Cisco Talos Update for FireSIGHT Management Center

Date: 2019-06-13

This SRU number: 2019-06-13-001
Previous SRU number: 2019-06-10-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHT Management Center versions: 5.x / 6.x

This SEU number: 2033
Previous SEU: 2031

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center versions: 4.10

This is the complete list of rules added in SRU 2019-06-13-001 and SEU 2033.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	50416	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50417	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50418	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50419	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50420	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50421	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50422	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50423	MALWARE-CNC	Win.Trojan.OceanLotus variant download attempt	off	drop	drop	drop
1	50424	MALWARE-CNC	User-Agent known malicious user agent - BURAN - Win.Trojan.Buran	off	drop	drop	drop
1	50425	MALWARE-CNC	Win.Trojan.Buran malicious Buran ransomware download attempt	off	drop	drop	drop
1	50426	MALWARE-CNC	Win.Trojan.Buran malicious Buran ransomware download attempt	off	drop	drop	drop
3	50427	SERVER-WEBAPP	Cisco IOS XE Web UI cross site request forgery attempt	off	off	drop	drop
1	50428	SERVER-WEBAPP	Oracle WebLogic Server authenticated arbitrary JSP file upload attempt	off	off	drop	drop
1	50429	MALWARE-CNC	Andr.Spyware.Reptilicus variant post-compromise outbound connection detected	off	drop	drop	drop
1	50430	MALWARE-CNC	Andr.Spyware.Reptilicus variant post-compromise outbound connection detected	off	drop	drop	drop
1	50431	MALWARE-CNC	Andr.Spyware.Reptilicus variant post-compromise outbound connection detected	off	drop	drop	drop
1	50432	MALWARE-CNC	Andr.Spyware.Reptilicus variant post-compromise outbound connection detected	off	drop	drop	drop
1	50433	MALWARE-CNC	Andr.Spyware.Reptilicus variant post-compromise outbound connection detected	off	drop	drop	drop
1	50434	MALWARE-CNC	Andr.Spyware.Reptilicus variant post-compromise outbound connection detected	off	drop	drop	drop
1	50435	MALWARE-CNC	Andr.Spyware.iSpyoo variant post-compromise outbound connection	off	drop	drop	drop
1	50436	MALWARE-CNC	Andr.Spyware.iSpyoo variant post-compromise outbound connection	off	drop	drop	drop
1	50437	MALWARE-CNC	Andr.Spyware.iSpyoo variant post-compromise outbound connection	off	drop	drop	drop
1	50438	MALWARE-CNC	Andr.Spyware.iSpyoo variant post-compromise outbound connection	off	drop	drop	drop
1	50439	MALWARE-CNC	Andr.Spyware.iSpyoo variant post-compromise outbound connection	off	drop	drop	drop
1	50440	MALWARE-CNC	Win.Malware.Ramnit inbound VERIFY_HOST response	off	drop	drop	drop
1	50441	FILE-IMAGE	Adobe Acrobat TIFF heap buffer overflow attempt	off	off	off	off
1	50442	FILE-IMAGE	Adobe Acrobat TIFF heap buffer overflow attempt	off	off	off	off
1	50443	FILE-IMAGE	Adobe Acrobat TIFF heap buffer overflow attempt	off	off	off	off
1	50444	FILE-IMAGE	Adobe Acrobat TIFF heap buffer overflow attempt	off	off	off	off
1	50445	MALWARE-CNC	Win.Downloader.TeamBot additional payload download attempt	off	drop	drop	drop
1	50446	MALWARE-CNC	Win.Downloader.TeamBot outbound cnc connection	off	drop	drop	drop