Rule Update

20-057 (November 10, 2020)


  DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services - Client
1010594 - Google Chrome FreeType Font File Buffer Overflow Vulnerability Over SMB (CVE-2020-15999)


Directory Server LDAP
1010433* - Identified Remote System Discovery Over LDAP (ATT&CK T1018, T1033)


NFS Server
1010604 - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17051)
1010605 - Microsoft Windows Network File System Remote Code Execution Vulnerability (CVE-2020-17056)


OpenSSL Client
1006546* - OpenSSL ECDHE Downgrade Vulnerability (CVE-2014-3572)


Port Mapper RPC
1010606 - Identified Out-Of-Sync RPCSEC_GSS_CONTINUE_INIT RPC Message


Suspicious Client Application Activity
1010364* - Identified Reverse Shell Communication Over HTTPS - 2 (ATT&CK T1071)
1010365* - Identified Reverse Shell Communication Over HTTPS - 3 (ATT&CK T1071)


Web Application Common
1010592 - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerabilities (CVE-2019-12538 and CVE-2019-12542)
1010593 - Zoho ManageEngine ServiceDesk Plus Cross Site Scripting Vulnerability (CVE-2019-12543)


Web Application PHP Based
1010564 - Joomla Arbitrary File Upload Vulnerability (CVE-2020-23972)


Web Client Common
1010603 - Adobe Acrobat Pro DC FDF Object Use After Free Vulnerability (CVE-2020-24430)
1010600 - Adobe Acrobat Pro DC URL Out Of Bounds Read Vulnerability (CVE-2020-24435)
1010599 - Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2020-17087)


Web Client Internet Explorer/Edge
1010602 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2020-17053)
1010601 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-17052)


Web Server Common
1010099 - Elastic Kibana Timelion Prototype Pollution Vulnerability (CVE-2019-7609)


Web Server Miscellaneous
1010580 - Spring Security OAuth Open Redirect Vulnerability (CVE-2019-3778)


Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882 and CVE-2020-14750)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1008852* - Auditd
1010489* - Auditd - Mitre ATT&CK TA0003: Persistence
1010528* - Auditd - Mitre ATT&CK TA0004: Privilege Escalation
1010558* - Auditd - Mitre ATT&CK TA0005: Defense Evasion
1010536* - Auditd - Mitre ATT&CK TA0006: Credential Access
1010465* - Auditd - Mitre ATT&CK TA0007: Discovery
1010582* - Auditd - Mitre ATT&CK TA0008: Lateral Movement
1003987* - Microsoft Windows Security Events - 2