Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-02-04

This SRU number: 2016-02-04-001
Previous SRU number: 2016-02-01-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1418
Previous SEU: 1416

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2016-02-04-001 and SEU 1418.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	37528	EXPLOIT-KIT	Nuclear exploit kit outbound uri request attempt	off	drop	drop
1	37529	EXPLOIT-KIT	Nuclear exploit kit iframe injection attempt	off	drop	drop
1	37534	MALWARE-CNC	Win.Trojan.Sality variant outbound connection	off	drop	drop
1	37535	MALWARE-CNC	Win.Trojan.Derusbi outbound connection	off	off	drop
1	37536	MALWARE-CNC	Win.Trojan.Derusbi outbound connection	off	off	drop
1	37537	BROWSER-PLUGINS	Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt	off	off	drop
1	37538	BROWSER-PLUGINS	Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt	off	off	drop
1	37539	BROWSER-PLUGINS	Siemens Solid Edge WebPartHelper ActiveX clsid access attempt	off	off	drop
1	37540	BROWSER-PLUGINS	Siemens Solid Edge WebPartHelper ActiveX clsid access attempt	off	off	drop
1	37541	BROWSER-PLUGINS	Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt	off	off	drop
1	37542	BROWSER-PLUGINS	Siemens Solid Edge SEListCtrlX ActiveX clsid access attempt	off	off	drop
1	37543	BROWSER-PLUGINS	Siemens Solid Edge WebPartHelper ActiveX clsid access attempt	off	off	drop
1	37544	BROWSER-PLUGINS	Siemens Solid Edge WebPartHelper ActiveX clsid access attempt	off	off	drop
1	37545	POLICY-OTHER	Netcore/Netis firmware hard-coded backdoor account access attempt	off	off	off
1	37547	SERVER-WEBAPP	eClinicalWorks portalUserService.jsp SQL injection attempt	off	off	drop
1	37548	EXPLOIT-KIT	Malicious iFrame redirection injection attempt	off	drop	drop
1	37549	EXPLOIT-KIT	Malicious iFrame injection outbound URI request attempt	off	off	drop
1	37550	EXPLOIT-KIT	Nuclear landing page detected	off	drop	drop
1	37551	EXPLOIT-KIT	Nuclear landing page detected	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	37530	FILE-PDF	Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt	off	drop	drop
1	37531	FILE-PDF	Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt	off	drop	drop
1	37532	FILE-PDF	Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt	off	drop	drop
1	37533	FILE-PDF	Adobe Acrobat Reader pdfshell preview mode - possible denial of service attempt	off	drop	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	37546	SERVER-OTHER	Veritas NetBackup Volume Manager connection attempt	off	off	off

Updated Rules:

Updated rules can be found at this link.