Rule Update

19-020 (April 16, 2019)


  DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1009490* - Block Administrative Share - 1 (ATT&CK T1077,T1105)
1005293* - Prevent Windows Administrator User Login Over SMB (ATT&CK T1077)


DHCP Server
1009542* - Microsoft Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626)


Database PostgreSQL
1009614* - PostgreSQL Authenticated Arbitrary Remote Code Execution Vulnerability (CVE-2019-9193)


Microsoft Office
1009635* - Microsoft Office Multiple Security Vulnerabilities (Dec 2018)


Port Mapper FTP Client
1009558* - Remote File Copy Over FTP (ATT&CK T1105)


Suspicious Server Application Activity
1009549* - Detected Terminal Services (RDP) Server Traffic - 1 (ATT&CK T1015,T1043,T1076)


Trend Micro OfficeScan
1009608* - Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489)


Web Application Common
1009621 - Identified Directory Traversal Sequence In HTTP Header


Web Application PHP Based
1009617* - WordPress Easy SMTP Plugin Unauthenticated Arbitrary 'wp_options' Import Vulnerability
1009631* - WordPress Social Warfare Unauthenticated Settings Update Vulnerability (CVE-2019-9978)


Web Application Tomcat
1009697 - Apache Tomcat Remote Code Execution Vulnerability (CVE-2019-0232)


Web Client Common
1009555 - Google Chrome Local File Information Disclosure Vulnerability
1005676* - Identified Download Of XML File With External Entity Reference
1009619 - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-0614)


Web Server Common
1005839* - Identified XML External Entity Injection In HTTP Request
1009561* - Kubernetes API Server Denial of Service Vulnerability (CVE-2019-1002100)


Web Server IIS HTTPS
1009641 - Microsoft IIS HTTP/2 Setting Frames Denial Of Service Vulnerability (ADV190005)


Windows Services RPC Client DCERPC
1008477* - Identified Usage Of WMI Execute Methods - Client (ATT&CK T1047)


Windows Services RPC Server DCERPC
1009478* - Identified Remote Service Creation Over DCE/RPC Protocol (ATT&CK T1050)
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
1009480* - Identified WMI Query Over DCE/RPC Protocol (ATT&CK T1005)
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected (ATT&CK T1053)
1007053* - Remote Schedule Task 'Delete' Through SMBv2 Protocol Detected (ATT&CK T1053)
1007017* - Remote Schedule Task 'Run' Through SMBv2 Protocol Detected (ATT&CK T1053)


Integrity Monitoring Rules:

1009628 - AppInit DLLs (ATT&CK: T1103)
1009626 - Windows Accessibility Features - ImageFileExecution (ATT&CK: T1015,T1183)


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.