Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-01-10

This SRU number: 2017-01-09-001
Previous SRU number: 2017-01-05-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1594
Previous SEU: 1593

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules modified in SRU 2017-01-09-001 and SEU 1594.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

Updated Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	17549	BROWSER-IE	Microsoft Internet Explorer Error Handling Code Execution	off	off	off
3	24973	NETBIOS	SMB Trans2 FIND_FIRST2 response file name length overflow attempt	off	off	drop
1	26021	FILE-PDF	Adobe Acrobat Reader XML Java used in app.setTimeOut	off	drop	drop
1	28240	SERVER-WEBAPP	D-Link DIR-100 User-Agent backdoor access attempt	off	off	drop
1	33419	BROWSER-IE	Microsoft Internet Explorer CTreePos use after free attempt	off	drop	drop
1	33420	BROWSER-IE	Microsoft Internet Explorer CTreePos use after free attempt	off	drop	drop
1	34479	FILE-EXECUTABLE	Adobe Flash Player Internet Explorer broker process directory traversal attempt	off	off	off
1	34480	FILE-EXECUTABLE	Adobe Flash Player Internet Explorer broker process directory traversal attempt	off	off	off
1	36873	FILE-FLASH	Adobe Flash Player AS2 ActionCallMethod use-after-free attempt	off	drop	drop
1	36874	FILE-FLASH	Adobe Flash Player AS2 ActionCallMethod use-after-free attempt	off	drop	drop
1	37009	BROWSER-IE	Microsoft Internet Explorer TextBlock object use after free attempt	off	drop	drop
1	37010	BROWSER-IE	Microsoft Internet Explorer TextBlock object use after free attempt	off	drop	drop
1	37069	FILE-FLASH	Adobe Flash Player object Filters type confusion use after free attempt	off	drop	drop
1	37070	FILE-FLASH	Adobe Flash Player object Filters type confusion use after free attempt	off	drop	drop
1	38081	BROWSER-IE	Microsoft Internet Explorer SetItem use after free attempt	off	drop	drop
1	38082	BROWSER-IE	Microsoft Internet Explorer SetItem use after free attempt	off	drop	drop
1	38225	FILE-FLASH	Adobe Flash Player invalid FLV header out of bounds write attempt	off	off	drop
1	38226	FILE-FLASH	Adobe Flash Player invalid FLV header out of bounds write attempt	off	off	drop
3	38323	FILE-OTHER	TRUFFLEHUNTER TALOS-CAN-0093 attack attempt	off	off	off
3	38324	FILE-OTHER	TRUFFLEHUNTER TALOS-CAN-0093 attack attempt	off	off	off
1	38507	BROWSER-IE	Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt	off	drop	drop
1	38508	BROWSER-IE	Microsoft Internet Explorer ConvertStringFromUnicodeEx out of bounds write attempt	off	drop	drop
1	38980	FILE-PDF	Adobe Acrobat Reader malformed FlateDecode stream use after free attempt	off	drop	drop
1	38981	FILE-PDF	Adobe Acrobat Reader malformed FlateDecode stream use after free attempt	off	drop	drop
1	39100	FILE-PDF	Adobe Reader Universal 3D engine out of bounds memory access violation attempt	off	off	drop
1	39101	FILE-PDF	Adobe Reader Universal 3D engine out of bounds memory access violation attempt	off	off	drop
1	39131	FILE-PDF	Adobe Acrobat Reader Acroform engine memory corruption attempt	off	drop	drop
1	39132	FILE-PDF	Adobe Acrobat Reader Acroform engine memory corruption attempt	off	drop	drop
1	39308	FILE-FLASH	Adobe Flash Player malformed ATF file length load buffer overflow attempt	off	drop	drop
1	39309	FILE-FLASH	Adobe Flash Player malformed ATF file length load buffer overflow attempt	off	drop	drop
1	39318	FILE-FLASH	Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt	off	drop	drop
1	39319	FILE-FLASH	Adobe Flash Player ShimOpportunityGenerator out of bounds memory access attempt	off	drop	drop
1	39656	FILE-FLASH	Adobe Flash Player JPEG handling memory corruption attempt	off	drop	drop
1	39657	FILE-FLASH	Adobe Flash Player JPEG handling memory corruption attempt	off	drop	drop
1	39658	FILE-FLASH	Adobe Flash Player Transform getter use after free attempt	off	drop	drop
1	39659	FILE-FLASH	Adobe Flash Player Transform getter use after free attempt	off	drop	drop
1	39703	FILE-PDF	Adobe Flash Player ActionScript setFocus use after free attempt	off	drop	drop
1	39704	FILE-PDF	Adobe Flash Player ActionScript setFocus use after free attempt	off	drop	drop
1	40431	FILE-PDF	Adobe Acrobat Reader XML Java used in app.setTimeOut	off	drop	drop
3	40934	FILE-EXECUTABLE	TRUFFLEHUNTER TALOS-2016-0217 attack attempt	off	drop	drop
3	40935	FILE-EXECUTABLE	TRUFFLEHUNTER TALOS-2016-0217 attack attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	38810	FILE-OFFICE	Microsoft Office wwlib out of bounds memory access attempt	off	off	drop
1	38811	FILE-OFFICE	Microsoft Office wwlib out of bounds memory access attempt	off	off	drop
1	38812	FILE-OFFICE	Microsoft Office wwlib out of bounds memory access attempt	off	off	drop
1	38813	FILE-OFFICE	Microsoft Office wwlib out of bounds memory access attempt	off	off	drop
1	38814	FILE-OFFICE	Microsoft Office wwlib out of bounds memory access attempt	off	off	drop
1	38815	FILE-OFFICE	Microsoft Office wwlib out of bounds memory access attempt	off	off	drop
1	40759	OS-WINDOWS	Microsoft Windows LSASS GSS-API DER decoding null pointer dereference attempt	off	off	drop