Rule Update

18-006 (January 23, 2018)


DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1003292* - Block Conficker.B++ Worm Incoming Named Pipe Connection
1004807* - Identified SMB Raw Named Pipe In Write Mode


DCERPC Services - Client
1007494* - Adobe Acrobat DLL Loading Arbitrary Code Execution Vulnerability (CVE-2016-1008)
1003293* - Block Conficker.B++ Worm Outgoing Named Pipe Connection
1004373* - Identified Microsoft DLL File Over Network Share
1007426* - Microsoft Windows DLL Loading Vulnerabilities Over Network Share (MS16-014)


Database MySQL
1005063* - Restrict MySQL Database Access


Database Oracle
1004995* - Oracle Database TNS Listener Poison Attack Vulnerability


FTP Server Common
1003784* - FTP Server Restrict Executable File Uploads
1005461* - Identified FTP Connection Without AUTH Command


HP Intelligent Management Center (IMC)
1008806 - HPE Intelligent Management Center FileUploadServlet Directory Traversal Vulnerability (CVE-2017-5794)


HP Intelligent Management Center Dbman
1008790 - HPE Intelligent Management Center dbman Opcode 10012 Use-After-Free Remote Code Execution Vulnerability (CVE-2017-12561)


Mail Server Exim
1008758* - Exim Unix Mailer Multiple Security Vulnerabilities


Microsoft Office
1004853* - Identified Suspicious Microsoft Office Files With Embedded Font
1005615* - Identified Suspicious Usage Of Shellcode In Microsoft Office Files
1004647* - Restrict Microsoft Office File With Embedded SWF
1005158* - Restrict Microsoft Office Files With Embedded SWF - 2


Novell File Reporter (NFR) Agent
1005260* - Novell File Reporter SRS XML Server Request With Path Element Detected


Oracle Tuxedo JOLT
1008845 - Oracle Tuxedo Remote Security Vulnerability (CVE-2017-10269)


Suspicious Client Application Activity
1005067* - Identified Potentially Harmful Client Traffic
1005283* - Identified Potentially Malicious RAT Traffic - I
1005299* - Identified Potentially Malicious RAT Traffic - III
1005300* - Identified Potentially Malicious RAT Traffic - IV
1005473* - Identified Potentially Malicious RAT Traffic - V


Suspicious Server Application Activity
1005090* - Identified Potentially Harmful Server Traffic


Unix SSH
1000798* - Unix OpenSSH sshd Identical Blocks DoS


Web Application Common
1004888* - Restrict Number Of Parameters In HTTP Request


Web Application PHP Based
1005465* - Identified Access To WordPress Sensitive Files
1006021* - Joomla JCE Extension Multiple Vulnerabilities
1000208* - SquirrelMail IMAP Command Injection Vulnerability
1000209* - SquirrelMail SMTP Command Injection Vulnerability
1006432* - WordPress Slider Revolution Responsive/Showbiz Pro Responsive Teaser Multiple Security Bypass Vulnerabilities


Web Client Common
1008833 - Foxit Reader JPEG2000 Out-Of-Bounds Read Information Disclosure Vulnerabilities
1005389* - Identified Suspicious Download Of Executable File Over HTTP
1004900* - Identified Suspicious Microsoft Office Files With Embedded Objects


Web Client Internet Explorer/Edge
1004339* - Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability


Web Server Common
1008724* - Trend Micro SafeSync For Enterprise 'device_id' 'role' Command Injection Vulnerability
1008723* - Trend Micro SafeSync For Enterprise Command Injection Vulnerability


Web Server Miscellaneous
1008673 - IBM Informix Open Admin Tool Heap Buffer Overflow Vulnerability (CVE-2017-1092)


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

There are no new or updated Log Inspection Rules in this Security Update.