Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2015-11-24

This SRU number: 2015-11-23-003
Previous SRU number: 2015-11-18-001

Applies to:

This SEU number: 1388
Previous SEU: 1384

Applies to:

This is the complete list of rules added in SRU 2015-11-23-003 and SEU 1388.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State column gives the rule's state in each of the three default Sourcefire policies: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.
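The listing format and policy-state rules above are simple enough to script against, which is useful when reviewing an SRU before pushing it to sensors. The following Python is an added example (not Cisco's or Sourcefire's code) that parses lines in the "GID - SID - Rule Group - Rule Message - Con. / Bal. / Sec." shape, derives the passive state from the Balanced column (drop becomes alert, as stated above), and tallies which SIDs actually fire under each policy. The sample listing is constructed from four rows of this update; the function names and the "/"-separated state column are the example's own conventions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# States a rule can hold in a Sourcefire default policy.
VALID_STATES = ("off", "alert", "drop")
POLICIES = ("connectivity", "balanced", "security", "passive")


@dataclass(frozen=True)
class RuleEntry:
    gid: int
    sid: int
    group: str
    message: str
    connectivity: str
    balanced: str
    security: str

    @property
    def passive(self) -> str:
        """Passive state mirrors Balanced, but a passive sensor cannot block,
        so a Balanced 'drop' is reported as 'alert'."""
        return "alert" if self.balanced == "drop" else self.balanced

    def states(self) -> dict:
        """Effective state of this rule in every default policy."""
        return {
            "connectivity": self.connectivity,
            "balanced": self.balanced,
            "security": self.security,
            "passive": self.passive,
        }


def parse_line(line: str) -> RuleEntry:
    """Parse one 'GID - SID - Group - Message - Con / Bal / Sec' line.

    The message is rejoined from the middle fields, so a ' - ' inside a
    rule message does not break the parse.
    """
    parts = [p.strip() for p in line.split(" - ")]
    if len(parts) < 5:
        raise ValueError(f"expected at least 5 dash-separated fields: {line!r}")
    gid, sid, group = parts[0], parts[1], parts[2]
    message = " - ".join(parts[3:-1])
    states = [s.strip() for s in parts[-1].split("/")]
    if not (gid.isdigit() and sid.isdigit()):
        raise ValueError(f"GID and SID must be numeric: {line!r}")
    if not re.fullmatch(r"[A-Z][A-Z0-9-]*", group):
        raise ValueError(f"unexpected rule group: {group!r}")
    if len(states) != 3 or any(s not in VALID_STATES for s in states):
        raise ValueError(f"need three states from {VALID_STATES}: {line!r}")
    return RuleEntry(int(gid), int(sid), group, message, *states)


def is_valid_line(line: str) -> bool:
    """True when the line parses; used to reject garbled rows up front."""
    try:
        parse_line(line)
        return True
    except ValueError:
        return False


def parse_listing(text: str) -> list:
    """Parse a whole listing, skipping blank lines and '#' comments."""
    return [parse_line(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def enabled_sids(entries, policy: str) -> list:
    """SIDs that fire (alert or drop) under the named policy, in listing order."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    return [e.sid for e in entries if e.states()[policy] != "off"]


def state_counts(entries) -> dict:
    """Per-policy tally of off/alert/drop for a quick SRU summary."""
    return {p: Counter(e.states()[p] for e in entries) for p in POLICIES}


# Constructed sample: four rows copied from this update's listing.
LISTING = """\
# GID - SID - Rule Group - Rule Message - Con. / Bal. / Sec.
1 - 36855 - FILE-OTHER - Wireshark DECT packet dissector overflow attempt - off / drop / drop
1 - 36865 - BROWSER-PLUGINS - IDAutomation IDAuto.BarCode ActiveX clsid access attempt - off / off / drop
1 - 36880 - FILE-FLASH - Adobe Flash Player byte array uncompress information disclosure attempt - drop / drop / drop
1 - 36887 - POLICY-OTHER - self-signed SSL certificate eDellRoot use attempt - off / off / off
"""

if __name__ == "__main__":
    rules = parse_listing(LISTING)
    for policy in POLICIES:
        print(f"{policy:13s} fires: {enabled_sids(rules, policy)}  {dict(state_counts(rules)[policy])}")
```

Running the block prints, per policy, which of the four SIDs would fire and the off/alert/drop tally; note that SID 36887 (the eDellRoot rule) is off in every default policy, so an operator who wants that detection must enable it explicitly.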

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 36854 - FILE-OTHER - IDEAL Administration IPJ file handling stack overflow attempt - off / off / off
1 - 36855 - FILE-OTHER - Wireshark DECT packet dissector overflow attempt - off / drop / drop
1 - 36856 - FILE-IMAGE - Microsoft Windows malformed WMF meta escape record memory corruption attempt - off / off / off
1 - 36857 - FILE-OFFICE - Microsoft Office Excel WOpt record memory corruption attempt - off / off / off
1 - 36858 - FILE-FLASH - Adobe Flash Player writeExternal type confusion attempt - off / drop / drop
1 - 36859 - FILE-FLASH - Adobe Flash Player writeExternal type confusion attempt - off / drop / drop
1 - 36860 - FILE-FLASH - Adobe Flash Player writeExternal type confusion attempt - off / drop / drop
1 - 36861 - FILE-FLASH - Adobe Flash Player attachsound use-after-free attempt - off / drop / drop
1 - 36862 - FILE-FLASH - Adobe Flash Player attachsound use-after-free attempt - off / drop / drop
1 - 36863 - FILE-FLASH - Adobe Flash Player attachsound use-after-free attempt - off / drop / drop
1 - 36864 - FILE-FLASH - Adobe Flash Player attachsound use-after-free attempt - off / drop / drop
1 - 36865 - BROWSER-PLUGINS - IDAutomation IDAuto.BarCode ActiveX clsid access attempt - off / off / drop
1 - 36866 - BROWSER-PLUGINS - IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt - off / off / drop
1 - 36867 - BROWSER-PLUGINS - IDAutomation IDAuto.Datamatrix ActiveX clsid access attempt - off / off / drop
1 - 36868 - BROWSER-PLUGINS - IDAutomation IDAuto.BarCode ActiveX clsid access attempt - off / off / drop
1 - 36869 - BROWSER-PLUGINS - IDAutomation IDAuto.PDF417 ActiveX clsid access attempt - off / off / drop
1 - 36870 - BROWSER-PLUGINS - IDAutomation IDAuto.PDF417 ActiveX clsid access attempt - off / off / drop
1 - 36871 - BROWSER-PLUGINS - IDAutomation IDAuto.Aztec ActiveX clsid access attempt - off / off / drop
1 - 36872 - BROWSER-PLUGINS - IDAutomation IDAuto.Aztec ActiveX clsid access attempt - off / off / drop
1 - 36873 - FILE-FLASH - Adobe Flash Player AS2 ActionCallMethod use-after-free attempt - off / drop / drop
1 - 36874 - FILE-FLASH - Adobe Flash Player AS2 ActionCallMethod use-after-free attempt - off / drop / drop
1 - 36875 - FILE-FLASH - Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt - off / drop / drop
1 - 36876 - FILE-FLASH - Adobe Flash Player atomicCompareAndSwapLength integer overflow attempt - off / drop / drop
1 - 36878 - FILE-FLASH - Adobe Flash Player SWF buffer overflow attempt - off / drop / drop
1 - 36879 - FILE-FLASH - Adobe Flash Player SWF buffer overflow attempt - off / drop / drop
1 - 36880 - FILE-FLASH - Adobe Flash Player byte array uncompress information disclosure attempt - drop / drop / drop
1 - 36881 - FILE-FLASH - Adobe Flash Player byte array uncompress information disclosure attempt - drop / drop / drop
1 - 36882 - FILE-FLASH - Adobe Flash Player byte array uncompress information disclosure attempt - drop / drop / drop
1 - 36883 - FILE-FLASH - Adobe Flash Player byte array uncompress information disclosure attempt - drop / drop / drop
1 - 36884 - FILE-IMAGE - Microsoft Windows Paint jpeg with malformed SOFx field integer overflow attempt - off / off / drop
1 - 36885 - FILE-PDF - Adobe Acrobat font parsing integer overflow attempt - off / off / drop
1 - 36886 - FILE-PDF - Adobe Acrobat font parsing integer overflow attempt - off / off / drop
1 - 36887 - POLICY-OTHER - self-signed SSL certificate eDellRoot use attempt - off / off / off

Low Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 36877 - NETBIOS - DCERPC BrightStor ARCserve corrupt user-supplied memory location attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.