Sourcefire VRT Update for Sourcefire 3D System

Date: 2015-02-26

This SRU number: 2015-02-25-001
Previous SRU number: 2015-02-23-001

Applies to:

3D Sensor versions: 5.x
Defense Center versions: 5.x

This SEU number: 1257
Previous SEU: 1256

Applies to:

3D Sensor Versions: 4.10
Defense Center Versions: 4.10

This is the complete list of rules modified in SRU 2015-02-25-001 and SEU 1257.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

Updated Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	1489	SERVER-WEBAPP	nobody access	off	off	off
1	2180	PUA-P2P	BitTorrent announce request	off	off	off
1	3827	SERVER-WEBAPP	PHP xmlrpc.php post attempt	off	off	off
1	13816	SERVER-WEBAPP	PHP xmlrpc.php command injection attempt	off	off	off
1	13817	SERVER-WEBAPP	PHP xmlrpc.php command injection attempt	off	off	off
1	13818	SERVER-WEBAPP	PHP alternate xmlrpc.php command injection attempt	off	off	off
1	18492	BLACKLIST	DNS request for known malware domain ilo.brenz.pl - Win.Trojan.Ramnit	off	off	off
1	18986	FILE-PDF	Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt	off	off	drop
1	18987	FILE-PDF	Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt	off	off	drop
1	19049	MALWARE-CNC	Win.Trojan.Gigade variant outbound connection	off	off	off
1	19854	DELETED	MALWARE-CNC Win.Trojan.Sality.AM variant outbound connection
1	19855	DELETED	MALWARE-CNC Win.Trojan.Sality.AM variant outbound connection
1	19964	MALWARE-CNC	Win.Trojan.Sality variant outbound connection	off	drop	drop
1	20020	MALWARE-CNC	Win.Trojan.MalwareDoctor variant outbound connection	off	off	off
1	24255	DELETED	MALWARE-CNC Sality logo.gif URLs
1	25019	OS-OTHER	Cisco Nexus OS software command injection attempt	off	off	off
1	25020	OS-OTHER	Cisco Nexus OS software command injection attempt	off	off	off
1	25627	MALWARE-CNC	Win.Trojan.Reventon variant outbound communication	off	drop	drop
1	25809	DELETED	MALWARE-CNC Sality logos.gif URLs
1	26310	SERVER-MYSQL	MySQL/MariaDB Server geometry query linestring object integer overflow attempt	off	off	off
1	27236	SERVER-OTHER	Citrix XenApp password buffer overflow attempt	off	off	off
1	28534	FILE-OTHER	Apple Quicktime TeXML description attribute overflow attempt	off	off	drop
1	28535	FILE-OTHER	Apple Quicktime TeXML description attribute overflow attempt	off	off	drop
1	28536	FILE-OTHER	Apple Quicktime TeXML description attribute overflow attempt	off	off	drop
1	28537	FILE-OTHER	Apple Quicktime TeXML description attribute overflow attempt	off	off	drop
1	29865	MALWARE-CNC	Win.Trojan.Pirminay variant outbound connection	off	drop	drop
1	30073	MALWARE-CNC	Win.Trojan.Kuluoz variant outbound connection	off	drop	drop
1	30288	MALWARE-CNC	Win.Trojan.Glupteba.M initial outbound connection	off	drop	drop
1	30336	MALWARE-CNC	Linux.Trojan.Calfbot outbound connection	off	off	off
1	30483	MALWARE-CNC	Win.Trojan.Zbot/Bublik outbound connection	off	drop	drop
1	30484	MALWARE-CNC	Win.Trojan.Zbot/Bublik outbound connection	off	drop	drop
1	30548	MALWARE-CNC	Win.Trojan.Zeus variant outbound connection	off	drop	drop
1	30566	MALWARE-CNC	Linux.Trojan.Elknot outbound connection	off	off	drop
1	30570	MALWARE-CNC	Linux.Trojan.Elknot outbound connection	off	off	off
1	30900	MALWARE-CNC	Win.Trojan.Tuhao variant outbound connection	off	drop	drop
1	30914	MALWARE-CNC	Win.Trojan.Tuhao variant outbound connection	off	drop	drop
1	30915	MALWARE-CNC	Win.Trojan.SpySmall variant outbound connection	off	drop	drop
1	30919	MALWARE-CNC	Win.Trojan.Bancos variant outbound connection	off	drop	drop
1	30925	MALWARE-CNC	Win.Trojan.Hd backdoor outbound connection	off	off	drop
1	30938	MALWARE-CNC	Linux.Trojan.Roopre outbound connection	off	drop	drop
1	30985	MALWARE-CNC	Win.Trojan.Vonriamt outbound communication	off	drop	drop
1	31020	MALWARE-CNC	Win.Trojan.Bancos variant outbound connection	off	drop	drop
1	31033	MALWARE-CNC	Win.Trojan.Cryptodefence variant outbound connection	off	drop	drop
1	31053	MALWARE-CNC	Win.Trojan.MadnessPro outbound connection	off	drop	drop
1	31070	MALWARE-CNC	Win.Rootkit.Necurs outbound connection	off	drop	drop
1	31084	MALWARE-CNC	Win.Trojan.Zbot variant outbound connection	off	drop	drop
1	31113	MALWARE-CNC	Win.Trojan.Bancos variant outbound connection	off	drop	drop
1	31114	MALWARE-CNC	Win.Trojan.Rfusclient outbound connection	off	drop	drop
1	31223	MALWARE-CNC	Win.Trojan.CryptoWall variant outbound connection	off	drop	drop
1	31240	MALWARE-CNC	Win.Trojan.Dosoloid variant outbound connection	off	drop	drop
1	31241	MALWARE-CNC	Win.Trojan.Dosoloid variant outbound connection	off	drop	drop
1	31242	MALWARE-CNC	Win.Trojan.Utishaf variant outbound connection	off	drop	drop
1	31244	MALWARE-CNC	Win.Trojan.Kuluoz outbound connection	off	off	drop
1	31261	MALWARE-CNC	Win.Trojan.Symmi outbound connection	off	off	off
1	31295	MALWARE-CNC	Win.Trojan.Zusy variant outbound connection	off	drop	drop
1	31303	MALWARE-CNC	Win.Trojan.Hadeki variant outbound connection	off	drop	drop
1	31314	MALWARE-CNC	Win.Trojan.Daikou variant outbound connection	off	drop	drop
1	31315	MALWARE-CNC	Win.Trojan.MSIL variant outbound connection	off	drop	drop
1	31316	MALWARE-CNC	Win.Trojan.Matsnu variant outbound connection	off	drop	drop
1	31317	MALWARE-CNC	Win.Trojan.Orbot variant outbound connection	off	drop	drop
1	31344	MALWARE-CNC	Win.Trojan.Levyatan variant outbound connection	off	drop	drop
1	31355	MALWARE-CNC	Win.Trojan.Bicololo outbound connection	off	drop	drop
1	31450	MALWARE-CNC	Win.Trojan.CryptoWall outbound connection	off	drop	drop
1	31452	MALWARE-CNC	Win.Trojan.Symmi variant outbound connection	off	drop	drop
1	31458	MALWARE-CNC	Win.Trojan.SDBot variant outbound connection	off	drop	drop
1	31527	DELETED	MALWARE-CNC Win.Trojan.Ramnit variant outbound detected
1	31528	DELETED	MALWARE-CNC Win.Trojan.Ramnit variant outbound detected
1	31593	MALWARE-CNC	Andr.Trojan.SMSSend outbound connection	drop	drop	drop
1	31644	MALWARE-CNC	Andr.Trojan.Scarelocker outbound connection	drop	drop	drop
1	31717	MALWARE-CNC	Win.Trojan.Ragua variant outbound connection	off	drop	drop
1	31808	MALWARE-CNC	Linux.Trojan.IptabLex outbound connection	off	drop	drop
1	31820	MALWARE-CNC	Win.Trojan.Darkcomet outbound keepalive signal sent	off	drop	drop
1	31824	MALWARE-CNC	Win.Trojan.Graftor variant outbound connection	off	drop	drop
1	31827	MALWARE-CNC	Win.Trojan.Delf variant outbound connection	off	drop	drop
1	31835	MALWARE-CNC	Win.Trojan.Yesudac variant outbound connection	off	drop	drop
1	31836	MALWARE-CNC	Win.Trojan.MSIL.Seribe variant outbound connection	off	drop	drop
1	31837	MALWARE-CNC	Win.Trojan.Retgate variant outbound connection	off	drop	drop
1	31895	MALWARE-CNC	Win.Trojan.Toupi variant outbound connection	off	drop	drop
1	31896	MALWARE-CNC	Win.Trojan.Magnetor vairant outbound connection	off	drop	drop
1	31907	MALWARE-CNC	Win.Trojan.MSIL.Honerep variant outbound connection	off	drop	drop
1	31911	MALWARE-CNC	Win.Trojan.MSIL.Gareme variant outbound connection	off	drop	drop
1	31924	MALWARE-CNC	Win.Trojan.Symmi variant outbound connection	off	drop	drop
1	31928	MALWARE-CNC	Linux.Trojan.Jynxkit outbound communication	off	drop	drop
1	31941	MALWARE-CNC	Win.Trojan-Downloader.Pedrp variant outbound connection	off	drop	drop
1	31957	MALWARE-CNC	Win.Backdoor.MSIL.Torct variant outbound connection	off	drop	drop
1	31973	MALWARE-CNC	Win.Trojan.Chebri variant outbound connection	off	drop	drop
1	31974	MALWARE-CNC	Win.Trojan.Zegorg variant outbound connection	off	drop	drop
1	32002	MALWARE-CNC	Win.Worm.Zorenium variant outbound connection	off	drop	drop
1	32011	MALWARE-CNC	Linux.Backdoor.Flooder outbound connection	off	drop	drop
1	32012	MALWARE-CNC	Linux.Backdoor.Flooder outbound connection	off	drop	drop
1	32013	MALWARE-CNC	Linux.Worm.Darlloz variant outbound connection	off	drop	drop
1	32015	MALWARE-CNC	Win.Backdoor.Zeus variant outbound connection	off	drop	drop
1	32018	MALWARE-CNC	Win.Backdoor.Hupigon.NYK variant outbound connection	off	drop	drop
1	32020	MALWARE-CNC	Win.Backdoor.Krompt variant outbound connection	off	drop	drop
1	32023	MALWARE-CNC	Win.Trojan.Sinpid variant outbound connection	off	drop	drop
1	32028	MALWARE-CNC	Win.Backdoor.Klabcon variant outbound connection	off	drop	drop
1	32034	MALWARE-CNC	Win.Trojan.Larefervt variant outbound connection	off	drop	drop
1	32035	MALWARE-CNC	Win.Trojan.Boleteiro variant outbound connection	off	drop	drop
1	32036	MALWARE-CNC	Win.Trojan.Somoca vaniant outbound connection	off	drop	drop
1	32037	MALWARE-CNC	Win.Trojan.Somoca vaniant outbound connection	off	drop	drop
1	32040	MALWARE-CNC	Linux.Backdoor.Ganiw variant outbound connection	off	drop	drop
1	32048	MALWARE-CNC	Win.Trojan.Lecpetex variant outbound connection	off	drop	drop
1	32050	MALWARE-CNC	Win.Trojan.MSIL.Larosden variant outbound connection	off	drop	drop
1	32058	MALWARE-CNC	Win.Backdoor.Masatekar variant outbound connection	off	drop	drop
1	32061	MALWARE-CNC	Win.Trojan-Downloader.Nekill variant outbound connection	off	drop	drop
1	32066	MALWARE-CNC	Win.Trojan.Asprox outbound connection	off	drop	drop
1	32067	MALWARE-CNC	Win.Trojan.Asprox outbound connection	off	drop	drop
1	32070	MALWARE-CNC	Win.Trojan.Dalgan variant outbound connection	off	off	off
1	32071	MALWARE-CNC	Win.Backdoor.Zapchast variant outbound connection	off	drop	drop
1	32073	MALWARE-CNC	Win.Trojan.Zemot outbound connection	off	drop	drop
1	32075	MALWARE-CNC	Win.Trojan.Small variant outbound connection	off	drop	drop
1	32086	MALWARE-CNC	Win.Backdoor.Corkow variant outbound connection	off	drop	drop
1	32090	MALWARE-CNC	Win.Trojan.Saaglup variant outbound connection	off	drop	drop
1	32091	MALWARE-CNC	Win.Backdoor.PcertStealer variant outbound connection	off	drop	drop
1	32093	MALWARE-CNC	Win.Trojan.Banker variant outbound connection	off	drop	drop
1	32096	MALWARE-CNC	Win.Trojan.Puver variant outbound connection	off	drop	drop
1	32121	MALWARE-CNC	Win.Trojan.Kryptik variant outbound connection	off	drop	drop
1	32123	MALWARE-CNC	Win.Trojan.Zbot variant outbound connection	off	drop	drop
1	32130	MALWARE-CNC	Win.Trojan.Bancos variant outbound connection	off	drop	drop
1	32195	MALWARE-CNC	Win.Trojan.Palebot variant outbound connection	off	drop	drop
1	32222	MALWARE-CNC	Win.Backdoor.MSIL.Liroospu variant outbound connection	off	drop	drop
1	32225	MALWARE-CNC	Win.Trojan.Cryptowall variant outbound connection	off	drop	drop
1	32293	MALWARE-CNC	Win.Trojan.Acanas variant outbound connection	off	drop	drop
1	32310	MALWARE-CNC	Win.Trojan.Farfi variant outbound connection	off	drop	drop
1	32334	MALWARE-CNC	Win.Trojan.Stantinko variant outbound connection	off	drop	drop
1	32338	MALWARE-CNC	Win.Trojan.Ropest variant outbound connection	off	drop	drop
1	32357	MALWARE-CNC	Win.Trojan.Akaza variant outbound connection	off	drop	drop
1	32367	MALWARE-CNC	Win.Trojan.GameOverZeus variant outbound connection	off	off	drop
1	32372	MALWARE-CNC	Win.Trojan.Drepitt variant outbound connection	off	drop	drop
1	32373	MALWARE-CNC	Win.Trojan.Broonject variant outbound connection	off	drop	drop
1	32374	MALWARE-CNC	Win.Trojan.Androm variant outbound connection	off	drop	drop
1	32379	MALWARE-CNC	Win.Trojan.Baccamun variant outbound connection	off	drop	drop
1	32394	MALWARE-CNC	Win.Trojan.Orcarat variant outbound connection	off	drop	drop
1	32395	MALWARE-CNC	Win.Trojan.Orcarat variant outbound connection	off	drop	drop
1	32396	MALWARE-CNC	Win.Trojan.Orcarat variant outbound connection	off	drop	drop
1	32397	MALWARE-CNC	Win.Trojan.Orcarat variant outbound connection	off	drop	drop
1	32401	MALWARE-CNC	Win.Backdoor.Kivars outbound connection	off	drop	drop
1	32469	MALWARE-CNC	Win.Trojan.Bankeiya outbound connection	off	drop	drop
1	32486	MALWARE-CNC	Win.Backdoor.Exadog outbound connection	off	drop	drop
1	32487	MALWARE-CNC	Win.Backdoor.Exadog variant outbound connection	off	drop	drop
1	32506	MALWARE-CNC	Win.Trojan.Secdeskinf outbound connection	off	drop	drop
1	32510	MALWARE-CNC	Linux.Trojan.PiltabeA outbound connection	off	drop	drop
1	32513	MALWARE-CNC	PCRat variant outbound connection	off	drop	drop
1	32556	MALWARE-CNC	Win.Trojan.Bayoboiz outbound connection	off	drop	drop
1	32557	MALWARE-CNC	Win.Trojan.Bayoboiz outbound connection	off	drop	drop
1	32583	MALWARE-CNC	Win.Trojan.Bayoboiz outbound connection	off	drop	drop
1	32584	MALWARE-CNC	Win.Trojan.Symmi variant outbound connection	off	drop	drop
1	32599	MALWARE-CNC	Win.Backdoor.Mysayad outbound connection	off	drop	drop
1	32604	MALWARE-CNC	Win.Backdoor.Mysayad file wipe attempt	off	drop	drop
1	32605	MALWARE-CNC	Win.Worm.Jenxcus variant outbound connection	off	drop	drop
1	32606	MALWARE-CNC	Win.Worm.Jenxcus variant outbound connection	off	drop	drop
1	32621	MALWARE-CNC	Win.Trojan.Regin outbound connection	off	off	drop
1	32622	MALWARE-CNC	Win.Trojan.Regin outbound connection	off	drop	drop
1	32623	MALWARE-CNC	Win.Trojan.Regin outbound connection	off	drop	drop
1	32624	MALWARE-CNC	Win.Trojan.Regin outbound connection	off	drop	drop
1	32670	MALWARE-CNC	Win.Dropper.Ch variant outbound connection	off	drop	drop
1	32677	MALWARE-CNC	Win.Trojan.Dridex variant outbound connection	off	drop	drop
1	32678	MALWARE-CNC	Win.Trojan.Dridex variant outbound connection	off	drop	drop
1	32770	MALWARE-CNC	Win.Trojan.WOWCheckC Attempted CNC on non-standard HTTP Ports	off	drop	drop
1	32791	MALWARE-CNC	Win.Virus.Ransomlock outbound connection	off	drop	drop
1	32823	MALWARE-CNC	Win.Trojan.Darkhotel outbound connection	off	drop	drop
1	32825	MALWARE-CNC	Win.Trojan.Darkhotel outbound connection	off	drop	drop
1	32852	MALWARE-CNC	Win.Trojan.Poolfiend variant outbound connection	off	drop	drop
1	32853	MALWARE-CNC	Win.Trojan.Poolfiend variant outbound connection	off	drop	drop
1	32892	MALWARE-CNC	Win.Trojan.TorLocker variant outbound connection	off	drop	drop
1	32893	MALWARE-CNC	Win.Trojan.Finforst outbound connection	off	drop	drop
1	32956	MALWARE-CNC	Win.Trojan.Bladabindi variant outbound connection	off	drop	drop
1	32976	MALWARE-CNC	Win.Trojan.Kuluos variant outbound connection	off	drop	drop
1	32977	MALWARE-CNC	Win.Trojan.Kuluos variant outbound connection	off	drop	drop
1	32987	MALWARE-CNC	Win.Trojan.Graftor outbound connection	off	drop	drop
1	32988	MALWARE-CNC	Win.Trojan.Graftor outbound connection	off	drop	drop
1	32989	MALWARE-CNC	Win.Trojan.Graftor outbound connection	off	drop	drop
1	32990	MALWARE-CNC	Win.Trojan.Toopu outbound connection	off	drop	drop
1	33054	MALWARE-CNC	Win.Trojan.Joanap outbound connection	off	off	drop
1	33081	MALWARE-CNC	OnionDuke variant outbound connection	off	drop	drop
1	33084	MALWARE-CNC	Win.Trojan.Tosct variant outbound connection	off	drop	drop
1	33152	MALWARE-CNC	Win.Trojan.Nurjax.A outbound connection	off	drop	drop
1	33153	MALWARE-CNC	Win.Trojan.Heur variant outbound connection	off	drop	drop
1	33200	MALWARE-CNC	Win.Trojan.Pisces variant outbound connection	off	drop	drop
1	33211	MALWARE-CNC	Win.Trojan.Upatre variant outbound connection	off	drop	drop
1	33219	MALWARE-CNC	Win.Trojan.Gamarue variant outbound connection	off	drop	drop
1	33227	MALWARE-CNC	Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot	off	drop	drop
1	33228	MALWARE-CNC	Win.Kovter variant outbound connection	off	drop	drop
1	33282	MALWARE-CNC	Win.Trojan.Upatre variant outbound connection	off	drop	drop
1	33305	MALWARE-CNC	Win.Trojan.Foxy variant outbound connection	off	drop	drop
1	33431	MALWARE-CNC	Cryptowall 3.0 variant outbound connection	off	drop	drop
1	33432	MALWARE-CNC	Cryptowall 3.0 variant outbound connection	off	drop	drop
1	33433	MALWARE-CNC	Cryptowall 3.0 variant outbound connection	off	drop	drop
1	33434	MALWARE-CNC	Cryptowall 3.0 variant outbound connection	off	drop	drop
1	33435	MALWARE-CNC	Cryptowall 3.0 variant outbound connection	off	drop	drop
1	33443	MALWARE-CNC	Win.Trojan.Gefetroe variant outbound connection	off	drop	drop
1	33444	MALWARE-CNC	Win.Trojan.Gefetroe variant outbound connection	off	drop	drop
1	33450	MALWARE-CNC	Win.Trojan.FileEncoder variant outbound connection	off	drop	drop
1	33453	MALWARE-CNC	Win.Trojan.FileEncoder variant outbound connection	off	drop	drop
1	33457	MALWARE-CNC	Win.Trojan.Symmi variant outbound connection	off	drop	drop
1	33547	MALWARE-CNC	Win.Trojan.Turla outbound connection	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	1145	SERVER-WEBAPP	root access	off	off	off
1	19389	PROTOCOL-VOIP	REGISTER flood	off	off	off
1	21669	PROTOCOL-VOIP	Digium Asterisk expires header denial of service attempt	off	off	off