Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-12-05

This SRU number: 2017-12-04-001
Previous SRU number: 2017-11-30-001

Applies to:

This SEU number: 1766
Previous SEU: 1765

Applies to:

This is the complete list of rules modified in SRU 2017-12-04-001 and SEU 1766.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State column gives the rule's state in each of the three default Sourcefire policies: Connectivity (Con.), Balanced (Bal.) and Security (Sec.).

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

Updated Rules:

High Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

1 - 28410 - MALWARE-CNC - Win.Trojan.CoinMiner variant outbound connection - off / drop / drop
1 - 28411 - MALWARE-CNC - Win.Trojan.CoinMiner variant outbound connection - off / drop / drop
1 - 29895 - MALWARE-CNC - Win.Trojan.Pyteconte variant outbound connection - off / drop / drop
1 - 29955 - SERVER-WEBAPP - WordPress Quick-Post Widget GET request using Body cross-site scripting - off / off / off
1 - 30251 - MALWARE-CNC - Win.Trojan.Mumawow outbound connection - off / drop / drop
1 - 30259 - MALWARE-CNC - Win.Trojan.Zeus variant outbound connection - off / off / drop
1 - 31262 - MALWARE-CNC - Win.Worm.VBNA variant outbound connection - off / drop / drop
1 - 31834 - MALWARE-CNC - Win.Trojan-Downloader.Delorado variant outbound connection - off / drop / drop
1 - 32016 - MALWARE-CNC - Win.Trojan.MSIL.Menteni variant outbound connection - off / drop / drop
1 - 32129 - MALWARE-CNC - Win.Trojan.Downloader variant outbound connection - off / drop / drop
1 - 32824 - MALWARE-CNC - Win.Trojan.Darkhotel variant outbound connection - off / drop / drop
1 - 33594 - MALWARE-CNC - Win.Trojan.Upatre variant outbound connection - off / drop / drop
1 - 34596 - MALWARE-CNC - Win.Trojan.Atrax variant outbound connection - off / drop / drop
1 - 34597 - MALWARE-CNC - Win.Trojan.Atrax variant outbound connection - off / drop / drop
1 - 34862 - MALWARE-CNC - Win.Trojan.Wheelsof variant outbound connection - off / drop / drop
1 - 34863 - MALWARE-CNC - Win.Trojan.Wheelsof variant outbound connection - off / drop / drop
1 - 34870 - MALWARE-CNC - Win.Trojan.Logreaz variant outbound connection - off / drop / drop
1 - 34871 - MALWARE-CNC - Win.Trojan.Logreaz variant outbound connection - off / off / drop
1 - 34887 - MALWARE-CNC - Win.Trojan.Sojax variant outbound connection - off / drop / drop
1 - 34888 - MALWARE-CNC - Win.Trojan.Sojax variant outbound connection - off / drop / drop
1 - 34932 - MALWARE-CNC - Win.Trojan.Shindo outbound connection - off / drop / drop
1 - 34957 - MALWARE-CNC - Win.Trojan.Sysmain outbound connection - off / drop / drop
1 - 34963 - MALWARE-CNC - Win.Trojan.Threebyte outbound connection - off / drop / drop
1 - 34998 - MALWARE-CNC - Win.Trojan.Bossabot outbound connection - off / drop / drop
1 - 35035 - MALWARE-CNC - Win.Trojan.Taleretzbj outbound connection - off / off / off
1 - 35080 - MALWARE-CNC - Win.Trojan.Tenbus outbound connection - off / drop / drop
1 - 35081 - MALWARE-CNC - Win.Trojan.Tenbus outbound connection - off / drop / drop
1 - 35082 - MALWARE-CNC - Backdoor.Linux.Qenerek outbound connection - off / drop / drop
1 - 35083 - MALWARE-CNC - Win.Trojan.Regiskazi outbound connection - off / drop / drop
1 - 36497 - MALWARE-CNC - Win.Trojan.Hangman.A outbound connection - off / drop / drop
1 - 39835 - FILE-OFFICE - Microsoft Office Word malformed jpeg memory corruption attempt - off / drop / drop
1 - 39836 - FILE-OFFICE - Microsoft Office Word malformed jpeg memory corruption attempt - off / drop / drop
1 - 39920 - MALWARE-CNC - Neutrino outbound connection - off / off / drop
1 - 39921 - MALWARE-CNC - Neutrino outbound connection - off / off / drop
1 - 39931 - MALWARE-CNC - Win.Trojan.BlackEnergy outbound connection - off / off / drop
1 - 40058 - SERVER-WEBAPP - WordPress Quick-Post Widget GET request using Body cross-site scripting - off / off / off
1 - 40067 - MALWARE-CNC - Win.Trojan.Fareit outbound connection - off / drop / drop
1 - 40252 - MALWARE-CNC - Win.Perseus variant outbound connection - off / drop / drop
1 - 40281 - FILE-OFFICE - Microsoft Office Wordpad font conversion buffer overflow attempt - off / off / off
1 - 40282 - FILE-OFFICE - Microsoft Office Wordpad font conversion buffer overflow attempt - off / off / off
1 - 40289 - MALWARE-CNC - Win.Trojan.Philadelphia variant initial outbound connection - off / drop / drop
1 - 40290 - MALWARE-CNC - Win.Trojan.Philadelphia variant status update outbound connection - off / drop / drop
1 - 40306 - FILE-OFFICE - Microsoft Office Word document containing VBA project entry detected - off / off / off
1 - 40307 - FILE-OFFICE - Microsoft Office Word document containing VBA project entry detected - off / off / off
1 - 40368 - FILE-OFFICE - Microsoft Office Word RTF file parsing buffer overflow attempt - off / drop / drop
1 - 40369 - FILE-OFFICE - Microsoft Office Word RTF file parsing buffer overflow attempt - off / drop / drop
1 - 40527 - MALWARE-CNC - Win.Trojan.Locky variant outbound connection - off / drop / drop
1 - 40541 - MALWARE-CNC - Win.Trojan.Satana ransomware outbound connection - off / drop / drop
1 - 40548 - MALWARE-CNC - Win.Trojan.Satana ransomware outbound connection - off / drop / drop
1 - 40559 - MALWARE-CNC - Win.Trojan.iSpy variant outbound connection - off / drop / drop
1 - 40679 - FILE-OFFICE - Microsoft Office Word wwlib out of bounds read attempt - off / drop / drop
1 - 40680 - FILE-OFFICE - Microsoft Office Word wwlib out of bounds read attempt - off / drop / drop
1 - 40701 - FILE-OFFICE - Microsoft Office Word out of bounds memory read attempt - off / drop / drop
1 - 40702 - FILE-OFFICE - Microsoft Office Word out of bounds memory read attempt - off / drop / drop
1 - 40816 - MALWARE-CNC - Win.Trojan.Locky variant outbound connection - off / drop / drop
1 - 40831 - MALWARE-CNC - Win.Backdoor.Houdini variant initial outbound connection - off / drop / drop
1 - 40910 - MALWARE-CNC - Win.Trojan.Locky variant outbound connection - off / drop / drop
1 - 40911 - MALWARE-CNC - Win.Rootkit.Sednit variant outbound connection - off / drop / drop
1 - 41045 - FILE-FLASH - Adobe Flash Player TextField setter use after free attempt - off / off / off
1 - 41046 - FILE-FLASH - Adobe Flash Player TextField setter use after free attempt - off / off / off
1 - 41140 - FILE-OFFICE - Microsoft Office Word Out-of-Bounds Write attempt - off / drop / drop
1 - 41141 - FILE-OFFICE - Microsoft Office Word Out-of-Bounds Write attempt - off / drop / drop
1 - 41173 - MALWARE-CNC - Win.Trojan.August variant outbound connection - off / drop / drop
1 - 41174 - MALWARE-CNC - Win.Trojan.August variant outbound connection - off / drop / drop
1 - 41175 - MALWARE-CNC - Win.Trojan.August variant outbound connection - off / drop / drop
1 - 41176 - MALWARE-CNC - Win.Trojan.August variant outbound connection - off / drop / drop
1 - 41177 - MALWARE-CNC - Win.Trojan.August variant outbound connection - off / drop / drop
1 - 41178 - MALWARE-CNC - Win.Trojan.August variant outbound connection - off / drop / drop
1 - 41331 - MALWARE-CNC - Win.Trojan.Scudy outbound connection - off / drop / drop
1 - 41334 - MALWARE-CNC - Win.Trojan.Locky variant outbound connection - off / drop / drop
1 - 41335 - MALWARE-CNC - Win.Trojan.Locky variant outbound connection - off / drop / drop
1 - 41336 - MALWARE-CNC - Andr.Trojan.Sysch variant outbound connection - off / drop / drop
1 - 41337 - MALWARE-CNC - Andr.Trojan.Sysch variant outbound connection - off / drop / drop
1 - 41424 - MALWARE-CNC - Win.Trojan.Cerber outbound connection - off / drop / drop
1 - 41442 - MALWARE-CNC - Win.Ransomware.X-Mas outbound connection - off / drop / drop
1 - 41443 - MALWARE-CNC - Win.Ransomware.X-Mas variant keylogger outbound connection - off / drop / drop
1 - 41444 - MALWARE-CNC - Win.Ransomware.X-Mas variant keylogger outbound connection - off / drop / drop
1 - 41657 - MALWARE-CNC - Win.Trojan.MagicHound variant outbound connection - off / drop / drop
1 - 41964 - FILE-OFFICE - Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt - off / off / drop
1 - 41965 - FILE-OFFICE - Microsoft Office Word 2010 use-after-free memory corruption vulnerability attempt - off / off / drop
1 - 42021 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42022 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42023 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42024 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42025 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42026 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42027 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42031 - MALWARE-CNC - Andr.Trojan.Agent variant outbound connection - off / drop / drop
1 - 42079 - MALWARE-CNC - Win.Trojan.Jenxcus outbound connection with unique User-Agent - off / drop / drop
1 - 42080 - MALWARE-CNC - Win.Trojan.Jenxcus outbound connection with unique User-Agent - off / drop / drop
1 - 42083 - MALWARE-CNC - Win.Trojan.Downeks variant initial outbound connection - off / drop / drop
1 - 42126 - MALWARE-CNC - Win.Trojan.Acronym variant outbound connection - off / drop / drop
1 - 42225 - MALWARE-CNC - Win.Trojan.RedLeaves outbound connection - off / drop / drop
1 - 42233 - MALWARE-CNC - Win.Trojan.Mikcer variant outbound connection - off / drop / drop
1 - 42243 - MALWARE-CNC - Win.Downloader.Dimnie file download attempt - off / drop / drop
1 - 42302 - MALWARE-CNC - Win.Trojan.Kuaibu outbound connection - off / drop / drop
1 - 42348 - MALWARE-CNC - Win.Trojan.QQPass variant outbound connection - off / drop / drop
1 - 42385 - MALWARE-CNC - Win.Trojan.Moonwind outbound connection - off / drop / drop
1 - 42386 - MALWARE-CNC - Win.Trojan.Mikcer variant outbound connection - off / drop / drop
1 - 42390 - MALWARE-CNC - Win.Trojan.Moarider variant outbound connection - off / drop / drop
1 - 42391 - MALWARE-CNC - Win.Trojan.Moarider variant outbound connection - off / drop / drop
1 - 42398 - MALWARE-CNC - Win.Trojan.RedLeaves outbound connection - off / drop / drop
1 - 42447 - MALWARE-CNC - Win.Trojan.Batlopma variant outbound connection - off / drop / drop
1 - 42452 - MALWARE-CNC - Win.Trojan.Frethog variant outbound connection - off / drop / drop
1 - 42755 - FILE-OFFICE - Microsoft Office Word 2010 Sepx memory corruption attempt - off / drop / drop
1 - 42756 - FILE-OFFICE - Microsoft Office Word 2010 Sepx memory corruption attempt - off / drop / drop
1 - 42880 - MALWARE-CNC - Deputy Dog implant outbound connection - off / drop / drop
1 - 42881 - MALWARE-CNC - Deputy Dog implant outbound connection - off / drop / drop
1 - 42882 - MALWARE-CNC - ZoxPNG initial outbound connection - off / drop / drop
1 - 42883 - MALWARE-CNC - ZoxPNG initial outbound connection - off / drop / drop
1 - 42884 - MALWARE-CNC - Win.Trojan.MadMax implant outbound connection - off / drop / drop
1 - 42892 - MALWARE-CNC - Linux.Trojan.SpikeA outbound connection - off / drop / drop
1 - 42899 - MALWARE-CNC - Jaff ransomware outbound connection - off / drop / drop
1 - 42925 - MALWARE-CNC - Js.Keylogger.Scanbox outbound connection - off / drop / drop
1 - 42926 - MALWARE-CNC - Js.Keylogger.Scanbox outbound connection - off / drop / drop
1 - 42929 - MALWARE-CNC - Win.Trojan.Niramdat variant initial outbound connection - off / drop / drop
1 - 42945 - MALWARE-CNC - Win.Trojan.Adylkuzz variant initial outbound connection - off / drop / drop
1 - 42996 - MALWARE-CNC - Win.Trojan.Adylkuzz variant initial outbound connection - off / drop / drop
1 - 42997 - MALWARE-CNC - Win.Trojan.Adylkuzz variant initial outbound connection - off / drop / drop
1 - 43049 - MALWARE-CNC - Win.Trojan.Gasonen variant outbound connection - off / drop / drop
1 - 43129 - MALWARE-CNC - Win.Trojan.Kabob outbound connection - off / drop / drop
1 - 43159 - FILE-OFFICE - Microsoft Office Word 2016 use after free attempt - off / drop / drop
1 - 43160 - FILE-OFFICE - Microsoft Office Word 2016 use after free attempt - off / drop / drop
1 - 43171 - FILE-OFFICE - Microsoft Office Word malformed jpeg remote code execution attempt - off / off / drop
1 - 43172 - FILE-OFFICE - Microsoft Office Word malformed jpeg remote code execution attempt - off / off / drop
1 - 43457 - MALWARE-CNC - Win.Trojan.Eorezo variant outbound connection - off / drop / drop
1 - 43523 - MALWARE-CNC - Win.Trojan.Donvibs variant outbound connection - off / drop / drop
1 - 43524 - MALWARE-CNC - Win.Trojan.Donvibs variant outbound connection - off / drop / drop
1 - 43597 - MALWARE-CNC - Win.Trojan.BlackEnergy outbound connection - off / off / off
1 - 43930 - MALWARE-CNC - Win.Malware.GamKer variant outbound connection - off / drop / drop
1 - 43985 - MALWARE-CNC - Win.Trojan.Rortiem outbound connection - off / drop / drop
1 - 44211 - MALWARE-CNC - Win.Trojan.Tarayt outbound connection - off / drop / drop
1 - 44212 - MALWARE-CNC - Win.Trojan.Tarayt outbound connection - off / drop / drop
1 - 44313 - MALWARE-CNC - Win.Downloader.Razy variant outbound connection - off / drop / drop
1 - 44316 - MALWARE-CNC - Win.Trojan.Ellell variant outbound connection - off / drop / drop
1 - 44396 - MALWARE-CNC - Win.Trojan.KediRAT outbound connection - off / drop / drop
1 - 44569 - MALWARE-CNC - Win.Trojan.Fareit variant outbound connection - off / drop / drop
1 - 44570 - MALWARE-CNC - Win.Trojan.Fareit variant outbound connection - off / drop / drop
1 - 44585 - FILE-OFFICE - Microsoft Office Word docx object type confusion attempt - off / off / off
1 - 44586 - FILE-OFFICE - Microsoft Office Word docx object type confusion attempt - off / off / off
1 - 44619 - MALWARE-CNC - Android Red Alert Trojan outbound connection - off / drop / drop
1 - 44620 - MALWARE-CNC - Android Red Alert Trojan outbound connection - off / drop / drop
1 - 44621 - MALWARE-CNC - Android Red Alert Trojan outbound connection - off / drop / drop
1 - 44622 - MALWARE-CNC - Android Red Alert Trojan outbound connection - off / drop / drop
1 - 44659 - MALWARE-CNC - Win.Trojan.Wraut variant outbound connection - off / drop / drop
1 - 44689 - MALWARE-CNC - Win.Trojan.Gen variant outbound connection - off / drop / drop
1 - 44787 - MALWARE-CNC - Win.Trojan.Godzilla outbound connection - off / drop / drop
1 - 44788 - MALWARE-CNC - Win.Trojan.Nymaim variant outbound connection - off / drop / drop
1 - 44789 - MALWARE-CNC - Win.Trojan.Nymaim variant outbound connection - off / drop / drop
1 - 44791 - MALWARE-CNC - Win.Trojan.Retadup variant outbound connection - off / drop / drop
1 - 44797 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44798 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44799 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44800 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44801 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44802 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44803 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44804 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44805 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44806 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44807 - MALWARE-CNC - Win.Trojan.Shadowpad DNS TXT encrypted outbound connection - off / drop / drop
1 - 44821 - FILE-OFFICE - Microsoft Office Excel use after free vulnerability exploit attempt - off / off / drop
1 - 44822 - FILE-OFFICE - Microsoft Office Excel use after free vulnerability exploit attempt - off / off / drop
1 - 44838 - FILE-OFFICE - Microsoft Office Word RTF memory corruption attempt - off / off / off
1 - 44839 - FILE-OFFICE - Microsoft Office Word RTF memory corruption attempt - off / off / off
1 - 44895 - MALWARE-CNC - Win.Trojan.CoinMiner inbound connection detected - off / drop / drop
1 - 44896 - MALWARE-CNC - Win.Trojan.CoinMiner outbound connection - off / drop / drop
1 - 44897 - MALWARE-CNC - Win.Trojan.CoinMiner outbound connection - off / drop / drop
1 - 44898 - MALWARE-CNC - Win.Trojan.CoinMiner outbound connection - off / drop / drop
1 - 44899 - MALWARE-CNC - Win.Trojan.CoinMiner inbound connection detected - off / drop / drop
1 - 44921 - SERVER-WEBAPP - ManageEngine Applications Manager manageApplications.do SQL injection attempt - off / off / drop
1 - 44922 - SERVER-WEBAPP - ManageEngine Applications Manager manageApplications.do SQL injection attempt - off / off / drop
1 - 44972 - MALWARE-CNC - Win.Trojan.Ramnit variant outbound connection - off / drop / drop
1 - 44973 - MALWARE-CNC - Win.Trojan.Ramnit variant outbound connection - off / drop / drop
1 - 44975 - MALWARE-CNC - Php.Dropper.Mayhem variant outbound connection - off / drop / drop
1 - 45050 - MALWARE-CNC - Win.Trojan.IcedId outbound connection - off / drop / drop
1 - 45062 - MALWARE-CNC - Win.Trojan.Neuron variant inbound service request detected - off / drop / drop
1 - 45063 - MALWARE-CNC - Win.Trojan.Neuron variant inbound service request detected - off / drop / drop
1 - 45064 - MALWARE-CNC - Win.Trojan.Neuron variant inbound service request detected - off / drop / drop
1 - 45065 - MALWARE-CNC - Win.Trojan.Neuron variant inbound service request detected - off / drop / drop
1 - 45074 - SERVER-SAMBA - Samba unsigned connections attempt - off / drop / drop

Medium Priority

GID - SID - Rule Group - Rule Message - Policy State (Con. / Bal. / Sec.)

3 - 45049 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2017-0493 attack attempt - off / off / off