Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-03-23

This SRU number: 2017-03-22-001
Previous SRU number: 2017-03-20-001

Applies to:

This SEU number: 1633
Previous SEU: 1631

Applies to:

This is the complete list of rules added in SRU 2017-03-22-001 and SEU 1633.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.
341909SERVER-OTHERCisco Software Cluster Management Protocol remote code execution attemptdropdropdrop
341910SERVER-OTHERCisco Software Cluster Management Protocol remote code execution attemptdropdropdrop
142049SERVER-WEBAPPdnaLIMS viewAppletFsa.cgi directory traversal attemptoffoffoff
142050SERVER-WEBAPPdnaLIMS viewAppletFsa.cgi directory traversal attemptoffoffoff
142052FILE-FLASHAdobe Flash Player Primetime TVSDK memory corruption attemptoffdropdrop
142053FILE-FLASHAdobe Flash Player Primetime TVSDK memory corruption attemptoffdropdrop
142054PROTOCOL-SCADAMoxa get SNMP read string attemptoffoffoff
142055PROTOCOL-SCADAMoxa password retrieval attemptoffoffoff
142056PROTOCOL-SCADAMoxa password retrieval attemptoffoffoff
142057PROTOCOL-SCADAMoxa unlock function code attemptoffoffoff
142058PROTOCOL-SCADAMoxa unlock function code attemptoffoffoff
142059MALWARE-CNCWin.Ransomware.Sage variant outbound connectionoffdropdrop
342061SERVER-WEBAPPCisco IOS XE webui software upgrade command injection attemptoffoffdrop
142064SERVER-OTHERkaskad SCADA daserver heap overflow exploitation attemptoffoffoff
142065SERVER-OTHERkaskad SCADA daserver heap overflow exploitation attemptoffoffoff
142066SERVER-WEBAPPWordpress plugin arbitrary file deletion attemptoffoffoff
142067POLICY-OTHERAviosys IP Power 9258 W2 management.asp information disclosureoffoffoff
142068POLICY-OTHERAviosys IP Power 9258 W2 default login attemptoffoffoff
342069SERVER-OTHERCisco IOS XE DHCP vendor class identifier format string exploit attemptoffoffoff
142072SERVER-WEBAPPAultware pwStore denial of service attemptoffoffoff
Medium Priority
GIDSIDRule GroupRule MessagePolicy State
Con.Bal.Sec.
342051SERVER-OTHERCisco IOS autonomic networking discovery denial of service attemptoffoffdrop
342060SERVER-OTHERCisco IOS DHCP client dummy XID denial of service attemptoffoffoff
142062SERVER-WEBAPPxArrow heap corruption exploitation attemptoffoffoff
142063SERVER-WEBAPPxArrow null pointer denial of service exploitation attemptoffoffoff
342070SERVER-OTHERCisco IOS L2TP invalid message digest AVP denial of service attemptoffoffoff
342071SERVER-WEBAPPCisco IOS XE webui denial of service attemptoffoffoff

Updated Rules:

Updated rules can be found at this link.