<!DOCTYPE html>
<html>
<head>
<title>New Rules</title>
<style>
html, body { font-family:"Helvetica", sans-serif; font-size:80%; }
h3 { margin-top:2em; }
h4 { margin-bottom:.25em; }
h4 span { font-weight:normal; }
p { margin:.25em 0; }
a { color:red; }
.notice { border:1px dotted #777; margin:1em; }
</style>
</head>
<body>
<h1>Cisco Talos (VRT) Update for Sourcefire 3D System</h1>
<p>* Talos combines our security experts from TRAC, SecApps, and VRT teams.</p>
<h3>Date: 2016-03-23</h3>
<p>This SRU number: 2016-03-23-001<br>
Previous SRU number: 2016-03-21-001</p>
<p>Applies to:</p>
<ul>
<li>3D Sensor versions: 5.x</li>
<li>Cisco FireSIGHT Management Center (formerly Defense Center) versions: 5.x</li>
</ul>
<p>This SEU number: 1454<br>
Previous SEU: 1453</p>
<p>Applies to:</p>
<ul>
<li>3D Sensor versions: 4.10</li>
<li>Cisco FireSIGHT Management Center (formerly Defense Center) versions: 4.10</li>
</ul>
<p>This is the complete list of rules added in SRU 2016-03-23-001 and SEU 1454.</p>
<p>The format of the file is:</p>
<p><b>GID - SID - Rule Group - Rule Message - Policy State</b></p>
<p>The Policy State columns give the state of each rule in the three default Sourcefire policies: Connectivity, Balanced and Security.</p>
<p>The default passive policy state is the same as the Balanced policy state, except that alert is used instead of drop.</p>
<p><b>Note:</b> Unless stated explicitly, the rules are for the series of products listed above.</p>
<h2>New Rules:</h2>
<table>
<colgroup>
<col span="2" width="50">
<col span="1" width="150">
<col span="1" width="250">
<col span="3" width="50">
</colgroup>
<caption><b>High Priority</b></caption>
<thead>
<tr><th rowspan="2">GID</th><th rowspan="2">SID</th><th rowspan="2">Rule Group</th><th rowspan="2">Rule Message</th><th colspan="3">Policy State</th></tr>
<tr><th>Con.</th><th>Bal.</th><th>Sec.</th></tr>
</thead>
<tbody>
<tr><td>1</td><td>37934</td><td>PROTOCOL-FTP</td><td>Computer Associates eTrust Secure Content Manager LIST stack overflow attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38289</td><td>FILE-PDF</td><td>TRUFFLEHUNTER TALOS-CAN-0098 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38290</td><td>FILE-PDF</td><td>TRUFFLEHUNTER TALOS-CAN-0098 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38293</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0094 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38294</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0094 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38295</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0094 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38296</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0094 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38297</td><td>BLACKLIST</td><td>DNS request for known malware domain agent.wizztrakys.com - SpywareJarl</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38298</td><td>BLACKLIST</td><td>DNS request for known malware domain dl.auhazard.com - SpywareJarl</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38299</td><td>BLACKLIST</td><td>DNS request for known malware domain dl.wizzuniquify.com - SpywareJarl</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38300</td><td>BLACKLIST</td><td>DNS request for known malware domain wizzmonetize-factory-windows.wizzdevs.com - SpywareJarl</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38301</td><td>BLACKLIST</td><td>DNS request for known malware domain www.csdimonetize.com - SpywareJarl</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38303</td><td>SERVER-WEBAPP</td><td>Bonita BPM themeResource directory traversal attempt</td><td>off</td><td>off</td><td>drop</td></tr>
<tr><td>1</td><td>38304</td><td>BLACKLIST</td><td>User-Agent known malicious user-agent string - JexBoss</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38305</td><td>EXPLOIT-KIT</td><td>Angler Gate redirect attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38308</td><td>BROWSER-IE</td><td>Microsoft Internet Explorer VBScript engine use after free attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38309</td><td>BROWSER-IE</td><td>Microsoft Internet Explorer VBScript engine use after free attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38310</td><td>FILE-FLASH</td><td>Adobe Flash Player integer underflow attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38311</td><td>FILE-FLASH</td><td>Adobe Flash Player integer underflow attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38312</td><td>SERVER-OTHER</td><td>Redis lua script integer overflow attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38313</td><td>SERVER-OTHER</td><td>Redis lua script integer overflow attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38314</td><td>SERVER-WEBAPP</td><td>Borland AccuRev Reprise License Server directory traversal attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38315</td><td>SERVER-WEBAPP</td><td>Borland AccuRev Reprise License Server directory traversal attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38316</td><td>SERVER-WEBAPP</td><td>Borland AccuRev Reprise License Server directory traversal attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38317</td><td>FILE-OTHER</td><td>Microsoft Edge Chakra JavaScript engine out of bounds read attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38318</td><td>FILE-OTHER</td><td>Microsoft Edge Chakra JavaScript engine out of bounds read attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>3</td><td>38323</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0093 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38324</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0093 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38325</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0093 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>3</td><td>38326</td><td>FILE-OTHER</td><td>TRUFFLEHUNTER TALOS-CAN-0093 attack attempt</td><td>off</td><td>off</td><td>off</td></tr>
</tbody>
</table>
<table>
<colgroup>
<col span="2" width="50">
<col span="1" width="150">
<col span="1" width="250">
<col span="3" width="50">
</colgroup>
<caption><b>Medium Priority</b></caption>
<thead>
<tr><th rowspan="2">GID</th><th rowspan="2">SID</th><th rowspan="2">Rule Group</th><th rowspan="2">Rule Message</th><th colspan="3">Policy State</th></tr>
<tr><th>Con.</th><th>Bal.</th><th>Sec.</th></tr>
</thead>
<tbody>
<tr><td>3</td><td>38302</td><td>SERVER-OTHER</td><td>Cisco IOS DHCPv6 relay denial of service attempt</td><td>off</td><td>off</td><td>off</td></tr>
</tbody>
</table>
<table>
<colgroup>
<col span="2" width="50">
<col span="1" width="150">
<col span="1" width="250">
<col span="3" width="50">
</colgroup>
<caption><b>Low Priority</b></caption>
<thead>
<tr><th rowspan="2">GID</th><th rowspan="2">SID</th><th rowspan="2">Rule Group</th><th rowspan="2">Rule Message</th><th colspan="3">Policy State</th></tr>
<tr><th>Con.</th><th>Bal.</th><th>Sec.</th></tr>
</thead>
<tbody>
<tr><td>1</td><td>38291</td><td>FILE-IDENTIFY</td><td>UDF file magic detected</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38292</td><td>FILE-IDENTIFY</td><td>UDF file magic detected</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38306</td><td>FILE-IDENTIFY</td><td>DMG com.apple.decmpfs file magic detected</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38307</td><td>FILE-IDENTIFY</td><td>DMG com.apple.decmpfs file magic detected</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38319</td><td>NETBIOS</td><td>SMB winreg named pipe creation attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38320</td><td>NETBIOS</td><td>SMB srvsvc named pipe creation attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38321</td><td>NETBIOS</td><td>SMB svcctl named pipe creation attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38322</td><td>NETBIOS</td><td>SMB samr named pipe creation attempt</td><td>off</td><td>off</td><td>off</td></tr>
<tr><td>1</td><td>38327</td><td>MALWARE-BACKDOOR</td><td>ReGeorg proxy read attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38328</td><td>MALWARE-BACKDOOR</td><td>ReGeorg socks proxy connection attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
<tr><td>1</td><td>38329</td><td>MALWARE-BACKDOOR</td><td>ReGeorg socks proxy initial connection attempt</td><td>off</td><td>drop</td><td>drop</td></tr>
</tbody>
</table>
<h2>Updated Rules:</h2>
<p>Updated rules can be found at <a href="/supplemental/sf-rules-2016-03-23-mod.html">this link</a>.</p>
</body>
</html>