Rule Update
21-039 (August 31, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1011105* - Identified File Deletion From SMB Share (ATT&CK T1070.004)
DNS Server
1011102 - PowerDNS Authoritative Server Denial of Service Vulnerability (CVE-2021-36754)
Java RMI
1011078* - Atlassian Jira and Jira Service Management Data Center Insecure Deserialization Vulnerability (CVE-2020-36239)
Remote Login Applications
1004364* - TeamViewer (ATT&CK T1219)
Web Application Common
1011108 - GitStack Remote Code Execution Vulnerability (CVE-2018-5955) - 1
1011101 - MODX Revolution Remote Code Execution Vulnerability (CVE-2018-1000207)
1009310* - Microsoft Exchange Server SSRF Vulnerability (CVE-2018-16793)
1011103 - PHPUnit Remote Code Execution Vulnerability (CVE-2017-9841)
Web Client Common
1011049* - Google Chrome V8 Type Confusion Vulnerability (CVE-2021-30551)
1010207* - Microsoft Windows Multiple Type1 Font Parsing Remote Code Execution Vulnerabilities (CVE-2020-1020 and CVE-2020-0938)
Web Server Miscellaneous
1011099* - Jenkins 'Selenium HTML report' Plugin XML External Entity Injection Vulnerability (CVE-2021-21672)
Web Server Oracle
1011096* - Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2021-2394)
Integrity Monitoring Rules:
1002900* - Application - 3CDaemon
1002998* - Application - ARCserve Backup
1002851* - Application - Apache HTTP Server
1002853* - Application - Apache Tomcat
1003364* - Application - Exim
1003200* - Application - IBM DB2
1003077* - Application - IBM Lotus Domino
1003263* - Application - IBM Tivoli Directory Server
1003363* - Application - IPSwitch iMail
1003241* - Application - Ingres Database Server
1009060* - Application - Kubernetes Cluster master
1009434* - Application - Kubernetes Cluster node
1003039* - Application - MDaemon Email Server
1003040* - Application - MailEnable
1003092* - Application - Merak Mail Server
1003063* - Application - Microsoft Exchange
1002910* - Application - Microsoft IIS
1002999* - Application - Microsoft SQL Server
1003000* - Application - MySQL
1002914* - Application - NettermFTP
1003102* - Application - Novell eDirectory
1003090* - Application - Oracle Database Server
1003105* - Application - PostgreSQL
1003380* - Application - Squid Proxy
1003139* - Application - Sun ONE Application Server
1003142* - Application - Sun ONE Directory Server
1010055* - Application - Trend Micro ApexOne Server
1003019* - Application - Trend Micro Deep Security Agent / Relay
1003020* - Application - Trend Micro Deep Security Manager
1003744* - Application - Trend Micro OfficeScan Server
1003087* - Application - Trend Micro OfficeScan client
1003131* - Application - VMware Server
1002898* - Application - WS_FTP
1003403* - Application - WU-FTPD
1002849* - Application - WarFTPD
1003391* - Application - vsftpd
1011070* - Linux/Unix - SSH authorized_keys file modified - non-root users (ATT&CK T1563.001, T1021.004, T1098.004)
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.