Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2015-07-30

This SRU number: 2015-07-29-001
Previous SRU number: 2015-07-27-001

Applies to:

This SEU number: 1327
Previous SEU: 1326

Applies to:

This is the complete list of rules added in SRU 2015-07-29-001 and SEU 1327.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State gives the rule's state in each default Sourcefire policy: Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
1 - 35384 - MALWARE-BACKDOOR - Win.Backdoor.Nicabown variant outbound connection - off / drop / drop
1 - 35385 - MALWARE-CNC - Win.Trojan.MSIL-Pwsfcbk SQL connection - off / drop / drop
1 - 35386 - MALWARE-CNC - Win.Trojan.Bedep initial outbound connection attempt - off / drop / drop
1 - 35387 - MALWARE-CNC - Win.Trojan.Andromeda initial outbound connection attempt - off / drop / drop
1 - 35388 - MALWARE-CNC - Win.Trojan.Andromeda download request - off / drop / drop
1 - 35389 - BLACKLIST - DNS request for known malware domain poletaute.org - Win.Trojan.TorrentLocker/Teerac - off / drop / drop
1 - 35390 - BLACKLIST - DNS request for known malware domain golemerix.com - Win.Trojan.TorrentLocker/Teerac - off / drop / drop
1 - 35391 - BLACKLIST - DNS request for known malware domain bokepros.net - Win.Trojan.TorrentLocker/Teerac - off / drop / drop
1 - 35392 - BLACKLIST - DNS request for known malware domain loawelis.org - Win.Trojan.TorrentLocker/Teerac - off / drop / off
1 - 35393 - MALWARE-CNC - Win.Trojan.TorrentLocker/Teerac self-signed certificate - off / drop / drop
1 - 35394 - MALWARE-CNC - Win.Trojan.TorrentLocker/Teerac payment page request - off / drop / drop
1 - 35395 - BROWSER-PLUGINS - Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt - off / off / off
1 - 35396 - BROWSER-PLUGINS - Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt - off / off / off
1 - 35397 - BROWSER-PLUGINS - Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt - off / off / off
1 - 35398 - BROWSER-PLUGINS - Oracle Data Quality DateTimeWrapper onchange untrusted pointer dereference attempt - off / off / off
1 - 35399 - SERVER-WEBAPP - WordPress MailChimp Subscribe Forms PHP Code Execution command injection attempt - off / off / off
1 - 35400 - MALWARE-CNC - Win.Trojan.Inexsmar variant outbound connection - off / drop / drop
1 - 35401 - BROWSER-PLUGINS - Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt - off / off / off
1 - 35402 - BROWSER-PLUGINS - Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt - off / off / off
1 - 35403 - BROWSER-PLUGINS - Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt - off / off / off
1 - 35404 - BROWSER-PLUGINS - Oracle Data Quality Postcard PreviewInt onclose untrusted pointer dereference attempt - off / off / off
1 - 35405 - SERVER-OTHER - HP Release Control authenticated privilege escalation attempt - off / off / off
1 - 35407 - FILE-PDF - Adobe Reader setItems use-after-free attempt - drop / drop / drop
1 - 35408 - FILE-PDF - Adobe Reader setItems use-after-free attempt - drop / drop / drop
1 - 35409 - FILE-PDF - Adobe Reader setItems use-after-free attempt - drop / drop / drop
1 - 35410 - FILE-PDF - Adobe Reader setItems use-after-free attempt - drop / drop / drop
1 - 35411 - BROWSER-CHROME - Google Chrome XSSAuditor Policy ByPass command injection attempt - off / off / off
1 - 35412 - BROWSER-CHROME - Google Chrome XSSAuditor Policy ByPass command injection attempt - off / off / off
1 - 35413 - FILE-MULTIMEDIA - Apple iLife iPhoto Photocast XML format string code injection attempt - off / off / off
1 - 35414 - FILE-MULTIMEDIA - Apple iLife iPhoto Photocast XML format string code injection attempt - off / off / off
1 - 35415 - MALWARE-CNC - Win.Trojan.Sakurel outbound connection - off / drop / drop
1 - 35416 - MALWARE-CNC - Win.Trojan.Mivast outbound connection - off / drop / drop

Medium Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
1 - 35406 - SERVER-APACHE - Apache HTTP Server mod_status heap buffer overflow attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.