Rule Update
17-001 (January 10, 2017)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
BIND RNDC
1008099 - ISC BIND rndc Control Channel Denial Of Service Vulnerability (CVE-2016-1285)
DCERPC Services
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1008119 - Microsoft Windows Local Security Authority Subsystem Service (LSASS) Denial Of Service Vulnerability (CVE-2017-0004)
DCERPC Services - Client
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
DNS Client
1008053* - ISC BIND DNAME Answer Handling Denial Of Service Vulnerability (CVE-2016-8864)
1007740* - ISC BIND Multiple DNS Cookies Denial Of Service Vulnerability (CVE-2016-2088)
1008085 - Nginx DNS UDP Packet Handler Crash Denial Of Service Vulnerability (CVE-2016-0742)
DNS Server
1008092 - ISC BIND Assertion Failure Denial Of Service Vulnerability (CVE-2016-2848)
1008105 - PowerDNS Authoritative Server Long Qname Denial Of Service Vulnerability (CVE-2016-5426)
Directory Server LDAP
1007360 - IBM Domino LDAP Server Remote Execution Vulnerability (CVE-2015-0117)
1007932* - Microsoft Windows Remote Code Execution Vulnerability (CVE-2016-3368)
ISC LightWeight DNS Resolver
1008100 - ISC BIND Long Name Query DOS Vulnerability (CVE-2016-2775)
Microsoft Office
1008116 - Microsoft Office Memory Corruption Vulnerability (CVE-2017-0003)
NTP Server Linux
1008040* - NTP AutoKey Malicious Message Multiple Denial Of Service Vulnerabilities
1007383* - NTP Configuration Directive File Overwrite Vulnerability (CVE-2015-7703)
1008086 - NTP Daemon CRYPTO_NAK Denial Of Service Vulnerability (CVE-2016-4957)
1008048* - NTP Mrulist Malicious Query Denial Of Service Vulnerability (CVE-2016-7434)
Novell GroupWise Admin Service
1006822* - Novell Groupwise "poLibMaintenanceFileSave" Security Bypass Vulnerability
SSL Client
1008088 - GnuTLS Libtasn1 ASN.1 DER Infinite Loop Denial Of Service Vulnerability (CVE-2016-4008) - Client
SSL/TLS Server
1008089 - GnuTLS Libtasn1 ASN.1 DER Infinite Loop Denial Of Service Vulnerability (CVE-2016-4008) - Server
Suspicious Client Ransomware Activity
1007704* - Ransomware Network Traffic - 1
Web Application Common
1008050 - ImageMagick Out Of Bounds Array Indexing Denial Of Service Vulnerability (CVE-2016-7799)
1008046 - ImageMagick SGI Coder Out Of Bounds Read Vulnerability (CVE-2016-7101)
Web Application PHP Based
1008096 - Identified Drupal Core system.temporary Information Disclosure Vulnerability
1008118 - Identified Suspicious Upload Of WordPress Plugin
1008038* - PHP GC ZipArchive Class Use After Free Vulnerability (CVE-2016-5773)
Web Client Common
1008049 - ImageMagick Out Of Bounds Array Indexing Denial Of Service Vulnerability (CVE-2016-7799) - 1
1008047 - ImageMagick SGI Coder Out Of Bounds Read Vulnerability (CVE-2016-7101) - 1
1007427* - Microsoft Windows DLL Loading Vulnerabilities Over WebDAV (MS16-014)
1008067* - Microsoft Windows Uniscribe Remote Code Execution Vulnerability (CVE-2016-7274)
Web Server Miscellaneous
1008001* - MongoDB Javascript Injection Collection Enumeration Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1003802* - Directory Server – Microsoft Windows Active Directory