Rule Update

19-043 (August 20, 2019)


DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Asterisk Server IAX2
1003583* - Asterisk IAX2 Resource Exhaustion Denial Of Service
1003778* - Digium Asterisk IAX2 Call Number Denial Of Service


DCERPC Services
1001852* - Identified Attempt To Brute Force Windows Login Credentials (ATT&CK T1110)


DHCP Failover Protocol Server
1009939 - Microsoft Windows DHCP Server Failover Denial Of Service Vulnerability (CVE-2019-1206)


DNS Client
1003329* - DNS Server Response Validation Vulnerability
1005020* - Detected Too Many DNS Responses With 'No Such Name' Error
1002596* - Generic Malicious DNS Server Detection
1002657* - Identified Too Many DNS Responses


Database MySQL
1005045* - MySQL Database Server Possible Login Brute Force Attempt (ATT&CK T1110)


Database Oracle
1004997* - Detected Too Many Oracle TNS Service Register Requests
1001832* - Oracle Database Server Possible Brute Force Attempt (ATT&CK T1110)


Database PostgreSQL
1000481* - PostgreSQL Encoded String Handling SQL Command Injection


FTP Server Common
1002413* - FTP Server Possible Brute Force Attempt (ATT&CK T1110)


Instant Messenger Applications
1002159* - Skype


Ipswitch WS_FTP Logging Server Daemon
1003789* - Ipswitch FTP Log Server Denial Of Service Vulnerability


MS-RDPEUDP2
1009940 - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1224)
1009941 - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1225)


Mail Client Miscellaneous
1001206* - IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflows
1001174* - IPSwitch IMail Client MIME Type Boundary Variable Buffer Overflow
1004314* - Identified LNK/PIF File Over SMTP
1000207* - Mozilla Thunderbird WYSIWYG Engine Filtering IFRAME JavaScript Execution


Mail Client Outlook
1000482* - Microsoft Outlook Rich Text TNEF Decoding Buffer Overflow
1000904* - Microsoft Outlook VEVENT Remote Code Execution
1000777* - Microsoft Outlook VML Rect Fill Method Buffer Overflow


Mail Client Outlook Express
1003148* - Microsoft Outlook Express Malformed MIME Message Denial Of Service
1003149* - Microsoft Outlook Express Malformed MIME Message DoS


Mail Client Windows
1003319* - Adobe Acrobat And Reader PDF File Handling Remote Code Execution Vulnerability.
1001311* - Adobe Acrobat Mailto PDF File Command Execution Vulnerability.
1001320* - CA Product AV Engine CAB Header Parsing Stack Overflow.
1001204* - IBM Lotus Notes Lotus 1-2-3 Work Sheet File Viewer Buffer Overflows.
1001310* - Microsoft DirectX WAV File Parsing Code Execution Vulnerability.
1000949* - Microsoft OLE Dialog Code Execution.
1001201* - Microsoft Office Jet DataBase Engine MDB File Parsing Buffer Overflow.
1001268* - Microsoft Outlook VML Buffer Overflow.
1001207* - Microsoft PowerPoint Malformed Data Record Code Execution.
1001231* - Microsoft PowerPoint Unspecified Code Execution.
1001232* - Microsoft Publisher Font Parsing Buffer Overflow.
1001004* - Microsoft Windows ANI File Remote Code Execution.
1000244* - Microsoft Windows EOT File Remote code execution vulnerability Client
1001190* - Microsoft Windows Explorer WMF File Denial Of Service.
1001269* - Microsoft Windows Media Format ASF Parsing Remote Code Execution (CVE-2007-0064)
1001270* - Microsoft Windows Media Player MP4 File Stack Overflow.
1000215* - Microsoft Windows PPT File Routing Slip Code Execution
1000973* - Microsoft Windows Vista Windows Mail Local File Execution
1000243* - Microsoft Windows WMF "SETABORTPROC" Code Execution.
1000240* - Microsoft Windows WMF ExtEscape and ExtCreateRegion DoS.
1001227* - Microsoft Word 2000 Unspecified Code Execution.
1001233* - Microsoft Word Code Execution Vulnerability.
1001234* - Microsoft Word Memory Corruption Remote Code Execution.
1001193* - Microsoft Word RTF Documents Parsing Remote Code Execution.
1001376* - Multiple Browser QuickTime Command Execution.
1002444* - Novell GroupWise Client mailto: Scheme Buffer Overflow


Mail Server Common
1000161* - Microsoft Windows EOT File Remote Code Execution Vulnerability
1000162* - Microsoft Windows WMF "SETABORTPROC" Arbitrary Code Execution


Mail Server Exim
1004549* - Exim Crafted Header Remote Code Execution Vulnerability


Mail Server Microsoft Exchange
1000456* - Calendar Remote Code Execution Vulnerability.
1000993* - Microsoft Exchange Malformed iCal Denial of Service
1000614* - Microsoft Exchange Server Outlook Web Access Script Injection Vulnerability
1000467* - Microsoft Exchange TNEF Decoding Buffer Overflow
1002946* - Microsoft Outlook Web Access For Exchange Server 'redir.asp' URI Redirection Vulnerability


Mail Server Miscellaneous
1000429* - E-Post SMTP "AUTH PLAIN" And "AUTH LOGIN" Command Vulnerability
1003512* - Multiple XSS Vulnerabilities In Sun Communications Express


Media Streaming Server RealServer
1003632* - Detected Too Many Malicious Outbound RealNetworks Helix Server RTSP Requests


Microsoft Office
1009854* - Microsoft Excel Remote Code Execution Vulnerability (CVE-2019-1111)
1000213* - Microsoft Excel rtSERIES, rtSIINDEX, BOOLERR Record Chart Parsing Code Execution
1009023* - Microsoft Office Graphics Remote Code Execution Vulnerability (CVE-2018-1028)
1000258* - Microsoft Office XLW File Array Index Out Of Bounds DOS Vulnerability
1009909* - Microsoft Word Remote Code Execution Vulnerability (CVE-2019-1201)


NFS Server
1003401* - Disallow Device Node Creation Over NFS


Novell GroupWise Internet Agent
1003525* - Novell GroupWise Internet Agent SMTP Command Remote Buffer Overflow


Pidgin Instant Messenger
1004013* - Pidgin Multiple Denial Of Service Vulnerabilities


Protocol MSN
1004361* - Windows Live Messenger Animation Remote Denial Of Service


SSL Client
1009915 - Identified WhatsApp Registration (ATT&CK T1102)
1009932 - Telegram Bot API Usage (Used by Telecrypt) (ATT&CK T1102)


SSL Client Applications
1009914 - Identified Github Authentication (ATT&CK T1102)


Unix Telnet
1002414* - Telnet Server Possible Brute Force Attempt (ATT&CK T1110)


VoIP Smart
1000350* - No Content in INVITE Request
1000366* - OPTIONS Method Information Disclosure
1000384* - Unauthorized INVITE and REGISTER Requests


Web Administrator Websense Email Security
1003811* - Websense Email Security And Email Manager 'STEMWADM.EXE' Remote Denial Of Service


Web Application Common
1009911 - Identified Twitter Command & Control Communication (ATT&CK T1102)


Web Application PHP Based
1006607* - Identified Drupal Password Reset Request


Web Application Tomcat
1000638* - Apache Tomcat "Tomcat Manager" Cross-Site Scripting
1000697* - Directory Listing in Apache Tomcat 5.x.x


Web Client Common
1008739* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB17-36) - 1
1009916 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 1
1009917 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 2
1009918 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 3
1009919 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 4
1009920 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 5
1009921 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 6
1009922 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 7
1009923 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 8
1009924 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB19-41) - 9
1000943* - Detect UPX Packed Executable Download (ATT&CK T1045)
1004596* - Detected Night Dragon Network Communication
1009912 - Detected Vkontakte Site Access Over HTTP (ATT&CK T1102)
1009913 - Identified Pastebin Communication (ATT&CK T1102)
1009483* - Linux APT Remote Code Execution Vulnerability (CVE-2019-3462)
1009851* - Microsoft DirectWrite Information Disclosure Vulnerability (CVE-2019-1093)
1009852* - Microsoft DirectWrite Information Disclosure Vulnerability (CVE-2019-1097)
1009933 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1155)
1009934 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1156)
1009936 - Microsoft Jet Database Engine Remote Code Execution Vulnerability (CVE-2019-1157)
1009938 - Microsoft Windows 'gdiplus' Font Parsing Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2019-1154)
1009927 - Microsoft Windows EMF Graphic Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2019-1143)
1009929 - Microsoft Windows Font Subsetting Library Double Free Remote Code Execution Vulnerability (CVE-2019-1144)
1009928 - Microsoft Windows Font Subsetting Library Out-Of-Bounds Read Information Disclosure Vulnerability (CVE-2019-1148)
1009930 - Microsoft Windows Font Subsetting Library Use-After-Free Remote Code Execution Vulnerability (CVE-2019-1145)
1009765* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2018-8472)
1009856* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1094)
1009857* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1095)
1009858* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1098)
1009859* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1099)
1009860* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1100)
1009861* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1101)
1009862* - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1116)
1009935 - Microsoft Windows GDI Information Disclosure Vulnerability (CVE-2019-1158)
1009926 - Microsoft Windows JET Database Engine Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2019-1146)
1009925 - Microsoft Windows JET Database Engine Out-Of-Bounds Write Remote Code Execution Vulnerability (CVE-2019-1147)
1009937 - Microsoft XmlLite Runtime Denial of Service Vulnerability (CVE-2019-1187)


Web Client Internet Explorer/Edge
1005202* - Microsoft Internet Explorer 'cloneNode' Use After Free Vulnerability (CVE-2012-2557)


Web Server HTTPS
1009931 - Identified HTTP/2 Traffic


Web Server IIS
1004409* - Microsoft .NET Framework ASP.NET 'Padding Oracle' Information Disclosure Vulnerability
1003671* - Microsoft ASP.NET Remote Unauthenticated Denial Of Service Vulnerability (CVE-2009-1536)
1000532* - Microsoft IIS 4.0/5.0 Malformed .htr Request Vulnerability
1000439* - Microsoft IIS Source Code Disclosure Vulnerability
1000390* - WEB-IIS .bat/.cmd remote command execution


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.