Cisco Talos (VRT) Update for Sourcefire 3D System

* Talos combines our security experts from TRAC, SecApps, and VRT teams.

Date: 2017-12-12

This SRU number: 2017-12-12-001
Previous SRU number: 2017-12-06-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 5.x / 6.x

This SEU number: 1769
Previous SEU: 1767

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHGT Management Center (formerly Defense Center) versions: 4.10

This is the complete list of rules added in SRU 2017-12-12-001 and SEU 1769.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Sourcefire policy, Connectivity, Balanced and Security.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	45121	BROWSER-IE	Microsoft Internet Explorer use after free attempt	off	drop	drop
1	45122	BROWSER-IE	Microsoft Internet Explorer use after free attempt	off	drop	drop
1	45123	FILE-OFFICE	Microsoft Office Excel malformed spreadsheet use-after-free attempt	off	drop	drop
1	45124	FILE-OFFICE	Microsoft Office Excel malformed spreadsheet use-after-free attempt	off	drop	drop
1	45128	BROWSER-IE	Microsoft Edge defineGetter type confusion attempt	off	drop	drop
1	45129	BROWSER-IE	Microsoft Edge defineGetter type confusion attempt	off	drop	drop
1	45130	OS-WINDOWS	Microsoft Windows RRAS service arbitrary pointer dereference attempt	off	drop	drop
1	45131	OS-WINDOWS	Microsoft Windows RRAS service arbitrary pointer dereference attempt	off	drop	drop
1	45132	FILE-OFFICE	Microsoft Office Equation Editor object stack buffer overflow attempt	off	drop	drop
1	45133	FILE-OFFICE	Microsoft Office Equation Editor object stack buffer overflow attempt	off	drop	drop
1	45134	FILE-OFFICE	Microsoft Office Equation Editor object stack buffer overflow attempt	off	drop	drop
1	45135	FILE-OFFICE	Microsoft Office Equation Editor object stack buffer overflow attempt	off	drop	drop
1	45136	INDICATOR-COMPROMISE	Metasploit PowerShell CLI Download and Run attempt	off	drop	drop
1	45137	INDICATOR-COMPROMISE	Metasploit run hidden powershell attempt	off	drop	drop
1	45138	BROWSER-IE	Microsoft Internet Explorer scripting engine memory corruption attempt	off	drop	drop
1	45139	BROWSER-IE	Microsoft Internet Explorer scripting engine memory corruption attempt	off	drop	drop
1	45140	BROWSER-IE	Microsoft Edge Chakra RegExp engine memory corruption attempt	off	drop	drop
1	45141	BROWSER-IE	Microsoft Edge Chakra RegExp engine memory corruption attempt	off	drop	drop
1	45142	BROWSER-IE	Microsoft Edge Array type confusion attempt	off	drop	drop
1	45143	BROWSER-IE	Microsoft Edge Array type confusion attempt	off	drop	drop
1	45144	BROWSER-IE	Microsoft Internet Explorer scripting engine memory corruption attempt	off	drop	drop
1	45145	BROWSER-IE	Microsoft Internet Explorer scripting engine memory corruption attempt	off	drop	drop
1	45148	BROWSER-IE	Microsoft Internet Explorer Array out of bounds write attempt	off	drop	drop
1	45149	BROWSER-IE	Microsoft Internet Explorer Array out of bounds write attempt	off	drop	drop
1	45150	BROWSER-IE	Microsoft Edge JsSetCurrentContext out of bounds read attempt	off	drop	drop
1	45151	BROWSER-IE	Microsoft Edge JsSetCurrentContext out of bounds read attempt	off	drop	drop
1	45152	INDICATOR-COMPROMISE	Microsoft MsMpEng shrink compressed zip code execution attempt	off	off	off
1	45153	INDICATOR-COMPROMISE	Microsoft MsMpEng shrink compressed zip code execution attempt	off	off	off
1	45154	BROWSER-IE	Microsoft Internet Explorer dynamic style update memory corruption attempt	off	off	off
1	45155	BROWSER-IE	Microsoft Internet Explorer out of bounds read attempt	off	off	drop
1	45156	BROWSER-IE	Microsoft Internet Explorer out of bounds read attempt	off	off	drop
3	45158	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0506 attack attempt	off	off	drop
3	45159	FILE-PDF	TRUFFLEHUNTER TALOS-2017-0506 attack attempt	off	off	drop
1	45160	BROWSER-IE	Microsoft Edge null pointer dereference attempt	off	off	drop
1	45161	BROWSER-IE	Microsoft Edge null pointer dereference attempt	off	off	drop
1	45162	BROWSER-IE	Microsoft Edge memory corruption attempt	off	drop	drop
1	45163	BROWSER-IE	Microsoft Edge memory corruption attempt	off	drop	drop
1	45167	BROWSER-IE	Microsoft Edge memory corruption attempt	off	drop	drop
1	45168	BROWSER-IE	Microsoft Edge memory corruption attempt	off	drop	drop
1	45169	BROWSER-IE	Microsoft Edge array type confusion attempt	off	drop	drop
1	45170	BROWSER-IE	Microsoft Edge array type confusion attempt	off	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
3	45120	SERVER-OTHER	Cisco Application Control Engine padding oracle attack attempt	off	off	off
1	45125	FILE-OTHER	Adobe Shockwave newModel memory disclosure attempt	off	off	off
1	45126	FILE-OTHER	Adobe Shockwave newModel memory disclosure attempt	off	off	off
1	45127	BROWSER-FIREFOX	Mozilla SSL certificate spoofing attempt	off	off	off
1	45157	SERVER-OTHER	SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt	off	off	off
1	45164	POLICY-OTHER	RPC Portmapper version 3 dump request attempt	off	off	off
1	45165	POLICY-OTHER	RPC Portmapper version 2 dump request attempt	off	off	off
1	45166	POLICY-OTHER	RPC Portmapper getstat request attempt	off	off	off

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.
1	45146	BROWSER-IE	Microsoft Internet Explorer scripting engine memory corruption attempt	off	drop	drop
1	45147	BROWSER-IE	Microsoft Internet Explorer scripting engine memory corruption attempt	off	drop	drop