Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2016-11-22

This SRU number: 2016-11-21-002
Previous SRU number: 2016-11-16-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1577
Previous SEU: 1574

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules modified in SRU 2016-11-21-002 and SEU 1577.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

Updated Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	21080	BROWSER-PLUGINS	Microsoft Windows Scripting Host Shell ActiveX function call access	off	off	off
1	24015	MALWARE-CNC	Win.Trojan.Magania variant outbound connection	off	drop	drop
1	24792	BLACKLIST	User-Agent known malicious user-agent - Google page	off	drop	drop
1	34826	DELETED	BLACKLIST DNS request for known malware domain cifss.org - Win.Trojan.Cozybear
1	38841	BROWSER-IE	Microsoft Internet Explorer VBScript toString redim array use after free attempt	off	drop	drop
1	38842	BROWSER-IE	Microsoft Internet Explorer VBScript toString redim array use after free attempt	off	drop	drop
1	39402	FILE-OTHER	Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt	off	drop	drop
1	39403	FILE-OTHER	Symantec Antivirus ALPkOldFormatDecompressor out of bounds read attempt	off	drop	drop
1	39680	BROWSER-IE	Microsoft Internet Explorer VBScript toString redim array use after free attempt	off	drop	drop
1	39681	BROWSER-IE	Microsoft Internet Explorer VBScript toString redim array use after free attempt	off	drop	drop
1	40223	MALWARE-CNC	Win.Trojan.Injector external connection attempt	off	drop	drop
1	40385	BROWSER-IE	Microsoft Internet Explorer vbscript variable type confusion attempt	off	drop	drop
1	40386	BROWSER-IE	Microsoft Internet Explorer vbscript variable type confusion attempt	off	drop	drop
1	40753	EXPLOIT-KIT	Rig exploit kit outbound communication	off	drop	drop
3	40803	FILE-OTHER	TRUFFLEHUNTER TALOS-CAN-0179 attack attempt	off	drop	drop
3	40804	FILE-OTHER	TRUFFLEHUNTER TALOS-CAN-0179 attack attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	19176	SERVER-WEBAPP	cookiejacking attempt	off	off	off
1	19177	SERVER-WEBAPP	cookiejacking attempt	off	off	off
1	19678	SERVER-OTHER	multiple products blacknurse ICMP denial of service attempt	off	off	off
3	33053	OS-WINDOWS	Microsoft RADIUS Server invalid access-request username denial of service attempt	off	off	drop
1	35424	DELETED	SERVER-OTHER ISC BIND TKEY Query denial of service attempt
1	35425	DELETED	SERVER-OTHER ISC BIND TKEY Query denial of service attempt
1	40765	DELETED	SERVER-OTHER Multiple products ICMP denial of service attempt

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	402	PROTOCOL-ICMP	destination unreachable port unreachable packet detected	off	off	off