Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2015-05-26

This SRU number: 2015-05-26-001
Previous SRU number: 2015-05-20-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1300
Previous SEU: 1299

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules modified in SRU 2015-05-26-001 and SEU 1300.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

Updated Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	15729	FILE-FLASH	Possible Adobe Flash Player ActionScript byte_array heap spray attempt	off	off	off
1	17618	OS-WINDOWS	Microsoft Windows Graphics engine EMF rendering vulnerability	off	off	off
1	18388	BLACKLIST	User-Agent known malicious user-agent string RookIE/1.0	off	drop	drop
1	18968	FILE-FLASH	Adobe Flash Player ActionScript3 stack integer overflow attempt	off	drop	drop
1	19262	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	drop	drop	drop
1	19263	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	drop	drop	drop
1	19264	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	drop	drop	drop
1	19688	FILE-FLASH	Adobe Flash Player ActionScript BitmapData buffer overflow attempt	drop	drop	drop
1	19690	FILE-FLASH	Adobe Flash Player ActionScript duplicateDoorInputArguments stack overwrite	drop	drop	drop
1	19691	FILE-FLASH	Adobe Flash Player ActionScript File reference buffer overflow attempt	drop	drop	drop
1	20031	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	drop	drop	drop
1	20767	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	drop	drop	drop
1	20777	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption attempt	drop	drop	drop
1	21457	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	drop	drop	drop
1	21458	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption	off	drop	drop
1	21533	FILE-FLASH	Adobe Flash Player ActionScript Stage3D null dereference attempt	drop	drop	drop
1	21534	FILE-FLASH	Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt	drop	drop	drop
1	21535	FILE-FLASH	Adobe Flash Player ActionScript Matrix3D.copyRawDataFrom buffer overflow attempt	drop	drop	drop
1	21536	FILE-FLASH	Adobe Flash Player ActionScript Stage3D null dereference attempt	drop	drop	drop
1	23996	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption attempt	drop	drop	drop
1	23997	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption attempt	off	drop	drop
1	26172	FILE-FLASH	Adobe Flash Player sortOn heap overflow attempt	drop	drop	drop
1	26173	FILE-FLASH	Adobe Flash Player sortOn heap overflow attempt	off	drop	drop
1	27267	FILE-FLASH	Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt	drop	drop	drop
1	27268	FILE-FLASH	Adobe Flash Player ActionScript user-supplied PCM resampling integer overflow attempt	off	drop	drop
1	28703	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption attempt	off	drop	drop
1	28704	FILE-FLASH	Adobe Flash Player ActionScript float index array memory corruption attempt	off	drop	drop
1	29524	FILE-FLASH	Adobe Flash Player loadPCMFromByteArray bad sample count attempt	off	off	off
1	29525	FILE-FLASH	Adobe Flash Player loadPCMFromByteArray bad sample count attempt	off	off	off
1	29902	FILE-PDF	Adobe Acrobat Reader invalid JPEG stream double free attempt	off	drop	drop
1	29903	FILE-PDF	Adobe Acrobat Reader invalid JPEG stream double free attempt	off	drop	drop
1	31284	FILE-FLASH	Adobe Flash Player Microsoft Internet Explorer sandbox escape attempt	drop	drop	drop
1	33773	OS-WINDOWS	Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt	off	drop	drop
1	33774	OS-WINDOWS	Microsoft Windows CmpGetVirtualizationID race condition user impersonation attempt	off	drop	drop
1	33777	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33778	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33779	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33780	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33781	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33782	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33783	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33784	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33785	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33786	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33787	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33788	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33789	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33790	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33791	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33792	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33793	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33794	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33795	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33796	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33797	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33798	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33799	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33800	SERVER-OTHER	SSL export grade ciphersuite server negotiation attempt	off	off	drop
1	33801	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33802	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33803	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33804	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33805	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	33806	SERVER-OTHER	SSL request for export grade ciphersuite attempt	off	off	drop
1	34074	BROWSER-IE	Microsoft Internet Explorer TextData object use after free attempt	off	drop	drop
1	34075	BROWSER-IE	Microsoft Internet Explorer TextData object use after free attempt	off	drop	drop
1	34147	FILE-FLASH	Adobe Flash Player ConvolutionFilter heap information disclosure attempt	off	drop	drop
1	34148	FILE-FLASH	Adobe Flash Player ConvolutionFilter heap information disclosure attempt	off	drop	drop
1	34149	FILE-FLASH	Adobe Flash Player ConvolutionFilter heap information disclosure attempt	off	drop	drop
1	34150	FILE-FLASH	Adobe Flash Player ConvolutionFilter heap information disclosure attempt	off	drop	drop
1	34528	FILE-PDF	Adobe Acrobat Reader AVDoc use-after-free attempt	off	drop	drop
1	34529	FILE-PDF	Adobe Acrobat Reader AVDoc use-after-free attempt	off	drop	drop
1	34546	FILE-PDF	Adobe Acrobat Reader PCR null pointer dereference attempt	off	drop	drop
1	34547	FILE-PDF	Adobe Acrobat Reader PCR null pointer dereference attempt	off	drop	drop
1	34550	FILE-PDF	Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt	off	drop	drop
1	34551	FILE-PDF	Adobe Acrobat Reader JavaScript API trustPropagatorFunction execution bypass attempt	off	drop	drop
1	34557	FILE-PDF	Adobe Acrobat Reader embedded JavaScript remote code execution attempt	off	drop	drop
1	34558	FILE-PDF	Adobe Acrobat Reader embedded JavaScript remote code execution attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	7513	MALWARE-OTHER	Keylogger watchdog runtime detection - init connection	off	off	off
1	7514	MALWARE-OTHER	Keylogger watchdog runtime detection - send out info to server periodically	off	off	off
1	7515	MALWARE-OTHER	Keylogger watchdog runtime detection - remote monitoring	off	off	off
1	19689	FILE-FLASH	Adobe Flash Player ActionScript dynamic calculation double-free attempt	drop	drop	drop
1	21653	FILE-FLASH	Adobe Flash Player ActionScript getURL target null reference attempt	alert	alert	drop
1	29835	FILE-FLASH	Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt	drop	drop	drop
1	29836	FILE-FLASH	Adobe Flash Player ActionScript bytecode object type confusion information disclosure attempt	off	drop	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	20269	FILE-IDENTIFY	FON font file download request	off	off	off