Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-09-16

This SRU number: 2016-09-16-001
Previous SRU number: 2016-09-15-001

Applies to:

This SEU number: 1546
Previous SEU: 1545

Applies to:

This is the complete list of rules added in SRU 2016-09-16-001 and SEU 1546.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
1 - 40224 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40225 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40226 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40227 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40228 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40229 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40230 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40231 - SERVER-WEBAPP - Cisco ASA WebVPN auth_handle cross site scripting attempt - off / off / drop
1 - 40232 - MALWARE-CNC - Win.Trojan.Injector external connection attempt - off / drop / drop
1 - 40233 - EXPLOIT-KIT - Sundown exploit kit landing page detected - off / drop / drop
1 - 40234 - MALWARE-CNC - Installation Keylogger Osx.Trojan.Mokes ping reply - off / drop / drop
1 - 40235 - MALWARE-CNC - Installation Keylogger Osx.Trojan.Mokes ping request - off / off / off
1 - 40236 - FILE-PDF - Adobe Reader embedded font out of bounds memory access attempt - off / drop / drop
1 - 40237 - FILE-PDF - Adobe Reader embedded font out of bounds memory access attempt - off / drop / drop
1 - 40238 - MALWARE-CNC - Win.Keylogger.AgentTesla variant outbound connection - off / drop / drop
3 - 40240 - SERVER-WEBAPP - Cisco WebEx Meetings Server config_dmz remote code execution attempt - off / drop / drop

Medium Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)
1 - 40220 - SERVER-OTHER - Cisco IOS Group-Prime memory disclosure attempt - off / drop / drop
1 - 40221 - SERVER-OTHER - Cisco IOS Group-Prime MD5 memory disclosure attempt - off / drop / drop
1 - 40222 - SERVER-OTHER - Cisco IOS Group-Prime SHA memory disclosure attempt - off / drop / drop
3 - 40239 - SERVER-OTHER - Cisco WebEx meetings server denial of service attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.