Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-04-21

This SRU number: 2016-04-21-001
Previous SRU number: 2016-04-18-001

Applies to:

This SEU number: 1470
Previous SEU: 1468

Applies to:

This is the complete list of rules added in SRU 2016-04-21-001 and SEU 1470.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority

GID - SID - Rule Group - Rule Message - Policy State (Connectivity / Balanced / Security)

3 - 38578 - SERVER-OTHER - TRUFFLEHUNTER TALOS-CAN-0142 attack attempt - off / off / off
1 - 38580 - FILE-OFFICE - RFT document malformed header - off / drop / drop
1 - 38581 - FILE-OFFICE - RFT document malformed header - off / drop / drop
1 - 38582 - EXPLOIT-KIT - Nuclear exploit kit landing page detected - off / off / drop
3 - 38583 - SERVER-OTHER - TRUFFLEHUNTER TALOS-CAN-0143 attack attempt - off / off / off
1 - 38584 - MALWARE-CNC - Win.Backdoor.DFSCook variant JS dropper outbound connection - off / drop / drop
1 - 38585 - MALWARE-CNC - Win.Backdoor.DFSCook variant outbound connection attempt - off / drop / drop
1 - 38586 - MALWARE-CNC - Win.Backdoor.DFSCook variant outbound connection attempt - off / drop / drop
1 - 38587 - MALWARE-CNC - Win.Backdoor.DFSCook variant temporary redirect attempt - off / drop / drop
1 - 38588 - MALWARE-CNC - Win.Backdoor.DFSCook variant outbound connection attempt - off / drop / drop
1 - 38589 - EXPLOIT-KIT - vbscript downloading executable attempt - off / off / drop
1 - 38592 - EXPLOIT-KIT - Nuclear Exploit Kit back end communications attempt - off / drop / drop
1 - 38593 - EXPLOIT-KIT - Nuclear Exploit Kit back end communications attempt - off / drop / drop

Medium Priority

GID - SID - Rule Group - Rule Message - Policy State (Connectivity / Balanced / Security)

1 - 38579 - SERVER-WEBAPP - Atvise denial of service attempt - off / off / drop
3 - 38590 - SERVER-OTHER - Cisco Wireless LAN Controller mDNS denial of service attempt - off / off / off
3 - 38591 - SERVER-WEBAPP - Cisco WLAN Controller management interface denial of service attempt - off / off / off
1 - 38595 - INDICATOR-OBFUSCATION - Invalid HTTP version evasion attempt - off / off / off

Low Priority

GID - SID - Rule Group - Rule Message - Policy State (Connectivity / Balanced / Security)

1 - 38594 - APP-DETECT - Bloomberg web crawler outbound connection - off / off / off

Updated Rules:

Updated rules can be found at this link.