Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-08-04

This SRU number: 2016-08-03-001
Previous SRU number: 2016-08-01-001

Applies to:

This SEU number: 1522
Previous SEU: 1521

Applies to:

This is the complete list of rules added in SRU 2016-08-03-001 and SEU 1522.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State columns give the rule's state in each default Sourcefire policy: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority

GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec.
1 | 39779 | FILE-OTHER | Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt | off | off | off
1 | 39780 | FILE-OTHER | Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt | off | off | off
1 | 39781 | FILE-OTHER | Ubisoft Heroes of Might and Magic III .h3m map file buffer overflow attempt | off | off | off
1 | 39782 | BLACKLIST | DNS request for known malware domain file.anyoffice.info - Win.Trojan.Lientchtp | off | drop | drop
1 | 39783 | BLACKLIST | DNS request for known malware domain tech.decipherment.net - Win.Trojan.Lientchtp | off | drop | drop
1 | 39784 | BLACKLIST | DNS request for known malware domain yejia.blackbeny.com - Win.Trojan.Lientchtp | off | drop | drop
1 | 39785 | MALWARE-CNC | Win.Trojan.Qarallax initial outbound connection | off | drop | drop
1 | 39786 | PUA-ADWARE | Win.Dowadmin.Adware outbound connection detected | off | off | off
1 | 39787 | PUA-ADWARE | Win.Dowadmin.Adware outbound connection detected | off | off | off
1 | 39788 | FILE-FLASH | Adobe Flash Player AS2 TextField gridFitType use after free attempt | off | drop | drop
1 | 39789 | FILE-FLASH | Adobe Flash Player AS2 TextField gridFitType use after free attempt | off | drop | drop
3 | 39790 | SERVER-WEBAPP | Cisco RV180 VPN Router platform.cgi command injection attempt | off | off | drop
3 | 39791 | SERVER-WEBAPP | Cisco RV180 VPN Router platform.cgi command injection attempt | off | off | drop
3 | 39792 | SERVER-WEBAPP | Cisco RV180 VPN Router platform.cgi command injection attempt | off | off | drop
3 | 39793 | SERVER-WEBAPP | Cisco RV180 VPN Router platform.cgi directory traversal attempt | off | off | drop
3 | 39794 | SERVER-WEBAPP | Cisco RV180 VPN Router platform.cgi directory traversal attempt | off | off | drop
3 | 39795 | SERVER-WEBAPP | Cisco RV Series Routers insecure guest account login attempt | off | off | off
1 | 39798 | FILE-PDF | Adobe Acrobat Reader raster image memory corruption attempt | off | drop | drop
1 | 39799 | FILE-PDF | Adobe Acrobat Reader raster image memory corruption attempt | off | drop | drop
1 | 39800 | MALWARE-CNC | Win.Trojan.Hancitor variant outbound connection | off | drop | drop
1 | 39801 | MALWARE-CNC | Win.Trojan.Spyrat variant outbound connection | off | drop | drop
1 | 39802 | EXPLOIT-KIT | Neutrino Exploit Kit Flash exploit download attempt | off | off | drop
1 | 39803 | MALWARE-OTHER | Win.Adware.Dlhelper outbound connection detected | off | drop | drop
1 | 39804 | MALWARE-OTHER | Win.Adware.Dlhelper outbound connection detected | off | drop | drop
1 | 39805 | MALWARE-OTHER | Win.Adware.Dlhelper outbound connection detected | off | drop | drop
1 | 39806 | MALWARE-OTHER | Win.Adware.Dlhelper outbound connection detected | off | drop | drop

Medium Priority

GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec.
3 | 39796 | PROTOCOL-VOIP | Cisco Unified Communications Manager null pointer dereference attempt | off | off | off
3 | 39797 | PROTOCOL-VOIP | Cisco Unified Communications Manager null pointer dereference attempt | off | off | off

Low Priority

GID | SID | Rule Group | Rule Message | Con. | Bal. | Sec.
1 | 39776 | FILE-IDENTIFY | Heroes of Might and Magic III map file attachment detected | off | off | off
1 | 39777 | FILE-IDENTIFY | Heroes of Might and Magic III map file attachment detected | off | off | off
1 | 39778 | FILE-IDENTIFY | Heroes of Might and Magic III map file download request | off | off | off

Updated Rules:

Updated rules can be found at this link.