Rule Update

21-006 (February 9, 2021)


* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Apache Zookeeper
1010756 - Apache Zookeeper Denial Of Service Vulnerability (CVE-2017-5637)

DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share

DNS Client
1010766 - Identified Non Existing DNS Resource Record (RR) Types In DNS Traffic

Directory Server LDAP
1010754 - Microsoft Windows NTLM Elevation Of Privilege Vulnerability Over LDAP (CVE-2019-1040)

1010745* - Memcached 'process_bin_sasl_auth' Integer Overflow Vulnerability (CVE-2016-8706)

Suspicious Client Application Activity
1010770 - Identified UDP Trojan SSHDoor C&C Traffic

Suspicious Client Ransomware Activity
1010767 - Identified HTTP Backdoor Kobalos C&C Traffic

Suspicious Server Ransomware Activity
1010749 - Radmin Server Remote Control Session Setup (ATT&CK T1219)

Web Application Common
1010750* - Zend Framework Deserialization Remote Code Execution Vulnerability (CVE-2021-3007)

Web Client Common
1010760 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 1
1010765 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-09) - 2
1010757 - Microsoft Windows Denial Of Service Vulnerability (CVE-2006-7210)
1010768 - Microsoft Windows Embedded NTFS '$i30' Attribute Vulnerability
1010758 - Microsoft Windows Group Convertor DLL Hijacking Vulnerability (CVE-2010-3139)

Web Server Apache
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)

Web Server Common
1010737 - CMS Made Simple 'Showtime2' Reflected Cross Site Scripting Vulnerability (CVE-2020-20138)
1010736 - Cisco Data Center Network Manager Authentication Bypass Vulnerability (CVE-2019-15977)
1010762 - Identified Kubernetes API Server LoadBalancer Status Patch Request
1007185* - Java Unserialize Remote Code Execution Vulnerability
1010725* - Pi-Hole Remote Command Execution Vulnerability (CVE-2020-8816)

Web Server HTTPS
1010712* - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)

Web Server Oracle
1010752* - Oracle Coherence Server T3 Protocol Insecure Deserialization Vulnerability (CVE-2020-14756)

Web Server SharePoint
1010747 - Identified Microsoft SharePoint GetRolesAndPermissionsForSite Request (ATT&CK T1589.002, T1589.003, T1087)
1010746 - Identified Microsoft SharePoint GetUserInfo Request (ATT&CK T1589.002, T1589.003, T1087)
1010764 - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-24072)

Integrity Monitoring Rules:

1009626* - Windows Accessibility Features - ImageFileExecution (ATT&CK T1015,T1183)

Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.