Cisco Talos Update for FireSIGHT Management Center

Date: 2019-08-29

This SRU number: 2019-08-29-001
Previous SRU number: 2019-08-26-001

Applies to:

3D Sensor versions: 5.x / 6.x
Cisco FireSIGHT Management Center versions: 5.x / 6.x

This SEU number: 2061
Previous SEU: 2059

Applies to:

3D Sensor Versions: 4.10
Cisco FireSIGHT Management Center versions: 4.10

This is the complete list of rules added in SRU 2019-08-29-001 and SEU 2061.

The format of the file is:

GID - SID - Rule Group - Rule Message - Policy State

The Policy State refers to each default Cisco Talos policy, Connectivity, Balanced, Security, and Maximum Detection.

The default passive policy state is the same as the Balanced policy state with the exception of alert being used instead of drop.

Note: Unless stated explicitly, the rules are for the series of products listed above.

New Rules:

**High Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	51309	MALWARE-CNC	Win.Trojan.Pistacchietto variant outbound connection	off	drop	drop	drop
1	51310	FILE-OFFICE	Microsoft Excel ExternSheet record remote code execution attempt	off	off	off	drop
1	51311	FILE-OFFICE	Microsoft Excel ExternSheet record remote code execution attempt	off	off	off	drop
1	51312	SERVER-WEBAPP	WSO2 Carbon persistent cross site scripting attempt	off	off	off	drop
1	51313	FILE-OFFICE	Microsoft Office Excel invalid FRTWrapper record integer underflow attempt	off	off	off	drop
1	51314	FILE-OFFICE	Microsoft Office Excel invalid FRTWrapper record integer underflow attempt	off	off	off	drop
1	51315	SERVER-WEBAPP	Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt	off	off	drop	drop
1	51316	SERVER-WEBAPP	Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt	off	off	drop	drop
1	51317	SERVER-WEBAPP	Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt	off	off	drop	drop
1	51318	SERVER-WEBAPP	Atlassian Jira ContactAdministrators and SendBulkMail template injection remote code execution attempt	off	off	drop	drop
1	51320	MALWARE-CNC	Win.Trojan.BlackMoon variant outbound connection	off	drop	drop	drop
1	51326	FILE-OFFICE	Microsoft Office Excel DBQueryExt record memory corruption attempt	off	off	off	drop
3	51331	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2019-0888 attack attempt	off	off	off	off
3	51332	SERVER-WEBAPP	TRUFFLEHUNTER TALOS-2019-0888 attack attempt	off	off	off	off
1	51335	BROWSER-IE	Microsoft Edge scripting engine uninitialized pointers memory corruption attempt	off	off	off	drop
1	51336	BROWSER-IE	Microsoft Edge scripting engine uninitialized pointers memory corruption attempt	off	off	off	drop
1	51337	MALWARE-CNC	User-Agent known malicious user-agent string - Extenbro	off	drop	drop	drop
1	51339	INDICATOR-SCAN	Trend Micro Threat Discovery Appliance logon.cgi authentication attempt	off	off	off	drop
1	51340	SERVER-WEBAPP	Trend Micro Threat Discovery Appliance dlp_policy_upload.cgi arbitrary file download attempt	off	off	off	drop
1	51341	MALWARE-CNC	User-Agent known malicious user-agent string - Nemty	off	drop	drop	drop
1	51342	MALWARE-CNC	User-Agent known malicious user-agent string - Nemty	off	drop	drop	drop
1	51360	MALWARE-CNC	Win.Ransomware.LooCipher variant outbound connection	off	drop	drop	drop
1	51361	MALWARE-OTHER	Win.Ransomware.LooCipher variant download attempt	off	drop	drop	drop
1	51362	MALWARE-OTHER	Win.Ransomware.LooCipher variant download attempt	off	drop	drop	drop
1	51363	FILE-OFFICE	Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt	off	off	off	drop
1	51364	FILE-OFFICE	Microsoft Office Excel TXO and OBJ records parsing stack memory corruption attempt	off	off	off	drop
1	51368	MALWARE-OTHER	Win.Backdoor.Agent inbound request attempt	off	drop	drop	drop
3	51369	OS-WINDOWS	Microsoft Windows RDP DecompressUnchopper integer overflow attempt	drop	drop	drop	drop

**Medium Priority**
GID	SID	Rule Group	Rule Message	Policy State
GID	SID	Rule Group	Rule Message	Con.	Bal.	Sec.	Max.
1	51227	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51228	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51229	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51230	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51231	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51232	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51233	SERVER-OTHER	FreeRADIUS DHCP string options integer underflow attempt	off	off	off	drop
1	51319	SERVER-OTHER	Mosca MQTT broker regular expression denial of service attempt	off	off	off	drop
1	51321	SERVER-WEBAPP	SAP Internet Transaction Server information disclosure attempt	off	off	off	drop
1	51322	SERVER-WEBAPP	SAP Internet Transaction Server information disclosure attempt	off	off	off	drop
1	51323	SERVER-WEBAPP	SAP Internet Transaction Server information disclosure attempt	off	off	off	drop
1	51324	SERVER-WEBAPP	SAP Internet Transaction Server information disclosure attempt	off	off	off	drop
1	51325	SERVER-WEBAPP	SAP Internet Transaction Server information disclosure attempt	off	off	off	drop
1	51327	OS-OTHER	Intel x64 side-channel analysis information leak attempt	off	off	drop	drop
1	51328	OS-OTHER	Intel x64 side-channel analysis information leak attempt	off	off	drop	drop
1	51329	OS-OTHER	Intel x64 side-channel analysis information leak attempt	off	off	drop	drop
1	51330	OS-OTHER	Intel x64 side-channel analysis information leak attempt	off	off	drop	drop
1	51333	SERVER-OTHER	OpenSSL TLS record tampering denial of service attempt	off	off	off	drop
1	51334	SERVER-OTHER	OpenSSL TLS record tampering denial of service attempt	off	off	off	drop
1	51338	PROTOCOL-TELNET	TippingPoint IPS hostname disclosure attempt	off	off	off	drop
1	51343	SERVER-OTHER	OpenSSL TLS anomalous non-zero length session ticket in client hello	off	off	off	drop
1	51344	SERVER-OTHER	OpenSSL TLS anomalous non-zero length session ticket in client hello	off	off	off	drop
1	51345	SERVER-OTHER	OpenSSL TLS anomalous non-zero length session ticket in client hello	off	off	off	drop
1	51346	SERVER-OTHER	OpenSSL TLS anomalous non-zero length session ticket in client hello	off	off	off	drop
1	51347	SERVER-OTHER	OpenSSL TLS anomalous ascii session ticket	off	off	off	drop
1	51348	SERVER-OTHER	OpenSSL TLS anomalous ascii session ticket	off	off	off	drop
1	51349	SERVER-OTHER	OpenSSL TLS anomalous ascii session ticket	off	off	off	drop
1	51350	SERVER-OTHER	OpenSSL TLS anomalous ascii session ticket	off	off	off	drop
1	51351	SERVER-OTHER	OpenSSL TLS anomalous ascii client session ticket	off	off	off	drop
1	51352	SERVER-OTHER	OpenSSL TLS anomalous ascii client session ticket	off	off	off	drop
1	51353	SERVER-OTHER	OpenSSL TLS anomalous ascii client session ticket	off	off	off	drop
1	51354	SERVER-OTHER	OpenSSL TLS anomalous ascii client session ticket	off	off	off	drop
3	51355	SERVER-WEBAPP	Cisco IOS XE REST API information disclosure attempt	off	drop	drop	drop
1	51356	SERVER-OTHER	OpenSSL DTLS duplicate record denial of service attempt	off	off	off	drop
1	51357	SERVER-OTHER	OpenSSL DTLS duplicate record denial of service attempt	off	off	off	drop
1	51358	SERVER-OTHER	OpenSSL DTLS duplicate record denial of service attempt	off	off	off	drop
1	51359	SERVER-OTHER	OpenSSL DTLS duplicate record denial of service attempt	off	off	off	drop
3	51365	SERVER-WEBAPP	Cisco NX-OS Software NX-API denial of service attempt	off	off	off	drop
3	51366	SERVER-WEBAPP	Cisco NX-OS Software NX-API denial of service attempt	off	off	off	drop
3	51367	SERVER-WEBAPP	Cisco NX-OS Software NX-API denial of service attempt	off	off	off	drop