This SRU number: 2020-05-20-001
Previous SRU number: 2020-05-18-001
Applies to:
This SEU number: 2167
Previous SEU: 2166
Applies to:
This is the complete list of rules added in SRU 2020-05-20-001 and SEU 2167.
The format of the file is:
GID - SID - Rule Group - Rule Message - Policy State
The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.
The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.
Note: Unless stated explicitly, the rules are for the series of products listed above.
| GID | SID | Rule Group | Rule Message | Policy State | |||
|---|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | Max. | ||||
| 1 | 54013 | MALWARE-OTHER | Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection | off | drop | drop | drop |
| 1 | 54014 | MALWARE-CNC | Win.Malware.Trickbot variant outbound connection | off | drop | drop | drop |
| 1 | 54015 | MALWARE-OTHER | Win.Dropper.Bifrost-7846624-0 download attempt | off | off | drop | drop |
| 1 | 54016 | MALWARE-OTHER | Win.Dropper.Bifrost-7846624-0 download attempt | off | off | drop | drop |
| 1 | 54017 | MALWARE-OTHER | Win.Packed.Dorkbot-7847299-0 download attempt | off | off | off | drop |
| 1 | 54018 | MALWARE-OTHER | Win.Packed.Dorkbot-7847299-0 download attempt | off | off | off | drop |
| 1 | 54019 | MALWARE-CNC | Win.Trojan.ApolloZeus Loader beaconing attempt | off | off | off | drop |
| 1 | 54020 | MALWARE-OTHER | Win.Trojan.Hancitor COVID-19 subject phishing email attempt | off | drop | drop | drop |
| 1 | 54021 | MALWARE-CNC | Win.Trojan.Andariel outbound connection attempt | off | drop | drop | drop |
| 1 | 54022 | SERVER-OTHER | SaltStack authentication bypass attempt | off | off | drop | drop |
| 1 | 54023 | SERVER-OTHER | SaltStack authentication bypass attempt | off | off | drop | drop |
| 3 | 54024 | POLICY-OTHER | Cisco Unified Contact Center Express vulnerable Java RMI class access detected | off | off | off | off |
| 3 | 54025 | POLICY-OTHER | Cisco Unified Contact Center Express vulnerable Java RMI class access detected | off | off | off | off |
| 3 | 54026 | POLICY-OTHER | Cisco Unified Contact Center Express vulnerable Java RMI class access detected | off | off | off | off |
| 3 | 54027 | POLICY-OTHER | Cisco Unified Contact Center Express vulnerable Java RMI class access detected | off | off | off | off |
| 3 | 54028 | INDICATOR-SHELLCODE | Java RMI deserialization exploit attempt | drop | drop | drop | drop |
| 1 | 54029 | MALWARE-CNC | Win.Malware.Rifdoor outbound cnc registration attempt | off | off | drop | drop |
| 1 | 54030 | SERVER-OTHER | SaltStack wheel directory traversal attempt | off | off | drop | drop |
| 1 | 54031 | SERVER-OTHER | SaltStack wheel directory traversal attempt | off | off | drop | drop |
| 1 | 54032 | SERVER-OTHER | SaltStack wheel directory traversal attempt | off | off | drop | drop |
| 1 | 54033 | SERVER-OTHER | SaltStack wheel directory traversal attempt | off | off | drop | drop |
| GID | SID | Rule Group | Rule Message | Policy State | |||
|---|---|---|---|---|---|---|---|
| Con. | Bal. | Sec. | Max. | ||||
| 3 | 54034 | SERVER-OTHER | Cisco Prime Network Registrar denial of service attempt | off | off | drop | drop |