Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-05-05

This SRU number: 2016-05-04-001
Previous SRU number: 2016-05-02-001

Applies to:

This SEU number: 1476
Previous SEU: 1475

Applies to:

This is the complete list of rules added in SRU 2016-05-04-001 and SEU 1476.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority

GID | SID   | Rule Group            | Rule Message | Con. | Bal. | Sec.
1   | 38680 | MALWARE-CNC           | Win.Trojan.Tooka GET attempt | off | drop | drop
1   | 38681 | MALWARE-CNC           | Win.Trojan.Tooka POST attempt | off | drop | drop
1   | 38682 | EXPLOIT-KIT           | Angler Exploit Kit email gate | off | drop | drop
1   | 38683 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38684 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38685 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38686 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38687 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38688 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38689 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38690 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38691 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38692 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38693 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38694 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38695 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38696 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38697 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38698 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38699 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38700 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38701 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38702 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38703 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38704 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38705 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38706 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38707 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38708 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38709 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38710 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38711 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38712 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38713 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38714 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38715 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38716 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38717 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38718 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38719 | MALWARE-BACKDOOR      | JSP webshell backdoor detected | off | drop | drop
1   | 38720 | SERVER-WEBAPP         | Wordpress Simple Ads Manager SQL injection attempt | off | off | off
1   | 38721 | SERVER-WEBAPP         | Wordpress Simple Ads Manager SQL injection attempt | off | off | off
1   | 38722 | SERVER-WEBAPP         | Wordpress Simple Ads Manager SQL injection attempt | off | off | off
1   | 38723 | SERVER-WEBAPP         | Wordpress Simple Ads Manager SQL injection attempt | off | off | off
1   | 38724 | MALWARE-CNC           | Win.Trojan.Renegin outbound GET attempt | off | drop | drop
1   | 38725 | BLACKLIST             | DNS request for known malware domain evengtorsdodint.com - Win.Trojan.Poseidon | off | drop | drop
1   | 38726 | BLACKLIST             | DNS request for known malware domain haduseeventsed.com - Win.Trojan.Poseidon | off | drop | drop
1   | 38727 | BLACKLIST             | DNS request for known malware domain nasedrontit.com - Win.Trojan.Poseidon | off | drop | drop
1   | 38728 | BLACKLIST             | DNS request for known malware domain gowasstalpa.com - Win.Trojan.Poseidon | off | drop | drop
1   | 38729 | SERVER-OTHER          | Mediabridge Medialink MWN-WAPR300N and Tenda N3 Wireless N150 inbound admin attempt | off | drop | drop
1   | 38730 | EXPLOIT-KIT           | Neutrino Exploit Kit Flash exploit download attempt | off | off | drop
1   | 38732 | MALWARE-CNC           | Win.Trojan.VBDos Runtime Detection | off | drop | drop
1   | 38733 | MALWARE-CNC           | Win.Trojan.Ransom variant outbound connection | off | drop | drop
3   | 38735 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
3   | 38736 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
3   | 38737 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
3   | 38738 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
3   | 38739 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
3   | 38740 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
3   | 38741 | SERVER-WEBAPP         | Cisco TelePresence XML API authentication bypass attempt | off | off | off
1   | 38742 | FILE-OTHER            | Microsoft Office ole object external file loading attempt | off | drop | drop
1   | 38743 | FILE-IMAGE            | ImageMagick WWWDecodeDelegate command injection attempt | off | drop | drop
1   | 38744 | FILE-IMAGE            | ImageMagick WWWDecodeDelegate command injection attempt | off | drop | drop
3   | 38745 | MALWARE-OTHER         | known phishing x-mailer attempt | off | drop | drop
3   | 38746 | MALWARE-CNC           | CTFMONv4 beacon attempt | off | drop | drop
3   | 38747 | MALWARE-CNC           | FF-RAT outbound connection attempt | off | drop | drop
3   | 38748 | MALWARE-CNC           | FF-RAT outbound connection attempt | off | drop | drop
3   | 38749 | MALWARE-CNC           | FF-RAT outbound connection attempt | off | drop | drop
3   | 38750 | MALWARE-CNC           | FF-RAT outbound connection attempt | off | drop | drop
3   | 38751 | MALWARE-CNC           | Jimini outbound connection attempt | off | drop | drop
3   | 38752 | MALWARE-CNC           | HILIGHT outbound connection attempt | off | drop | drop
3   | 38753 | MALWARE-CNC           | 1.php outbound connection attempt | off | drop | drop
3   | 38754 | MALWARE-CNC           | XDOT outbound connection attempt | off | drop | drop
3   | 38755 | MALWARE-CNC           | PlugX outbound connection attempt | off | drop | drop
3   | 38756 | MALWARE-CNC           | PlugX outbound communication attempt | off | drop | drop
3   | 38757 | MALWARE-CNC           | PlugX outbound communication attempt | off | drop | drop
3   | 38758 | FILE-FLASH            | Adobe Flash Player remote code execution attempt | off | drop | drop

Medium Priority

GID | SID   | Rule Group            | Rule Message | Con. | Bal. | Sec.
1   | 38677 | INDICATOR-OBFUSCATION | UTF-8 evasion attempt | off | off | off
1   | 38678 | INDICATOR-OBFUSCATION | UTF-8 evasion attempt | off | off | off
1   | 38679 | INDICATOR-OBFUSCATION | non HTTP 1.1 version with 1.1 headers evasion attempt | off | off | off
1   | 38731 | SERVER-OTHER          | Squid Proxy range header denial of service attempt | off | drop | drop
1   | 38734 | INDICATOR-OBFUSCATION | HTTP header value without key evasion attempt | off | off | off

Updated Rules:

Updated rules can be found at this link.