Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-12-05

This SRU number: 2017-12-04-001
Previous SRU number: 2017-11-30-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x / 6.x

This SEU number: 1766
Previous SEU: 1765

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-12-04-001 and SEU 1766.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	45083	SERVER-APACHE	Apache Solr RunExecutableListener arbitrary command execution attempt	off	off	drop
1	45084	SERVER-APACHE	Apache Solr xmlparser external doctype or entity expansion attempt	off	off	drop
1	45085	FILE-FLASH	Adobe Flash Player use after free attempt	off	off	off
3	45086	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0494 attack attempt	off	off	off
3	45087	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0495 attack attempt	off	off	off
3	45088	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2017-0502 attack attempt	off	off	drop
3	45089	SERVER-OTHER	TRUFFLEHUNTER TALOS-2017-0501 attack attempt	off	off	drop
1	45090	MALWARE-CNC	Win.Backdoor.StoneDrill server selection outbound connection	off	drop	drop
1	45091	MALWARE-CNC	Win.Backdoor.StoneDrill login outbound connection	off	drop	drop
1	45092	MALWARE-CNC	Win.Backdoor.StoneDrill get commands outbound connection	off	drop	drop
1	45093	SERVER-WEBAPP	Apache Archiva XML server side request forgery attempt	off	off	off
1	45094	SERVER-WEBAPP	MediaWiki arbitrary file write attempt	off	off	drop
1	45095	MALWARE-CNC	Win.Ransomware.Gibon variant outbound connection	off	drop	drop
1	45096	MALWARE-CNC	Win.Ransomware.Gibon variant inbound connection	off	drop	drop
1	45097	MALWARE-CNC	Win.Downloader.SnatchLoader variant inbound connection	off	drop	drop
1	45098	MALWARE-CNC	Win.Downloader.SnatchLoader variant outbound connection	off	drop	drop
1	45099	MALWARE-CNC	Win.Trojan.Syscon variant inbound connection	off	drop	drop
1	45100	MALWARE-CNC	Win.Trojan.Syscon variant outbound connection	off	drop	drop
3	45102	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0505 attack attempt	off	off	drop
3	45103	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0505 attack attempt	off	off	drop
1	45104	MALWARE-CNC	Win.Malware.Recam variant outbound connection	off	off	drop
3	45105	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0504 attack attempt	off	off	drop
3	45106	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0504 attack attempt	off	off	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	45082	SERVER-WEBAPP	Ruby on Rails log file manipulation attempt	off	off	off
1	45101	PROTOCOL-SCADA	vxworks rpc credential flavor integer overflow device crash attempt	off	off	off

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	44867	DELETED	qYHcy2wy7PRGLrt918ZR
1	44868	DELETED	ttP2cWhxHiaW4S7ZGfi6
1	44869	DELETED	rZWXwyJ8bPnkrEyUfMbl
1	44870	DELETED	MzxoBYWaxvjLcsmkxZjK

Updated Rules:

Updated rules can be found at this link.