Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

This SRU number: 2016-12-21-001
Previous SRU number: 2016-12-19-001

Applies to:

This SEU number: 1589
Previous SEU: 1588

Applies to:

This is the complete list of rules added in SRU 2016-12-21-001 and SEU 1589.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	41083	BLACKLIST	suspicious .bit dns query	off	drop	drop
1	41084	EXPLOIT-KIT	Sundown Exploit kit landing page obfuscation detected	off	off	drop
3	41085	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2016-0235 attack attempt	off	off	drop
1	41086	SERVER-WEBAPP	Oracle Opera Property Management System ProcessInfo command injection attempt	off	drop	drop
1	41087	SERVER-WEBAPP	Oracle Opera Property Management System ProcessInfo command injection attempt	off	drop	drop
1	41088	MALWARE-CNC	Win.Trojan.MrWhite out bound communication attempt	off	drop	drop
1	41089	MALWARE-CNC	Win.Trojan.Ostap out bound communication attempt	off	drop	drop
1	41092	EXPLOIT-KIT	Rig Exploit Kit landing page obfuscation detected	off	drop	drop
3	41093	POLICY-OTHER	Docker management traffic detected	off	off	off

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	41090	SERVER-OTHER	Rockwell Factorytalk RNADiagReceiver denial of service attempt	off	off	off
1	41091	PROTOCOL-SCADA	Rockwell Controllogix Crash Ethernet attempt	off	off	off

Updated rules can be found at this link.