Cisco Talos Update for FireSIGHT Management Center

Date: 2019-11-07

This SRU number: 2019-11-06-001
Previous SRU number: 2019-11-04-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHT Management Center versions: 5.x / 6.x

This SEU number: 2091
Previous SEU: 2090

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center versions: 4.10

This is the complete list of rules added in SRU 2019-11-06-001 and SEU 2091.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	52099	SERVER-WEBAPP	Jenkins SCM Git Client plugin command injection attempt	off	off	drop	drop
1	52100	OS-MOBILE	Android Stagefright MP4 buffer overflow attempt	off	off	off	drop
1	52101	OS-MOBILE	Android Stagefright MP4 buffer overflow attempt	off	off	off	drop
3	52102	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52103	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52104	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52105	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52106	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52107	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52108	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52109	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52110	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
3	52111	FILE-OTHER	Cisco Webex Network Recording Player memory corruption attempt	off	off	drop	drop
1	52112	SERVER-WEBAPP	Git client path validation command execution attempt	off	off	off	drop
1	52113	FILE-OTHER	Oracle Outside-In library CorelDRAW parsing integer overflow attempt	off	off	off	drop
1	52114	FILE-OTHER	Oracle Outside-In library CorelDRAW parsing integer overflow attempt	off	off	off	drop
1	52115	INDICATOR-COMPROMISE	Xml.Downloader.PowMet fileless malware variant download attempt	off	drop	drop	drop
1	52116	INDICATOR-COMPROMISE	Win.Downloader.PowMet powershell script download attempt	off	drop	drop	drop
1	52117	INDICATOR-COMPROMISE	Xml.Downloader.PowMet fileless malware variant download attempt	off	drop	drop	drop
1	52118	INDICATOR-COMPROMISE	Win.Downloader.PowMet powershell script download attempt	off	drop	drop	drop
3	52119	SERVER-WEBAPP	Cisco RV Series Routers command injection attempt	off	off	drop	drop
3	52120	SERVER-WEBAPP	Cisco RV Series Routers command injection attempt	off	off	drop	drop
3	52121	SERVER-WEBAPP	Cisco RV Series Routers command injection attempt	off	off	drop	drop
3	52122	SERVER-WEBAPP	Cisco RV Series Routers command injection attempt	off	off	drop	drop
1	52123	SERVER-WEBAPP	PHP FPM env_path_info buffer underflow attempt	off	off	drop	drop
1	52124	FILE-PDF	Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt	off	drop	drop	drop
1	52125	FILE-PDF	Adobe Acrobat Reader and Acrobat TTF SING table parsing remote code execution attempt	off	drop	drop	drop
3	52127	POLICY-OTHER	Cisco Web Security Appliance system setup wizard access detected	off	off	off	off
3	52128	POLICY-OTHER	Cisco Web Security Appliance system setup wizard access detected	off	off	off	off
3	52129	SERVER-WEBAPP	Cisco Prime Infrastructure directory traversal attempt	off	off	drop	drop
1	52130	SERVER-WEBAPP	Apache Struts OGNL expression injection attempt	off	drop	drop	drop
3	52131	SERVER-OTHER	TRUFFLEHUNTER TALOS-2019-0948 attack attempt	off	off	drop	drop
1	52132	FILE-OTHER	Libmspack cabd_sys_read_block off-by-one heap overflow attempt	off	off	off	drop
1	52133	FILE-OTHER	Libmspack cabd_sys_read_block off-by-one heap overflow attempt	off	off	off	drop
1	52134	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52135	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52136	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52137	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52138	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52139	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52140	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52141	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52142	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52143	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52144	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52145	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52146	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52147	MALWARE-OTHER	Win.Trojan.Agent variant download attempt	off	drop	drop	drop
1	52148	MALWARE-CNC	Win.Trojan.Agent variant outbound connection	off	drop	drop	drop
1	52149	MALWARE-CNC	Win.Trojan.Agent variant outbound connection	off	drop	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
3	52126	SERVER-WEBAPP	Cisco Wireless LAN Controller denial of service attempt	off	off	drop	drop