | Microsoft Office RTF malformed pfragments field | off | off | drop |
1 | 23517 | FILE-PDF | Adobe Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt | off | off | drop |
1 | 23518 | FILE-PDF | Adobe Acrobat Reader libtiff TIFFFetchShortPair stack buffer overflow attempt | off | off | drop |
1 | 23520 | FILE-PDF | Possible unknown malicious PDF | off | off | drop |
1 | 23521 | FILE-PDF | Possible unknown malicious PDF | off | off | drop |
1 | 23522 | FILE-PDF | Adobe Acrobat Reader malicious TIFF remote code execution attempt | off | off | drop |
1 | 23523 | FILE-PDF | Adobe Acrobat Reader malformed TIFF remote code execution attempt | off | off | drop |
1 | 23524 | FILE-PDF | Adobe Acrobat Reader malformed TIFF remote code execution attempt | off | off | drop |
1 | 23611 | FILE-PDF | JavaScript contained in an xml template embedded in a pdf attempt | off | off | drop |
1 | 23612 | FILE-PDF | JavaScript contained in an xml template embedded in a pdf attempt | off | off | drop |
1 | 25393 | FILE-OFFICE | Microsoft Office RTF malformed pfragments field | off | off | drop |
1 | 25475 | FILE-PDF | JavaScript contained in an xml template embedded in a pdf attempt | off | off | drop |
1 | 25779 | FILE-EXECUTABLE | Microsoft Windows Authenticode signature verification bypass attempt | off | off | drop |
1 | 25832 | FILE-JAVA | Oracle Java JMX class arbitrary code execution attempt | off | drop | drop |
1 | 26592 | BROWSER-WEBKIT | Apple Safari Webkit libxslt arbitrary file creation attempt | off | off | off |
1 | 26824 | SERVER-OTHER | Apache Struts allowStaticMethodAccess invocation attempt | off | drop | drop |
1 | 27822 | FILE-OTHER | Microsoft Windows XP .theme file remote code execution attempt | off | drop | drop |
1 | 28303 | FILE-PDF | Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt | off | off | off |
1 | 28626 | FILE-PDF | Adobe Acrobat and Adobe Acrobat Reader U3D RHAdobeMeta buffer overflow attempt | off | off | off |
1 | 28887 | FILE-PDF | Adobe Acrobat Reader malformed TIFF remote code execution attempt | off | off | drop |
1 | 28888 | FILE-PDF | Adobe Acrobat Reader malformed TIFF remote code execution attempt | off | off | drop |
1 | 28889 | FILE-PDF | Adobe Acrobat Reader malformed TIFF remote code execution attempt | off | off | drop |
1 | 28890 | FILE-PDF | Adobe Acrobat Reader malformed TIFF remote code execution attempt | off | off | drop |
1 | 29213 | INDICATOR-OBFUSCATION | potential math library debugging | off | drop | drop |
1 | 29394 | BROWSER-WEBKIT | Apple WebKit QuickTime plugin content-type http header buffer overflow attempt | off | off | off |
1 | 29622 | FILE-PDF | Adobe Acrobat Reader malformed shading modifier heap corruption attempt | off | off | off |
1 | 29749 | BROWSER-PLUGINS | SizerOne 2 ActiveX clsid access | off | off | drop |
1 | 29859 | SERVER-APACHE | Apache Struts allowStaticMethodAccess invocation attempt | off | drop | drop |
1 | 30153 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30154 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30155 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30156 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30157 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30158 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30159 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30160 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via MIME HTML document attempt | off | drop | drop |
1 | 30161 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib object attempt | off | drop | drop |
1 | 30162 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib xls object attempt | off | off | drop |
1 | 30163 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib object attempt | off | drop | drop |
1 | 30164 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via malicious MSComctlLib xls object attempt | off | off | drop |
1 | 30165 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via malicious toolbar and author attempt | off | drop | drop |
1 | 30166 | FILE-OFFICE | Microsoft Windows common controls stack buffer overflow via malicious toolbar and author attempt | off | drop | drop |
1 | 30754 | FILE-FLASH | Adobe Flash malformed regular expression exploit attempt | off | drop | drop |
1 | 30755 | FILE-FLASH | Adobe Flash malformed regular expression exploit attempt | off | drop | drop |
3 | 30901 | FILE-FLASH | known malicious flash actionscript decryption routine | off | off | drop |
1 | 31686 | FILE-PDF | Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt | drop | drop | drop |
1 | 31687 | FILE-PDF | Adobe Acrobat Reader X XML forms specially crafted RLE8 format BMP integer overflow attempt | off | drop | drop |
1 | 31926 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 31927 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32353 | SQL | Drupal 7 pre auth SQL injection attempt | off | off | drop |
1 | 32360 | FILE-FLASH | Adobe Flash Player worker shared object use-after-free attempt | off | drop | drop |
1 | 32730 | FILE-OTHER | Microsoft Windows XP .theme file remote code execution attempt | off | drop | drop |
1 | 32857 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32858 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32859 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32860 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32861 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32862 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 32863 | FILE-OFFICE | Microsoft Windows common controls MSCOMCTL.OCX buffer overflow attempt | off | drop | drop |
1 | 34389 | FILE-OTHER | Microsoft Journal out of bounds read attempt | off | drop | drop |
1 | 34390 | FILE-OTHER | Microsoft Journal out of bounds read attempt | off | drop | drop |
1 | 35266 | FILE-FLASH | Adobe Flash Player remote code execution attempt | off | off | drop |
1 | 35449 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 35450 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 35451 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 35452 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 35453 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 35454 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 35538 | POLICY-OTHER | EMC AutoStart ftagent insecure opcode 20 subcode 2060 access attempt | off | off | off |
1 | 35539 | POLICY-OTHER | EMC AutoStart ftagent insecure opcode 20 subcode 2219 access attempt | off | off | off |
1 | 35540 | SERVER-OTHER | EMC AutoStart ftagent SQL injection attempt | off | drop | drop |
1 | 35541 | SERVER-OTHER | EMC AutoStart ftagent SQL injection attempt | off | drop | drop |
1 | 36116 | BROWSER-PLUGINS | HP LoadRunner ActiveX clsid access attempt | off | off | off |
1 | 36117 | BROWSER-PLUGINS | HP LoadRunner ActiveX clsid access attempt | off | off | off |
1 | 36118 | BROWSER-PLUGINS | HP LoadRunner ActiveX clsid access attempt | off | off | off |
1 | 36119 | BROWSER-PLUGINS | HP LoadRunner ActiveX clsid access attempt | off | off | off |
1 | 36124 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36126 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36127 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36128 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36129 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36158 | SERVER-OTHER | HP OpenView Storage Data Protector arbitrary command execution attempt | off | drop | drop |
1 | 36771 | EXPLOIT-KIT | Angler exploit kit viewforum uri request attempt | off | off | drop |
1 | 36819 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36820 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36821 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 36822 | FILE-FLASH | Adobe Flash Player AS3 opaqueBackground use-after-free attempt | off | drop | drop |
1 | 37626 | BROWSER-FIREFOX | Mozilla Firefox IDL fragment privilege escalation attempt | off | drop | drop |
1 | 37629 | FILE-FLASH | Adobe Flash Player dangling bytearray pointer code execution attempt | off | drop | drop |
1 | 37630 | FILE-FLASH | Adobe Flash Player dangling bytearray pointer code execution attempt | off | drop | drop |
1 | 37631 | FILE-FLASH | Adobe Flash Player dangling bytearray pointer code execution attempt | off | drop | drop |
1 | 37632 | FILE-FLASH | Adobe Flash Player dangling bytearray pointer code execution attempt | off | drop | drop |
1 | 37633 | BROWSER-IE | Microsoft Internet Explorer CTextElement use after free attempt | off | drop | drop |
1 | 37645 | FILE-FLASH | Adobe Flash copyPixelsToByteArray integer overflow attempt | drop | drop | drop |
1 | 37650 | FILE-OTHER | CA BrightStor stack buffer overflow attempt | off | off | off |
GID | SID | Rule Group | Rule Message | Connectivity | Balanced | Security |
---|---|---|---|---|---|---|
1 | 30327 | INDICATOR-OBFUSCATION | multiple binary tags in close proximity - potentially malicious | off | off | off |
1 | 30328 | INDICATOR-OBFUSCATION | multiple binary tags in close proximity - potentially malicious | off | off | off |