Rule Update

21-050 (November 16, 2021)


DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1011037 - Identified Remote System Discovery Over SMB - 1 (ATT&CK T1018)
1011027 - Identified Session Enumeration Request Over SMB (ATT&CK T1049)


Microsoft Office
1011208 - Microsoft Access Remote Code Execution Vulnerability (CVE-2021-41368)
1011095* - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-34501)


SSL Client
1011178 - MD5 Algorithm Vulnerability (CVE-2004-2761)


SolarWinds Network Performance Monitor
1011205 - SolarWinds Orion Patch Manager Insecure Deserialization Vulnerability (CVE-2021-35218)
1011203 - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-35215)


Suspicious Client Ransomware Activity
1010607* - Identified TCP Meterpreter Payload


Web Application Common
1011206 - BillQuick Web Suite SQL Injection Vulnerability (CVE-2021-42258)
1009621* - Identified Directory Traversal Sequence In HTTP Header


Web Application PHP Based
1011013* - WordPress 'Stop Spammers' Plugin Cross-Site Scripting Vulnerability (CVE-2021-24245)


Web Server Common
1010919 - SQL Injection (SQLi) Decoder


Web Server HTTPS
1011207 - Centreon 'generateImage.php' SQL Injection Vulnerability (CVE-2021-37557)
1011212 - F5 BIG-IP and BIG-IQ iControl REST Authentication Bypass Vulnerability (CVE-2021-22986)
1011204 - GitLab Remote Code Execution Vulnerability (CVE-2021-22205)
1011169* - WordPress 'Supsystic Popup' Plugin Cross-Site Scripting Vulnerability (CVE-2021-24275)
1011165* - WordPress 'Woo-Order-Export-Lite' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2021-24169)


Web Server Nagios
1011199* - Nagios XI Command Injection Vulnerability (CVE-2021-40345)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1008619* - Application - Docker
1008852* - Auditd
1004488* - Database Server - Microsoft SQL
1003802* - Directory Server - Microsoft Windows Active Directory
1003443* - Mail Server - Postfix
1010595* - Microsoft LDAP Query Execution
1003843* - Microsoft Windows Security Events
1004057* - Microsoft Windows Security Events - 1
1003987* - Microsoft Windows Security Events - 2
1008670* - Microsoft Windows Security Events - 3
1011197 - Microsoft Windows Security Events - 5
1002831* - Unix - Syslog