* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2017-05-01-002
Previous SRU number: 2017-04-26-001
Applies to:
This SEU number: 1665
Previous SEU: 1663
Applies to:
This is the complete list of rules added in SRU 2017-05-01-002 and SEU 1665.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 42403 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance cache_id command injection attempt | off | off | drop |
| 1 | 42404 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance cache_id command injection attempt | off | off | drop |
| 1 | 42405 | SERVER-WEBAPP | Trend Micro Threat Discovery Appliance cache_id command injection attempt | off | off | drop |
| 1 | 42406 | SERVER-WEBAPP | WePresent WiPG admin backdoor login attempt | off | off | drop |
| 1 | 42407 | SERVER-WEBAPP | WePresent WiPG rdfs.cgi command injection attempt | off | off | drop |
| 1 | 42408 | SERVER-WEBAPP | WePresent WiPG rdfs.cgi command injection attempt | off | off | drop |
| 1 | 42409 | SERVER-WEBAPP | WePresent WiPG rdfs.cgi command injection attempt | off | off | drop |
| 1 | 42410 | SERVER-WEBAPP | WePresent WiPG rdtool backdoor login attempt | off | off | drop |
| 1 | 42411 | SERVER-WEBAPP | WePresent WiPG session id check bypass attempt | off | off | drop |
| 1 | 42414 | FILE-PDF | Adobe PDF JavaScript engine use after free memory corruption attempt | off | off | drop |
| 1 | 42415 | FILE-PDF | Adobe PDF JavaScript engine use after free memory corruption attempt | off | off | drop |
| 1 | 42416 | BROWSER-IE | Microsoft Internet Explorer IE11 memory corruption attempt | off | off | drop |
| 1 | 42417 | BROWSER-IE | Microsoft Internet Explorer IE8 mode menu tag out-of-bounds access attempt | off | off | drop |
| 1 | 42418 | FILE-EXECUTABLE | Win.Trojan.DoubleAgent download attempt | off | off | off |
| 1 | 42419 | FILE-EXECUTABLE | Win.Trojan.DoubleAgent download attempt | off | off | off |
| 1 | 42420 | SERVER-OTHER | HP Operations Agent for NonStop server HEALTH packet parsing stack buffer overflow attempt | off | off | off |
| 1 | 42421 | MALWARE-CNC | Win.Trojan.Cerber variant inbound connection attempt | off | drop | drop |
| 1 | 42424 | POLICY-OTHER | MSSQL CLR permission set to unsafe attempt | off | off | drop |
| 1 | 42425 | MALWARE-CNC | Win.Trojan.ChChes set cookie tag inbound connection | off | drop | drop |
| 1 | 42426 | SERVER-WEBAPP | Phpcms attachment upload SQL injection attempt | off | off | drop |
| 1 | 42427 | SERVER-WEBAPP | Phpcms attachment upload SQL injection attempt | off | off | drop |
| 1 | 42428 | SERVER-WEBAPP | Phpcms attachment upload SQL injection attempt | off | off | drop |
| 1 | 42429 | SERVER-WEBAPP | Phpcms user registration remote file include attempt | off | off | drop |
| 1 | 42430 | SERVER-WEBAPP | Phpcms user registration remote file include attempt | off | off | drop |
| 3 | 42431 | SERVER-WEBAPP | TRUFFLEHUNTER TALOS-2017-0332 attack attempt | off | off | drop |
| GID | SID | Rule Group | Rule Message | Policy State | ||
|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | ||||
| 1 | 42412 | FILE-OTHER | Adobe Director rcsL chunk parsing denial of service attempt | off | off | off |
| 1 | 42413 | FILE-OTHER | Adobe Director rcsL chunk parsing denial of service attempt | off | off | off |
| 1 | 42422 | FILE-OTHER | Adobe Director rcsL chunk parsing denial of service attempt | off | off | off |
| 1 | 42423 | FILE-OTHER | Adobe Director rcsL chunk parsing denial of service attempt | off | off | off |
Updated rules can be found at this link.