Rule Update

21-041 (September 14, 2021)

DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

Web Application Common
1011124 - Ghostscript Remote Code Execution Vulnerability (Sep 2021)


Web Client Common
1009440* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB18-41) - 4
1011129 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 1
1011127 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 2
1011130 - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-55) - 3
1011128 - Adobe Acrobat And Reader Type Confusion Vulnerability (CVE-2021-39841)
1011125 - Ghostscript Remote Code Execution Vulnerability (Sep 2021) - 1


Web Server Common
1011109* - Nagios XI 'Switch.inc.php' Command Injection Vulnerability (CVE-2021-37344)
1011113 - Nagios XI Remote Command Injection Vulnerability (CVE-2021-37346)


Web Server Miscellaneous
1011117* - Atlassian Confluence Server Remote Code Execution Vulnerability (CVE-2021-26084)


Web Server Oracle
1011083 - Oracle Business Intelligence 'BIRemotingServlet' Insecure Deserialization Vulnerability (CVE-2021-2456)
1011086 - Oracle Business Intelligence 'Scheduler' Remote Code Execution Vulnerability (CVE-2021-2391)
1011084 - Oracle Business Intelligence 'UpdateConnectionServlet' Remote Code Execution Vulnerability (CVE-2021-2396)
1011085* - Oracle Business Intelligence Arbitrary File Upload Vulnerability (CVE-2021-2392)
1011081* - Oracle Business Intelligence Publisher XML External Entity Injection Vulnerability (CVE-2021-2401)


Integrity Monitoring Rules:

1005711* - Application - Apache Hadoop
1003388* - Application - CacheFS
1008271* - Application - Docker
1003166* - Application - IBM WebSphere Application Server
1003333* - Application - Kerberos
1003381* - Application - Mailman
1003339* - Application - NFS
1003360* - Application - Network Information Server
1003370* - Application - OpenSSL
1003167* - Application - Oracle Bea WebLogic Server
1003374* - Application - PHP
1003359* - Application - Portmapper
1003375* - Application - Postfix
1003334* - Application - Samba
1003386* - Application - VNC Server
1003385* - Application - Xorg-x / XFree86 / Xfree86 / Xorg-x11
1007295* - Application - chrony
1003338* - Application - mountd
1003361* - Application - rstatd
1003372* - Application - telnetd
1003357* - Application - vixie-cron
1002788* - Microsoft Windows - 'ActiveX Compatibility' registry keys modified (ATT&CK T1112)
1002773* - Microsoft Windows - 'Hosts' file modified
1009626* - Microsoft Windows - Accessibility features registry keys or files modified (ATT&CK T1546.008, T1546.012)
1005195* - Microsoft Windows - Attributes of log file modified (ATT&CK T1222.001, T1070)
1002767* - Microsoft Windows - Attributes of system32 directory modified
1003367* - Microsoft Windows - DHCP server files directory and service modified (ATT&CK T1036.003, T1222.001)
1002869* - Microsoft Windows - DNS Server (ATT&CK T1584.002, T1554)
1002783* - Microsoft Windows - Default Debugger changed
1002780* - Microsoft Windows - Installed software attributes modified (ATT&CK T1195.002, T1554)
1002786* - Microsoft Windows - Microsoft hotfixes registry keys modified (ATT&CK T1112)
1002775* - Microsoft Windows - Network configuration files modified
1002787* - Microsoft Windows - Registry values of event log modified (ATT&CK T1562.002, T1070.001)
1002778* - Microsoft Windows - System .dll or .exe files modified (ATT&CK T1036.003, T1222.001)
1002777* - Microsoft Windows - System configuration file modified
1003517* - Microsoft Windows - System driver files modified
1006076* - Microsoft Windows - Task scheduler entries modified (ATT&CK T1053.005)
1008257* - Microsoft Windows - USB storage device detected (ATT&CK T1092, T1052.001)
1006803* - TMTR-0001: Suspicious Files Detected In Operating System Directories (ATT&CK T1560.001)
1006802* - TMTR-0003: Suspicious Files Detected In Operating System Directories (ATT&CK T1560.001)
1006805* - TMTR-0009: Suspicious Files Detected In System Folder (ATT&CK T1560.001)
1006804* - TMTR-0010: Suspicious Files Detected In System Folder (ATT&CK T1560.001)
1006658* - TMTR-0012: Suspicious Files Detected In Temporary Directories (ATT&CK T1560.001)
1006677* - TMTR-0013: Suspicious Files Detected In Windows Folder (ATT&CK T1560.001)
1006683* - TMTR-0016: Suspicious Running Processes Detected (ATT&CK T1560.001)
1007210* - TMTR-0018: Suspicious Files Detected In User Profile Directory (ATT&CK T1560.001)
1007216* - TMTR-0021: Suspicious Files Detected In System Drive (ATT&CK T1560.001)
1007217* - TMTR-0022: Suspicious Files Detected In Recycle Bin (ATT&CK T1560.001)
1008684* - Threat - BADRABBIT
1005041* - Threat - Suspicious Microsoft Windows Files Detected
1005042* - Threat - Suspicious Microsoft Windows Registry Entries Detected
1006544* - Threat - Suspicious Microsoft Windows Superfish Detected
1008385* - Threat - WannaCry
1010855* - Vulnerability - Microsoft Exchange - HAFNIUM Targeted Vulnerabilities
1010266* - Vulnerability - SaltStack Vulnerabilities Exploitation Detected
1010138* - Vulnerability - Trend Micro Apex One And OfficeScan Directory Traversal Vulnerability (CVE-2019-9489)
1010515* - Vulnerability - Trend Micro ServerProtect For Linux Command Execution Vulnerability (CVE-2020-24561)


Log Inspection Rules:

1008852* - Auditd
1010558* - Auditd - Mitre ATT&CK TA0005: Defense Evasion
1010002* - Microsoft PowerShell Command Execution (ATT&CK T1059.001)
1003843* - Microsoft Windows Security Events
1004057* - Microsoft Windows Security Events - 1
1008670* - Microsoft Windows Security Events - 3