Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-11-14

This SRU number: 2017-11-13-001
Previous SRU number: 2017-11-09-001

Applies to:

3D Sensor versions: 5.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x

This SEU number: 1757
Previous SEU: 1756

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-11-13-001 and SEU 1757.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	44809	BROWSER-IE	Microsoft Edge postMessage use after free attempt	off	drop	drop
1	44810	BROWSER-IE	Microsoft Edge postMessage use after free attempt	off	drop	drop
1	44811	BROWSER-IE	Microsoft Edge scripting engine type confusion attempt	off	drop	drop
1	44812	BROWSER-IE	Microsoft Edge scripting engine type confusion attempt	off	drop	drop
1	44813	BROWSER-IE	Microsoft Edge Chakra Closure use after free attempt	off	drop	drop
1	44814	BROWSER-IE	Microsoft Edge Chakra Closure use after free attempt	off	drop	drop
1	44815	BROWSER-IE	Microsoft Edge use after free attempt	off	off	drop
1	44816	BROWSER-IE	Microsoft Edge use after free attempt	off	off	drop
1	44817	BROWSER-IE	Microsoft Edge custom property memory corruption attempt	off	drop	drop
1	44818	BROWSER-IE	Microsoft Edge custom property memory corruption attempt	off	drop	drop
1	44819	BROWSER-IE	Microsoft Edge array use after free attempt	off	drop	drop
1	44820	BROWSER-IE	Microsoft Edge array use after free attempt	off	drop	drop
1	44821	FILE-OFFICE	Microsoft Excel use after free vulnerability exploit attempt	off	off	drop
1	44822	FILE-OFFICE	Microsoft Excel use after free vulnerability exploit attempt	off	off	drop
1	44823	BROWSER-IE	Microsoft Internet Explorer VBScript Join out of bounds memory access attempt	off	off	off
1	44824	BROWSER-IE	Microsoft Internet Explorer VBScript Join out of bounds memory access attempt	off	off	off
1	44825	OS-WINDOWS	Microsoft Edge out of bounds write attempt	off	off	off
1	44826	OS-WINDOWS	Microsoft Edge out of bounds write attempt	off	off	off
1	44827	BROWSER-IE	Microsoft Edge scripting engine memory corruption attempt	off	drop	drop
1	44828	BROWSER-IE	Microsoft Edge scripting engine memory corruption attempt	off	drop	drop
1	44829	BROWSER-IE	Microsoft Internet Explorer array memory corruption attempt	off	drop	drop
1	44830	BROWSER-IE	Microsoft Internet Explorer array memory corruption attempt	off	drop	drop
1	44831	BROWSER-IE	Microsoft Edge memory corruption exploitation attempt	off	drop	drop
1	44832	BROWSER-IE	Microsoft Edge memory corruption exploitation attempt	off	drop	drop
1	44833	OS-WINDOWS	Microsoft Windows win32k.sys use after free attempt	off	drop	drop
1	44834	OS-WINDOWS	Microsoft Windows win32k.sys use after free attempt	off	drop	drop
3	44835	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0472 attack attempt	off	off	drop
3	44836	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0472 attack attempt	off	off	drop
3	44837	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0472 attack attempt	off	off	drop
1	44838	FILE-OFFICE	Microsoft Word RTF memory corruption attempt	off	off	off
1	44839	FILE-OFFICE	Microsoft Word RTF memory corruption attempt	off	off	off
3	44840	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0473 attack attempt	off	off	drop
3	44841	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0473 attack attempt	off	off	drop
3	44842	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0473 attack attempt	off	off	drop
1	44843	BROWSER-IE	Microsoft Edge Uint8Array memory corruption attempt	off	off	off
1	44844	BROWSER-IE	Microsoft Edge Uint8Array memory corruption attempt	off	off	off
1	44845	BROWSER-IE	Microsoft Edge heap overflow attempt	off	drop	drop
1	44846	BROWSER-IE	Microsoft Edge heap overflow attempt	off	drop	drop
3	44847	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0482 attack attempt	off	off	drop
3	44848	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0482 attack attempt	off	off	drop
3	44849	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0482 attack attempt	off	off	drop
3	44850	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0477 attack attempt	off	off	drop
3	44851	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0477 attack attempt	off	off	drop
3	44852	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0477 attack attempt	off	off	drop
1	44853	FILE-PDF	Adobe Acrobat Reader malformed TTF buffer over-read attempt	off	off	drop
1	44854	FILE-PDF	Adobe Acrobat Reader malformed TTF buffer over-read attempt	off	off	drop
3	44855	POLICY-OTHER	TRUFFLEHUNTER TALOS-2017-0480 attack attempt	off	off	off
1	44856	FILE-PDF	Adobe Acrobat Reader XI JavaScript annotation use after free attempt	off	drop	drop
1	44857	FILE-PDF	Adobe Acrobat Reader XI JavaScript annotation use after free attempt	off	drop	drop
1	44859	FILE-OTHER	Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt	off	off	drop
1	44860	FILE-OTHER	Adobe Acrobat Pro PNG file buffer over-read vulnerability attempt	off	off	drop
1	44861	FILE-IMAGE	Adobe Acrobat Pro malformed CommentExtension attempt	off	drop	drop
1	44862	FILE-IMAGE	Adobe Acrobat Pro malformed CommentExtension attempt	off	drop	drop
3	44863	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0483 attack attempt	off	off	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	44808	INDICATOR-COMPROMISE	Apache HTTP Server possible mod_dav.c remote denial of service vulnerability attempt	off	off	off
3	44858	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0474 attack attempt	off	off	drop

Updated Rules:

Updated rules can be found at this link.