Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-04-11

This SRU number: 2017-04-11-001
Previous SRU number: 2017-04-06-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1650
Previous SEU: 1648

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-04-11-001 and SEU 1650.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42148	FILE-OTHER	Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt	off	drop	drop
1	42149	FILE-OTHER	Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt	off	drop	drop
1	42150	FILE-OTHER	Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt	off	drop	drop
1	42151	FILE-OTHER	Microsoft Windows ATMFD font driver malformed OTF file out-of-bounds memory access attempt	off	drop	drop
1	42152	BROWSER-IE	Microsoft Edge JavaScript string object type confusion attempt	off	drop	drop
1	42153	BROWSER-IE	Microsoft Edge JavaScript string object type confusion attempt	off	drop	drop
1	42154	OS-WINDOWS	Microsoft Windows win32k information disclosure attempt	off	off	drop
1	42155	OS-WINDOWS	Microsoft Windows win32k information disclosure attempt	off	off	drop
1	42156	BROWSER-IE	Microsoft Internet Explorer recordset use after free attempt	off	drop	drop
1	42157	BROWSER-IE	Microsoft Internet Explorer recordset use after free attempt	off	drop	drop
1	42158	OS-WINDOWS	Microsoft Win32k privilege escalation attempt	off	drop	drop
1	42159	OS-WINDOWS	Microsoft Win32k privilege escalation attempt	off	drop	drop
1	42160	SERVER-OTHER	Microsoft LDAP MaxBuffSize buffer overflow attempt	off	drop	drop
1	42161	FILE-OFFICE	Microsoft Office Excel out of bounds memory attempt	off	drop	drop
1	42162	FILE-OFFICE	Microsoft Office Excel out of bounds memory attempt	off	drop	drop
1	42163	FILE-OTHER	Microsoft Office OneNote 2007 dll-load exploit attempt	off	off	off
1	42164	FILE-OTHER	Microsoft Office OneNote 2007 dll-load exploit attempt	off	off	off
1	42165	BROWSER-IE	Microsoft Internet Explorer type confusion vulnerability attempt	off	drop	drop
1	42166	BROWSER-IE	Microsoft Internet Explorer type confusion vulnerability attempt	off	drop	drop
1	42167	FILE-OFFICE	Microsoft Office custom message class security bypass attempt	off	drop	drop
1	42168	FILE-OFFICE	Microsoft Office custom message class security bypass attempt	off	drop	drop
1	42169	BROWSER-IE	Microsoft Internet Explorer classid remote code execution attempt	off	off	off
1	42170	BROWSER-IE	Microsoft Internet Explorer classid remote code execution attempt	off	off	off
1	42171	MALWARE-CNC	Win.Downloader.Agent variant outbound connection	off	drop	drop
1	42172	MALWARE-CNC	Win.Downloader.Agent variant certificate negotiation	off	drop	drop
1	42173	OS-WINDOWS	Microsoft GDI PolyTextOutW out of bounds memory write attempt	off	drop	drop
1	42174	OS-WINDOWS	Microsoft GDI PolyTextOutW out of bounds memory write attempt	off	drop	drop
1	42175	FILE-PDF	Adobe Reader JavaScript API documentToStream use after free attempt	off	drop	drop
1	42176	FILE-PDF	Adobe Reader JavaScript API documentToStream use after free attempt	off	drop	drop
3	42177	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0310 attack attempt	off	drop	drop
3	42178	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0310 attack attempt	off	drop	drop
3	42179	FILE-IMAGE	TRUFFLEHUNTER TALOS-2017-2811 attack attempt	off	off	drop
3	42180	FILE-IMAGE	TRUFFLEHUNTER TALOS-2017-2811 attack attempt	off	off	drop
1	42183	BROWSER-IE	Microsoft Edge format rendering type confusion attempt	off	drop	drop
1	42184	BROWSER-IE	Microsoft Edge format rendering type confusion attempt	off	drop	drop
1	42185	OS-WINDOWS	Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt	off	drop	drop
1	42186	OS-WINDOWS	Microsoft Windows WMI DCOM arbitrary .NET serialization code execution attempt	off	drop	drop
1	42187	OS-WINDOWS	Microsoft Windows IE ETW Collector Service privilege escalation attempt	off	drop	drop
1	42188	OS-WINDOWS	Microsoft Windows IE ETW Collector Service privilege escalation attempt	off	drop	drop
3	42191	FILE-IMAGE	TRUFFLEHUNTER TALOS-2017-0309 attack attempt	off	off	drop
3	42192	FILE-IMAGE	TRUFFLEHUNTER TALOS-2017-0309 attack attempt	off	off	drop
3	42193	FILE-IMAGE	TRUFFLEHUNTER TALOS-2017-0309 attack attempt	off	off	drop
3	42194	FILE-IMAGE	TRUFFLEHUNTER TALOS-2017-0309 attack attempt	off	off	drop
3	42195	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0307 attack attempt	off	drop	drop
3	42196	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0307 attack attempt	off	drop	drop
1	42197	FILE-OFFICE	Microsoft Office mqrt.dll dll-load exploit attempt	off	drop	drop
1	42198	FILE-OFFICE	Microsoft Office mqrt.dll dll-load exploit attempt	off	drop	drop
1	42199	OS-WINDOWS	Microsoft Windows GDI null pointer dereference attempt	off	drop	drop
1	42200	OS-WINDOWS	Microsoft Windows GDI null pointer dereference attempt	off	drop	drop
1	42201	BROWSER-IE	Microsoft Internet Explorer CTreePos type confusion attempt	off	drop	drop
1	42202	FILE-PDF	Adobe Reader JavaScript string from stream memory corruption attempt	off	drop	drop
1	42203	FILE-PDF	Adobe Reader JavaScript string from stream memory corruption attempt	off	drop	drop
1	42204	BROWSER-IE	Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt	off	drop	drop
1	42205	BROWSER-IE	Microsoft Internet Explorer htmlFile ActiveX control universal XSS attempt	off	drop	drop
1	42206	FILE-FLASH	Adobe Flash Player allocator use-after-free attempt	off	drop	drop
1	42207	FILE-FLASH	Adobe Flash Player allocator use-after-free attempt	off	drop	drop
1	42208	OS-WINDOWS	Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt	off	drop	drop
1	42209	OS-WINDOWS	Microsoft Windows Clipboard Broker privilege escalation vulnerability attempt	off	drop	drop
1	42210	BROWSER-IE	Microsoft Edge xlink type confusion memory corruption attempt	off	drop	drop
1	42211	BROWSER-IE	Microsoft Edge xlink type confusion memory corruption attempt	off	drop	drop
1	42212	FILE-PDF	Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt	off	drop	drop
1	42213	FILE-PDF	Adobe Acrobat Reader embedded JPEG 2000 flst heap overflow attempt	off	drop	drop
1	42214	FILE-FLASH	Adobe Flash Player NetStream use after free attempt	off	drop	drop
1	42215	FILE-FLASH	Adobe Flash Player NetStream use after free attempt	off	drop	drop
1	42216	FILE-OTHER	Adobe Acrobat Reader pcx planes memory corruption attempt	off	off	drop
1	42217	FILE-OTHER	Adobe Acrobat Reader pcx planes memory corruption attempt	off	off	drop
1	42218	FILE-IMAGE	Adobe Acrobat Pro malformed GIF memory corruption attempt	off	drop	drop
1	42219	FILE-IMAGE	Adobe Acrobat Pro malformed TIF memory corruption attempt	off	drop	drop
1	42220	SERVER-WEBAPP	BlueCoat CAS report-email command injection attempt	off	off	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42181	DELETED	gyEMoybvxbllnqLg0n4E
1	42182	DELETED	esjQk5MDxNnLLZ57GfDW
1	42189	FILE-OFFICE	RTF objautlink url moniker file download attempt	off	off	drop
1	42190	FILE-OFFICE	RTF objautlink url moniker file download attempt	off	off	drop

Updated Rules:

Updated rules can be found at this link.