Cisco Talos Update for FireSIGHT Management Center

Date: 2020-07-23

This SRU number: 2020-07-22-001
Previous SRU number: 2020-07-20-001

Applies to:

This SEU number: 2189
Previous SEU number: 2188

Applies to:

This is the complete list of rules added in SRU 2020-07-22-001 and SEU 2189.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State column gives the rule's state in each default Cisco Talos policy: Connectivity (Con.), Balanced (Bal.), Security (Sec.), and Maximum Detection (Max.).

The default passive policy state is the same as the Balanced policy state, except that alert is used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

High Priority
GID - SID - Rule Group - Rule Message - Policy State (Con./Bal./Sec./Max.)

1 - 54594 - MALWARE-OTHER - Win.Dropper.Ap0calypseRAT-8992619-0 download attempt - off/off/off/drop
1 - 54595 - MALWARE-OTHER - Win.Dropper.Ap0calypseRAT-8992619-0 download attempt - off/off/off/drop
1 - 54596 - SERVER-WEBAPP - WordPress bbPress plugin unauthenticated privilege escalation attempt - off/off/drop/drop
1 - 54597 - SERVER-WEBAPP - WordPress bbPress plugin unauthenticated privilege escalation attempt - off/off/drop/drop
3 - 54598 - SERVER-WEBAPP - Cisco ASA directory traversal attempt - off/off/drop/drop
3 - 54599 - SERVER-WEBAPP - Cisco ASA directory traversal attempt - off/off/drop/drop
3 - 54600 - SERVER-WEBAPP - Cisco ASA directory traversal attempt - off/off/drop/drop
3 - 54601 - SERVER-WEBAPP - Cisco ASA directory traversal attempt - off/off/drop/drop
1 - 54602 - SERVER-WEBAPP - Laravel Framework PendingCommand arbitrary command execution attempt - off/off/drop/drop
1 - 54603 - SERVER-WEBAPP - Laravel Framework PendingCommand arbitrary command execution attempt - off/off/drop/drop
1 - 54604 - MALWARE-OTHER - Win.Dropper.Dorkbot-8975168-0 download attempt - off/off/drop/drop
1 - 54605 - MALWARE-OTHER - Win.Dropper.Dorkbot-8975168-0 download attempt - off/off/drop/drop
3 - 54606 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2020-1126 attack attempt - off/off/drop/drop
3 - 54607 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2020-1126 attack attempt - off/off/drop/drop
3 - 54608 - SERVER-WEBAPP - TRUFFLEHUNTER TALOS-2020-1126 attack attempt - off/off/drop/drop
1 - 54609 - SERVER-OTHER - Hummingbird InetD LPD buffer overflow attempt - off/off/off/drop
1 - 54610 - MALWARE-CNC - Win.Trojan.Prometei variant outbound connection - off/drop/drop/drop
1 - 54611 - MALWARE-CNC - Win.Trojan.Prometei variant outbound connection - off/drop/drop/drop
1 - 54612 - MALWARE-CNC - Win.Trojan.Prometei variant outbound connection - off/drop/drop/drop
1 - 54617 - SERVER-WEBAPP - GeoVision Door Access Control hidden url access attempt - off/drop/drop/drop
1 - 54618 - FILE-OTHER - Microsoft .NET API XPS file parsing remote code execution attempt - off/off/drop/drop
1 - 54619 - FILE-OTHER - Microsoft .NET API XPS file parsing remote code execution attempt - off/off/drop/drop
1 - 54620 - FILE-OFFICE - Microsoft Office Equation Editor stack buffer overflow attempt - off/off/drop/drop
1 - 54621 - FILE-OFFICE - Microsoft Office Equation Editor stack buffer overflow attempt - off/off/drop/drop
1 - 54622 - BROWSER-CHROME - Google Chrome ReadableStream out of bounds read attempt - off/off/drop/drop
1 - 54623 - BROWSER-CHROME - Google Chrome ReadableStream out of bounds read attempt - off/off/drop/drop
1 - 54624 - BROWSER-CHROME - Google Chrome blink webaudio module use after free attempt - off/off/drop/drop
1 - 54625 - BROWSER-CHROME - Google Chrome blink webaudio module use after free attempt - off/off/drop/drop
1 - 54626 - MALWARE-CNC - Vbs.Trojan.Dridex variant payload outbound download attempt - off/drop/drop/drop
1 - 54627 - MALWARE-CNC - Vbs.Trojan.Dridex variant payload inbound download attempt - off/drop/drop/drop
1 - 54628 - MALWARE-CNC - Vbs.Trojan.Dridex variant payload inbound download attempt - off/drop/drop/drop
1 - 54629 - SERVER-WEBAPP - Microsoft Windows .NET API XML unsafe deserialization attempt - off/off/drop/drop

Medium Priority
GID - SID - Rule Group - Rule Message - Policy State (Con./Bal./Sec./Max.)

1 - 54613 - SERVER-OTHER - Zoom client spoofed chat message attempt - off/off/drop/drop
1 - 54614 - SERVER-OTHER - Zoom client unauthorized user kick attempt - off/off/drop/drop
1 - 54615 - SERVER-OTHER - Zoom client unauthorized screen control attempt - off/off/drop/drop
1 - 54616 - SERVER-OTHER - Zoom client unauthorized conference termination attempt - off/off/drop/drop
1 - 54630 - PROTOCOL-DNS - BIND DNS server TSIG denial of service attempt - off/off/drop/drop