* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2016-07-25-001
Previous SRU number: 2016-07-21-001
Applies to:
This SEU number: 1519
Previous SEU: 1518
Applies to:
This is the complete list of rules added in SRU 2016-07-25-001 and SEU 1519.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 39683 | FILE-IMAGE | Apple Core Graphics BMP img_decode_read memory corruption attempt | off | drop | drop |
| 1 | 39684 | FILE-IMAGE | Apple Core Graphics BMP img_decode_read memory corruption attempt | off | drop | drop |
| 1 | 39713 | MALWARE-OTHER | MKVIS outbound communication attempt | off | drop | drop |
| 1 | 39714 | SERVER-WEBAPP | phpFileManager command injection attempt | off | off | off |
| 1 | 39715 | SERVER-WEBAPP | phpFileManager command injection attempt | off | off | off |
| 1 | 39716 | SERVER-WEBAPP | phpFileManager command injection attempt | off | off | off |
| 1 | 39717 | SERVER-WEBAPP | phpFileManager command injection attempt | off | off | off |
| 1 | 39718 | BLACKLIST | DNS request for known malware domain ns1.logitech-usa.com - pisloader | off | drop | drop |
| 1 | 39719 | BLACKLIST | DNS request for known malware domain globalprint-us.com - pisloader | off | drop | drop |
| 1 | 39720 | BLACKLIST | DNS request for known malware domain intranetwabcam.com - pisloader | off | drop | drop |
| 1 | 39721 | BLACKLIST | DNS request for known malware domain login.access-mail.com - pisloader | off | drop | drop |
| 1 | 39722 | BLACKLIST | DNS request for known malware domain glb.it-desktop.com - pisloader | off | drop | drop |
| 1 | 39723 | BLACKLIST | DNS request for known malware domain local.it-desktop.com - pisloader | off | drop | drop |
| 1 | 39724 | BLACKLIST | DNS request for known malware domain hi.getgo2.com - pisloader | off | drop | drop |
| 1 | 39725 | SERVER-WEBAPP | Drupal RESTWS restws_page_callback command injection attempt | off | drop | drop |
| 1 | 39726 | SERVER-WEBAPP | Drupal RESTWS restws_page_callback command injection attempt | off | drop | drop |
| 1 | 39727 | FILE-FLASH | Adobe Flash Player Rectangle constructor use after free attempt | off | drop | drop |
| 1 | 39728 | FILE-FLASH | Adobe Flash Player Rectangle constructor use after free attempt | off | drop | drop |
| 1 | 39729 | INDICATOR-COMPROMISE | binary download while image expected | off | off | off |
| 1 | 39730 | MALWARE-CNC | Win.Adware.Xiazai outbound connection attempt | off | drop | drop |
| 1 | 39731 | FILE-PDF | Adobe Reader malformed CID identity-H font file out of bounds read attempt | off | drop | drop |
| 1 | 39732 | FILE-PDF | Adobe Reader malformed CID identity-H font file out of bounds read attempt | off | drop | drop |
| 1 | 39733 | SERVER-WEBAPP | InBoundio Marketing for Wordpress plugin PHP file upload attempt | off | off | off |
Updated rules can be found at this link.