* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2017-04-25-003
Previous SRU number: 2017-04-19-002
Applies to:
This SEU number: 1662
Previous SEU: 1659
Applies to:
This is the complete list of rules added in SRU 2017-04-25-003 and SEU 1662.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 3 | 42313 | FILE-PDF | TRUFFLEHUNTER TALOS-2017-0322 attack attempt | off | drop | drop |
| 3 | 42314 | FILE-PDF | TRUFFLEHUNTER TALOS-2017-0322 attack attempt | off | drop | drop |
| 1 | 42315 | FILE-PDF | Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt | off | off | off |
| 1 | 42316 | FILE-PDF | Adobe Acrobat malformed JPEG 2000 codestream tile height out of bounds read attempt | off | off | off |
| 1 | 42317 | FILE-PDF | Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt | off | off | off |
| 1 | 42318 | FILE-PDF | Adobe Acrobat malformed JPEG 2000 codestream width out of bounds read attempt | off | off | off |
| 3 | 42319 | FILE-PDF | TRUFFLEHUNTER TALOS-2017-0321 attack attempt | off | off | off |
| 3 | 42320 | FILE-PDF | TRUFFLEHUNTER TALOS-2017-0321 attack attempt | off | off | off |
| 3 | 42321 | FILE-OTHER | TRUFFLEHUNTER TALOS-2017-0324 attack attempt | off | off | drop |
| 3 | 42322 | FILE-OTHER | TRUFFLEHUNTER TALOS-2017-0324 attack attempt | off | off | drop |
| 1 | 42323 | SERVER-WEBAPP | IOServer OPC Server directory traversal exploitation attempt | off | off | off |
| 1 | 42324 | FILE-IMAGE | Adobe Acrobat Reader overly large segment size out of bounds read attempt | off | drop | drop |
| 1 | 42325 | FILE-IMAGE | Adobe Acrobat Reader overly large segment size out of bounds read attempt | off | drop | drop |
| 1 | 42326 | SERVER-OTHER | Zabbix Server Trapper code execution attempt | off | drop | drop |
| 1 | 42327 | SERVER-WEBAPP | Cpanel cgiemail format string code execution attempt | off | off | drop |
| 1 | 42328 | SERVER-WEBAPP | Cpanel cgiemail format string code execution attempt | off | off | drop |
| 1 | 42329 | MALWARE-CNC | Win.Trojan.Doublepulsar variant successful ping response | off | drop | drop |
| 1 | 42330 | MALWARE-CNC | Win.Trojan.Doublepulsar variant successful injection response | off | drop | drop |
| 1 | 42331 | MALWARE-CNC | Win.Trojan.Doublepulsar variant process injection command | off | drop | drop |
| 1 | 42332 | MALWARE-CNC | Win.Trojan.Doublepulsar variant ping command | off | off | off |
| 1 | 42333 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt | off | off | drop |
| 1 | 42334 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt | off | off | drop |
| 1 | 42335 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance admin_sys_time.cgi command injection attempt | off | off | drop |
| 1 | 42336 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance logoff.cgi directory traversal attempt | off | drop | drop |
| 1 | 42337 | INDICATOR-COMPROMISE | Zabbix Proxy configuration containing script detected | off | off | drop |
| 1 | 42341 | FILE-PDF | Adobe PDF CFF font parsing memory corruption vulnerability attempt | off | off | off |
| 1 | 42342 | FILE-PDF | Adobe PDF CFF font parsing memory corruption vulnerability attempt | off | off | off |
| 1 | 42343 | FILE-PDF | Adobe PDF CFF font parsing memory corruption vulnerability attempt | off | off | off |
| 1 | 42344 | FILE-PDF | Adobe PDF CFF font parsing memory corruption vulnerability attempt | off | off | off |
| 1 | 42345 | SERVER-WEBAPP | Tenable Appliance simpleupload.py command injection attempt | off | off | drop |
| 1 | 42346 | SERVER-WEBAPP | Tenable Appliance simpleupload.py command injection attempt | off | off | drop |
| 1 | 42347 | SERVER-WEBAPP | Tenable Appliance simpleupload.py command injection attempt | off | off | drop |
| 1 | 42348 | MALWARE-CNC | Win.Trojan.QQPass variant outbound connection attempt | off | drop | drop |
| 3 | 42352 | FILE-PDF | TRUFFLEHUNTER TALOS-2017-0319 attack attempt | off | off | off |
| 3 | 42353 | FILE-PDF | TRUFFLEHUNTER TALOS-2017-0319 attack attempt | off | off | off |
| 1 | 42354 | SERVER-WEBAPP | Squirrelmail sendmail delivery parameter injection attempt | off | off | drop |
| 1 | 42355 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42356 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42357 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42358 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42359 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42360 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42361 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| 1 | 42362 | SERVER-OTHER | 389-ds-base bind code execution attempt | off | off | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 42338 | OS-WINDOWS | Microsoft Windows SMB large NT RENAME transaction request information leak attempt | off | drop | drop |
| 1 | 42339 | OS-WINDOWS | Microsoft Windows SMB possible leak of kernel heap memory | off | drop | drop |
| 1 | 42340 | OS-WINDOWS | Microsoft Windows SMB anonymous session IPC share access attempt | off | off | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 42349 | PROTOCOL-SCADA | InduSoft Web Studio CEServer buffer overflow attempt | off | off | off |
| 1 | 42350 | PROTOCOL-SCADA | InduSoft Web Studio CEServer buffer overflow attempt | off | off | off |
| 1 | 42351 | PROTOCOL-SCADA | InduSoft Web Studio CEServer buffer overflow attempt | off | off | off |
| 1 | 42363 | FILE-IDENTIFY | bzip2 compressed file detected | off | off | off |
| 1 | 42364 | FILE-IDENTIFY | bzip2 compressed file detected | off | off | off |
| 1 | 42365 | FILE-IDENTIFY | bzip2 compressed file detected | off | off | off |
| 1 | 42366 | FILE-IDENTIFY | XZ compressed file detected | off | off | off |
| 1 | 42367 | FILE-IDENTIFY | XZ compressed file detected | off | off | off |
| 1 | 42368 | FILE-IDENTIFY | XZ compressed file detected | off | off | off |
| 1 | 42369 | FILE-IDENTIFY | gzip compressed file detected | off | off | off |
| 1 | 42370 | FILE-IDENTIFY | gzip compressed file detected | off | off | off |
| 1 | 42371 | FILE-IDENTIFY | gzip compressed file detected | off | off | off |
| 1 | 42372 | POLICY-OTHER | eicar file detected | off | off | drop |
| 1 | 42373 | POLICY-OTHER | eicar file detected | off | off | off |
| 1 | 42374 | POLICY-OTHER | eicar file detected | off | off | off |
| 1 | 42375 | POLICY-OTHER | eicar file detected | off | off | off |
| 1 | 42376 | POLICY-OTHER | eicar file detected | off | off | off |
Updated rules can be found at this link.