Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-10-20

This SRU number: 2016-10-20-001
Previous SRU number: 2016-10-17-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1559
Previous SEU: 1557

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules modified in SRU 2016-10-20-001 and SEU 1559.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

Updated Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	16301	BROWSER-IE	Microsoft Internet Explorer HTML DOM invalid DHTML textnode creation attempt	off	off	off
1	19551	MALWARE-OTHER	self-signed SSL certificate with default Internet Widgits Pty Ltd organization name	off	off	drop
1	21108	EXPLOIT-KIT	unknown exploit kit obfuscated landing page	off	off	drop
1	23905	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23906	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23907	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23908	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23909	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23910	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23911	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23912	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23913	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23914	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23915	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23916	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23917	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23918	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23919	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23920	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23921	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23922	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23923	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23924	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23925	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23926	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23927	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23928	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23929	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23930	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23931	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23932	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	23933	INDICATOR-COMPROMISE	Win.Trojan.DistTrack propagation - execute dropped file	off	off	off
1	28069	APP-DETECT	DNS request for potential malware SafeGuard to domain 360.cn	off	off	off
1	28070	APP-DETECT	DNS request for potential malware SafeGuard to domain 360safe.com	off	off	off
1	28071	APP-DETECT	360.cn SafeGuard local HTTP management console access attempt	off	off	off
1	28795	EXPLOIT-KIT	Goon/Infinity exploit kit payload download attempt	off	drop	drop
1	28796	EXPLOIT-KIT	iFRAMEr successful cnt.php redirection	off	alert	alert
1	28797	EXPLOIT-KIT	Multiple exploit kit binkey xored binary download attempt	off	drop	drop
1	29213	INDICATOR-OBFUSCATION	potential math library debugging	off	drop	drop
1	31299	MALWARE-CNC	Win.Trojan.Necurs or Win.Trojan.Locky variant outbound detection	off	off	off
1	40404	BROWSER-IE	Microsoft Internet Explorer eval type confusion attempt	off	off	drop
1	40405	BROWSER-IE	Microsoft Internet Explorer eval type confusion attempt	off	off	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	23113	INDICATOR-OBFUSCATION	eval gzinflate base64_decode call - likely malicious	off	off	off
1	23114	INDICATOR-OBFUSCATION	GIF header with PHP tags - likely malicious	off	off	off
1	28039	INDICATOR-COMPROMISE	Suspicious .pw dns query	off	off	drop
1	28068	APP-DETECT	360.cn Safeguard runtime outbound communication	off	off	off
1	39362	BLACKLIST	User-Agent known malicious user-agent string - Win.Trojan.Batlopma	off	off	drop
1	39866	INDICATOR-COMPROMISE	Suspicious .ml dns query	off	off	drop
1	39867	INDICATOR-COMPROMISE	Suspicious .tk dns query	off	off	drop
1	40081	BLACKLIST	User-Agent known PUA user-agent string - TopTools100	off	off	drop