Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-02-09

This SRU number: 2017-02-09-001
Previous SRU number: 2017-02-06-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1613
Previous SEU: 1610

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-02-09-001 and SEU 1613.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	41521	SERVER-WEBAPP	McAfee Virus Scan Linux cross site scripting attempt	off	drop	drop
1	41522	BROWSER-IE	Microsoft Internet Explorer CGeneratedTreeNode object use after free attempt	off	off	off
1	41523	BROWSER-IE	Microsoft Internet Explorer CGeneratedTreeNode object use after free attempt	off	off	off
1	41524	INDICATOR-COMPROMISE	SOCKS5 proxy server method negotiation on non-standard port	off	off	off
1	41525	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41526	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41527	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41528	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41529	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41530	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41531	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41532	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41533	INDICATOR-COMPROMISE	SOCKS5 proxy inbound connection on non-standard port	off	off	off
1	41534	INDICATOR-COMPROMISE	SOCKS5 proxy server method negotiation on non-standard port	off	off	off
1	41536	SERVER-WEBAPP	ZoneMinder file.php directory traversal attempt	off	off	drop
3	41538	SERVER-WEBAPP	Cisco ASA WebVPN memory corruption attempt	off	drop	drop
1	41539	BLACKLIST	User-Agent known malicious user-agent string - Elite Keylogger	off	drop	drop
1	41540	MALWARE-CNC	Win.Malware.Disttrack variant outbound connection	off	drop	drop
1	41541	SERVER-ORACLE	Oracle reports servlet command execution attempt	off	off	off
1	41542	SERVER-ORACLE	Oracle reports servlet command execution attempt	off	off	off
3	41543	FILE-OFFICE	TRUFFLEHUNTER TALOS-2017-0285 attack attempt	off	off	drop
3	41544	FILE-OFFICE	TRUFFLEHUNTER TALOS-2017-0285 attack attempt	off	off	drop
3	41545	FILE-OFFICE	TRUFFLEHUNTER TALOS-2017-0284 attack attempt	off	off	drop
3	41546	FILE-OFFICE	TRUFFLEHUNTER TALOS-2017-0284 attack attempt	off	off	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	41520	SERVER-OTHER	Ge Fanuc Proficy WebView DOS attempt	off	off	drop
1	41535	SERVER-WEBAPP	Broadwin WebAccess DOS attempt	off	off	drop
1	41537	SERVER-OTHER	Siemens WinCC TIA Portal DOS attempt	off	off	off
3	41548	SERVER-OTHER	F5 BIG-IP TLS session ticket implementation uninitialized memory disclosure attempt	off	drop	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
3	41547	SERVER-OTHER	TLS client hello session resumption detected	off	alert	alert

Updated Rules:

Updated rules can be found at this link.