Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-05-05

This SRU number: 2016-05-04-001
Previous SRU number: 2016-05-02-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1476
Previous SEU: 1475

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2016-05-04-001 and SEU 1476.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	38680	MALWARE-CNC	Win.Trojan.Tooka GET attempt	off	drop	drop
1	38681	MALWARE-CNC	Win.Trojan.Tooka POST attempt	off	drop	drop
1	38682	EXPLOIT-KIT	Angler Exploit Kit email gate	off	drop	drop
1	38683	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38684	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38685	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38686	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38687	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38688	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38689	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38690	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38691	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38692	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38693	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38694	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38695	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38696	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38697	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38698	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38699	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38700	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38701	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38702	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38703	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38704	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38705	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38706	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38707	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38708	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38709	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38710	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38711	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38712	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38713	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38714	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38715	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38716	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38717	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38718	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38719	MALWARE-BACKDOOR	JSP webshell backdoor detected	off	drop	drop
1	38720	SERVER-WEBAPP	Wordpress Simple Ads Manager SQL injection attempt	off	off	off
1	38721	SERVER-WEBAPP	Wordpress Simple Ads Manager SQL injection attempt	off	off	off
1	38722	SERVER-WEBAPP	Wordpress Simple Ads Manager SQL injection attempt	off	off	off
1	38723	SERVER-WEBAPP	Wordpress Simple Ads Manager SQL injection attempt	off	off	off
1	38724	MALWARE-CNC	Win.Trojan.Renegin outbound GET attempt	off	drop	drop
1	38725	BLACKLIST	DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon	off	drop	drop
1	38726	BLACKLIST	DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon	off	drop	drop
1	38727	BLACKLIST	DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon	off	drop	drop
1	38728	BLACKLIST	DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon	off	drop	drop
1	38729	SERVER-OTHER	Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt	off	drop	drop
1	38730	EXPLOIT-KIT	Neutrino Exploit Kit Flash exploit download attempt	off	off	drop
1	38732	MALWARE-CNC	Win.Trojan.VBDos Runtime Detection	off	drop	drop
1	38733	MALWARE-CNC	Win.Trojan.Ransom variant outbound connection	off	drop	drop
3	38735	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
3	38736	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
3	38737	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
3	38738	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
3	38739	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
3	38740	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
3	38741	SERVER-WEBAPP	Cisco TelePresence XML API authentication bypass attempt	off	off	off
1	38742	FILE-OTHER	Microsoft Office ole object external file loading attempt	off	drop	drop
1	38743	FILE-IMAGE	ImageMagick WWWDecodeDelegate command injection attempt	off	drop	drop
1	38744	FILE-IMAGE	ImageMagick WWWDecodeDelegate command injection attempt	off	drop	drop
3	38745	MALWARE-OTHER	known phishing x-mailer attempt	off	drop	drop
3	38746	MALWARE-CNC	CTFMONv4 beacon attempt	off	drop	drop
3	38747	MALWARE-CNC	FF-RAT outbound connection attempt	off	drop	drop
3	38748	MALWARE-CNC	FF-RAT outbound connection attempt	off	drop	drop
3	38749	MALWARE-CNC	FF-RAT outbound connection attempt	off	drop	drop
3	38750	MALWARE-CNC	FF-RAT outbound connection attempt	off	drop	drop
3	38751	MALWARE-CNC	Jimini outbound connection attempt	off	drop	drop
3	38752	MALWARE-CNC	HILIGHT outbound connection attempt	off	drop	drop
3	38753	MALWARE-CNC	1.php outbound connection attempt	off	drop	drop
3	38754	MALWARE-CNC	XDOT outbound connection attempt	off	drop	drop
3	38755	MALWARE-CNC	PlugX outbound connection attempt	off	drop	drop
3	38756	MALWARE-CNC	PlugX outbound communication attempt	off	drop	drop
3	38757	MALWARE-CNC	PlugX outbound communication attempt	off	drop	drop
3	38758	FILE-FLASH	Adobe Flash Player remote code execution attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	38677	INDICATOR-OBFUSCATION	UTF-8 evasion attempt	off	off	off
1	38678	INDICATOR-OBFUSCATION	UTF-8 evasion attempt	off	off	off
1	38679	INDICATOR-OBFUSCATION	non HTTP 1.1 version with 1.1 headers evasion attempt	off	off	off
1	38731	SERVER-OTHER	Squid Proxy range header denial of service attempt	off	drop	drop
1	38734	INDICATOR-OBFUSCATION	HTTP header value without key evasion attempt	off	off	off

Updated Rules:

Updated rules can be found at this link.