Cisco Talos Update for FireSIGHT Management Center

Date: 2018-04-19

This SRU number: 2018-04-18-001
Previous SRU number: 2018-04-16-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHT Management Center versions: 5.x / 6.x

This SEU number: 1836
Previous SEU: 1835

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center versions: 4.10

This is the complete list of rules added in SRU 2018-04-18-001 and SEU 1836.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	46347	SERVER-WEBAPP	MediaWiki index.php rs cross site scripting attempt	off	off	off	off
1	46348	SERVER-WEBAPP	NetIQ Access Manager Identity Server directory traversal attempt	off	drop	drop	drop
1	46349	SERVER-WEBAPP	NetIQ Access Manager Identity Server directory traversal attempt	off	drop	drop	drop
1	46350	SERVER-WEBAPP	NetIQ Access Manager Identity Server directory traversal attempt	off	drop	drop	drop
1	46351	BROWSER-PLUGINS	Mitsubishi EZPcAut220 ActiveX clsid access attempt	off	off	off	off
1	46352	BROWSER-PLUGINS	Mitsubishi EZPcAut220 ActiveX clsid access attempt	off	off	off	off
1	46353	SERVER-WEBAPP	ManageEngine ServiceDesk download-file directory traversal attempt	off	off	off	off
1	46354	SERVER-WEBAPP	ManageEngine ServiceDesk download-file directory traversal attempt	off	off	off	off
1	46355	SERVER-WEBAPP	ManageEngine ServiceDesk download-file directory traversal attempt	off	off	off	off
1	46356	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46357	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46358	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46359	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46360	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46361	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46362	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46363	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46364	MALWARE-CNC	Andr.Trojan.Wroba outbound connection	off	drop	drop	off
1	46368	MALWARE-BACKDOOR	JSP Web shell upload attempt	off	off	drop	drop
1	46369	MALWARE-BACKDOOR	JSP Web shell access attempt	off	off	drop	drop
1	46376	SERVER-OTHER	libgd heap-overflow attempt	off	off	drop	drop
1	46377	SERVER-OTHER	libgd heap-overflow attempt	off	off	drop	drop
1	46378	MALWARE-CNC	Win.Trojan.Dropper variant outbound connection	off	drop	drop	drop
1	46379	SERVER-WEBAPP	Afian FileRun SQL injection attempt	off	off	drop	drop
1	46380	SERVER-WEBAPP	Afian FileRun SQL injection attempt	off	off	drop	drop
1	46383	SERVER-OTHER	Micro Focus Operations Orchestration information disclosure attempt	off	off	off	off
1	46384	BROWSER-IE	Internet Explorer URL file remote code execution attempt detected	off	drop	drop	drop
1	46385	BROWSER-IE	Internet Explorer URL file remote code execution attempt detected	off	drop	drop	drop
3	46386	SERVER-WEBAPP	Cisco IOS XE Web UI arbitrary file write attempt	off	off	drop	drop
3	46390	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2018-0577 attack attempt	off	off	off	off
3	46391	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2018-0577 attack attempt	off	off	off	off
3	46392	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2018-0577 attack attempt	off	off	off	off
3	46395	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2018-0578 attack attempt	off	off	off	off
1	46396	FILE-EXECUTABLE	Win.Ransomware.Rapid download attempt	off	drop	drop	drop
1	46397	FILE-EXECUTABLE	Win.Ransomware.Rapid download attempt	off	drop	drop	drop
1	46398	BROWSER-OTHER	Mozilla Firefox table object integer underflow	off	off	off	off
1	46399	BROWSER-OTHER	Mozilla Firefox table object integer underflow	off	off	off	off

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	46365	PUA-OTHER	CoinHive Miner client detected	off	drop	drop	drop
1	46366	PUA-OTHER	CryptoNight webassembly download attempt	off	drop	drop	off
1	46367	FILE-IDENTIFY	WebAssembly file download detected	off	off	off	off
1	46370	PUA-OTHER	Moonify Miner client detected	off	drop	drop	drop
1	46371	PUA-OTHER	Moonify TLS server hello attempt	off	drop	drop	drop
1	46372	PUA-OTHER	Moonify TLS client hello attempt	off	drop	drop	drop
1	46373	PROTOCOL-OTHER	CLDAP potential reflected distributed denial of service attempt	off	off	off	off
1	46374	PROTOCOL-OTHER	CLDAP potential reflected distributed denial of service attempt	off	off	off	off
1	46375	SERVER-OTHER	DualDesk v20 Proxy.exe long string denial of service attempt	off	off	off	off
1	46382	SERVER-OTHER	Micro Focus Operations Orchestration denial of service attempt	off	off	off	off
1	46387	SERVER-OTHER	Multiple Vendors NTP zero-origin timestamp denial of service attempt	off	off	off	off
3	46388	FILE-OTHER	TRUFFLEHUNTER TALOS-2018-0579 attack attempt	off	off	drop	drop
3	46389	FILE-OTHER	TRUFFLEHUNTER TALOS-2018-0579 attack attempt	off	off	drop	drop
1	46393	FILE-IDENTIFY	WebAssembly file detected	off	off	off	off

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	46381	INDICATOR-COMPROMISE	Potential data exfiltration through Google form submission	off	off	off	off
1	46394	FILE-IDENTIFY	WebAssembly file attachment detected	off	off	off	off