Cisco Talos Update for FireSIGHT Management Center

Date: 2019-06-06

This SRU number: 2019-06-05-003
Previous SRU number: 2019-06-03-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHT Management Center versions: 5.x / 6.x

This SEU number: 2028
Previous SEU: 2025

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center versions: 4.10

This is the complete list of rules added in SRU 2019-06-05-003 and SEU 2028.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	50300	MALWARE-CNC	Win.Trojan.TRITON attack tool outbound connection	off	drop	drop	drop
1	50301	MALWARE-CNC	Win.Trojan.TRITON attack tool outbound connection	off	drop	drop	drop
1	50302	MALWARE-CNC	Win.Trojan.TRITON attack tool outbound connection	off	drop	drop	drop
1	50303	MALWARE-CNC	Win.Trojan.TRITON attack tool outbound connection	off	drop	drop	drop
1	50304	SERVER-WEBAPP	OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt	off	off	drop	drop
1	50305	SERVER-WEBAPP	OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt	off	off	drop	drop
1	50306	SERVER-WEBAPP	OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt	off	off	off	off
1	50307	SERVER-WEBAPP	OpenDreamBox 2.0.0 Plugin WebAdmin command injection attempt	off	off	drop	drop
1	50308	SERVER-WEBAPP	Dell KACE K1000 command injection attempt	off	off	drop	drop
1	50309	SERVER-WEBAPP	Dell KACE K1000 command injection attempt	off	off	drop	drop
1	50310	SERVER-WEBAPP	Dell KACE K1000 command injection attempt	off	off	drop	drop
1	50311	SERVER-WEBAPP	Dell KACE K1000 command injection attempt	off	off	drop	drop
1	50312	SERVER-WEBAPP	HooToo tripMate protocol.csp mac parameter command injection attempt	off	off	drop	drop
1	50313	SERVER-WEBAPP	HooToo tripMate protocol.csp mac parameter command injection attempt	off	off	drop	drop
1	50314	SERVER-WEBAPP	HooToo tripMate protocol.csp mac parameter command injection attempt	off	off	drop	drop
1	50315	SERVER-WEBAPP	HooToo tripMate protocol.csp mac parameter command injection attempt	off	off	drop	drop
1	50316	SERVER-WEBAPP	Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt	off	off	drop	drop
1	50317	SERVER-WEBAPP	Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt	off	off	drop	drop
1	50318	SERVER-WEBAPP	Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt	off	off	drop	drop
1	50319	SERVER-WEBAPP	Asus DSL-N12E_C1 1.1.2.3_345 command injection attempt	off	off	drop	drop
1	50321	SERVER-WEBAPP	MiCasaVerde VeraLite remote code execution attempt	off	off	drop	drop
1	50322	SERVER-WEBAPP	MiCasaVerde VeraLite remote code execution attempt	off	off	drop	drop
1	50323	SERVER-WEBAPP	Crestron AM platform command injection attempt	off	off	drop	drop
1	50324	SERVER-WEBAPP	Crestron AM platform command injection attempt	off	off	drop	drop
1	50325	SERVER-WEBAPP	Crestron AM platform command injection attempt	off	off	drop	drop
1	50326	SERVER-WEBAPP	Crestron AM platform command injection attempt	off	off	drop	drop
1	50327	SERVER-WEBAPP	LG SuperSignEz CMS command injection attempt	off	off	drop	drop
1	50328	SERVER-WEBAPP	LG SuperSignEz CMS command injection attempt	off	off	drop	drop
1	50329	SERVER-WEBAPP	LG SuperSignEz CMS command injection attempt	off	off	drop	drop
1	50330	SERVER-WEBAPP	LG SuperSignEz CMS command injection attempt	off	off	drop	drop
1	50331	SERVER-WEBAPP	Asustor ADM command injection attempt	off	off	drop	drop
1	50332	SERVER-WEBAPP	Asustor ADM command injection attempt	off	off	drop	drop
1	50333	SERVER-WEBAPP	Asustor ADM command injection attempt	off	off	drop	drop
1	50334	SERVER-WEBAPP	Asustor ADM command injection attempt	off	off	drop	drop
3	50335	SERVER-WEBAPP	Cisco Industrial Network Director remote code execution attempt	off	off	drop	drop
1	50336	SERVER-WEBAPP	GoAhead IP Camera set_ftp.cgi command injection attempt	off	drop	drop	drop
1	50337	SERVER-WEBAPP	GoAhead IP Camera set_ftp.cgi command injection attempt	off	drop	drop	drop
1	50338	SERVER-WEBAPP	GoAhead IP Camera set_ftp.cgi command injection attempt	off	drop	drop	drop
1	50339	SERVER-WEBAPP	GoAhead IP Camera set_ftp.cgi command injection attempt	off	drop	drop	drop
1	50340	SERVER-WEBAPP	Schneider Electric U.Motion Builder command injection attempt	off	off	drop	drop
1	50341	SERVER-WEBAPP	Schneider Electric U.Motion Builder command injection attempt	off	off	drop	drop
1	50342	SERVER-WEBAPP	Schneider Electric U.Motion Builder command injection attempt	off	off	drop	drop
1	50343	SERVER-WEBAPP	Schneider Electric U.Motion Builder command injection attempt	off	off	drop	drop
1	50344	SERVER-WEBAPP	VMWare NSX SD-WAN Edge command injection attempt	off	drop	drop	drop
1	50345	SERVER-WEBAPP	VMWare NSX SD-WAN Edge command injection attempt	off	drop	drop	drop
1	50346	SERVER-WEBAPP	VMWare NSX SD-WAN Edge command injection attempt	off	drop	drop	drop
1	50347	SERVER-WEBAPP	VMWare NSX SD-WAN Edge command injection attempt	off	drop	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
3	50320	SERVER-OTHER	Cisco Unified Communications Manager denial of service attempt	off	off	drop	drop