Sourcefire VRT Update for Sourcefire 3D System

Date: 2014-03-20

This SRU number: 2014-03-19-001
Previous SRU number: 2014-03-17-001

Applies to:

This SEU number: 1069
Previous SEU: 1068

Applies to:

This is the complete list of rules added in SRU 2014-03-19-001 and SEU 1069.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.
130221INDICATOR-SHELLCODEMetasploit linux/x86 reverse_tcp stager transfer attemptoffoffoff
130222INDICATOR-SHELLCODEMetasploit shellcode linux/x86/meterpreter stage transfer attemptoffoffoff
130223INDICATOR-SHELLCODEMetasploit shellcode linux/x86/shell stage transfer attemptoffoffoff
130224INDICATOR-SHELLCODEMetasploit shellcode linux/x86/shell_reverse_tcp single stage transfer attemptoffoffoff
130225INDICATOR-SHELLCODEpossible /bin/sh shellcode transfer attemptoffoffoff
130226INDICATOR-SHELLCODEMetasploit windows/meterpreter stage transfer attemptoffoffoff
130227INDICATOR-SHELLCODEMetasploit windows/reverse_tcp stager transfer attemptoffoffoff
130228INDICATOR-SHELLCODEMetasploit windows/shell stage transfer attemptoffoffoff
130229INDICATOR-SHELLCODEMetasploit windows/shell stage transfer attemptoffoffoff
130230INDICATOR-COMPROMISEsuspicious test for public IP - www.dawhois.comoffdropdrop
130231MALWARE-CNCWin.Trojan.Eybog variant outbound connectionoffdropdrop
130232OS-WINDOWSMicrosoft Anti-Cross Site Scripting library bypass attemptoffoffoff
130233OS-WINDOWSMicrosoft Anti-Cross Site Scripting library bypass attemptoffoffoff
130234MALWARE-CNCWin.Trojan.Eybog variant outbound connectionoffdropdrop

Updated Rules:

Updated rules can be found at this link.