* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2017-01-09-001
Previous SRU number: 2017-01-05-001
Applies to:
This SEU number: 1594
Previous SEU: 1593
Applies to:
This is the complete list of rules added in SRU 2017-01-09-001 and SEU 1594.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State columns give the rule's state in each of the default Sourcefire policies: Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state, except that alert is used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
GID | SID | Rule Group | Rule Message | Connectivity | Balanced | Security
---|---|---|---|---|---|---
3 | 41137 | SERVER-OTHER | Cisco IOS XR command line interface privilege escalation attempt | off | off | off |
1 | 41138 | FILE-FLASH | Adobe Flash Player display list structure memory corruption attempt | off | drop | drop |
1 | 41139 | FILE-FLASH | Adobe Flash Player display list structure memory corruption attempt | off | drop | drop |
1 | 41140 | FILE-OFFICE | Microsoft Word Out-of-Bounds Write attempt | off | drop | drop |
1 | 41141 | FILE-OFFICE | Microsoft Word Out-of-Bounds Write attempt | off | drop | drop |
1 | 41142 | FILE-PDF | Adobe Acrobat animateSyncButton use after free attempt | off | drop | drop |
1 | 41143 | FILE-PDF | Adobe Acrobat animateSyncButton use after free attempt | off | drop | drop |
1 | 41144 | FILE-IMAGE | Adobe Reader malformed app13 marker memory corruption attempt | off | off | drop |
1 | 41145 | FILE-IMAGE | Adobe Reader malformed app13 marker memory corruption attempt | off | off | drop |
1 | 41146 | FILE-IMAGE | Adobe Reader malformed app13 marker memory corruption attempt | off | off | drop |
1 | 41147 | FILE-IMAGE | Adobe Reader malformed app13 marker memory corruption attempt | off | off | drop |
1 | 41148 | FILE-IMAGE | Adobe Reader malformed app13 marker memory corruption attempt | off | off | drop |
1 | 41149 | FILE-IMAGE | Adobe Reader malformed app13 marker memory corruption attempt | off | off | drop |
1 | 41150 | FILE-PDF | Adobe Acrobat Reader JavaScript navigation pane use after free attempt | off | drop | drop |
1 | 41151 | FILE-PDF | Adobe Acrobat Reader JavaScript navigation pane use after free attempt | off | drop | drop |
1 | 41152 | FILE-PDF | Adobe Acrobat Reader Forms Data Format embedded javascript attempt | off | drop | drop |
1 | 41153 | FILE-PDF | Adobe Acrobat Reader Forms Data Format embedded javascript attempt | off | drop | drop |
1 | 41154 | FILE-PDF | Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt | off | off | drop |
1 | 41155 | FILE-PDF | Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt | off | off | drop |
1 | 41156 | FILE-FLASH | Adobe Flash Player malformed ATF file length heap overflow attempt | off | drop | drop |
1 | 41157 | FILE-FLASH | Adobe Flash Player malformed ATF file length heap overflow attempt | off | drop | drop |
1 | 41158 | FILE-FLASH | Adobe Flash Player visual blend out of bounds read attempt | off | drop | drop |
1 | 41159 | FILE-FLASH | Adobe Flash Player visual blend out of bounds read attempt | off | drop | drop |
1 | 41160 | FILE-FLASH | Acrobat Flash FileReference class use-after-free memory corruption attempt | off | drop | drop |
1 | 41161 | FILE-FLASH | Acrobat Flash FileReference class use-after-free memory corruption attempt | off | drop | drop |
1 | 41162 | MALWARE-CNC | Js.Trojan.Nemucod variant | off | drop | drop |
1 | 41163 | FILE-PDF | Adobe Acrobat Reader XSL stylesheet heap overflow attempt | off | off | drop |
1 | 41164 | FILE-PDF | Adobe Acrobat Reader XSL stylesheet heap overflow attempt | off | off | drop |
1 | 41165 | FILE-FLASH | Acrobat Flash FileReference class use-after-free memory corruption attempt | off | drop | drop |
1 | 41166 | FILE-FLASH | Acrobat Flash FileReference class use-after-free memory corruption attempt | off | drop | drop |
1 | 41167 | BLACKLIST | DNS request for known malware domain himalayard.de - Win.Trojan.August | off | drop | drop |
1 | 41168 | BLACKLIST | DNS request for known malware domain krusingtheworld.de - Win.Trojan.August | off | drop | drop |
1 | 41169 | BLACKLIST | DNS request for known malware domain muralegdanskzaspa.eu - Win.Trojan.August | off | drop | drop |
1 | 41170 | BLACKLIST | DNS request for known malware domain overstockage.com - Win.Trojan.August | off | drop | drop |
1 | 41171 | BLACKLIST | DNS request for known malware domain pg4pszczyna.edu.pl - Win.Trojan.August | off | drop | drop |
1 | 41172 | BLACKLIST | DNS request for known malware domain thedragon318.com - Win.Trojan.August | off | drop | drop |
1 | 41173 | MALWARE-CNC | Win.Trojan.August variant outbound connection attempt | off | drop | drop |
1 | 41174 | MALWARE-CNC | Win.Trojan.August variant outbound connection attempt | off | drop | drop |
1 | 41175 | MALWARE-CNC | Win.Trojan.August variant outbound connection attempt | off | drop | drop |
1 | 41176 | MALWARE-CNC | Win.Trojan.August variant outbound connection attempt | off | drop | drop |
1 | 41177 | MALWARE-CNC | Win.Trojan.August variant outbound connection attempt | off | drop | drop |
1 | 41178 | MALWARE-CNC | Win.Trojan.August variant outbound connection attempt | off | drop | drop |
1 | 41179 | MALWARE-CNC | Win.Trojan.August variant post compromise download attempt | off | drop | drop |
1 | 41180 | MALWARE-CNC | Win.Trojan.August variant post compromise download attempt | off | drop | drop |
1 | 41181 | FILE-IMAGE | Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt | off | drop | drop |
1 | 41182 | FILE-IMAGE | Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt | off | drop | drop |
1 | 41183 | FILE-IMAGE | Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt | off | drop | drop |
1 | 41184 | FILE-IMAGE | Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt | off | drop | drop |
1 | 41185 | POLICY-OTHER | SunRPC Portmap GETPORT request detected | off | off | off |
1 | 41186 | POLICY-OTHER | SunRPC Portmap GETPORT request detected | off | off | off |
1 | 41190 | POLICY-OTHER | Adobe Flash SMTP MIME attachment detected | off | off | off |
1 | 41191 | POLICY-OTHER | Adobe Flash SMTP MIME attachment detected | off | off | off |
1 | 41192 | POLICY-OTHER | Adobe Flash SMTP MIME attachment detected | off | off | off |
1 | 41193 | FILE-PDF | Adobe Acrobat XFA engine stack buffer overflow attempt | off | drop | drop |
1 | 41194 | FILE-PDF | Adobe Acrobat XFA engine stack buffer overflow attempt | off | drop | drop |
GID | SID | Rule Group | Rule Message | Connectivity | Balanced | Security
---|---|---|---|---|---|---
1 | 41187 | SERVER-WEBAPP | IBM Lotus Domino BOX mailbox information disclosure attempt | off | off | off |
1 | 41188 | SERVER-WEBAPP | IBM Lotus Domino NSF database information disclosure attempt | off | off | off |
1 | 41189 | SERVER-WEBAPP | IBM Lotus Domino srvnam.htm information disclosure attempt | off | off | off |
Updated rules can be found at this link.