This SRU number: 2017-01-24-001
Previous SRU number: 2017-01-20-001
Applies to:
This SEU number: 1603
Previous SEU: 1601
Applies to:
This is the complete list of rules added in SRU 2017-01-24-001 and SEU 1603.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State column gives the rule's state in each default Sourcefire policy: Connectivity, Balanced and Security.
The default passive policy state matches the Balanced policy state, except that alert is used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
GID | SID | Rule Group | Rule Message | Policy State (Con.) | Policy State (Bal.) | Policy State (Sec.) |
---|---|---|---|---|---|---|
3 | 41368 | FILE-OTHER | TRUFFLEHUNTER TALOS-2017-0273 attack attempt | off | off | off |
3 | 41369 | FILE-OTHER | TRUFFLEHUNTER TALOS-2017-0273 attack attempt | off | off | off |
3 | 41370 | FILE-OTHER | TRUFFLEHUNTER TALOS-2016-0269 attack attempt | off | drop | drop |
3 | 41371 | FILE-OTHER | TRUFFLEHUNTER TALOS-2016-0269 attack attempt | off | drop | drop |
3 | 41372 | FILE-IMAGE | Oracle Outside In libvs_gif out of bounds write attempt | off | off | drop |
3 | 41373 | FILE-IMAGE | Oracle Outside In libvs_gif out of bounds write attempt | off | off | drop |
1 | 41374 | MALWARE-CNC | Win.Trojan.NetWiredRC variant registration message | off | off | drop |
1 | 41375 | MALWARE-CNC | Win.Trojan.NetWiredRC variant check logs | off | off | drop |
1 | 41376 | MALWARE-CNC | Win.Trojan.NetWiredRC variant keepalive | off | off | drop |
1 | 41377 | BROWSER-IE | Microsoft Internet Explorer runtimeStyle use-after-free attempt | off | off | off |
1 | 41378 | BROWSER-IE | Microsoft Internet Explorer runtimeStyle use-after-free attempt | off | off | off |
1 | 41383 | SERVER-WEBAPP | PHP ZipArchive getFromIndex and getFromName integer overflow attempt | off | off | off |
1 | 41384 | SERVER-WEBAPP | PHP ZipArchive getFromIndex and getFromName integer overflow attempt | off | off | off |
1 | 41385 | BROWSER-IE | Microsoft Edge mutation event memory corruption attempt | off | off | drop |
1 | 41386 | BROWSER-IE | Microsoft Edge mutation event memory corruption attempt | off | off | drop |
1 | 41387 | SERVER-WEBAPP | ZyXEL P660HN ADSL Router logset.asp command injection attempt | off | off | drop |
1 | 41388 | SERVER-WEBAPP | ZyXEL P660HN ADSL Router viewlog.asp command injection attempt | off | off | drop |
1 | 41389 | POLICY-OTHER | Cisco Firepower Management Console rule import access detected | off | off | off |
1 | 41390 | SERVER-WEBAPP | Apache Commons Library FileUpload unauthorized Java object upload attempt | off | drop | drop |
1 | 41391 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41392 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41393 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41394 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41395 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41396 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41397 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41398 | FILE-IMAGE | Adobe Acrobat TIFF ICC tag heap buffer overflow attempt | off | drop | drop |
1 | 41399 | FILE-PDF | Adobe Acrobat Reader xfa subform use after free attempt | off | drop | drop |
1 | 41400 | FILE-PDF | Adobe Acrobat Reader xfa subform use after free attempt | off | drop | drop |
1 | 41401 | SERVER-WEBAPP | Billion 5200W ADSL Router adv_remotelog.asp command injection attempt | off | off | drop |
1 | 41402 | SERVER-WEBAPP | Billion 5200W ADSL Router tools_time.asp command injection attempt | off | off | drop |
1 | 41403 | BLACKLIST | User-Agent known malicious user-agent string - Visbot | off | drop | drop |
1 | 41404 | SERVER-WEBAPP | Joomla JCE multiple plugin arbitrary PHP file upload attempt | off | off | off |
1 | 41405 | BROWSER-IE | Microsoft Internet Explorer object property change use after free attempt | off | drop | drop |
1 | 41406 | BROWSER-IE | Microsoft Internet Explorer object property change use after free attempt | off | drop | drop |
1 | 41407 | BROWSER-OTHER | Cisco WebEx extension command execution attempt | off | drop | drop |
1 | 41408 | BROWSER-OTHER | Cisco WebEx extension command execution attempt | off | drop | drop |
1 | 41409 | POLICY-OTHER | Cisco WebEx explicit use of web plugin | off | off | off |
3 | 41410 | SERVER-WEBAPP | TRUFFLEHUNTER TALOS-2016-0229 attack attempt | off | off | drop |
GID | SID | Rule Group | Rule Message | Policy State (Con.) | Policy State (Bal.) | Policy State (Sec.) |
---|---|---|---|---|---|---|
1 | 41366 | SERVER-OTHER | IBM Tivoli Storage Manager FastBack server denial of service attempt | off | off | off |
3 | 41367 | SERVER-OTHER | TRUFFLEHUNTER TALOS-2016-0260 attack attempt | off | drop | drop |
1 | 41379 | SERVER-OTHER | Squid HTTP Vary response header denial of service attempt | off | off | off |
1 | 41380 | SERVER-OTHER | OpenLDAP BER Message denial of service attempt | off | off | off |
1 | 41381 | SERVER-OTHER | OpenLDAP BER Message denial of service attempt | off | off | off |
1 | 41382 | SERVER-OTHER | OpenLDAP BER Message denial of service attempt | off | off | off |
Updated rules can be found at this link.