Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-05-09

This SRU number: 2017-05-09-001
Previous SRU number: 2017-05-03-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1668
Previous SEU: 1666

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-05-09-001 and SEU 1668.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42749	BROWSER-IE	Microsoft Edge scripting engine postMessage use after free attempt	off	drop	drop
1	42750	BROWSER-IE	Microsoft Edge scripting engine postMessage use after free attempt	off	drop	drop
1	42751	OS-WINDOWS	Microsoft Windows AFD.sys double fetch race condition attempt	off	drop	drop
1	42752	OS-WINDOWS	Microsoft Windows AFD.sys double fetch race condition attempt	off	drop	drop
1	42753	BROWSER-IE	Microsoft Edge Chakra Core type confusion attempt	off	drop	drop
1	42754	BROWSER-IE	Microsoft Edge Chakra Core type confusion attempt	off	drop	drop
1	42755	FILE-OFFICE	Microsoft Word 2010 Sepx memory corruption attempt	off	drop	drop
1	42756	FILE-OFFICE	Microsoft Word 2010 Sepx memory corruption attempt	off	drop	drop
1	42757	OS-WINDOWS	Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt	off	drop	drop
1	42758	OS-WINDOWS	Microsoft Windows dxgkrnl CreateDriverAllocations null pointer dereference attempt	off	drop	drop
1	42759	OS-WINDOWS	Microsoft Windows COM privilege escalation attempt	off	off	drop
1	42760	OS-WINDOWS	Microsoft Windows COM privilege escalation attempt	off	off	drop
1	42761	BROWSER-IE	Microsoft Edge Chakra array unshift heap overflow attempt	off	off	drop
1	42762	BROWSER-IE	Microsoft Edge Chakra array unshift heap overflow attempt	off	off	drop
1	42765	OS-WINDOWS	Microsoft win32k privilege escalation attempt	off	off	drop
1	42766	OS-WINDOWS	Microsoft win32k privilege escalation attempt	off	off	drop
1	42767	OS-WINDOWS	Microsoft Windows DeviceIoControl double fetch race condition attempt	off	drop	drop
1	42768	OS-WINDOWS	Microsoft Windows DeviceIoControl double fetch race condition attempt	off	drop	drop
1	42769	OS-WINDOWS	Microsoft Win32k kernel memory leak attempt	off	drop	drop
1	42770	OS-WINDOWS	Microsoft Win32k kernel memory leak attempt	off	drop	drop
1	42771	OS-WINDOWS	Microsoft Windows GdiGradientFill null pointer dereference attempt	off	drop	drop
1	42772	OS-WINDOWS	Microsoft Windows GdiGradientFill null pointer dereference attempt	off	drop	drop
1	42773	OS-WINDOWS	Microsoft Windows COM privilege escalation attempt	off	off	off
1	42774	OS-WINDOWS	Microsoft Windows COM privilege escalation attempt	off	off	off
1	42775	BROWSER-IE	Microsoft Edge Chakra JIT memory corruption attempt	off	drop	drop
1	42776	BROWSER-IE	Microsoft Edge Chakra JIT memory corruption attempt	off	drop	drop
1	42777	BROWSER-IE	Microsoft Edge scripting engine security bypass css attempt	off	drop	drop
1	42778	BROWSER-IE	Microsoft Edge scripting engine security bypass css attempt	off	drop	drop
1	42779	BROWSER-IE	Microsoft Edge CSS writing mode type confusion attempt	off	drop	drop
1	42780	BROWSER-IE	Microsoft Edge CSS writing mode type confusion attempt	off	drop	drop
1	42781	BROWSER-IE	Microsoft Windows Edge AudioContext use after free attempt	off	drop	drop
1	42782	BROWSER-IE	Microsoft Windows Edge AudioContext use after free attempt	off	drop	drop
1	42783	OS-WINDOWS	Microsoft Windows ntoskrnl information disclosure attempt	off	off	drop
1	42784	OS-WINDOWS	Microsoft Windows ntoskrnl information disclosure attempt	off	off	drop
1	42786	PROTOCOL-SCADA	Moxa unlock function code attempt	off	off	off
1	42787	POLICY-OTHER	Schneider Electric hardcoded FTP login attempt	off	off	drop
1	42788	FILE-PDF	Adobe Reader malformed app13 tag information disclosure attempt	off	off	drop
1	42789	FILE-PDF	Adobe Reader malformed app13 tag information disclosure attempt	off	off	drop
1	42790	FILE-PDF	Adobe Reader invalid object reference use after free attempt	off	drop	drop
1	42791	FILE-PDF	Adobe Reader invalid object reference use after free attempt	off	drop	drop
1	42792	FILE-FLASH	Adobe Flash Player FLV invalid tag buffer overflow attempt	off	drop	drop
1	42793	FILE-FLASH	Adobe Flash Player FLV invalid tag buffer overflow attempt	off	drop	drop
1	42794	FILE-FLASH	Adobe Flash Player beginGradientFill color array out of bounds read attempt	off	drop	drop
1	42795	FILE-FLASH	Adobe Flash Player beginGradientFill color array out of bounds read attempt	off	drop	drop
1	42796	FILE-FLASH	Adobe Flash Player ConvolutionFilter memory corruption attempt	off	drop	drop
1	42797	FILE-FLASH	Adobe Flash Player ConvolutionFilter memory corruption attempt	off	drop	drop
1	42798	BROWSER-IE	Microsoft Edge out of bounds read attempt	off	off	drop
1	42799	BROWSER-IE	Microsoft Edge out of bounds read attempt	off	off	drop
1	42800	FILE-FLASH	Adobe Flash Player ActionPush out of bounds read attempt	off	drop	drop
1	42801	FILE-FLASH	Adobe Flash Player ActionPush out of bounds read attempt	off	drop	drop
1	42802	FILE-PDF	Adobe Acrobat Reader malformed AES key memory corruption attempt	off	drop	drop
1	42803	FILE-PDF	Adobe Acrobat Reader malformed AES key memory corruption attempt	off	drop	drop
1	42804	SERVER-WEBAPP	IntegraXor directory traversal attempt	off	off	off
1	42805	SERVER-WEBAPP	Intel AMT remote administration tool authentication bypass attempt	off	off	drop
1	42806	EXPLOIT-KIT	Rig Exploit Kit URL outbound communication	off	drop	drop
1	42807	FILE-FLASH	Adobe Standalone Flash Player BlendMode memory corruption attempt	off	drop	drop
1	42808	FILE-FLASH	Adobe Standalone Flash Player BlendMode memory corruption attempt	off	drop	drop
1	42809	FILE-FLASH	Adobe Flash Player BitmapData out of bounds memory access attempt	off	drop	drop
1	42810	FILE-FLASH	Adobe Flash Player BitmapData out of bounds memory access attempt	off	drop	drop
1	42811	BROWSER-IE	Microsoft Edge Chakra Engine use-after-free attempt	off	drop	drop
1	42812	BROWSER-IE	Microsoft Edge Chakra Engine use-after-free attempt	off	drop	drop
1	42813	FILE-PDF	Adobe Acrobat Reader malformed URI information disclosure attempt	off	drop	drop
1	42814	FILE-PDF	Adobe Acrobat Reader malformed URI information disclosure attempt	off	drop	drop
1	42815	FILE-FLASH	Adobe Flash Player display object mask use after free attempt	off	drop	drop
1	42816	FILE-FLASH	Adobe Flash Player display object mask use after free attempt	off	drop	drop
1	42817	FILE-FLASH	Adobe Flash Player DisplayObject use after free attempt	off	drop	drop
1	42818	FILE-FLASH	Adobe Flash Player DisplayObject use after free attempt	off	drop	drop
1	42819	SERVER-WEBAPP	WordPress admin password reset attempt	off	off	off
1	42820	OS-WINDOWS	Microsoft Malware Protection Engine type confusion attempt	off	drop	drop
1	42821	OS-WINDOWS	Microsoft Malware Protection Engine type confusion attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	42763	OS-WINDOWS	Microsoft Windows NtTraceControl information disclosure attempt	off	drop	drop
1	42764	OS-WINDOWS	Microsoft Windows NtTraceControl information disclosure attempt	off	drop	drop
1	42785	INDICATOR-SCAN	DNS version.bind string information disclosure attempt	off	off	drop

Updated Rules:

Updated rules can be found at this link.