Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-11-28

This SRU number: 2017-11-28-002
Previous SRU number: 2017-11-20-002

Applies to:

This SEU number: 1763
Previous SEU: 1760

Applies to:

This is the complete list of rules added in SRU 2017-11-28-002 and SEU 1763.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State gives the rule's state in each of the default Sourcefire policies: Connectivity, Balanced, and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 44991 - BROWSER-FIREFOX - Mozilla products CSS rendering out-of-bounds array write attempt - off / off / off
1 - 44992 - SERVER-WEBAPP - ManageEngine ServiceDesk Plus policy bypass attempt - off / off / off
1 - 44993 - SERVER-WEBAPP - ManageEngine ServiceDesk Plus policy bypass attempt - off / off / off
1 - 44994 - SERVER-WEBAPP - ManageEngine ServiceDesk Plus policy bypass attempt - off / off / off
1 - 44995 - SERVER-WEBAPP - ManageEngine ServiceDesk Plus policy bypass attempt - off / off / off
1 - 44996 - SERVER-WEBAPP - ManageEngine ServiceDesk Plus policy bypass attempt - off / off / off
1 - 44997 - MALWARE-CNC - Legend irc bot cnc attempt - off / alert / drop
1 - 44998 - MALWARE-CNC - Legend irc bot cnc attempt - off / alert / drop
1 - 44999 - SERVER-WEBAPP - Ruby on Rails file inclusion attempt - off / off / off
1 - 45000 - SERVER-WEBAPP - Ruby on Rails file inclusion attempt - off / off / off
1 - 45002 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45003 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45004 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45005 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45006 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45007 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45008 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45009 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45010 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45011 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45012 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45013 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45014 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45015 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
1 - 45016 - FILE-OTHER - Jackson databind deserialization remote code execution attempt - off / off / drop
3 - 45017 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0497 attack attempt - off / off / drop
3 - 45018 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0497 attack attempt - off / off / drop
3 - 45019 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0490 attack attempt - off / off / drop
3 - 45020 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0490 attack attempt - off / off / drop
3 - 45021 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0491 attack attempt - off / off / drop
3 - 45022 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0491 attack attempt - off / off / drop
1 - 45023 - FILE-PDF - Adobe Acrobat out of bound read exploitation attempt - off / off / off
1 - 45024 - FILE-PDF - Adobe Acrobat out of bound read exploitation attempt - off / off / off
3 - 45025 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0489 attack attempt - off / off / drop
3 - 45026 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0489 attack attempt - off / off / drop
1 - 45027 - FILE-PDF - Adobe Acrobat out of bound read exploitation attempt - off / off / off
1 - 45028 - FILE-PDF - Adobe Acrobat out of bound read exploitation attempt - off / off / off
1 - 45031 - FILE-OTHER - Adobe Acrobat JPEG2000 out of bounds buffer overflow attempt - off / off / drop
1 - 45032 - FILE-OTHER - Adobe Acrobat JPEG2000 out of bounds buffer overflow attempt - off / off / drop
3 - 45033 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0488 attack attempt - off / off / drop
3 - 45034 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0488 attack attempt - off / off / drop
1 - 45035 - FILE-PDF - Adobe Acrobat Reader Annotation use after free attempt - off / drop / drop
1 - 45036 - FILE-PDF - Adobe Acrobat Reader Annotation use after free attempt - off / drop / drop
1 - 45037 - SERVER-WEBAPP - Joomla LDAP authentication plugin information disclosure exploitation attempt - off / off / drop
1 - 45038 - SERVER-WEBAPP - Joomla LDAP authentication plugin information disclosure exploitation attempt - off / off / drop
1 - 45039 - SERVER-WEBAPP - Joomla LDAP authentication plugin information disclosure exploitation attempt - off / off / drop
1 - 45040 - FILE-PDF - Adobe Acrobat Reader Annotation use after free attempt - off / off / drop
1 - 45041 - FILE-PDF - Adobe Acrobat Reader Annotation use after free attempt - off / drop / drop
1 - 45042 - BROWSER-OTHER - Adobe Acrobat Pro WebCapture information disclosure attempt - off / off / off
1 - 45043 - BROWSER-OTHER - Adobe Acrobat Pro WebCapture information disclosure attempt - off / off / off
1 - 45044 - FILE-PDF - Adobe Reader out of bounds memory access violation attempt - off / off / drop
1 - 45045 - FILE-PDF - Adobe Reader out of bounds memory access violation attempt - off / off / drop
1 - 45046 - SERVER-OTHER - Exim malformed BDAT code execution attempt - off / drop / drop
3 - 45047 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0499 attack attempt - off / off / drop
3 - 45048 - FILE-IMAGE - TRUFFLEHUNTER TALOS-2017-0499 attack attempt - off / off / drop
Medium Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 45001 - SERVER-WEBAPP - Netgear WNR2000 information leak attempt - off / off / drop
3 - 45049 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2017-0492 attack attempt - off / off / off
Low Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 45029 - FILE-PDF - JPEG2000 image coding style default information disclosure attempt - off / off / off
1 - 45030 - FILE-PDF - JPEG2000 image coding style default information disclosure attempt - off / off / off

Updated Rules:

Updated rules can be found at this link.