Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-11-03

This SRU number: 2016-11-02-001
Previous SRU number: 2016-11-01-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1567
Previous SEU: 1566

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2016-11-02-001 and SEU 1567.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	40613	SERVER-WEBAPP	Oracle Application Testing Suite authentication bypass attempt	off	off	off
1	40614	SERVER-WEBAPP	Oracle Application Testing Suite authentication bypass attempt	off	off	off
1	40615	SERVER-WEBAPP	Oracle Application Testing Suite authentication bypass attempt	off	off	off
1	40616	SERVER-WEBAPP	Oracle Application Testing Suite authentication bypass attempt	off	off	off
1	40617	SERVER-WEBAPP	Oracle Application Testing Suite authentication bypass attempt	off	off	off
1	40618	FILE-PDF	Adobe Reader XML Metadata memory corruption attempt	off	drop	drop
1	40619	FILE-PDF	Adobe Reader XML Metadata memory corruption attempt	off	drop	drop
1	40620	FILE-OFFICE	Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt	off	off	drop
1	40621	FILE-OFFICE	Microsoft Office RTF WRLoader ASLR bypass download attempt	off	off	drop
1	40622	FILE-OFFICE	Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt	off	off	drop
1	40623	FILE-OFFICE	Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt	off	off	drop
1	40624	FILE-OFFICE	Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt	off	off	drop
1	40625	FILE-OFFICE	Microsoft Office RTF WRAssembly CLSID ASLR bypass download attempt	off	off	drop
1	40626	FILE-OFFICE	Microsoft Office RTF WRLoader ASLR bypass download attempt	off	off	drop
1	40627	FILE-OFFICE	Microsoft Office RTF WRLoader CLSID ASLR bypass download attempt	off	off	drop
1	40628	FILE-OFFICE	Microsoft Office RTF hex encoded WRAsembly ASLR bypass download attempt	off	off	drop
1	40629	FILE-OFFICE	Microsoft Office RTF hex encoded WRAssembly ASLR bypass download attempt	off	off	drop
1	40630	FILE-OFFICE	Microsoft Office RTF hex encoded WRLoader ASLR bypass download attempt	off	off	drop
1	40631	FILE-OFFICE	Microsoft Office RTF hex encoded wrLoader ASLR bypass download attempt	off	off	drop
1	40632	FILE-OFFICE	Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt	off	off	drop
1	40633	FILE-OFFICE	Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt	off	off	drop
1	40634	FILE-OFFICE	Microsoft Office RTF hex encoded WRAssembly CLSID ASLR bypass download attempt	off	off	drop
1	40635	FILE-OFFICE	Microsoft Office RTF hex encoded WRLoader CLSID ASLR bypass download attempt	off	off	drop
3	40637	POLICY-OTHER	TL1 ACT-USER login detected	off	off	off
3	40638	PROTOCOL-VOIP	Cisco Meeting Server SIP SDP media description buffer overflow attempt	off	off	drop
1	40639	FILE-PDF	Adobe Acrobat Reader XFA addInstance use after free attempt	off	drop	drop
1	40640	FILE-PDF	Adobe Acrobat Reader XFA addInstance use after free attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
3	40636	POLICY-OTHER	Cisco Prime Home API insecure SSO authentication detected	off	off	off

Updated Rules:

Updated rules can be found at this link.