Sourcefire VRT Update for Sourcefire 3D System

Date: 2014-07-24

This SRU number: 2014-07-23-001
Previous SRU number: 2014-07-21-001

Applies to:

3D Sensor versions: 5.x
Defense Center versions: 5.x

This SEU number: 1146
Previous SEU: 1144

Applies to:

3D Sensor Versions: 4.10
Defense Center Versions: 4.10

This is the complete list of rules added in SRU 2014-07-23-001 and SEU 1146.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	12784	SERVER-OTHER	CA ARCserve LGServer stack buffer overflow attempt	off	off	off
1	12785	SERVER-OTHER	CA ARCserve LGServer stack buffer overflow attempt	off	off	off
1	12786	SERVER-OTHER	CA ARCserve LGServer stack buffer overflow attempt	off	off	off
1	25549	SERVER-OTHER	Novell eDirectory NCP stack buffer overflow attempt	drop	drop	drop
1	25550	SERVER-OTHER	Novell eDirectory NCP stack buffer overflow attempt	drop	drop	drop
1	25589	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	25601	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	25612	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	25617	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	25618	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	25619	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	25620	SERVER-OTHER	libupnp command buffer overflow attempt	drop	drop	drop
1	31497	SERVER-WEBAPP	Oracle Event Processing FileUploadServlet directory traversal attempt	off	drop	drop
1	31498	SERVER-WEBAPP	Oracle Event Processing FileUploadServlet directory traversal attempt	off	drop	drop
1	31499	INDICATOR-COMPROMISE	Liz0ziM php shell download attempt	off	drop	drop
1	31500	INDICATOR-COMPROMISE	Liz0ziM php shell upload attempt	off	drop	drop
1	31501	INDICATOR-COMPROMISE	Liz0ziM php shell command and control attempt	off	drop	drop
1	31502	INDICATOR-COMPROMISE	Liz0ziM php shell command and control attempt	off	drop	drop
1	31503	INDICATOR-COMPROMISE	Liz0ziM php shell download attempt	off	drop	drop
1	31504	BROWSER-IE	Microsoft Internet Explorer outerHTML against incomplete element heap corruption attempt	off	off	drop
1	31505	SERVER-WEBAPP	AlienVault OSSIM av-centerd get_license command injection attempt	drop	drop	drop
1	31506	SERVER-WEBAPP	AlienVault OSSIM av-centerd get_log_line command injection attempt	drop	drop	drop
1	31507	MALWARE-CNC	Win.Trojan.HW32 variant spam attempt	off	drop	drop
1	31508	BLACKLIST	DNS request for known malware domain getsearch.net	off	drop	drop
1	31509	BLACKLIST	DNS request for known malware domain greatfindpage.com	off	drop	drop
1	31510	MALWARE-OTHER	Win.Trojan.Injector outbound traffic	off	drop	drop
1	31511	FILE-JAVA	Oracle Java field bytecode verifier cache code execution attempt	drop	drop	drop
1	31512	FILE-JAVA	Oracle Java field bytecode verifier cache code execution attempt	drop	drop	drop
1	31514	BLACKLIST	DNS request for known malware domain bastelfunboard.ch - Andr.Trojan.Emmental	off	drop	drop
1	31515	BLACKLIST	DNS request for known malware domain oguhtell.ch - Andr.Trojan.Emmental	off	drop	drop
1	31516	BLACKLIST	DNS request for known malware domain security-apps.biz - Andr.Trojan.Emmental	off	drop	drop
1	31517	BLACKLIST	DNS request for known malware domain security-apps.net - Andr.Trojan.Emmental	off	drop	drop
1	31518	BLACKLIST	DNS request for known malware domain tc-zo.ch - Andr.Trojan.Emmental	off	drop	drop
1	31519	FILE-MULTIMEDIA	Adobe Flash pixel bender buffer overflow attempt	off	drop	drop
1	31520	FILE-MULTIMEDIA	Adobe Flash pixel bender buffer overflow attempt	off	drop	drop
1	31521	FILE-MULTIMEDIA	Adobe Flash pixel bender buffer overflow attempt	off	drop	drop
1	31522	FILE-MULTIMEDIA	Adobe Flash pixel bender buffer overflow attempt	off	drop	drop
1	31523	FILE-MULTIMEDIA	Adobe Flash pixel bender buffer overflow attempt	off	drop	drop
1	31524	FILE-MULTIMEDIA	Adobe Flash pixel bender buffer overflow attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	25664	SERVER-OTHER	MiniUPnPd SSDP request buffer overflow attempt	off	off	off
1	30711	SERVER-OTHER	OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt	off	drop	drop
1	30712	SERVER-OTHER	OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt	off	drop	drop
1	30713	SERVER-OTHER	OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt	off	drop	drop
1	30714	SERVER-OTHER	OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt	off	drop	drop
1	30715	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt	off	drop	drop
1	30716	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt	off	drop	drop
1	30717	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt	off	drop	drop
1	30718	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt	off	drop	drop
1	30719	SERVER-OTHER	OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30720	SERVER-OTHER	OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30721	SERVER-OTHER	OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30722	SERVER-OTHER	OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30723	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30724	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30725	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30726	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30727	SERVER-OTHER	OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt	off	drop	drop
1	30728	SERVER-OTHER	OpenVPN OpenSSL SSLv3 heartbeat read overrun attempt	off	drop	drop
1	30729	SERVER-OTHER	OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt	off	drop	drop
1	30730	SERVER-OTHER	OpenVPN OpenSSL TLSv1 heartbeat read overrun attempt	off	drop	drop
1	30731	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt	off	drop	drop
1	30732	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 heartbeat read overrun attempt	off	drop	drop
1	30733	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt	off	drop	drop
1	30734	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 heartbeat read overrun attempt	off	drop	drop
1	30735	SERVER-OTHER	OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30736	SERVER-OTHER	OpenVPN OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30737	SERVER-OTHER	OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30738	SERVER-OTHER	OpenVPN OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30739	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30740	SERVER-OTHER	OpenVPN OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30741	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	30742	SERVER-OTHER	OpenVPN OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt	off	drop	drop
1	31513	BROWSER-FIREFOX	Multiple browser pressure function denial of service attempt	off	off	off

Updated Rules:

Updated rules can be found at this link.