* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2016-09-06-001
Previous SRU number: 2016-08-31-001
Applies to:
This SEU number: 1540
Previous SEU: 1539
Applies to:
This is the complete list of rules added in SRU 2016-09-06-001 and SEU 1540.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 40030 | SERVER-WEBAPP | FreePBX Module Administration config.php remotemod command injection attempt | off | off | drop |
| 1 | 40031 | SERVER-WEBAPP | FreePBX Module Administration config.php remotemod command injection attempt | off | off | drop |
| 1 | 40032 | SERVER-WEBAPP | FreePBX Module Administration config.php remotemod command injection attempt | off | off | drop |
| 1 | 40033 | SERVER-WEBAPP | FreePBX Module Administration config.php remotemod command injection attempt | off | off | drop |
| 1 | 40034 | EXPLOIT-KIT | Exploit kit embedded iframe redirection attempt | off | off | off |
| 1 | 40037 | PUA-ADWARE | Google Chrome Google Contacts extension adware | off | off | off |
| 1 | 40038 | SERVER-WEBAPP | PHP unserialize var_hash use-after-free attempt | off | off | off |
| 1 | 40039 | SERVER-WEBAPP | FreePBX config.php unauthenticated SQL injection attempt | off | off | drop |
| 1 | 40040 | SERVER-WEBAPP | FreePBX config.php unauthenticated SQL injection attempt | off | off | drop |
| 1 | 40041 | SERVER-WEBAPP | Meinberg LANTIME NTP appliance stack buffer overflow attempt | off | off | drop |
| 1 | 40042 | SERVER-WEBAPP | Meinberg LANTIME NTP appliance stack buffer overflow attempt | off | off | drop |
| 1 | 40043 | MALWARE-CNC | Win.Ransomware.Fantom outbound connection | off | drop | drop |
| 1 | 40044 | MALWARE-CNC | Win.Ransomware.Fantom post encryption outbound connection | off | drop | drop |
| 1 | 40045 | MALWARE-CNC | Win.Ransomware.Fantom post encryption outbound connection | off | drop | drop |
| 1 | 40046 | SERVER-OTHER | PHP locale_accept_from_http out of bounds read attempt | off | off | off |
| 1 | 40047 | SERVER-WEBAPP | Belkin F9K1122 webpage buffer overflow attempt | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 3 | 40048 | SERVER-OTHER | Cisco Application Control Engine SSL handshake parsing denial of service attempt | off | off | drop |
| 3 | 40049 | SERVER-OTHER | Cisco IOS PPTP control message response information disclosure detected | off | off | alert |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 40035 | FILE-IDENTIFY | XLSB file magic detected | off | off | off |
| 1 | 40036 | FILE-IDENTIFY | XLSB file magic detected | off | off | off |
Updated rules can be found at this link.