Rule Update

21-016 (April 6, 2021)


  DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DNS Client
1010784* - DNSmasq DNSSEC Out Of Bounds Write Vulnerability (CVE-2020-25687)


DNS Server
1010613* - Identified DNS Trojan.Win32.Trickbot.Dns Traffic


Suspicious Client Application Activity
1010741* - Identified HTTP Backdoor Python FreakOut A Runtime Detection


Suspicious Client Ransomware Activity
1010792* - Identified Cobalt Strike Default Self-signed SSL/TLS Certificate
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010714* - Identified HTTP Trojan-Downloader.Win32.Cometer.bfc C&C Traffic Request
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)


Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
1010616* - Identified HTTP Backdoor.Shell.Powertrick.A Runtime Detection
1010608* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Amazon Profile)
1010637* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Google Safe Browsing Profile)
1010609* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Office 365 Calendar Profile)
1010636* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora GET Profile)
1010639* - Identified HTTP Cobalt Strike Malleable C&C Traffic Request (Pandora POST Profile)
1010731* - Identified HTTP Redhat Webshell C&C Traffic
1010614* - Identified HTTP Trickbot Data Exfiltration (Card Payment)
1010615* - Identified HTTP Trickbot Data Exfiltration (Network Module)
1010634* - Identified HTTP Trickbot Data Exfiltration - (Application Credentials Grabber)
1010644* - Identified HTTP Trojan-Downloader.Shell.Lightbot.A C&C Traffic Request
1010610* - Identified HTTP Trojan.Win64.BazarTrickbot Traffic
1010611* - Identified HTTP TrojanDownloader.Win64.BazarLoader Traffic
1010607* - Identified TCP Meterpreter Payload


Web Application PHP Based
1010886 - Batflat CMS Remote Code Execution Vulnerability (CVE-2020-35734)


Web Client Common
1010806 - Identified Directory Traversal Attack In HTTP Response Headers


Web Server Common
1010867* - Apache ActiveMQ Web Console Reflected Cross-Site Scripting Vulnerability (CVE-2020-13947)
1010871 - Cisco Data Center Network Manager Arbitrary File Upload Vulnerability (CVE-2019-1620)
1010734* - Identified BumbleBee Webshell Traffic Over HTTP
1010814 - Identified SAP Solution Manager Removal On Host Attempt (ATT&CK T1070.004)


Web Server HTTPS
1010868* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065)
1010870* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-27065) - 1
1010875* - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability (CVE-2020-12255)


Web Server Oracle
1010887 - Identify Oracle Application Server Config Files Access


Windows SMB Server
1010884* - Microsoft Windows RPC Remote Code Execution Vulnerability (CVE-2017-8461)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.