* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2016-09-16-001
Previous SRU number: 2016-09-15-001
Applies to:
This SEU number: 1546
Previous SEU: 1545
Applies to:
This is the complete list of rules added in SRU 2016-09-16-001 and SEU 1546.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State column gives the rule's state in each default Sourcefire policy: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec.
---|---|---|---|---|---|---
1 | 40224 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40225 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40226 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40227 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40228 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40229 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40230 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40231 | SERVER-WEBAPP | Cisco ASA WebVPN auth_handle cross site scripting attempt | off | off | drop
1 | 40232 | MALWARE-CNC | Win.Trojan.Injector external connection attempt | off | drop | drop
1 | 40233 | EXPLOIT-KIT | Sundown exploit kit landing page detected | off | drop | drop
1 | 40234 | MALWARE-CNC | Installation Keylogger Osx.Trojan.Mokes ping reply | off | drop | drop
1 | 40235 | MALWARE-CNC | Installation Keylogger Osx.Trojan.Mokes ping request | off | off | off
1 | 40236 | FILE-PDF | Adobe Reader embedded font out of bounds memory access attempt | off | drop | drop
1 | 40237 | FILE-PDF | Adobe Reader embedded font out of bounds memory access attempt | off | drop | drop
1 | 40238 | MALWARE-CNC | Win.Keylogger.AgentTesla variant outbound connection | off | drop | drop
3 | 40240 | SERVER-WEBAPP | Cisco WebEx Meetings Server config_dmz remote code execution attempt | off | drop | drop
GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec.
---|---|---|---|---|---|---
1 | 40220 | SERVER-OTHER | Cisco IOS Group-Prime memory disclosure attempt | off | drop | drop
1 | 40221 | SERVER-OTHER | Cisco IOS Group-Prime MD5 memory disclosure attempt | off | drop | drop
1 | 40222 | SERVER-OTHER | Cisco IOS Group-Prime SHA memory disclosure attempt | off | drop | drop
3 | 40239 | SERVER-OTHER | Cisco WebEx meetings server denial of service attempt | off | off | off
Updated rules can be found at this link.