Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-01-10

This SRU number: 2017-01-09-001
Previous SRU number: 2017-01-05-001

Applies to:

This SEU number: 1594
Previous SEU: 1593

Applies to:

This is the complete list of rules added in SRU 2017-01-09-001 and SEU 1594.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

3 - 41137 - SERVER-OTHER - Cisco IOS XR command line interface privilege escalation attempt - off / off / off
1 - 41138 - FILE-FLASH - Adobe Flash Player display list structure memory corruption attempt - off / drop / drop
1 - 41139 - FILE-FLASH - Adobe Flash Player display list structure memory corruption attempt - off / drop / drop
1 - 41140 - FILE-OFFICE - Microsoft Word Out-of-Bounds Write attempt - off / drop / drop
1 - 41141 - FILE-OFFICE - Microsoft Word Out-of-Bounds Write attempt - off / drop / drop
1 - 41142 - FILE-PDF - Adobe Acrobat animateSyncButton use after free attempt - off / drop / drop
1 - 41143 - FILE-PDF - Adobe Acrobat animateSyncButton use after free attempt - off / drop / drop
1 - 41144 - FILE-IMAGE - Adobe Reader malformed app13 marker memory corruption attempt - off / off / drop
1 - 41145 - FILE-IMAGE - Adobe Reader malformed app13 marker memory corruption attempt - off / off / drop
1 - 41146 - FILE-IMAGE - Adobe Reader malformed app13 marker memory corruption attempt - off / off / drop
1 - 41147 - FILE-IMAGE - Adobe Reader malformed app13 marker memory corruption attempt - off / off / drop
1 - 41148 - FILE-IMAGE - Adobe Reader malformed app13 marker memory corruption attempt - off / off / drop
1 - 41149 - FILE-IMAGE - Adobe Reader malformed app13 marker memory corruption attempt - off / off / drop
1 - 41150 - FILE-PDF - Adobe Acrobat Reader JavaScript navigation pane use after free attempt - off / drop / drop
1 - 41151 - FILE-PDF - Adobe Acrobat Reader JavaScript navigation pane use after free attempt - off / drop / drop
1 - 41152 - FILE-PDF - Adobe Acrobat Reader Forms Data Format embedded javascript attempt - off / drop / drop
1 - 41153 - FILE-PDF - Adobe Acrobat Reader Forms Data Format embedded javascript attempt - off / drop / drop
1 - 41154 - FILE-PDF - Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt - off / off / drop
1 - 41155 - FILE-PDF - Adobe Acrobat Reader malformed CFF global subroutine memory corruption attempt - off / off / drop
1 - 41156 - FILE-FLASH - Adobe Flash Player malformed ATF file length heap overflow attempt - off / drop / drop
1 - 41157 - FILE-FLASH - Adobe Flash Player malformed ATF file length heap overflow attempt - off / drop / drop
1 - 41158 - FILE-FLASH - Adobe Flash Player visual blend out of bounds read attempt - off / drop / drop
1 - 41159 - FILE-FLASH - Adobe Flash Player visual blend out of bounds read attempt - off / drop / drop
1 - 41160 - FILE-FLASH - Acrobat Flash FileReference class use-after-free memory corruption attempt - off / drop / drop
1 - 41161 - FILE-FLASH - Acrobat Flash FileReference class use-after-free memory corruption attempt - off / drop / drop
1 - 41162 - MALWARE-CNC - Js.Trojan.Nemucod variant - off / drop / drop
1 - 41163 - FILE-PDF - Adobe Acrobat Reader XSL stylesheet heap overflow attempt - off / off / drop
1 - 41164 - FILE-PDF - Adobe Acrobat Reader XSL stylesheet heap overflow attempt - off / off / drop
1 - 41165 - FILE-FLASH - Acrobat Flash FileReference class use-after-free memory corruption attempt - off / drop / drop
1 - 41166 - FILE-FLASH - Acrobat Flash FileReference class use-after-free memory corruption attempt - off / drop / drop
1 - 41167 - BLACKLIST - DNS request for known malware domain himalayard.de - Win.Trojan.August - off / drop / drop
1 - 41168 - BLACKLIST - DNS request for known malware domain krusingtheworld.de - Win.Trojan.August - off / drop / drop
1 - 41169 - BLACKLIST - DNS request for known malware domain muralegdanskzaspa.eu - Win.Trojan.August - off / drop / drop
1 - 41170 - BLACKLIST - DNS request for known malware domain overstockage.com - Win.Trojan.August - off / drop / drop
1 - 41171 - BLACKLIST - DNS request for known malware domain pg4pszczyna.edu.pl - Win.Trojan.August - off / drop / drop
1 - 41172 - BLACKLIST - DNS request for known malware domain thedragon318.com - Win.Trojan.August - off / drop / drop
1 - 41173 - MALWARE-CNC - Win.Trojan.August variant outbound connection attempt - off / drop / drop
1 - 41174 - MALWARE-CNC - Win.Trojan.August variant outbound connection attempt - off / drop / drop
1 - 41175 - MALWARE-CNC - Win.Trojan.August variant outbound connection attempt - off / drop / drop
1 - 41176 - MALWARE-CNC - Win.Trojan.August variant outbound connection attempt - off / drop / drop
1 - 41177 - MALWARE-CNC - Win.Trojan.August variant outbound connection attempt - off / drop / drop
1 - 41178 - MALWARE-CNC - Win.Trojan.August variant outbound connection attempt - off / drop / drop
1 - 41179 - MALWARE-CNC - Win.Trojan.August variant post compromise download attempt - off / drop / drop
1 - 41180 - MALWARE-CNC - Win.Trojan.August variant post compromise download attempt - off / drop / drop
1 - 41181 - FILE-IMAGE - Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt - off / drop / drop
1 - 41182 - FILE-IMAGE - Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt - off / drop / drop
1 - 41183 - FILE-IMAGE - Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt - off / drop / drop
1 - 41184 - FILE-IMAGE - Adobe Acrobat TIFF PhotometricInterpretation heap buffer overflow attempt - off / drop / drop
1 - 41185 - POLICY-OTHER - SunRPC Portmap GETPORT request detected - off / off / off
1 - 41186 - POLICY-OTHER - SunRPC Portmap GETPORT request detected - off / off / off
1 - 41190 - POLICY-OTHER - Adobe Flash SMTP MIME attachment detected - off / off / off
1 - 41191 - POLICY-OTHER - Adobe Flash SMTP MIME attachment detected - off / off / off
1 - 41192 - POLICY-OTHER - Adobe Flash SMTP MIME attachment detected - off / off / off
1 - 41193 - FILE-PDF - Adobe Acrobat XFA engine stack buffer overflow attempt - off / drop / drop
1 - 41194 - FILE-PDF - Adobe Acrobat XFA engine stack buffer overflow attempt - off / drop / drop

Medium Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 41187 - SERVER-WEBAPP - IBM Lotus Domino BOX mailbox information disclosure attempt - off / off / off
1 - 41188 - SERVER-WEBAPP - IBM Lotus Domino NSF database information disclosure attempt - off / off / off
1 - 41189 - SERVER-WEBAPP - IBM Lotus Domino srvnam.htm information disclosure attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.