This SRU number: 2019-05-14-001
Previous SRU number: 2019-05-08-001
Applies to:
This SEU number: 2012
Previous SEU: 2010
Applies to:
This is the complete list of rules added in SRU 2019-05-14-001 and SEU 2012.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | |||
|---|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | Max. | ||||
| 1 | 50065 | MALWARE-CNC | Win.Trojan.Robinhood malicious executable download attempt | off | drop | drop | drop |
| 1 | 50066 | MALWARE-CNC | Win.Trojan.Robinhood malicious executable download attempt | off | drop | drop | drop |
| 1 | 50067 | MALWARE-CNC | Win.Trojan.CrackXTSR variant outbound response attempt | off | drop | drop | drop |
| 1 | 50068 | OS-WINDOWS | Microsoft Windows arbitrary registry access privilege escalation attempt | off | drop | drop | drop |
| 1 | 50069 | OS-WINDOWS | Microsoft Windows arbitrary registry access privilege escalation attempt | off | drop | drop | drop |
| 1 | 50070 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50071 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50072 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50073 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50074 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50075 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50076 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50077 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50078 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50079 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50080 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50081 | BROWSER-IE | Microsoft Edge memory corruption attempt | off | drop | drop | drop |
| 1 | 50082 | BROWSER-IE | Microsoft Internet Explorer memory corruption attempt | off | drop | drop | drop |
| 1 | 50083 | BROWSER-IE | Microsoft Internet Explorer memory corruption attempt | off | drop | drop | drop |
| 1 | 50084 | OS-WINDOWS | Windows Kernel Registry Virtualization privilege escalation attempt | off | off | drop | drop |
| 1 | 50085 | OS-WINDOWS | Windows Kernel Registry Virtualization privilege escalation attempt | off | off | drop | drop |
| 1 | 50086 | FILE-OFFICE | Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt | off | off | drop | drop |
| 1 | 50087 | FILE-OFFICE | Microsoft Windows GDI EMR_POLYTEXTOUTW out-of-bounds read attempt | off | off | drop | drop |
| 1 | 50088 | FILE-IMAGE | Microsoft Windows OLE Load Picture remote code execution attempt | off | drop | drop | drop |
| 1 | 50089 | FILE-IMAGE | Microsoft Windows OLE Load Picture remote code execution attempt | off | drop | drop | drop |
| 1 | 50090 | OS-WINDOWS | Microsoft Windows NDIS elevation of privilege attempt | off | off | drop | drop |
| 1 | 50091 | OS-WINDOWS | Microsoft Windows NDIS elevation of privilege attempt | off | off | drop | drop |
| 1 | 50092 | MALWARE-CNC | Win.Trojan.Filensfer connection attempt | off | drop | drop | drop |
| 1 | 50107 | MALWARE-CNC | Win.Trojan.Agent variant outbound cnc connection | off | drop | drop | drop |
| 1 | 50108 | MALWARE-CNC | Win.Trojan.Agent variant outbound cnc connection | off | drop | drop | drop |
| 1 | 50109 | MALWARE-CNC | Win.Trojan.Agent variant outbound cnc connection | off | drop | drop | drop |
| 3 | 50110 | SERVER-WEBAPP | TRUFFLEHUNTER TALOS-2019-0836 attack attempt | off | off | off | drop |
| 1 | 50112 | MALWARE-OTHER | Win.Ransomware.Agent ransom note transfer over SMB | off | drop | drop | drop |
| 1 | 50113 | MALWARE-OTHER | Win.Ransomware.MegaLocker ransom note transfer over SMB | off | drop | drop | drop |
| 3 | 50114 | SERVER-WEBAPP | TRUFFLEHUNTER TALOS-2019-0833 attack attempt | off | off | off | drop |
| 1 | 50115 | OS-WINDOWS | Microsoft Windows Error Reporting elevation of privilege attempt | off | drop | drop | drop |
| 1 | 50116 | OS-WINDOWS | Microsoft Windows Error Reporting elevation of privilege attempt | off | drop | drop | drop |
| 3 | 50117 | SERVER-WEBAPP | Cisco IOS XE Web UI command injection attempt | off | off | drop | drop |
| 3 | 50118 | SERVER-WEBAPP | Cisco IOS XE Web UI command injection attempt | off | off | drop | drop |
| 1 | 50119 | FILE-OTHER | Windows GDI font out-of-bounds read attempt | off | off | drop | drop |
| 1 | 50120 | FILE-OTHER | Windows GDI font out-of-bounds read attempt | off | off | drop | drop |
| 1 | 50121 | OS-WINDOWS | Microsoft Windows TrueType font parsing integer underflow attempt | off | off | drop | drop |
| 1 | 50122 | OS-WINDOWS | Microsoft Windows TrueType font parsing integer underflow attempt | off | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | |||
|---|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | Max. | ||||
| 1 | 50093 | INDICATOR-COMPROMISE | Responder poisoner HTTP attack attempt | off | drop | drop | drop |
| 1 | 50094 | INDICATOR-COMPROMISE | Responder poisoner HTTP attack attempt | off | drop | drop | drop |
| 1 | 50095 | INDICATOR-COMPROMISE | Responder poisoner self-signed certificate attempt | off | drop | drop | drop |
| 1 | 50096 | INDICATOR-COMPROMISE | Responder poisoner toolkit download attempt | off | drop | drop | drop |
| 1 | 50097 | INDICATOR-COMPROMISE | Responder poisoner HTTP attack attempt | off | drop | drop | drop |
| 1 | 50098 | INDICATOR-COMPROMISE | Responder poisoner HTTP attack attempt | off | drop | drop | drop |
| 1 | 50099 | INDICATOR-COMPROMISE | Responder poisoner HTTP attack attempt | off | drop | drop | drop |
| 1 | 50100 | INDICATOR-COMPROMISE | Responder poisoner SMTP attack attempt | off | drop | drop | drop |
| 1 | 50101 | INDICATOR-COMPROMISE | Responder poisoner MSSQL attack attempt | off | drop | drop | drop |
| 1 | 50102 | INDICATOR-COMPROMISE | Responder poisoner LDAP attack attempt | off | drop | drop | drop |
| 1 | 50103 | INDICATOR-COMPROMISE | Responder poisoner SMB negotiation attack attempt | off | drop | drop | drop |
| 1 | 50104 | INDICATOR-COMPROMISE | Responder poisoner SMB negotiation attack attempt | off | drop | drop | drop |
| 1 | 50105 | INDICATOR-COMPROMISE | Responder poisoner SMB negotiation attack attempt | off | drop | drop | drop |
| 1 | 50106 | INDICATOR-COMPROMISE | Responder poisoner SMB attack attempt | off | drop | drop | drop |
| 3 | 50111 | SERVER-WEBAPP | TRUFFLEHUNTER TALOS-2019-0839 attack attempt | off | off | off | drop |