Rule Update
25-015 (April 15, 2025)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
DCERPC Services - Client
1004930* - Adobe Flash Player Remote Security Bypass Vulnerability Over Network Share (CVE-2012-0756)
DHCP Server
1001173* - ISC DHCPD Server Remote Stack Corruption Vulnerability
DNS Client
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow
Database MySQL
1005045* - MySQL Database Server Possible Login Brute Force Attempt (ATT&CK T1110)
Database Oracle
1000407* - Oracle Database Server Buffer Overflow In Interval And Timestamp Functions
1000840* - Oracle Database Server Generic SQL Injection Detection
Gogs
1012331 - Gogs Path Traversal Vulnerability (CVE-2024-55947)
SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
Suspicious Client Application Activity
1010770* - Identified UDP Trojan SSHDoor C&C Traffic
Suspicious Client Ransomware Activity
1010767* - Identified HTTP Backdoor Kobalos C&C Traffic
Wazuh
1012332 - Wazuh Insecure Deserialization Vulnerability (CVE-2025-24016)
Web Application Common
1012333 - Microsoft .NET Framework Information Disclosure Vulnerability (CVE-2024-29059)
1010344* - ThinkPHP Remote Code Execution Vulnerability (CVE-2019-9082 and CVE-2018-20062)
Web Application PHP Based
1012337 - GLPI SQL Injection Vulnerability (CVE-2025-24799)
1012341 - LibreNMS Stored Cross-Site Scripting Vulnerability (CVE-2025-23200)
1012265* - WordPress 'White Label CMS' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2022-0422)
Web Application Ruby Based
1005350* - Ruby On Rails JSON Parser Remote Code Execution Vulnerability
1005331* - Ruby On Rails XML Processor YAML Deserialization DoS
Web Server Common
1009889* - Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580)
1006241* - Restrict Content-Length Header Value
Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1006562* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (ATT&CK T1573.002)
Web Server IIS
1004409* - Microsoft .NET Framework ASP.NET 'Padding Oracle' Information Disclosure Vulnerability
Web Server IIS HTTPS
1006357* - Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) - 1
Web Server Miscellaneous
1006744* - Jetty Httpd HttpParser Memory Information Disclosure Vulnerability (CVE-2015-2080)
Web Server RealVNC
1008557* - RealVNC NULL Authentication Mode Bypass Vulnerability (CVE-2006-2369)
Windows SMB Server
1012318 - Identified Possible Ransomware File Rename Activity Over Network Share - 1
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Deep Packet Inspection Rules:
DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
DCERPC Services - Client
1004930* - Adobe Flash Player Remote Security Bypass Vulnerability Over Network Share (CVE-2012-0756)
DHCP Server
1001173* - ISC DHCPD Server Remote Stack Corruption Vulnerability
DNS Client
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow
Database MySQL
1005045* - MySQL Database Server Possible Login Brute Force Attempt (ATT&CK T1110)
Database Oracle
1000407* - Oracle Database Server Buffer Overflow In Interval And Timestamp Functions
1000840* - Oracle Database Server Generic SQL Injection Detection
Gogs
1012331 - Gogs Path Traversal Vulnerability (CVE-2024-55947)
SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
Suspicious Client Application Activity
1010770* - Identified UDP Trojan SSHDoor C&C Traffic
Suspicious Client Ransomware Activity
1010767* - Identified HTTP Backdoor Kobalos C&C Traffic
Wazuh
1012332 - Wazuh Insecure Deserialization Vulnerability (CVE-2025-24016)
Web Application Common
1012333 - Microsoft .NET Framework Information Disclosure Vulnerability (CVE-2024-29059)
1010344* - ThinkPHP Remote Code Execution Vulnerability (CVE-2019-9082 and CVE-2018-20062)
Web Application PHP Based
1012337 - GLPI SQL Injection Vulnerability (CVE-2025-24799)
1012341 - LibreNMS Stored Cross-Site Scripting Vulnerability (CVE-2025-23200)
1012265* - WordPress 'White Label CMS' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2022-0422)
Web Application Ruby Based
1005350* - Ruby On Rails JSON Parser Remote Code Execution Vulnerability
1005331* - Ruby On Rails XML Processor YAML Deserialization DoS
Web Server Common
1009889* - Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580)
1006241* - Restrict Content-Length Header Value
Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1006562* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Request (ATT&CK T1573.002)
Web Server IIS
1004409* - Microsoft .NET Framework ASP.NET 'Padding Oracle' Information Disclosure Vulnerability
Web Server IIS HTTPS
1006357* - Microsoft Schannel Remote Code Execution Vulnerability (CVE-2014-6321) - 1
Web Server Miscellaneous
1006744* - Jetty Httpd HttpParser Memory Information Disclosure Vulnerability (CVE-2015-2080)
Web Server RealVNC
1008557* - RealVNC NULL Authentication Mode Bypass Vulnerability (CVE-2006-2369)
Windows SMB Server
1012318 - Identified Possible Ransomware File Rename Activity Over Network Share - 1
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Featured Stories
Unveiling AI Agent Vulnerabilities Part V: Securing LLM ServicesTo conclude our series on agentic AI, this article examines emerging vulnerabilities that threaten AI agents, focusing on providing proactive security recommendations on areas such as code execution, data exfiltration, and database access.Read more
Unveiling AI Agent Vulnerabilities Part IV: Database Access VulnerabilitiesHow can attackers exploit weaknesses in database-enabled AI agents? This research explores how SQL generation vulnerabilities, stored prompt injection, and vector store poisoning can be weaponized by attackers for fraudulent activities.Read more
The Mirage of AI Programming: Hallucinations and Code IntegrityThe adoption of large language models (LLMs) and Generative Pre-trained Transformers (GPTs), such as ChatGPT, by leading firms like Microsoft, Nuance, Mix and Google CCAI Insights, drives the industry towards a series of transformative changes. As the use of these new technologies becomes prevalent, it is important to understand their key behavior, advantages, and the risks they present.Read more
Open RAN: Attack of the xAppsThis article discusses two O-RAN vulnerabilities that attackers can exploit. One vulnerability stems from insufficient access control, and the other arises from faulty message handlingRead more