*** EX RELS 03352 Release ***

Total number of signatures: 6002

Description
==================================================================
This signature release addresses the exploits/vulnerabilities and applications listed below:

Added 29 rule(s):
---------------
1134166 MALWARE BADRABBIT SMB Activity -2
1134193 SMB Microsoft Windows SMB Server SMBv1 Information Disclosure (CVE-2017-11815)
1134196 FILE Microsoft Windows ATMFD.dll Information Disclosure Vulnerability -1 (CVE-2017-0192)
1134197 FILE Microsoft Windows ATMFD.dll Information Disclosure Vulnerability -2 (CVE-2017-0192)
1134198 FILE Microsoft Office Memory Corruption Vulnerability (CVE-2017-0194)
1134199 WEB-CLIENT Microsoft Internet Explorer Scripting Engine Remote Memory Corruption (CVE-2017-0201)
1134200 WEB-CLIENT Microsoft Edge Remote Memory Corruption Vulnerability (CVE-2017-0205)
1134201 WEB-CLIENT Microsoft Edge DoLoopBodyStart Out of Bounds Read -1 (CVE-2017-11811)
1134202 WEB-CLIENT Microsoft Edge DoLoopBodyStart Out of Bounds Read -2 (CVE-2017-11811)
1134203 WEB WordPress WP Mobile Detector 3.5 Shell Upload -1.1 (EDB-39891)
1134204 EXPLOIT OpenVPN Server and Client mss_fixup_ipv6 Denial of Service (CVE-2017-7508)
1134205 WEB WordPress WP Mobile Detector 3.5 Shell Upload -1.2 (EDB-39891)
1134206 DNS Dnsmasq Lack of Free Denial of Service -1.2 (CVE-2017-14495)
1134207 WEB-CLIENT Microsoft Edge Chakra ParseCatch Type Confusion (CVE-2017-11764)
1134208 EXPLOIT Elastic Elasticsearch ThrowableObjectInputStream Insecure Deserialization (CVE-2015-5377)
1134209 WEB Masscan Scanner Activity
1134210 WEB Sysscan Scanner Activity
1134211 WEB-CLIENT Microsoft Edge Remote Memory Corruption Vulnerability (CVE-2017-0234)
1134212 FILE Microsoft Office Remote Code Execution Vulnerability (CVE-2017-0243)
1134213 FILE Microsoft Windows Kernel Win32k.sys Privilege Escalation Vulnerability (CVE-2017-0246)
1134214 FILE Microsoft Malware Protection Engine Remote Code Execution (CVE-2017-0290)
1134215 FILE Ni LabVIEW Memory Corruption Vulnerability (CVE-2017-2775)
1134216 RPC Oracle Solaris RPC CVE-2017-3623 Heap Buffer Overflow -6 (CVE-2017-3623)
1134217 WEB-CLIENT Flexense DiskPulse Client Import Stack Buffer Overflow -1
1134218 DNS Dnsmasq 2-byte Heap-Based Overflow -1.2 (CVE-2017-14491)
1134219 WEB-CLIENT Flexense DiskPulse Client Import Stack Buffer Overflow -2
1134220 FILE Microsoft Office OLE2Link Remote Code Execution -2 (CVE-2017-0199)
1160724 MEDIA Pandora media via TCP -5
1160728 UPDATE Apple access via TCP -2

Modified 175 rule(s):
---------------
1052009 CA Google Authentication via SSL -1
1053491 UDP port 1 traffic (eg. TCP port service multiplexer)
1053495 UDP port 2 traffic (eg. Management Utility)
1053497 UDP port 5 traffic (eg. Remote Job Entry)
1053500 UDP port 11 traffic (eg. Active Users)
1053502 UDP port 17 traffic (eg. Quote of the Day)
1053503 UDP port 18 traffic (eg. Message Send Protocol)
1053506 UDP port 35 traffic (eg. Any private printer server protocol)
1053510 UDP port 39 traffic (eg. Resource Location Protocol)
1053512 UDP port 41 traffic (eg. Graphics)
1053514 UDP port 42 traffic (eg. ARPA Host Name Server Protocol)
1053517 UDP port 49 traffic (eg. Terminal Access Controller Access-Control System)
1053519 UDP port 52 traffic (eg. XNS)
1053523 UDP port 54 traffic (eg. XNS)
1053525 UDP port 56 traffic (eg. XNS)
1053530 UDP port 69 traffic (eg. Ndmp)
1053537 UDP port 90 traffic (eg. Dnsix)
1053569 UDP port 1900 traffic (eg. SSDP)
1053876 P2P Gnutella-Bearshare login via TCP -1
1060282 MAIL MS Exchange Server POP3 login via TCP -1
1060295 UDP port 104 traffic (eg. ACR/NEMA Digital Imaging and Communications in Medicine)
1060298 UDP port 82 traffic (eg. XeroBank Browser)
1060306 UDP port 111 traffic (eg. Sun Remote)
1060310 UDP port 113 traffic (eg. ident tap Authentication Service)
1060319 UDP port 531 traffic (eg. ICQ/AIM/iChat(Mac))
1060323 UDP port 694 traffic (eg. Linux-HA High availability Heartbeat)
1060324 UDP port 561 traffic (eg. monitor)
1060336 UDP port 902 traffic (eg. VMWare)
1060339 UDP port 123 traffic (eg. NTP)
1060355 UDP port 153 traffic (eg. Simple Gateway Monitoring Protocol)
1060364 UDP port 177 traffic (eg. XDMCP)
1060366 UDP port 179 traffic (eg. IRC)
1060372 UDP port 213 traffic (eg. IPX)
1060374 UDP port 218 traffic (eg. Message Posting Protocol)
1060380 UDP port 259 traffic (eg. Efficient Short Remote Operations)
1060382 UDP port 264 traffic (eg. Border)
1060386 UDP port 318 traffic (eg. PKIX TSP)
1060388 UDP port 350 traffic (eg. MATIP)
1060390 UDP port 351 traffic (eg. MATIP)
1060396 UDP port 371 traffic (eg. ClearCase albd)
1060400 UDP port 384 traffic (eg. A Remote Network Server System)
1060404 UDP port 389 traffic (eg. LDAP)
1060406 UDP port 401 traffic (eg. UPS Uninterruptible Power Supply)
1060408 UDP port 427 traffic (eg. Service Location Protocol)
1060414 UDP port 444 traffic (eg. Simple Network Paging Protocol)
1060418 UDP port 623 traffic (eg. ASF-RMCP)
1060420 UDP port 631 traffic (eg. Internet Printing Protocol)
1060424 UDP port 639 traffic (eg. Multicast Source Discovery Protocol)
1060426 UDP port 646 traffic (eg. Label Distribution Protocol)
1060436 TCP port 691 traffic (eg. MS Exchange Server)
1060439 UDP port 699 traffic (eg. Optimized Link State Routing Protocol)
1060450 UDP port 750 traffic (eg. loadav)
1060452 UDP port 751 traffic (eg. pump)
1060454 UDP port 752 traffic (eg. qrh)
1060456 UDP port 753 traffic (eg. Reverse Routing Header)
1060458 UDP port 754 traffic (eg. tell send)
1060460 UDP port 760 traffic (eg. ns)
1060470 UDP port 991 traffic (eg. Netnews Administration System)
1060481 UDP port 500 traffic (eg. ISAKMP)
1060483 UDP port 504 traffic (eg. Citadel)
1060487 UDP port 513 traffic (eg. Who/RWho)
1060491 UDP port 517 traffic (eg. Talk)
1060492 UDP port 518 traffic (eg. NTalk)
1060494 UDP port 520 traffic (eg. Routing Information Protocol)
1060497 UDP port 525 traffic (eg. NTP)
1060499 UDP port 530 traffic (eg. RPC)
1060501 UDP port 533 traffic (eg. Netwall for Emergency Broadcasts)
1060512 UDP port 550 traffic (eg. Who/RWho)
1060726 UDP port 2546 traffic (eg. EVault-Data)
1060733 UDP port 5814 traffic (eg. Hewlett-Packard)
1060746 UDP port 4894 traffic (eg. LysKOM)
1060757 UDP port 2031 traffic (eg. Mobrien-Chat)
1060759 UDP port 1241 traffic (eg. Nessus)
1060761 UDP port 1501 traffic (eg. NetGuard GuardianPro Firewall)
1060764 UDP port 6543 traffic (eg. Paradigm)
1060766 UDP port 2612 traffic (eg. QPasa)
1060776 UDP port 3050 traffic (eg. Gds_db)
1060777 UDP port 9080 traffic (eg. Glrpc)
1060779 UDP port 1524 traffic (eg. Ingreslock)
1060781 UDP port 1972 traffic (eg. InterSystems)
1060794 UDP port 2181 traffic (eg. EForward-document)
1060795 UDP port 8080 traffic (eg. FilePhile)
1060802 UDP port 1547 traffic (eg. Laplink)
1060804 UDP port 3305 traffic (eg. Odette-ftp)
1060806 UDP port 6619 traffic (eg. Odette-ftps)
1060807 UDP port 9000 traffic (eg. UDPCast)
1060810 UDP port 5402 traffic (eg. Mftp)
1060815 UDP port 9898 traffic (eg. MonkeyCom)
1060817 UDP port 9119 traffic (eg. MXit Instant Messenger)
1060819 UDP port 2211 traffic (eg. EMWIN)
1060821 UDP port 9418 traffic (eg. Git)
1060824 UDP port 3386 traffic (eg. GTP 3GPP)
1060827 UDP port 8280 traffic (eg. Apache Synapse)
1060829 UDP port 8243 traffic (eg. Apache Synapse)
1060832 UDP port 5001 traffic (eg. Iperf)
1060834 UDP port 2212 traffic (eg. LeeCO)
1060836 UDP port 5355 traffic (eg. LLMNRsame)
1060839 UDP port 1058 traffic (eg. Nim IBM AIX)
1060841 UDP port 1059 traffic (eg. Nimreg IBM AIX)
1060843 UDP port 2210 traffic (eg. NOAAPORT)
1060848 UDP port 4840 traffic (eg. OPC UA)
1060858 UDP port 2447 traffic (eg. Ovwdb-OpenView)
1060866 UDP port 4093 traffic (eg. PxPlus)
1060868 UDP port 1813 traffic (eg. Radacct RADIUS)
1060871 UDP port 1098 traffic (eg. RMI Activation)
1060873 UDP port 1099 traffic (eg. RMI Registry)
1060880 UDP port 6110 traffic (eg. Softcm HP Softbench)
1060882 UDP port 1198 traffic (eg. CAJO)
1060890 UDP port 3233 traffic (eg. Whisker)
1060903 UDP port 2103 traffic (eg. Athena Zephyr)
1060905 UDP port 2104 traffic (eg. Athena Zephyr)
1060907 UDP port 2105 traffic (eg. Athena Zephyr)
1060909 UDP port 2102 traffic (eg. Athena Zephyr)
1060919 UDP port 1581 traffic (eg. MIL STD)
1060923 UDP port 3483 traffic (eg. Slim Devices)
1060930 UDP port 1167 traffic (eg. Phone)
1060949 UDP port 2223 traffic (eg. Microsoft Office OS X)
1060956 UDP port 1270 traffic (eg. Microsoft System Center)
1060960 UDP port 2220 traffic (eg. NetIQ End3End)
1060962 UDP port 2735 traffic (eg. NetIQ Monitor)
1060964 UDP port 2219 traffic (eg. NetIQ NCAP)
1060973 UDP port 1677 traffic (eg. NOvell GroupWise)
1060975 UDP port 3396 traffic (eg. NOvell NDPS)
1061004 UDP port 1182 traffic (eg. WatchGuard Authentication Access)
1061006 UDP port 6969 traffic (eg. WatchGuard SSLVPN)
1061023 UDP port 3268 traffic (eg. Microsoft Global Catalog)
1061025 UDP port 3269 traffic (eg. Microsoft Global Catalog)
1061029 UDP port 6445 traffic (eg. Sun Grid Engine-Execution)
1061031 UDP port 6444 traffic (eg. Sun Grid Engine-Qmaster)
1061042 UDP port 2301 traffic (eg. Cpq-wbem)
1061056 UDP port 524 traffic (eg. Netware-remote-console)
1061066 UDP port 8888 traffic (eg. NewsEDGE)
1061072 P2P aMule access via TCP -1
1061081 UDP port 6502 traffic (eg. Danware)
1061100 UDP port 8000 traffic (eg. IRDMI)
1061111 UDP port 5421 traffic (eg. NetSupport)
1061114 UDP port 5405 traffic (eg. NetSupport)
1061119 UDP port 4089 traffic (eg. OpenCORE)
1061121 UDP port 2420 traffic (eg. Westell)
1061126 UDP port 4500 traffic (eg. IPSec)
1061129 UDP port 2000 traffic (eg. Cisco SCCP)
1061136 UDP port 3225 traffic (eg. FCIP)
1061139 UDP port 2053 traffic (eg. Lot105)
1061142 P2P Gnutella-Bearshare access via TCP -1
1061152 UDP port 2809 traffic (eg. Corba)
1061156 UDP port 5298 traffic (eg. XMPP)
1061157 P2P BT-BitLord access via TCP -1
1061187 UDP port 2887 traffic (eg. Wlccp)
1061201 P2P eDonkey-eMule access via TCP -1
1061213 P2P FileScope access via TCP -1
1061225 UDP port 5445 traffic (eg. Cisco Unified Video)
1061227 UDP port 1589 traffic (eg. Cisco VQP)
1061270 UDP port 6112 traffic (eg. Dtspcd)
1061272 UDP port 6111 traffic (eg. HP Softbench)
1061275 UDP port 3544 traffic (eg. Teredo)
1061428 P2P Winny access via TCP -1
1061440 UDP port 1140 traffic (eg. AutoNOC)
1061453 UDP port 8400 traffic (eg. Cvp)
1061571 UDP port 2427 traffic (eg. MGCP KpAlive)
1061613 UDP port 5984 traffic (eg. CouchDB)
1061615 UDP port 2073 traffic (eg. DataReel)
1061801 UDP port 10000 traffic (eg. Network Data Management)
1063209 P2P eDonkey-eMule access via TCP -2
1064084 P2P eDonkey-eMule access via UDP -1
1065536 P2P Gnutella-Bearshare access via TCP -2
1068170 P2P eDonkey-eMule access via TCP -3
1080011 SG - P2P Winny access via TCP
1133594 FILE Microsoft Office OLE2Link Remote Code Execution -1 (CVE-2017-0199)
1133898 RPC Oracle Solaris RPC CVE-2017-3623 Heap Buffer Overflow -5 (CVE-2017-3623)
1134057 WEB Netgear ReadyNAS Surveillance Unauthenticated Remote Command Execution
1134067 DNS Dnsmasq 2-byte Heap-Based Overflow -1.1 (CVE-2017-14491)
1134071 DNS Dnsmasq Lack of Free Denial of Service -1.1 (CVE-2017-14495)
1134180 WEB phpMyAdmin setup.php PHP Code Injection (CVE-2009-1151)
1160085 TERMINAL GoToAssist access via SSL -1
1190004 TCP port 4662 traffic (eg. eDonkey-eMule)

Deleted 68 rule(s):
---------------
1051873 IM Rediff BOL login via TCP -1 (old rule)
1051874 IM Rediff BOL communicate via TCP -1 (old rule)
1051875 IM Rediff BOL transfer via TCP -1 (old rule)
1051876 IM Rediff BOL media-audio via TCP -1 (old rule)
1051877 IM Rediff BOL communicate via TCP -2 (old rule)
1052034 IM Rediff BOL login via TCP -2 (old rule)
1052607 IM Rediff BOL login via TCP -3 (old rule)
1053271 GAME Realgame login via TCP -1 (old rule)
1053725 IM 9158 login via TCP -1 (old rule)
1056765 EXPLOIT Oracle Business Transaction Management FlashTunnelService Arbitrary File Deletion -1 (old rule)
1056860 EXPLOIT HP Data Protector Media Operations SignInName Parameter Overflow (BID:44381) (old rule)
1056861 SMTP Novell GroupWise Internet Agent Content-Type Buffer Overflow (old rule)
1056882 EXPLOIT HP iNode Management Center iNodeMngChecker.exe Stack Buffer Overflow (old rule)
1056887 EXPLOIT Novell ZENworks Configuration Management Preboot Service Code Execution (BID:39111) (old rule)
1056888 WEB-ACTIVEX Youngzsoft CMailServer CMailCOM ActiveX Control Buffer Overflow (old rule)
1056889 IMAP Novell GroupWise Internet Agent IMAP Service Stack Buffer Overflow (BID:41704) (old rule)
1056902 DB IBM DB2 Universal Database receiveDASMessage Buffer Overflow -1 (old rule)
1056906 SCADA RealFlex RealWin FC_SCRIPT_FCS_STARTPROG Buffer Overflow (old rule)
1056907 DB IBM solidDB solid.exe Authentication Bypass -1 (old rule)
1056910 EXPLOIT Embarcadero InterBase Connect Request Multiple Stack Buffer -2 (old rule)
1056917 SCADA Smart Software Solutions CoDeSys ControlService Stack Buffer Overflow (CVE-2011-5007) (old rule)
1056918 EXPLOIT Sybase Open Server Function Pointer Array Code Execution -1 (BID:48934) (old rule)
1056919 WEB-ACTIVEX Oracle Hyperion Strategic Finance Client TTF16 ActiveX SetDevNames Heap Buffer Overflow -1 (OSVDB-76913) (old rule)
1056921 FTP Freefloat FTP Server Invalid Command Buffer Overflow -1 (BID:48704) (old rule)
1056931 WEB-CLIENT Oracle Java Runtime Environment Insecure File Loading (old rule)
1056932 SMB Oracle Java Runtime Environment Insecure File Loading (old rule)
1056933 SIP Digium Asterisk UDPTL Processing Heap Buffer Overflow -2 (old rule)
1056944 EXPLOIT Sun Java Runtime Environment Abstract (BID-21675) (old rule)
1056983 IMAP MailEnable IMAP Service Invalid Command Buffer Overflow (old rule)
1056986 EXPLOIT Quest Software Big Brother Arbitrary File Deletion and Overwriting -1 (old rule)
1056989 EXPLOIT Quest Software Big Brother Arbitrary File Deletion and Overwriting -4 (old rule)
1056990 SSH Novell NetWare OpenSSH Buffer Overflow -1 (old rule)
1057007 WEB-CLIENT Generic Javascript Obfuscation -9 (old rule)
1057021 WEB HP LoadRunner EmulationAdmin Web Service Directory Traversal -2 (CVE-2013-4837) (old rule)
1057059 EXPLOIT Sybase M-Business Anywhere agSoap.exe Closing Tag Buffer Overflow -1 (old rule)
1057060 FTP Freefloat FTP Server Invalid Command Buffer Overflow -2 (BID:48704) (old rule)
1057063 EXPLOIT Sybase Open Server Function Pointer Array Code Execution -2 (BID-48934) (old rule)
1057074 EXPLOIT Smart Software Solutions CoDeSys Gateway Server Integer Overflow -1 (BID:50849) (old rule)
1057075 WEB-ACTIVEX Rising Online Virus Scanner ActiveX Control Scan() Method Stack Buffer Overflow (BID-38282) (old rule)
1057080 EXPLOIT Sybase Open Server Null Byte Stack Memory Corruption (old rule)
1057083 WEB-ACTIVEX AOL Picture Editor YGPPicEdit.dll ActiveX Buffer Overflow (old rule)
1057087 DOS Cisco CallManager Express Malformed Skinny (old rule)
1057090 EXPLOIT D-Link DAP-1160 Wireless Access Point DCC Protocol Security Bypass Vulnerability -1 (BID:41187) (old rule)
1057091 EXPLOIT D-Link DAP-1160 Wireless Access Point DCC Protocol Security Bypass Vulnerability -2 (BID:41187) (old rule)
1057092 EXPLOIT D-Link DAP-1160 Wireless Access Point DCC Protocol Security Bypass Vulnerability -3 (BID:41187) (old rule)
1061304 FILE Symantec NetBackup access via TCP -1 (old rule)
1063223 IM 9158 login via TCP -2 (old rule)
1063603 IM 9158 login via TCP -3 (old rule)
1063604 IM 9158 login via TCP -4 (old rule)
1064013 MEDIA ADNstream access via TCP -1 (old rule)
1064014 MEDIA ADNstream login via TCP -1 (old rule)
1064070 GAME BnB login via TCP -1 (old rule)
1064079 GAME Realgame login via TCP -2 (old rule)
1064481 GAME BnB login via TCP -2 (old rule)
1064922 WEB ifeng.com access via TCP -1 (old rule)
1064995 WEB Conduit access via TCP -1 (old rule)
1064996 WEB Conduit access via TCP -2 (old rule)
1065488 MEDIA ADNstream media via TCP -1 (old rule)
1066202 MEDIA NicoNico transfer-upload via TCP -1 (old rule)
1066203 MEDIA NicoNico access via TCP -2 (old rule)
1066454 MEDIA ADNstream media via TCP -2 (old rule)
1068314 MEDIA NicoNico access via TCP -4 (old rule)
1069263 MEDIA NicoNico access via TCP -5 (old rule)
1069542 GAME BnB login via TCP -3 (old rule)
1069543 GAME BnB access via UDP -1 (old rule)
1069544 GAME BnB access via UDP -2 (old rule)
1110402 EXPLOIT IBM Lotus Notes MIF Attachment Viewer Buffer Overflow (old rule)
1160556 WEB ifeng.com access via SSL -1 (old rule)