Rule Update

20-034 (July 21, 2020)

DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1007021* - Remote Registry Access Through SMBv2 Protocol Detected (ATT&CK T1012)


DCERPC Services - Client
1004373* - Identified DLL Side Loading Attempt Over Network Share (ATT&CK T1073)
1010106* - Identified Downloading Of PowerShell Scripts Through SMB Share (ATT&CK T1086)


DNS Client
1010352 - Data Exfiltration Over DNS (Response) Protocol (ATT&CK T1048)


LDAP Client
1009112 - PHP LDAP 'ldap_get_dn' Denial Of Service Vulnerability (CVE-2018-10548)


SAP NetWeaver Java Application Server
1010409 - Identified SAP NetWeaver AS JAVA Authentication Attempt
1010413 - SAP NetWeaver AS JAVA Directory Traversal Vulnerability (CVE-2020-6286)


Web Application Common
1010344 - ThinkPHP Remote Code Execution Vulnerability (CVE-2019-9082)


Web Application PHP Based
1010375 - WordPress 10Web Photo Gallery Plugin SQL Injection Vulnerability


Web Application Ruby Based
1010411 - Ruby On Rails Remote Code Execution Vulnerability (CVE-2020-8163)


Web Server Apache
1010400 - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)


Web Server Common
1006540* - Enable X-Forwarded-For HTTP Header Logging
1010388* - F5 BIG-IP TMUI Remote Code Execution Vulnerability (CVE-2020-5902)
1000473* - Parameter Name Length Restriction


Windows Remote Management
1009894* - Powershell Remote Command Execution Via WinRM - HTTP (Request) (ATT&CK T1028)
1010048* - WinRM Service Detected & Powershell RCE Over HTTP (ATT&CK T1028)


ZeroMQ Message Transport Protocol (ZMTP)
1010265* - SaltStack Salt Authorization Weakness Vulnerability (CVE-2020-11651)


Integrity Monitoring Rules:

1008271* - Application - Docker


Log Inspection Rules:

1008852* - Auditd
1010390 - Microsoft Windows User Logon Events