Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-04-18

This SRU number: 2017-04-19-001
Previous SRU number: 2017-04-15-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1658
Previous SEU: 1654

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-04-19-001 and SEU 1658.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
3	42263	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42264	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42265	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42266	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42267	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42268	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42269	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42270	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42271	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42272	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0318 attack attempt	off	off	off
3	42273	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0311 attack attempt	off	off	drop
3	42274	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0311 attack attempt	off	off	drop
1	42275	FILE-PDF	Adobe Reader JPEG2000 pclr tag out of bounds read attempt	off	drop	drop
1	42276	FILE-PDF	Adobe Reader JPEG2000 pclr tag out of bounds read attempt	off	drop	drop
3	42277	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0317 attack attempt	off	off	off
3	42278	FILE-OTHER	TRUFFLEHUNTER TALOS-2017-0317 attack attempt	off	off	off
1	42279	FILE-OTHER	Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt	off	off	off
1	42280	FILE-OTHER	Adobe Acrobat RARfsClientNP.dll dll-load exploit attempt	off	off	off
1	42281	OS-SOLARIS	Solaris catflap telnet remote code execution attempt	off	off	off
1	42282	OS-SOLARIS	Solaris catflap telnet remote code execution attempt	off	off	off
1	42283	OS-SOLARIS	Solaris catflap telnet remote code execution attempt	off	off	off
1	42285	FILE-PDF	Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt	off	off	drop
1	42286	FILE-PDF	Adobe Acrobat Reader malformed JP2K codestream out of bounds read attempt	off	off	drop
1	42287	DELETED	FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt
1	42288	DELETED	FILE-PDF Adobe Acrobat Reader malformed URI information disclosure attempt
3	42290	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0316 attack attempt	off	off	drop
1	42291	SERVER-WEBAPP	AlienVault OSSIM API get_host_fqdn host_ip command injection attempt	off	off	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42284	PROTOCOL-SCADA	3S CoDeSys Gateway Server DOS attempt	off	off	off
1	42289	INDICATOR-SCAN	PHP info leak attempt	off	off	off

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42257	FILE-IDENTIFY	ISO file magic detected	off	off	off
1	42258	FILE-IDENTIFY	ISO file attachment detected	off	off	off
1	42259	FILE-IDENTIFY	ISO file attachment detected	off	off	off
1	42260	FILE-IDENTIFY	ISO file attachment detected	off	off	off
1	42261	FILE-IDENTIFY	ISO file magic detected	off	off	off
1	42262	FILE-IDENTIFY	ISO file download request	off	off	off

Updated Rules:

Updated rules can be found at this link.