* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2018-02-26-001
Previous SRU number: 2018-02-22-001
Applies to:
This SEU number: 1804
Previous SEU: 1803
Applies to:
This is the complete list of rules modified in SRU 2018-02-26-001 and SEU 1804.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each of the default Sourcefire policies: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).
The default passive policy state is the same as the Balanced policy state, except that alert is used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec. |
---|---|---|---|---|---|---|
1 | 10113 | MALWARE-CNC | Win.Trojan.Peacomm command and control propagation detected | off | alert | alert |
1 | 10114 | MALWARE-CNC | Win.Trojan.Peacomm command and control propagation detected | off | alert | alert |
1 | 10184 | MALWARE-BACKDOOR | wow 23 runtime detection | off | off | off |
1 | 16271 | MALWARE-CNC | Win.Trojan.TDSS.1.Gen keepalive detection | off | off | off |
1 | 19029 | MALWARE-CNC | Win.Trojan.PcClient.AI variant outbound connection | off | off | off |
1 | 19123 | MALWARE-CNC | Dropper Win.Trojan.Cefyns.A variant outbound connection | off | off | off |
1 | 19471 | POLICY-OTHER | dnstunnel v0.5 outbound traffic detected | off | off | off |
1 | 20120 | OS-WINDOWS | Microsoft Windows WINS internal communications on network exploit attempt | off | off | off |
1 | 20233 | MALWARE-CNC | Win.Trojan.Virut variant outbound connection | off | off | off |
1 | 21544 | MALWARE-CNC | Possible host infection - excessive DNS queries for .eu | off | off | off |
1 | 21545 | MALWARE-CNC | Possible host infection - excessive DNS queries for .ru | off | off | off |
1 | 21546 | MALWARE-CNC | Possible host infection - excessive DNS queries for .cn | off | off | off |
1 | 23115 | SERVER-MYSQL | MySQL/MariaDB client authentication bypass attempt | off | off | off |
1 | 23381 | MALWARE-BACKDOOR | Win.Trojan.Thoper.C runtime detection | off | off | off |
1 | 24265 | MALWARE-OTHER | Malicious UA detected on non-standard port | off | drop | drop |
1 | 25907 | SERVER-WEBAPP | PHPmyadmin brute force login attempt - User-Agent User-Agent | off | off | off |
1 | 27240 | SERVER-OTHER | multiple vendors IPMI RAKP username brute force attempt | off | off | off |
1 | 27536 | APP-DETECT | TCP over DNS response attempt | off | off | off |
1 | 27540 | APP-DETECT | OzymanDNS dns tunneling up attempt | off | off | off |
1 | 27541 | APP-DETECT | OzymanDNS dns tunneling down attempt | off | off | off |
1 | 27669 | APP-DETECT | Heyoka outbound communication attempt | off | off | off |
1 | 27700 | APP-DETECT | NSTX DNS tunnel outbound connection attempt | off | off | off |
1 | 27929 | APP-DETECT | Splashtop communication attempt | off | off | off |
1 | 28005 | MALWARE-CNC | Win.Trojan.Kuluoz outbound command | off | drop | drop |
1 | 28849 | SERVER-WEBAPP | WordPress XMLRPC potential port-scan attempt | off | off | off |
1 | 2923 | NETBIOS | SMB repeated logon failure | off | off | off |
1 | 2924 | NETBIOS | SMB-DS repeated logon failure | off | off | off |
1 | 30802 | PROTOCOL-SCADA | Yokogawa CENTUM CS 3000 bkclogserv buffer overflow attempt | off | drop | drop |
1 | 3152 | SQL | sa brute force failed login attempt | off | off | off |
1 | 31814 | MALWARE-CNC | Win.Trojan.Darkcomet outbound keepalive signal sent | off | off | off |
1 | 3273 | SQL | sa brute force failed login unicode attempt | off | off | off |
1 | 33429 | POLICY-OTHER | Microsoft Windows SMB potential group policy fallback exploit attempt | off | off | off |
1 | 35029 | MALWARE-CNC | Win.Keylogger.Lotronc variant outbound connection | off | drop | drop |
1 | 36379 | POLICY-OTHER | dnstunnel v0.5 outbound traffic detected | off | off | off |
1 | 36454 | SERVER-OTHER | multiple products WinExec function remote code execution attempt | off | off | off |
1 | 37891 | INDICATOR-OBFUSCATION | DNS tunneling attempt | off | off | off |
1 | 37892 | INDICATOR-OBFUSCATION | DNS tunneling attempt | off | off | off |
1 | 38514 | MALWARE-CNC | Win.Trojan.Sweeper outbound connection | off | drop | drop |
1 | 38515 | MALWARE-CNC | Win.Trojan.Sweeper outbound connection | off | drop | drop |
1 | 38516 | MALWARE-CNC | Win.Trojan.Sweeper outbound connection | off | drop | drop |
1 | 40063 | OS-LINUX | Linux Kernel Challenge ACK provocation attempt | off | off | off |
1 | 40340 | MALWARE-CNC | Win.Trojan.Cry variant outbound connection | off | drop | drop |
1 | 40883 | SERVER-WEBAPP | WordPress XMLRPC pingback ddos attempt | off | drop | drop |
1 | 41920 | SERVER-WEBAPP | McAfee Virus Scan Linux authentication token brute force attempt | off | off | off |
1 | 42133 | SERVER-APACHE | Apache mod_session_crypto padding oracle brute force attempt | off | off | off |
1 | 42451 | SERVER-WEBAPP | MCA Sistemas ScadaBR index.php brute force login attempt | off | off | off |
1 | 44434 | SERVER-APACHE | Apache HTTP Server possible OPTIONS method memory leak attempt | off | off | off |
1 | 44651 | NETBIOS | SMB NTLMSSP authentication brute force attempt | off | off | off |
1 | 4984 | SQL | sa brute force failed login unicode attempt | off | off | off |
GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec. |
---|---|---|---|---|---|---|
1 | 12002 | PROTOCOL-VOIP | BYE flood | off | off | off |
1 | 12003 | PROTOCOL-VOIP | CANCEL flood | off | off | off |
1 | 12004 | PROTOCOL-VOIP | INVITE message Content-Length header size of zero | off | off | off |
1 | 15522 | SERVER-OTHER | Active Directory invalid OID denial of service attempt | off | off | off |
1 | 15578 | MALWARE-TOOLS | Slowloris http DoS tool | off | off | off |
1 | 19318 | MALWARE-OTHER | Dos.Tool.LOIC UDP default U dun goofed attack | off | off | off |
1 | 19319 | MALWARE-OTHER | Dos.Tool.LOIC TCP default U dun goofed attack | off | off | off |
1 | 19389 | PROTOCOL-VOIP | REGISTER flood | off | off | off |
1 | 19869 | MALWARE-TOOLS | Anonymous PHP RefRef DoS tool | off | off | off |
1 | 20138 | SERVER-OTHER | Nortel Networks Multiple UNIStim VoIP Products Remote Eavesdrop Attempt | off | off | off |
1 | 20212 | SERVER-OTHER | SSL CBC encryption mode weakness brute force attempt | off | off | off |
1 | 20393 | PROTOCOL-VOIP | BYE flood | off | off | off |
1 | 20394 | PROTOCOL-VOIP | CANCEL flood | off | off | off |
1 | 20395 | PROTOCOL-VOIP | REGISTER flood | off | off | off |
1 | 20396 | PROTOCOL-VOIP | INVITE flood attempt | off | off | off |
1 | 20397 | PROTOCOL-VOIP | INVITE flood | off | off | off |
1 | 20421 | PROTOCOL-VOIP | INVITE message Content-Length header size of zero | off | off | off |
1 | 20436 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
1 | 20437 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
1 | 20438 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
1 | 20439 | MALWARE-TOOLS | THC SSL renegotiation DOS attempt | off | off | off |
1 | 21092 | MALWARE-TOOLS | JavaScript LOIC attack | off | drop | drop |
1 | 21445 | SERVER-OTHER | vsFTPd denial of service attempt | off | off | off |
1 | 21513 | MALWARE-TOOLS | HOIC http denial of service attack | off | drop | drop |
1 | 21608 | PROTOCOL-VOIP | Digium Asterisk IAX2 call number denial of service | off | off | off |
1 | 21817 | PROTOCOL-DNS | excessive queries of type ANY - potential DoS | off | off | off |
1 | 2273 | PROTOCOL-IMAP | login brute force attempt | off | off | off |
1 | 2274 | PROTOCOL-POP | login brute force attempt | off | off | off |
1 | 2275 | SERVER-MAIL | AUTH LOGON brute force attempt | off | off | off |
1 | 22953 | MALWARE-TOOLS | Hulk denial of service attempt | off | off | off |
1 | 23360 | SERVER-IIS | tilde character file name discovery attempt | off | off | off |
1 | 23998 | SERVER-OTHER | DHCP discover broadcast flood attempt | off | off | off |
1 | 24395 | MALWARE-OTHER | itsoknoproblembro TCP flood | off | off | off |
1 | 24396 | MALWARE-OTHER | itsoknoproblembro UDP flood | off | off | off |
1 | 24908 | SERVER-MYSQL | Oracle MySQL user enumeration attempt | off | off | off |
1 | 25101 | SERVER-OTHER | Cisco IOS syslog message flood denial of service attempt | off | off | off |
1 | 2523 | SERVER-OTHER | BGP spoofed connection reset attempt | off | off | off |
1 | 25825 | SERVER-OTHER | TLSv1.0 plaintext recovery attempt | off | off | off |
1 | 25826 | SERVER-OTHER | TLSv1.1 plaintext recovery attempt | off | off | off |
1 | 25827 | SERVER-OTHER | TLSv1.2 plaintext recovery attempt | off | off | off |
1 | 25828 | SERVER-OTHER | SSLv3 plaintext recovery attempt | off | off | off |
1 | 26321 | NETBIOS | SMB named pipe bruteforce attempt | off | off | off |
1 | 26557 | SERVER-WEBAPP | Wordpress brute-force login attempt | off | off | off |
1 | 26645 | SERVER-OTHER | SSL TLS deflate compression weakness brute force attempt | off | off | off |
1 | 26759 | SERVER-OTHER | MIT Kerberos libkdb_ldap principal name handling denial of service attempt | off | off | off |
1 | 26981 | SERVER-WEBAPP | WordPress login denial of service attempt | off | off | off |
1 | 27225 | SERVER-OTHER | Adobe ColdFusion JRun error page getWriter denial of service attempt | off | off | off |
1 | 27899 | PROTOCOL-VOIP | Possible SIP OPTIONS service information gathering attempt | off | off | off |
1 | 27900 | PROTOCOL-VOIP | Excessive number of SIP 4xx responses potential user or password guessing attempt | off | off | off |
1 | 27901 | PROTOCOL-VOIP | Ghost call attack attempt | off | off | off |
1 | 27902 | PROTOCOL-VOIP | Possible SIP OPTIONS service information gathering attempt | off | off | off |
1 | 27903 | PROTOCOL-VOIP | Ghost call attack attempt | off | off | off |
1 | 27904 | PROTOCOL-VOIP | Excessive number of SIP 4xx responses potential user or password guessing attempt | off | off | off |
1 | 27938 | PROTOCOL-DNS | IPv6 host name enumeration | off | off | off |
1 | 28532 | MALWARE-TOOLS | PyLoris http DoS tool | off | off | off |
1 | 29362 | SERVER-OTHER | Novell NetWare AFP denial of service attempt | off | off | off |
1 | 29393 | SERVER-OTHER | ntp monlist denial of service attempt | off | off | off |
1 | 29715 | SERVER-IIS | Microsoft Windows ASP .NET denial of service attempt | off | off | off |
1 | 30339 | SERVER-OTHER | Cisco Catalyst telnet memory leak denial of service attempt | off | off | off |
1 | 30510 | SERVER-OTHER | OpenSSL SSLv3 heartbeat read overrun attempt | off | drop | drop |
1 | 30511 | SERVER-OTHER | OpenSSL TLSv1 heartbeat read overrun attempt | off | drop | drop |
1 | 30512 | SERVER-OTHER | OpenSSL TLSv1.1 heartbeat read overrun attempt | off | drop | drop |
1 | 30513 | SERVER-OTHER | OpenSSL TLSv1.2 heartbeat read overrun attempt | off | drop | drop |
1 | 30711 | SERVER-OTHER | OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt | off | drop | drop |
1 | 30712 | SERVER-OTHER | OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt | off | drop | drop |
1 | 30713 | SERVER-OTHER | OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt | off | drop | drop |
1 | 30714 | SERVER-OTHER | OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt | off | drop | drop |
1 | 30715 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt | off | drop | drop |
1 | 30716 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt | off | drop | drop |
1 | 30717 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt | off | drop | drop |
1 | 30718 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt | off | drop | drop |
1 | 30727 | SERVER-OTHER | OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt | off | drop | drop |
1 | 30728 | SERVER-OTHER | OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt | off | drop | drop |
1 | 30729 | SERVER-OTHER | OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt | off | drop | drop |
1 | 30730 | SERVER-OTHER | OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt | off | drop | drop |
1 | 30731 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt | off | drop | drop |
1 | 30732 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt | off | drop | drop |
1 | 30733 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt | off | drop | drop |
1 | 30734 | SERVER-OTHER | OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt | off | drop | drop |
1 | 31082 | SERVER-OTHER | Vino VNC multiple client authentication denial of service attempt | off | off | off |
1 | 31180 | SERVER-OTHER | OpenSSL DTLS handshake recursion denial of service attempt | off | off | off |
1 | 31181 | SERVER-OTHER | OpenSSL DTLS handshake recursion denial of service attempt | off | off | off |
1 | 31304 | SERVER-WEBAPP | PocketPAD brute-force login attempt | off | off | off |
1 | 32204 | SERVER-OTHER | SSLv3 POODLE CBC padding brute force attempt | off | off | off |
1 | 32205 | SERVER-OTHER | SSLv3 POODLE CBC padding brute force attempt | off | off | off |
1 | 32381 | SERVER-OTHER | OpenSSL DTLS SRTP extension parsing denial-of-service attempt | off | off | off |
1 | 32382 | SERVER-OTHER | OpenSSL DTLS SRTP extension parsing denial-of-service attempt | off | off | off |
1 | 32465 | SERVER-OTHER | OpenSSL TLS large number of session tickets sent - possible dos attempt | off | off | off |
1 | 32466 | SERVER-OTHER | OpenSSL TLS large number of session tickets sent - possible dos attempt | off | off | off |
1 | 32467 | SERVER-OTHER | OpenSSL TLS large number of session tickets sent - possible dos attempt | off | off | off |
1 | 32468 | SERVER-OTHER | OpenSSL TLS large number of session tickets sent - possible dos attempt | off | off | off |
1 | 32647 | SERVER-MYSQL | Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt | off | off | off |
1 | 32648 | SERVER-MYSQL | Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt | off | off | off |
1 | 32649 | SERVER-MYSQL | Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt | off | off | off |
1 | 32650 | SERVER-MYSQL | Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt | off | off | off |
1 | 32651 | SERVER-MYSQL | Oracle MySQL Server InnoDB Memcached plugin resource exhaustion attempt | off | off | off |
1 | 32755 | SERVER-OTHER | TLSv1.0 POODLE CBC padding brute force attempt | off | off | off |
1 | 32756 | SERVER-OTHER | TLSv1.1 POODLE CBC padding brute force attempt | off | off | off |
1 | 32757 | SERVER-OTHER | TLSv1.2 POODLE CBC padding brute force attempt | off | off | off |
1 | 32758 | SERVER-OTHER | TLSv1.0 POODLE CBC padding brute force attempt | off | off | off |
1 | 32759 | SERVER-OTHER | TLSv1.1 POODLE CBC padding brute force attempt | off | off | off |
1 | 32760 | SERVER-OTHER | TLSv1.2 POODLE CBC padding brute force attempt | off | off | off |
1 | 32952 | SERVER-WEBAPP | iCloud Apple ID brute-force login attempt | off | off | off |
1 | 33583 | PROTOCOL-DNS | ISC BIND recursive resolver resource consumption denial of service attempt | off | off | off |
1 | 33654 | SERVER-OTHER | OpenSSH maxstartup threshold connection exhaustion denial of service attempt | off | off | off |
1 | 34112 | SERVER-OTHER | NTP mode 6 REQ_NONCE denial of service attempt | off | off | off |
1 | 34114 | SERVER-OTHER | NTP mode 6 UNSETTRAP denial of service attempt | off | off | off |
1 | 34213 | SERVER-WEBAPP | WordPress overly large password class-phpass.php denial of service attempt | off | off | off |
1 | 34288 | SERVER-OTHER | Windows iSCSI target login request Denial of Service attempt | off | off | off |
1 | 34306 | SERVER-WEBAPP | Subversion HTTP excessive REPORT requests denial of service attempt | off | off | off |
1 | 34475 | SERVER-WEBAPP | Wordpress username enumeration attempt | off | off | off |
1 | 35406 | SERVER-APACHE | Apache HTTP Server mod_status heap buffer overflow attempt | off | off | off |
1 | 3542 | SQL | SA brute force login attempt | off | off | off |
1 | 3543 | SQL | SA brute force login attempt TDS v7/8 | off | off | off |
1 | 36194 | POLICY-OTHER | BitTorrent distributed reflected denial-of-service attempt | off | off | off |
1 | 36493 | SERVER-OTHER | Squid snmphandleUDP off-by-one buffer overflow attempt | off | off | off |
1 | 38622 | SERVER-OTHER | ISC BIND malformed control channel authentication message denial of service attempt | off | off | off |
1 | 42893 | SERVER-WEBAPP | Eaton VURemote denial of service attempt | off | off | off |
1 | 43227 | PROTOCOL-SCADA | IEC 104 force off denial of service attempt | off | off | off |
1 | 43228 | PROTOCOL-SCADA | IEC 104 force on denial of service attempt | off | off | off |
1 | 43252 | PROTOCOL-SCADA | IEC 61850 device connection enumeration attempt | off | off | off |
1 | 43253 | PROTOCOL-SCADA | IEC 61850 virtual manufacturing device domain variable enumeration attempt | off | off | off |
1 | 43846 | SERVER-OTHER | ISC BIND malformed control channel authentication message denial of service attempt | off | off | off |
1 | 43928 | PROTOCOL-OTHER | NETBIOS Session Service header length field denial of service attempt | off | off | off |
1 | 45157 | SERVER-OTHER | SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt | off | off | off |
1 | 45164 | POLICY-OTHER | RPC Portmapper version 3 dump request attempt | off | off | off |
1 | 45165 | POLICY-OTHER | RPC Portmapper version 2 dump request attempt | off | off | off |
1 | 45166 | POLICY-OTHER | RPC Portmapper getstat request attempt | off | off | off |
1 | 45499 | SERVER-OTHER | ISC DHCPD remote denial of service attempt | off | off | off |
1 | 45568 | SERVER-SAMBA | Samba LDAP Server libldb denial of service attempt | off | off | off |
1 | 45577 | PROTOCOL-VOIP | Mr.SIP invite request denial of service attempt | off | off | off |
1 | 45578 | PROTOCOL-VOIP | Mr.SIP options request denial of service attempt | off | off | off |
1 | 45579 | PROTOCOL-VOIP | Mr.SIP subscribe request denial of service attempt | off | off | off |
1 | 45580 | PROTOCOL-VOIP | Mr.SIP invite request denial of service attempt | off | off | off |
1 | 45581 | PROTOCOL-VOIP | Mr.SIP options request denial of service attempt | off | off | off |
1 | 45582 | PROTOCOL-VOIP | Mr.SIP subscribe request denial of service attempt | off | off | off |
1 | 9622 | SERVER-OTHER | Spiffit UDP denial of service attempt | off | off | off |
GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec. |
---|---|---|---|---|---|---|
1 | 15259 | PROTOCOL-DNS | DNS root query traffic amplification attempt | off | off | off |
1 | 15260 | PROTOCOL-DNS | DNS root query response traffic amplification attempt | off | off | off |
1 | 15414 | PROTOCOL-SCADA | OMRON-FINS program area protect clear brute force attempt | off | off | off |
1 | 20398 | PROTOCOL-VOIP | Response code 420 Bad Extension response flood | off | off | off |
1 | 20399 | PROTOCOL-VOIP | Response code 420 Bad Extension response flood | off | off | off |
1 | 20400 | PROTOCOL-VOIP | Response code 415 Unsupported Media Type response flood | off | off | off |
1 | 20401 | PROTOCOL-VOIP | Response code 415 Unsupported Media Type response flood | off | off | off |
1 | 20402 | PROTOCOL-VOIP | Response code 405 Method Not Allowed response flood | off | off | off |
1 | 20403 | PROTOCOL-VOIP | Response code 405 Method Not Allowed response flood | off | off | off |
1 | 21232 | SERVER-OTHER | Remote Desktop Protocol brute force attempt | off | off | off |
1 | 21262 | OS-WINDOWS | DCERPC ISystemActivate flood attempt | off | off | off |
1 | 29314 | PROTOCOL-SCADA | Modbus function scan | off | off | off |
1 | 29315 | PROTOCOL-SCADA | Modbus list scan | off | off | off |
1 | 29316 | PROTOCOL-SCADA | Modbus value scan | off | off | off |
1 | 41060 | PROTOCOL-SCADA | IEC 104 List directory | off | off | off |