Rule Update
20-039 (August 11, 2020)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
ActiveMQ OpenWire
1010428 - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)
DCERPC Services
1010426 - Identified Domain-Level Account Discovery Over SMB (ATT&CK T1087)
1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069)
1010430 - Identified Remote System Discovery Over SMB (ATT&CK T1018)
Directory Server LDAP
1010433 - Identified Remote System Discovery Over LDAP (ATT&CK T1018)
1010350* - VMware vCenter Server Access Control Bypass Vulnerability (CVE-2020-3952)
HP Intelligent Management Center (IMC)
1010425* - Apache OFBiz Cross-Site Scripting Vulnerability (CVE-2020-1943)
1009947* - HPE Intelligent Management Center Various Expression Language Injection Vulnerabilities
Port Mapper Windows
1001033* - Windows Port Mapper Decoder
Suspicious Server Ransomware Activity
1010438 - Ransomware Foxware
Unix SSH
1005748* - Multiple SSH Connections Detected (ATT&CK T1498.001, T1110)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1005402* - Identified Suspicious User Agent In HTTP Request
1010199* - Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability (CVE-2020-0618)
1010423* - Primetek Primefaces Remote Code Execution Vulnerability (CVE-2017-1000486)
Web Client Common
1010435 - FFmpeg Heap-based Buffer Overflow Vulnerability (CVE-2020-12284)
1004715* - HTTP Web Client Decoding
1010436 - LibTIFF LZWDecode Null Pointer Dereference Vulnerability (CVE-2018-18661)
1010446 - Microsoft Windows 'hevcdecoder_store' HEIC File Parsing Out-Of-Bounds Read Vulnerability (ZDI-20-906)
Web Client Internet Explorer/Edge
1010442 - Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2020-1567)
1010441 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
1010439 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)
Web Server Common
1010178* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15981)
1010443 - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)
Windows Services RPC Server DCERPC
1010431 - Identified Remote System Discovery Over LSARPC (ATT&CK T1018)
ZohoCorp ManageEngine Desktop Central
1010407 - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)
1010197* - Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability (CVE-2020-10189)
Integrity Monitoring Rules:
1003019* - Trend Micro Deep Security Agent / Relay
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1008852* - Auditd
1002815* - Authentication Module - Unix Pluggable Authentication Module
Deep Packet Inspection Rules:
ActiveMQ OpenWire
1010428 - Apache ActiveMQ Unsafe Deserialization Vulnerability (CVE-2015-5254)
DCERPC Services
1010426 - Identified Domain-Level Account Discovery Over SMB (ATT&CK T1087)
1009703* - Identified Domain-Level Permission Groups Discovery Over SMB (ATT&CK T1069)
1010430 - Identified Remote System Discovery Over SMB (ATT&CK T1018)
Directory Server LDAP
1010433 - Identified Remote System Discovery Over LDAP (ATT&CK T1018)
1010350* - VMware vCenter Server Access Control Bypass Vulnerability (CVE-2020-3952)
HP Intelligent Management Center (IMC)
1010425* - Apache OFBiz Cross-Site Scripting Vulnerability (CVE-2020-1943)
1009947* - HPE Intelligent Management Center Various Expression Language Injection Vulnerabilities
Port Mapper Windows
1001033* - Windows Port Mapper Decoder
Suspicious Server Ransomware Activity
1010438 - Ransomware Foxware
Unix SSH
1005748* - Multiple SSH Connections Detected (ATT&CK T1498.001, T1110)
Web Application Common
1000552* - Generic Cross Site Scripting(XSS) Prevention
1005402* - Identified Suspicious User Agent In HTTP Request
1010199* - Microsoft SQL Server Reporting Services Remote Code Execution Vulnerability (CVE-2020-0618)
1010423* - Primetek Primefaces Remote Code Execution Vulnerability (CVE-2017-1000486)
Web Client Common
1010435 - FFmpeg Heap-based Buffer Overflow Vulnerability (CVE-2020-12284)
1004715* - HTTP Web Client Decoding
1010436 - LibTIFF LZWDecode Null Pointer Dereference Vulnerability (CVE-2018-18661)
1010446 - Microsoft Windows 'hevcdecoder_store' HEIC File Parsing Out-Of-Bounds Read Vulnerability (ZDI-20-906)
Web Client Internet Explorer/Edge
1010442 - Microsoft Internet Explorer Remote Code Execution Vulnerability (CVE-2020-1567)
1010441 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1380)
1010439 - Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability (CVE-2020-1570)
Web Server Common
1010178* - Cisco Data Center Network Manager Directory Traversal Vulnerability (CVE-2019-15981)
1010443 - rConfig 'Devicemgmt.php' Cross-Site Scripting Vulnerability (CVE-2020-12256)
Windows Services RPC Server DCERPC
1010431 - Identified Remote System Discovery Over LSARPC (ATT&CK T1018)
ZohoCorp ManageEngine Desktop Central
1010407 - Zoho ManageEngine Desktop Central AppDependency Arbitrary File Write Vulnerability (CVE-2020-10859)
1010197* - Zoho ManageEngine Desktop Central Remote Code Execution Vulnerability (CVE-2020-10189)
Integrity Monitoring Rules:
1003019* - Trend Micro Deep Security Agent / Relay
Log Inspection Rules:
1002828* - Application - Secure Shell Daemon (SSHD)
1008852* - Auditd
1002815* - Authentication Module - Unix Pluggable Authentication Module
Featured Stories
Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more