Rule Update
21-050 (November 16, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
DCERPC Services
1011037 - Identified Remote System Discovery Over SMB - 1 (ATT&CK T1018)
1011027 - Identified Session Enumeration Request Over SMB (ATT&CK T1049)
Microsoft Office
1011208 - Microsoft Access Remote Code Execution Vulnerability (CVE-2021-41368)
1011095* - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-34501)
SSL Client
1011178 - MD5 Algorithm Vulnerability (CVE-2004-2761)
SolarWinds Network Performance Monitor
1011205 - SolarWinds Orion Patch Manager Insecure Deserialization Vulnerability (CVE-2021-35218)
1011203 - SolarWinds Orion Platform Insecure Deserialization Vulnerability (CVE-2021-35215)
Suspicious Client Ransomware Activity
1010607* - Identified TCP Meterpreter Payload
Web Application Common
1011206 - BillQuick Web Suite SQL Injection Vulnerability (CVE-2021-42258)
1009621* - Identified Directory Traversal Sequence In HTTP Header
Web Application PHP Based
1011013* - WordPress 'Stop Spammers' Plugin Cross-Site Scripting Vulnerability (CVE-2021-24245)
Web Server Common
1010919 - SQL Injection (SQLi) Decoder
Web Server HTTPS
1011207 - Centreon 'generateImage.php' SQL Injection Vulnerability (CVE-2021-37557)
1011212 - F5 BIG-IP and BIG-IQ iControl REST Authentication Bypass Vulnerability (CVE-2021-22986)
1011204 - GitLab Remote Code Execution Vulnerability (CVE-2021-22205)
1011169* - WordPress 'Supsystic Popup' Plugin Cross-Site Scripting Vulnerability (CVE-2021-24275)
1011165* - WordPress 'Woo-Order-Export-Lite' Plugin Reflected Cross-Site Scripting Vulnerability (CVE-2021-24169)
Web Server Nagios
1011199* - Nagios XI Command Injection Vulnerability (CVE-2021-40345)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
1008619* - Application - Docker
1008852* - Auditd
1004488* - Database Server - Microsoft SQL
1003802* - Directory Server - Microsoft Windows Active Directory
1003443* - Mail Server - Postfix
1010595* - Microsoft LDAP Query Execution
1003843* - Microsoft Windows Security Events
1004057* - Microsoft Windows Security Events - 1
1003987* - Microsoft Windows Security Events - 2
1008670* - Microsoft Windows Security Events - 3
1011197 - Microsoft Windows Security Events - 5
1002831* - Unix - Syslog