Cisco Talos Update for FireSIGHT Management Center

Date: 2020-06-04

This SRU number: 2020-06-03-001
Previous SRU number: 2020-06-01-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHT Management Center versions: 5.x / 6.x

This SEU number: 2171
Previous SEU: 2170

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center versions: 4.10

This is the complete list of rules added in SRU 2020-06-03-001 and SEU 2171.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
3	53497	SERVER-WEBAPP	Cisco IOS XE Web UI command injection attempt	off	off	drop	drop
3	53498	SERVER-WEBAPP	Cisco IOS XE Web UI file upload directory traversal attempt	off	off	drop	drop
3	53499	SERVER-WEBAPP	Cisco IOS XE Web UI file upload remote code execution attempt	off	off	drop	drop
3	53500	SERVER-WEBAPP	Cisco IOS XE Web UI file upload remote code execution attempt	off	off	drop	drop
3	53501	SERVER-WEBAPP	Cisco IOS XE Web UI command injection attempt	off	off	drop	drop
3	53502	SERVER-WEBAPP	Cisco IOS XE Web UI command injection attempt	off	off	drop	drop
3	53503	SERVER-WEBAPP	Cisco IOS XE Web UI command injection attempt	off	off	drop	drop
3	53504	FILE-OTHER	TAR file directory traversal attempt	off	off	off	drop
1	54145	MALWARE-OTHER	Win.Trojan.Ursnif malicious outbound connection attempt - gravity generated detection	off	drop	drop	drop
1	54146	MALWARE-OTHER	Win.Worm.Dorkbot-7993070-0 download attempt	off	off	drop	drop
1	54147	MALWARE-OTHER	Win.Worm.Dorkbot-7993070-0 download attempt	off	off	drop	drop
1	54148	MALWARE-OTHER	Win.Trojan.Vobfus-7994999-0 download attempt	off	off	drop	drop
1	54149	MALWARE-OTHER	Win.Trojan.Vobfus-7994999-0 download attempt	off	off	drop	drop
1	54150	MALWARE-OTHER	Win.Adware.Hao123 outbound connection attempt	off	drop	drop	drop
1	54151	MALWARE-OTHER	Win.Adware.Hao123 outbound connection attempt	off	drop	drop	drop
1	54152	MALWARE-OTHER	Win.Adware.Hao123 outbound connection attempt	off	drop	drop	drop
1	54153	MALWARE-OTHER	Win.Trojan.Turla malicious executable download attempt	off	off	drop	drop
1	54154	MALWARE-OTHER	Win.Trojan.Turla malicious executable download attempt	off	off	drop	drop
3	54155	SERVER-OTHER	Cisco IOx Application Environment external VDS control message attempt	off	off	off	drop
1	54157	SERVER-OTHER	VMWare Directory Service authentication bypass attempt	off	off	drop	drop
3	54161	POLICY-OTHER	Cisco IOx token service access detected	off	off	off	off
1	54162	SERVER-WEBAPP	Apache Tomcat FileStore directory traversal attempt	off	drop	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
3	54158	PROTOCOL-OTHER	Cisco IOS XE NetFlow packet parsing denial of service attempt	off	off	drop	drop
3	54159	SERVER-OTHER	Cisco IOS IKE2 invalid port denial of service attempt	off	off	drop	drop
3	54160	SERVER-OTHER	Cisco IOS IKE2 invalid port denial of service attempt	off	off	drop	drop
3	54163	PROTOCOL-VOIP	Cisco IOS malformed SIP Via header denial of service attempt	off	off	off	drop
3	54164	PROTOCOL-VOIP	Cisco IOS malformed SIP Via header denial of service attempt	off	off	off	drop

**Low Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	54156	POLICY-OTHER	LDAP bind success	off	off	drop	drop