* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2017-02-16-001
Previous SRU number: 2017-02-14-001
Applies to:
This SEU number: 1616
Previous SEU: 1615
Applies to:
This is the complete list of rules added in SRU 2017-02-16-001 and SEU 1616.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 41643 | SERVER-WEBAPP | Wordpress xmlrpc.php multiple failed authentication response | off | off | off |
| 1 | 41644 | FILE-FLASH | Adobe Flash Player malformed DefineSprite tag memory corruption attempt | off | drop | drop |
| 1 | 41645 | FILE-FLASH | Adobe Flash Player malformed DefineSprite tag memory corruption attempt | off | drop | drop |
| 1 | 41647 | POLICY-OTHER | Piwik Analytics Platform PHP plugin installation detected | off | off | off |
| 1 | 41649 | POLICY-OTHER | Wordpress Press-This page access detected | off | off | off |
| 1 | 41650 | SERVER-WEBAPP | Wordpress Excerpt cross site scripting attempt | off | off | off |
| 1 | 41652 | SERVER-WEBAPP | Geutebruck IP Camera testaction.cgi command injection attempt | off | off | drop |
| 1 | 41653 | SERVER-WEBAPP | Geutebruck IP Camera testaction.cgi command injection attempt | off | off | drop |
| 1 | 41654 | SERVER-WEBAPP | Geutebruck IP Camera testaction.cgi command injection attempt | off | off | drop |
| 1 | 41655 | BLACKLIST | DNS request for known malware domain chrome-up.date - Win.Trojan.MagicHound | off | drop | drop |
| 1 | 41656 | BLACKLIST | User-Agent known malicious user-agent string - Win.Trojan.MagicHound | off | drop | drop |
| 1 | 41657 | MALWARE-CNC | Win.Trojan.MagicHound variant outbound connection attempt | off | drop | drop |
| 1 | 41658 | MALWARE-OTHER | Win.Trojan.MagicHound dropper document file detected | off | drop | drop |
| 1 | 41659 | MALWARE-OTHER | Win.Trojan.MagicHound dropper document file detected | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 41646 | PROTOCOL-SCADA | BB-Elec ethernet gateway DOS attempt | off | off | drop |
| 1 | 41648 | PROTOCOL-SCADA | SCADA Trace Mode DoS attempt | off | off | off |
| 1 | 41651 | SERVER-OTHER | Schneider Electric ETY Telnet DOS attempt | off | off | off |
Updated rules can be found at this link.