Rule Update
DPI and other rule update information: 20-061 (December 8, 2020)
December 8, 2020
Overview
* indicates a new version of an existing rule.
DPI (Deep Packet Inspection) rules:
DCERPC Services
1010164* - Identified Possible Ransomware File Extension Create Activity Over Network Share
1007596* - Identified Possible Ransomware File Extension Rename Activity Over Network Share
1007598* - Identified Possible Ransomware File Rename Activity Over Network Share
1010101* - Identified Usage Of PAExec Command Line Tool (ATT&CK T1035)
1006906* - Identified Usage Of PsExec Command Line Tool (ATT&CK T1035)
1010652 - Microsoft Windows SMB2 Server Information Disclosure Vulnerability (CVE-2020-17140)
1010653 - Microsoft Windows SMB2 Server Remote Code Execution Vulnerability (CVE-2020-17096)
1008179* - Restrict File Extensions For Rename Activity Over Network Share
DCERPC Services - Client
1007913* - Identified Possible Ransomware File Extension Rename Activity Over Network Share - Client
1007912* - Identified Possible Ransomware File Rename Activity Over Network Share - Client
DHCP Server
1009542* - Microsoft Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0626)
Database Microsoft SQL
1010643 - Microsoft SQL Database Server Possible Login Brute Force Attempt
Dynamics 365 Client Services
1010656 - Microsoft Dynamics 365 Commerce Remote Code Execution Vulnerabilities (CVE-2020-17152 and CVE-2020-17158)
HP Intelligent Management Center (IMC)
1009902* - HPE Intelligent Management Center 'perfSelectTask' Expression Language Injection Vulnerability (CVE-2019-5385)
NFS Server
1010605* - Microsoft Windows Network File System NLM RPC Message Information Disclosure Vulnerability (CVE-2020-17056)
Redis Server
1009967* - Redis Unauthenticated Code Execution Vulnerability
Remote Desktop Protocol Server
1007969* - Identified Suspicious Remote Desktop Protocol (RDP) Brute Force Attempt (ATT&CK T1110)
1009343* - Identified Too Many SSL Alert Messages In SSLv3 Over RDP (ATT&CK T1032)
Suspicious Client Application Activity
1008946* - Heuristic Detection Of Suspicious Digital Certificate (ATT&CK T1032)
Suspicious Server Application Activity
1001164* - Detected Terminal Services (RDP) Server Traffic
1010647 - Identified HTTP Backdoor.Win32.Cobalt.SMHP C&C Traffic Request
TFTP Server
1009365* - Microsoft Windows Deployment Services TFTP Server Remote Code Execution Vulnerability (CVE-2018-8476)
Web Application Common
1010648 - Wordpress Woody Ad Snippets Plugin Remote Code Execution Vulnerability (CVE-2019-15858)
Web Application PHP
1009395* - PHP 'imap_open()' Remote Code Execution Vulnerability (CVE-2018-19518)
1009776 - WordPress Comment Field Remote Code Execution Vulnerability (CVE-2019-9787)
Web Client Common
1010646 - Adobe Acrobat And Reader Use After Free Vulnerability (CVE-2020-24437)
1010645 - Atlassian Confluence Server 'HTML Include And Replace Macro' Plugin Cross Site Scripting Vulnerability (CVE-2019-15053)
1010657 - Microsoft Windows PE File Signature Spoofing Vulnerability (CVE-2020-1599)
Web Server Adobe ColdFusion
1009897* - Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload Vulnerability (CVE-2019-7838)
1009387* - Adobe ColdFusion Remote File Upload Vulnerability (CVE-2018-15961)
Web Server Miscellaneous
1010347* - Eclipse Jetty Chunk Length Parsing Integer Overflow Vulnerability (CVE-2017-7657)
1009942* - GNOME 'libsoup' HTTP Chunked Encoding Remote Code Execution Vulnerability (CVE-2017-2885)
1010649 - Microsoft Windows Exchange Memory Corruption Vulnerability (CVE-2020-17144)
Web Server Oracle
1010590* - Oracle WebLogic Server Remote Code Execution Vulnerabilities (CVE-2020-14882, CVE-2020-14750 and CVE-2020-14883)
1009806* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2647)
1009898* - Oracle Weblogic Server Remote Code Execution Vulnerability (CVE-2019-2648)
Web Server SharePoint
1010655 - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-17121)
Windows SMB Server
1009511* - Microsoft Windows SMB Remote Code Execution Vulnerability (CVE-2019-0630)
Zoho ManageEngine
1009399* - Zoho ManageEngine OpManager 'oputilsServlet' Authentication Bypass (CVE-2018-17283)
1009955* - Zoho ManageEngine OpManager Unauthenticated Remote Command Execution Vulnerability (CVE-2019-15106)
Integrity Monitoring rules:
This security update does not include any new Integrity Monitoring rules or rule updates.
Log Inspection rules:
1003473* - FTP Server - Vsftpd
1002795* - Microsoft Windows Events
1008670* - Microsoft Windows Security Events - 3
1010541* - Netlogon Elevation Of Privilege Vulnerability (Zerologon) (CVE-2020-1472)