Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-11-30

This SRU number: 2017-11-30-001
Previous SRU number: 2017-11-28-002

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x / 6.x

This SEU number: 1765
Previous SEU: 1763

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-11-30-001 and SEU 1765.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	45050	MALWARE-CNC	Win.Trojan.IcedId outbound connection attempt	off	drop	drop
1	45051	BLACKLIST	User-Agent known malicious user-agent string - WidgiToolbar	off	drop	drop
1	45052	SERVER-WEBAPP	Wordpress wpdb SQL injection attempt	off	off	drop
1	45053	SERVER-WEBAPP	Wordpress wpdb SQL injection attempt	off	off	drop
1	45054	SERVER-WEBAPP	Wordpress wpdb SQL injection attempt	off	off	drop
1	45055	SERVER-WEBAPP	Wordpress wpdb SQL injection attempt	off	off	drop
1	45056	SERVER-WEBAPP	Wordpress wpdb SQL injection attempt	off	off	drop
1	45057	SERVER-WEBAPP	Wordpress wpdb SQL injection attempt	off	off	drop
1	45058	FILE-OTHER	Microsoft Windows UAC bypass attempt	off	off	off
1	45059	FILE-OTHER	Microsoft Windows UAC bypass attempt	off	off	off
1	45060	SERVER-WEBAPP	pfSense system_groupmanager.php command injection attempt	off	off	drop
1	45061	SERVER-WEBAPP	Wordpress User History plugin cross site scripting attempt	off	off	off
1	45062	MALWARE-CNC	Win.Trojan.Neuron variant inbound service request detected.	off	drop	drop
1	45063	MALWARE-CNC	Win.Trojan.Neuron variant inbound service request detected.	off	drop	drop
1	45064	MALWARE-CNC	Win.Trojan.Neuron variant inbound service request detected.	off	drop	drop
1	45065	MALWARE-CNC	Win.Trojan.Neuron variant inbound service request detected.	off	drop	drop
1	45066	SERVER-WEBAPP	WordPress Duplicator cross site scripting attempt	off	off	drop
1	45067	SERVER-WEBAPP	WordPress Duplicator cross site scripting attempt	off	off	drop
1	45068	SERVER-OTHER	Oracle Identity Manager default login attempt	off	off	off
1	45069	SERVER-SAMBA	Samba write andx command memory leak attempt	off	off	off
1	45070	SERVER-SAMBA	Samba write and close command memory leak attempt	off	off	off
1	45071	SERVER-SAMBA	Samba write and unlock command memory leak attempt	off	off	off
1	45072	SERVER-SAMBA	Samba write command memory leak attempt	off	off	off
1	45074	SERVER-SAMBA	Samba unsigned connections attempt	off	drop	drop
1	45075	SERVER-WEBAPP	WordPress Ultimate Form Builder plugin SQL injection attempt	off	drop	drop
1	45076	SERVER-WEBAPP	WordPress Ultimate Form Builder plugin SQL injection attempt	off	drop	drop
1	45077	SERVER-WEBAPP	WordPress Ultimate Form Builder plugin SQL injection attempt	off	drop	drop
1	45078	SERVER-WEBAPP	TP-Link WR1043ND router cross site request forgery attempt	off	off	off
1	45079	SERVER-WEBAPP	TP-Link WR1043ND router cross site request forgery attempt	off	off	off
1	45080	EXPLOIT-KIT	Sundown/Terror malicious flash file load attempt	off	off	off
1	45081	SERVER-OTHER	Geutebrueck GCore web server buffer overflow attempt	off	off	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	45073	SERVER-WEBAPP	Wireless IP Camera WIFICAM information leak attempt	off	off	drop

Updated Rules:

Updated rules can be found at this link.