Rule Update

16-018 (June 14, 2016)


  DESCRIPTION

* indicates a new version of an existing rule

Deep Packet Inspection Rules:

DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1007070* - Remote PWDUMP Through SMBv1 Protocol Detected


Microsoft Office
1007667 - Microsoft Office Information Disclosure Vulnerability (CVE-2016-3234)
1007663 - Microsoft Office Memory Corruption Vulnerability (CVE-2016-0025)
1007666 - Microsoft Office Memory Corruption Vulnerability (CVE-2016-3233)
1007059* - Microsoft Office Remote Code Execution Vulnerability (CVE-2015-2545)


Suspicious Client Application Activity
1007534 - Ransomware Crydap
1007578* - Ransomware CryptFile
1007579* - Ransomware HTTP Request
1007581* - Ransomware Lectool


Suspicious Server Application Activity
1007580* - Ransomware HTTP Request-1
1007582* - Ransomware Lectool-1


Symantec Alert Management System
1003488* - Multiple Symantec Products Intel Common Base Agent Remote Command Execution Vulnerability


Web Application PHP Based
1007272* - PHP SPL ArrayObject Use After Free Vulnerability


Web Client Common
1007638* - Adobe Flash Player Type Confusion Overflow Vulnerability (CVE-2016-4117)
1007563* - Adobe Flash Player Use After Free Vulnerability (CVE-2016-1011)
1005753* - IBM Java Multiple Vulnerabilities
1007644 - Identified Download Of Suspicious SCT File Over HTTP
1007698 - Microsoft Windows ATMFD.DLL Elevation Of Privilege Vulnerability (CVE-2016-3220)
1007668 - Microsoft Windows Graphics Component Information Disclosure Vulnerability (CVE-2016-3216)
1007664 - Microsoft Windows PDF Information Disclosure Vulnerability (CVE-2016-3201)
1007659 - Microsoft Windows PDF Information Disclosure Vulnerability (CVE-2016-3215)
1007486* - Microsoft Windows PDF Library Remote Code Execution Vulnerability (CVE-2016-0117)
1007665 - Microsoft Windows PDF Remote Code Execution Vulnerability (CVE-2016-3203)
1007296 - Oracle Data Quality Trillium Based Set Basic Preview Data Type Remote Code Execution Vulnerability (CVE-2015-4759)


Web Client Internet Explorer/Edge
1007662 - Microsoft Edge Memory Corruption Vulnerability (CVE-2016-3222)
1007661 - Microsoft Edge Scripting Engine Memory Corruption Vulnerability (CVE-2016-3199)
1007660 - Microsoft Edge Security Feature Bypass Vulnerability (CVE-2016-3198)
1007652 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-0199)
1007653 - Microsoft Internet Explorer Memory Corruption Vulnerability (CVE-2016-0200)
1007654 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-3205)
1007655 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-3206)
1007656 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-3207)
1007657 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2016-3210)


Web Server Common
1000128* - HTTP Protocol Decoding
1007651 - Identified Absence Of Configured CDN/Reverse Proxy HTTP Header


Web Server IIS
1000389* - Microsoft IIS 5.0 .printer ISAPI Extension Buffer Overflow Vulnerability


Windows Services RPC Server DCERPC
1007054* - Remote Schedule Task 'Create' Through SMBv2 Protocol Detected


Integrity Monitoring Rules:

There are no new or updated Integrity Monitoring Rules in this Security Update.


Log Inspection Rules:

1003447* - Web Server - Apache