Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-10-27

This SRU number: 2016-10-27-001
Previous SRU number: 2016-10-25-002

Applies to:

This SEU number: 1564
Previous SEU: 1562

Applies to:

This is the complete list of rules added in SRU 2016-10-27-001 and SEU 1564.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.
140546FILE-PDFAdobe Reader JavaScript API privileged function bypass attemptoffoffdrop
140547FILE-PDFAdobe Reader JavaScript API privileged function bypass attemptoffoffdrop
140548MALWARE-CNCWin.Trojan.Satana ransomware outbound connection attemptoffdropdrop
140549MALWARE-CNCWin.Trojan.CryPy ransomware variant outbound connectionoffdropdrop
140550MALWARE-CNCWin.Trojan.CryPy ransomware variant outbound connectionoffdropdrop
140551MALWARE-CNCWin.Trojan.Dexter Banker variant successful installation report attemptoffdropdrop
140557FILE-PDFAdobe Acrobat Reader malformed object stream memory corruption attemptoffdropdrop
140558FILE-PDFAdobe Acrobat Reader malformed object stream memory corruption attemptoffdropdrop
140559MALWARE-CNCWin.Trojan.iSpy variant outbound connection attemptoffdropdrop
140560OS-LINUXLinux kernel madvise race condition attemptoffdropdrop
140561OS-LINUXLinux kernel madvise race condition attemptoffdropdrop
140562OS-LINUXLinux kernel madvise race condition attemptoffoffoff
140563OS-LINUXLinux kernel madvise race condition attemptoffdropdrop
140564OS-LINUXLinux kernel madvise race condition attemptoffoffoff
140565OS-LINUXLinux kernel madvise race condition attemptoffdropdrop
140566OS-LINUXLinux kernel madvise race condition attemptoffdropdrop
140567MALWARE-CNCknown malicious SSL certificate - Odinaff C&Coffoffdrop
140568INDICATOR-COMPROMISEwsf inside zip potential malicious file download attemptoffoffoff
140569FILE-PDFAdobe Acrobat Reader XFA relayoutPageArea memory corruption attemptoffdropdrop
140570FILE-PDFAdobe Acrobat Reader XFA relayoutPageArea memory corruption attemptoffdropdrop
140571FILE-PDFAdobe Reader corrupt bookmark use after free attemptoffdropdrop
140572FILE-PDFAdobe Reader corrupt bookmark use after free attemptoffdropdrop
140573FILE-PDFAdobe Acrobat Reader XFA resolveNode memory corruption attemptoffdropdrop
140574FILE-PDFAdobe Acrobat Reader XFA resolveNode memory corruption attemptoffdropdrop
140575FILE-PDFAdobe Acrobat Reader XFA excelGroup memory corruption attemptoffdropdrop
140576FILE-PDFAdobe Acrobat Reader XFA excelGroup memory corruption attemptoffdropdrop
140577FILE-PDFAdobe Reader XFA remerge JavaScript use after free attemptoffdropdrop
140578FILE-PDFAdobe Reader XFA remerge JavaScript use after free attemptoffdropdrop
340580POLICY-OTHERCisco Universal Media Services potentially unauthorized API access detectedoffoffoff
Medium Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.
340552SERVER-OTHERCisco ESA lzw attachment parsing denial of service attemptoffoffdrop
340553SERVER-OTHERCisco ESA uuencode attachment processing exception denial of service attemptoffoffdrop
340554SERVER-OTHERCisco ESA uuencode attachment processing exception denial of service attemptoffoffdrop
140555OS-WINDOWSMicrosoft Windows AHCACHE.SYS remote denial of service attemptoffdropdrop
140556OS-WINDOWSMicrosoft Windows AHCACHE.SYS remote denial of service attemptoffdropdrop
140579SERVER-OTHERISC BIND 9 DNS query overly long name denial of service attemptoffdropdrop

Updated Rules:

Updated rules can be found at this link.