Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2015-05-26

This SRU number: 2015-05-26-001
Previous SRU number: 2015-05-20-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1300
Previous SEU: 1299

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2015-05-26-001 and SEU 1300.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	34565	OS-WINDOWS	Microsoft Windows Graphics engine EMF rendering vulnerability	off	off	off
1	34566	FILE-OTHER	Microsoft Windows Font Library file buffer overflow attempt	off	off	drop
1	34567	MALWARE-CNC	MacOS.Trojan.MacVX outbound connection attempt	off	drop	drop
1	34568	SERVER-WEBAPP	Wordpress Gravity Forms gf_page arbitrary file upload attempt	off	off	off
1	34569	SERVER-WEBAPP	Wordpress Creative Contact Form arbitrary PHP file upload attempt	off	off	drop
1	34570	BLACKLIST	DNS request for known malware domain driveake.webcindario.com - Win.Trojan.Zinnemls	off	drop	drop
1	34571	BLACKLIST	DNS request for known malware domain nonobabe.100webspace.net - Win.Trojan.Zinnemls	off	drop	drop
1	34572	MALWARE-CNC	Win.Trojan.Zinnemls variant outbound connection attempt	off	drop	drop
1	34573	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34574	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34575	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34576	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34581	MALWARE-CNC	Win.Trojan.Mathanuc outbound connection	off	drop	drop
1	34582	FILE-FLASH	Adobe Flash Player invalid BitmapData use after free attempt	off	drop	drop
1	34583	FILE-FLASH	Adobe Flash Player invalid BitmapData use after free attempt	off	drop	drop
1	34584	POLICY-OTHER	Novell ZENworks Configuration Management session id disclosure attempt	off	off	off
1	34585	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34586	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34587	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34588	FILE-FLASH	Adobe Flash Player BrokerMoveFileEx sandbox escape attempt	drop	drop	drop
1	34589	FILE-PDF	Adobe Acrobat Reader stateModel use-after-free attempt	off	drop	drop
1	34590	FILE-PDF	Adobe Acrobat Reader stateModel use-after-free attempt	off	drop	drop
1	34591	FILE-PDF	Adobe Acrobat Reader stateModel use-after-free attempt	off	drop	drop
1	34592	FILE-PDF	Adobe Acrobat Reader stateModel use-after-free attempt	off	drop	drop
1	34593	FILE-PDF	Adobe Acrobat Reader stateModel use-after-free attempt	off	drop	drop
1	34594	FILE-PDF	Adobe Acrobat Reader stateModel use-after-free attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	34577	FILE-FLASH	Adobe Flash Player uninitialized register memory leak attempt	off	drop	drop
1	34578	FILE-FLASH	Adobe Flash Player uninitialized register memory leak attempt	off	drop	drop
1	34579	FILE-FLASH	Adobe Flash Player uninitialized register memory leak attempt	off	drop	drop
1	34580	FILE-FLASH	Adobe Flash Player uninitialized register memory leak attempt	off	drop	drop

Updated Rules:

Updated rules can be found at this link.