Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-03-21

This SRU number: 2017-03-20-001
Previous SRU number: 2017-03-15-001

Applies to:

This SEU number: 1631
Previous SEU: 1630

Applies to:

This is the complete list of rules added in SRU 2017-03-20-001 and SEU 1631.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State columns (Con., Bal., Sec.) give the rule's state in each of the three default Sourcefire intrusion policies: Connectivity over Security, Balanced Security and Connectivity, and Security over Connectivity.

The default passive policy state is the same as the Balanced policy state, except that a passive deployment cannot block traffic, so alert is used wherever Balanced uses drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.
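As an added example (not part of this Talos notice or of any Cisco tooling), the script below parses rows written in the "GID - SID - Rule Group - Rule Message - Policy State" layout described above and works out what each default policy, plus the passive policy, will do with each rule. The one assumption is that the Policy State field is written as the Con./Bal./Sec. states joined by "/" (for example "off/drop/drop"); the sample rows are transcribed from this notice's own table. The parser deliberately handles rule messages that themselves contain " - " (the Andr.Trojan.Agent User-Agent rules), which would shift the columns under a naive split.

```python
"""Parse a Talos SRU/SEU rule listing and derive per-policy rule states.

Added example; not Cisco Talos code.  Rows follow the notice's stated
"GID - SID - Rule Group - Rule Message - Policy State" layout.  Assumption
made here: the Policy State field is the Con./Bal./Sec. states joined by
"/", e.g. "off/drop/drop".
"""
from dataclasses import dataclass
from typing import Dict, List

POLICIES = ("connectivity", "balanced", "security")
VALID_STATES = {"off", "alert", "drop"}


@dataclass
class Rule:
    gid: int
    sid: int
    group: str
    message: str
    states: Dict[str, str]   # policy name -> "off" | "alert" | "drop"


def parse_rule_line(line: str) -> Rule:
    """Split one listing row into its fields.

    The Rule Message may itself contain " - " (e.g. "User-Agent known malicious
    user-agent string - Andr.Trojan.Agent"), so splitting on every " - " would
    shift the columns.  Take GID, SID and Rule Group from the left, the Policy
    State from the right, and treat whatever remains in the middle as the message.
    """
    gid_s, sid_s, group, rest = line.split(" - ", 3)
    message, state_s = rest.rsplit(" - ", 1)
    states = [s.strip().lower() for s in state_s.split("/")]
    if len(states) != len(POLICIES):
        raise ValueError(f"expected {len(POLICIES)} policy states, got {state_s!r}")
    for s in states:
        if s not in VALID_STATES:
            raise ValueError(f"unknown policy state {s!r} in {line!r}")
    return Rule(int(gid_s), int(sid_s), group.strip(), message.strip(),
                dict(zip(POLICIES, states)))


def parse_listing(text: str) -> List[Rule]:
    """Parse every non-empty row of a listing."""
    return [parse_rule_line(ln) for ln in text.splitlines() if ln.strip()]


def passive_state(rule: Rule) -> str:
    """State in the default passive policy: same as Balanced, except that a
    passive sensor cannot block, so 'drop' becomes 'alert'."""
    bal = rule.states["balanced"]
    return "alert" if bal == "drop" else bal


def sids_with_state(rules: List[Rule], policy: str, state: str) -> List[int]:
    """SIDs that the given default policy puts into the given state."""
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}")
    return sorted(r.sid for r in rules if r.states[policy] == state)


# Rows transcribed from this notice's table into the stated format.
SAMPLE_LISTING = """\
1 - 42018 - EXPLOIT-KIT - Exploit Kit EITest Gate redirection attempt detected - off/off/drop
1 - 42019 - BLACKLIST - User-Agent known malicious user-agent string - Andr.Trojan.Agent - off/drop/drop
1 - 42040 - BROWSER-IE - Microsoft Edge proxy object type confusion attempt - off/off/drop
1 - 42043 - SERVER-WEBAPP - WordPress embedded URL video cross site scripting attempt - off/off/off
1 - 42017 - INDICATOR-OBFUSCATION - Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header - off/off/off
"""


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for policy in POLICIES:
        print(f"{policy:>12}: drops {sids_with_state(rules, policy, 'drop')}")
    print("     passive:", {r.sid: passive_state(r) for r in rules})
```

Running it against the sample rows shows the practical point of the Policy State columns: only SID 42019 will block in a Balanced policy, the Security policy additionally blocks 42018 and 42040, and a passive sensor will alert rather than drop on 42019.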

New Rules:

High Priority
GID  SID    Rule Group             Rule Message                                                        Con.  Bal.  Sec.
1    42018  EXPLOIT-KIT            Exploit Kit EITest Gate redirection attempt detected                off   off   drop
1    42019  BLACKLIST              User-Agent known malicious user-agent string - Andr.Trojan.Agent    off   drop  drop
1    42020  BLACKLIST              User-Agent known malicious user-agent string - Andr.Trojan.Agent    off   drop  drop
1    42021  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42022  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42023  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42024  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42025  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42026  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42027  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42028  MALWARE-CNC            Andr.Trojan.Agent variant file download attempt                     off   drop  drop
1    42029  MALWARE-CNC            Andr.Trojan.Agent variant file download attempt                     off   drop  drop
1    42030  MALWARE-CNC            Andr.Trojan.Agent variant file download attempt                     off   drop  drop
1    42031  MALWARE-CNC            Andr.Trojan.Agent variant outbound connection attempt               off   drop  drop
1    42032  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42033  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42034  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42035  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42036  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42037  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42038  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42039  BROWSER-IE             Microsoft Internet Explorer DataView use-after-free attempt         off   drop  drop
1    42040  BROWSER-IE             Microsoft Edge proxy object type confusion attempt                  off   off   drop
1    42041  BROWSER-IE             Microsoft Edge proxy object type confusion attempt                  off   drop  drop
1    42043  SERVER-WEBAPP          WordPress embedded URL video cross site scripting attempt           off   off   off
1    42044  FILE-FLASH             Adobe Flash Player custom object garbage collection use after free  off   drop  drop
1    42045  FILE-FLASH             Adobe Flash Player custom object garbage collection use after free  off   drop  drop
1    42046  FILE-FLASH             Adobe Flash Player custom object garbage collection use after free  off   drop  drop
1    42047  FILE-FLASH             Adobe Flash Player custom object garbage collection use after free  off   drop  drop
1    42048  SERVER-WEBAPP          dnaLIMS sysAdmin.cgi arbitrary command execution attempt            off   drop  drop
Medium Priority
GID  SID    Rule Group             Rule Message                                                                           Con.  Bal.  Sec.
1    42016  PROTOCOL-SCADA         Moxa discovery packet information disclosure attempt                                   off   drop  drop
1    42017  INDICATOR-OBFUSCATION  Gzip encoded HTTP response with no Content-Length or chunked Transfer-Encoding header  off   off   off
1    42042  SERVER-WEBAPP          Wordpress Press-This cross site request forgery attempt                                off   off   off

Updated Rules:

Updated rules can be found at this link.