Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-04-27

This SRU number: 2017-04-26-001
Previous SRU number: 2017-04-25-003

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1663
Previous SEU: 1662

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-04-26-001 and SEU 1663.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42377	FILE-PDF	Adobe Acrobat Reader dll injection sandbox escape	off	off	off
1	42378	SERVER-OTHER	Yealink VoIP phone remote code execution attempt	off	off	off
1	42379	SERVER-WEBAPP	OpenCart directory traversal attempt	off	off	off
1	42380	SERVER-WEBAPP	OpenCart directory traversal attempt	off	off	off
1	42381	SERVER-WEBAPP	OpenCart directory traversal attempt	off	off	off
1	42382	SERVER-WEBAPP	Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt	off	off	drop
1	42383	SERVER-WEBAPP	Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt	off	off	drop
1	42384	SERVER-WEBAPP	Trend Micro Threat Discovery Appliance detected_potential_files.cgi command injection attempt	off	off	drop
1	42385	MALWARE-CNC	Win.Trojan.Moonwind outbound communication	off	drop	drop
1	42386	MALWARE-CNC	Win.Trojan.Mikcer variant outbound connection attempt	off	drop	drop
1	42387	SERVER-WEBAPP	DataRate SCADA directory traversal attempt	off	off	off
1	42388	SERVER-WEBAPP	DataRate SCADA directory traversal attempt	off	off	off
1	42390	MALWARE-CNC	Win.Trojan.Moarider variant outbound connection attempt	off	drop	drop
1	42391	MALWARE-CNC	Win.Trojan.Moarider variant outbound connection attempt	off	drop	drop
1	42392	SERVER-WEBAPP	Yealink VoIP phone directory traversal attempt	off	off	drop
1	42393	SERVER-WEBAPP	Yealink VoIP phone directory traversal attempt	off	off	drop
1	42394	SERVER-WEBAPP	Yealink VoIP phone directory traversal attempt	off	off	drop
1	42395	MALWARE-CNC	Win.Trojan.Oddjob outbound connection	off	drop	drop
1	42396	EXPLOIT-KIT	Blacole inbound malformed pdf download attempt	off	off	drop
1	42397	EXPLOIT-KIT	Blacole inbound malformed pdf download attempt	off	off	drop
1	42398	MALWARE-CNC	Win.Trojan.RedLeaves outbound connection attempt	off	drop	drop
3	42399	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0323 attack attempt	off	off	off
3	42400	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0323 attack attempt	off	off	off
1	42402	SERVER-WEBAPP	multiple product command injection attempt	off	off	off

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42401	SERVER-WEBAPP	multiple product version scan attempt	off	off	off

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42389	BROWSER-IE	Microsoft Internet Explorer uninitialized or deleted object access attempt	off	off	off

Updated Rules:

Updated rules can be found at this link.