* Talos combines our security experts from TRAC, SecApps, and VRT teams.
This SRU number: 2017-06-21-001
Previous SRU number: 2017-06-19-001
Applies to:
This SEU number: 1698
Previous SEU: 1697
Applies to:
This is the complete list of rules added in SRU 2017-06-21-001 and SEU 1698.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State column gives the rule's default state in each of the three default Sourcefire policies: Connectivity, Balanced and Security.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
GID | SID | Rule Group | Rule Message | Policy State (Connectivity) | Policy State (Balanced) | Policy State (Security) |
---|---|---|---|---|---|---|
1 | 43240 | BROWSER-PLUGINS | Rising Online Virus Scanner ActiveX clsid access attempt | off | off | off |
1 | 43241 | BROWSER-PLUGINS | Rising Online Virus Scanner ActiveX clsid access attempt | off | off | off |
1 | 43242 | BROWSER-PLUGINS | Rising Online Virus Scanner ActiveX clsid access attempt | off | off | off |
1 | 43243 | BROWSER-PLUGINS | Rising Online Virus Scanner ActiveX clsid access attempt | off | off | off |
1 | 43244 | SERVER-WEBAPP | Active Calendar showcode.php directory traversal attempt | off | off | off |
1 | 43245 | SERVER-WEBAPP | Active Calendar showcode.php directory traversal attempt | off | off | off |
1 | 43246 | SERVER-WEBAPP | Active Calendar showcode.php directory traversal attempt | off | off | off |
1 | 43248 | MALWARE-CNC | Win.Trojan.VEye2 remote access tool installation | off | drop | drop |
1 | 43249 | SERVER-WEBAPP | Nuxeo CMS BatchUploadObject arbitrary JSP file upload attempt | off | off | drop |
1 | 43250 | SERVER-WEBAPP | Nuxeo CMS BatchUploadObject directory traversal attempt | off | off | drop |
1 | 43251 | SERVER-WEBAPP | Trend Micro InterScan WSA LogSettingHandler command injection attempt | off | off | drop |
1 | 43254 | INDICATOR-SHELLCODE | KUSER_SHARED_DATA NtMajorVersion and NtMinorVersion offsets | off | off | off |
1 | 43255 | INDICATOR-SHELLCODE | single byte x86 xor decryption routine | off | off | drop |
1 | 43256 | INDICATOR-OBFUSCATION | Rig EK fromCharCode offset 33 obfuscated getElementsByTagName call | off | drop | drop |
1 | 43257 | SERVER-WEBAPP | CA eHealth command injection command injection attempt | off | off | drop |
1 | 43258 | SERVER-WEBAPP | CA eHealth command injection command injection attempt | off | off | drop |
1 | 43259 | FILE-OTHER | Hangul Word Processor type confusion attempt | off | off | off |
1 | 43260 | FILE-OTHER | Hangul Word Processor type confusion attempt | off | off | off |
1 | 43261 | FILE-OTHER | Hangul Word Processor type confusion attempt | off | off | off |
1 | 43262 | FILE-OTHER | Hangul Word Processor type confusion attempt | off | off | off |
1 | 43263 | FILE-OTHER | Hangul Word Processor type confusion attempt | off | off | off |
1 | 43264 | FILE-OTHER | Hangul Word Processor type confusion attempt | off | off | off |
1 | 43265 | SERVER-WEBAPP | SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt | off | off | off |
1 | 43266 | SERVER-WEBAPP | SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt | off | off | off |
1 | 43267 | SERVER-WEBAPP | SERVER-WEBAPP Novell NetIQ Sentinel Server ReportViewServlet directory traversal attempt directory traversal attempt | off | off | off |
1 | 43268 | SERVER-WEBAPP | Squid ESI processing buffer overflow attempt | off | off | off |
1 | 43269 | FILE-MULTIMEDIA | Microsoft Windows DirectX directshow wav file overflow attempt | off | off | off |
1 | 43270 | FILE-MULTIMEDIA | Microsoft Windows DirectX directshow wav file overflow attempt | off | off | off |
3 | 43271 | SERVER-WEBAPP | Cisco Prime Infrastructure XML external entity injection attempt | off | off | drop |
1 | 43272 | SERVER-WEBAPP | Advantech WebAccess openWidget directory traversal attempt directory traversal attempt | off | off | drop |
1 | 43273 | SERVER-WEBAPP | Advantech WebAccess openWidget directory traversal attempt directory traversal attempt | off | off | drop |
1 | 43274 | SERVER-WEBAPP | Advantech WebAccess openWidget directory traversal attempt directory traversal attempt | off | off | drop |
1 | 43279 | SERVER-WEBAPP | Advantech WebAccess cross site scripting attempt | off | off | off |
1 | 43280 | SERVER-WEBAPP | Advantech WebAccess cross site scripting attempt | off | off | off |
GID | SID | Rule Group | Rule Message | Policy State (Connectivity) | Policy State (Balanced) | Policy State (Security) |
---|---|---|---|---|---|---|
1 | 43238 | SERVER-WEBAPP | Imatix Xitami web server head processing denial of service attempt | off | off | off |
1 | 43239 | PROTOCOL-FTP | WS-FTP REST command overly large file creation attempt | off | off | off |
1 | 43247 | SERVER-APACHE | Apache Rave information disclosure attempt | off | off | off |
1 | 43252 | PROTOCOL-SCADA | IEC 61850 device connection enumeration attempt | off | off | off |
1 | 43253 | PROTOCOL-SCADA | IEC 61850 virtual manufacturing device domain variable enumeration attempt | off | off | off |
1 | 43275 | OS-WINDOWS | Microsoft Windows MFT denial of service attempt | off | off | off |
1 | 43276 | OS-WINDOWS | Microsoft Windows MFT denial of service attempt | off | off | off |
1 | 43277 | OS-WINDOWS | Microsoft Windows MFT denial of service attempt | off | off | off |
1 | 43278 | OS-WINDOWS | Microsoft Windows MFT denial of service attempt | off | off | off |