Rule Update

20-050 (September 29, 2020)


* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069)

DNS Server
1010511 - ISC BIND TCP Receive Buffer Length Assertion Denial Of Service Vulnerability (CVE-2020-8620)

Directory Server LDAP
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018)

FTP Server Miscellaneous
1010531 - Vesta Control Panel Authenticated Remote Code Execution Vulnerability (CVE-2020-10808)

Microsoft Office
1010525 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2020-1193)

NodeJS Debugging Protocol
1010497 - NodeJS Debugger Usage Attempt Vulnerability (CVE-2018-12120)

Web Application Common
1010529 - CutePHP CuteNews Remote Code Execution Vulnerability (CVE-2019-11447)
1010334* - Telerik UI For ASP.NET AJAX Insecure Deserialization Vulnerability (CVE-2019-18935)

Web Server Apache
1010461* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2019-0230)

Web Server Common
1010498* - Nagios XI Authenticated Remote Command Execution Vulnerability (CVE-2019-15949)

Web Server HTTPS
1010535 - Anttispi Webshell C&C Traffic
1010534 - MuddyWater Download Request
1010524 - Ptrpmpx Webshell C&C Traffic
1010530 - Ptrpmpx Webshell C&C Traffic - 1

Web Server Miscellaneous
1010516* - Jenkins Amazon EC2 Plugin Cross-Site Request Forgery Vulnerability (CVE-2020-2186)

Web Server Nagios
1010369 - Nagios XI '' Command Injection Vulnerability
1010504* - Nagios XI account 'main.php' Stored Cross-Site Scripting Vulnerability (CVE-2020-10821)

Windows Services RPC Server DCERPC
1010539 - Identified NTLM Brute Force Attempt (ZeroLogon) (CVE-2020-1472)
1010519* - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)

Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.