Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-04-13

This SRU number: 2017-04-13-002
Previous SRU number: 2017-04-11-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1653
Previous SEU: 1650

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-04-13-002 and SEU 1653.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42221	SERVER-WEBAPP	Moxa private key disclosure attempt	off	drop	drop
1	42224	SERVER-OTHER	Moxa MX-AOPC XML external entity injection attempt	off	off	off
1	42225	MALWARE-CNC	Win.Trojan.RedLeaves outbound connection attempt	off	drop	drop
1	42226	OS-SOLARIS	Solaris RPC XDR overflow code execution attempt	off	off	off
1	42228	MALWARE-CNC	Win.Trojan.DocumentCrypt variant outbound connection	off	drop	drop
1	42231	FILE-OFFICE	RTF url moniker COM file download attempt	off	off	off
1	42232	SERVER-OTHER	TopSec Firewall cookie header command injection attempt	off	drop	drop
1	42233	MALWARE-CNC	Win.Trojan.Mikcer variant outbound connection attempt	off	drop	drop
1	42234	SERVER-WEBAPP	QNAP NAS authLogin.cgi command injection attempt	off	off	drop
1	42236	SERVER-WEBAPP	QNAP NAS userConfig.cgi command injection attempt	off	off	drop
1	42237	SERVER-WEBAPP	QNAP NAS userConfig.cgi command injection attempt	off	off	drop
1	42238	SERVER-WEBAPP	QNAP NAS userConfig.cgi command injection attempt	off	off	drop
1	42239	SERVER-WEBAPP	QNAP NAS utilRequest.cgi command injection attempt	off	off	drop
1	42240	SERVER-WEBAPP	QNAP NAS utilRequest.cgi command injection attempt	off	off	drop
1	42241	SERVER-WEBAPP	QNAP NAS utilRequest.cgi command injection attempt	off	off	drop
1	42242	MALWARE-CNC	Win.Downloader.Dimnie file download attempt	off	drop	drop
1	42243	MALWARE-CNC	Win.Downloader.Dimnie file download attempt	off	drop	drop
3	42244	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0315 attack attempt	off	off	drop
3	42245	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0315 attack attempt	off	off	drop
3	42246	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0315 attack attempt	off	off	drop
3	42247	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0315 attack attempt	off	off	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42222	SERVER-WEBAPP	Moxa MX Studio login page denial of service attempt	off	drop	drop
1	42227	SERVER-OTHER	NTP Config Unpeer denial of service attempt	off	off	off
1	42235	SERVER-OTHER	NTP malformed config request denial of service attempt	off	off	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42223	FILE-IDENTIFY	AOP file download request	off	off	off
1	42229	INDICATOR-COMPROMISE	RTF url moniker COM file download attempt	off	off	off
1	42230	INDICATOR-COMPROMISE	RTF url moniker COM file download attempt	off	off	off

Updated Rules:

Updated rules can be found at this link.