Overview

* indicates a new version of an existing rule.

DPI (Deep Packet Inspection) rules:

DCERPC Services
1007134* - Batch File Uploaded On Network Share (ATT&CK T1021.002, T1204.002)
1007064* - Executable File Uploaded On System32 Folder Through SMB Share (ATT&CK T1021.002, T1204.002)
1007114* - Portable Executable File Uploaded On SMB Share (ATT&CK T1021.002, T1204.002)
1007020* - Remote CreateService Request Detected Through SMBv1 Protocol (ATT&CK T1543.003)
1007035* - Remote DeleteService Request Through SMBv1 Detected (ATT&CK T1543.003)
1007069* - Remote Service Execution Through SMBv1 Detected (ATT&CK T1569.002)


DNS Client
1002988* - Multiple Vendors libspf2 DNS TXT Record Parsing Buffer Overflow


File Sharing Applications
1007608* - Amazon Cloud Drive (ATT&CK T1102.002, T1567.002)
1007605* - BOX (ATT&CK T1102.002, T1567.002)
1004707* - Dropbox (ATT&CK T1102.002, T1567.002)
1002472* - FTP Client (ATT&CK T1048.003, T1071.002)
1007463* - Microsoft OneDrive (ATT&CK T1102.002, T1567.002)


Instant Messenger Applications
1002103* - AOL Instant Messenger (ATT&CK T1102.002)
1004663* - IP Messenger (ATT&CK T1102.002)
1002507* - Jabber (ATT&CK T1102.002)
1003067* - MSN Instant Message URL Blocker (ATT&CK T1102.002)
1002162* - MSN Messenger (ATT&CK T1102.002)
1002462* - MSN Messenger File Transfers (ATT&CK T1102.002)
1004941* - QQ Messenger (ATT&CK T1102.002)


Mail Client Applications
1001112* - SMTP Client (ATT&CK T1071.003)


Remote Login Applications
1002508* - RDP (ATT&CK T1021.001)


SSL Client
1006561* - Identified Usage Of TLS/SSL EXPORT Cipher Suite In Response (ATT&CK T1573.002)


SSL/TLS Server
1006293* - Detected SSLv3 Request (ATT&CK T1573.002)
1006297* - Identified CBC Based Cipher Suite In SSLv3 Response (ATT&CK T1573.002)
1006311* - Identified Too Many SSL Alert Messages In SSLv3 Traffic (ATT&CK T1573.002)


Suspicious Application Activity (Client)
1001162* - Detected HTTP Client Traffic (ATT&CK T1071.001)
1005324* - Detected SSLv2 Response (ATT&CK T1573.002)
1005401* - Identified Suspicious HTTP Traffic (ATT&CK T1071.001)


Suspicious Application Activity (Server)
1003594* - Detected SSL/TLS Server Traffic (ATT&CK T1573.002)
1005321* - Detected SSLv2 Request (ATT&CK T1573.002)
1002378* - Detected Virtual Network Computing (VNC) Server Traffic (ATT&CK T1021.005)


Trend Micro OfficeScan
1011057 - Trend Micro Multiple Products Arbitrary File Upload Vulnerability (CVE-2021-36741)


Web Application Common
1011047* - WordPress 'Modern Events Calendar' Plugin Remote Code Execution Vulnerability (CVE-2021-24145)
1011056* - WordPress 'SP Project & Document Manager' Plugin Remote Code Execution Vulnerability (CVE-2021-24347)
1011038* - Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability (CVE-2021-20081)


Web Application PHP
1011045 - WordPress 'Modern Events Calendar Lite' Plugin Improper Access Control Vulnerability (CVE-2021-24146)


Web Client Common
1011032* - Adobe Acrobat And Reader Multiple Security Vulnerabilities (APSB21-51)
1009407* - Detected Suspicious DLL Side Loading Attempt Over WebDAV (ATT&CK T1574.002)
1006442* - Identified Suspicious Obfuscated JavaScript - 2 (ATT&CK T1203, T1001)
1011054* - Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-31206)
1011065 - Microsoft Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
1004302* - Microsoft Windows Shortcut Remote Code Execution


Web Server Common
1007213* - Disallow Upload Of A Class File (ATT&CK T1190)
1007212* - Disallow Upload Of An Archive File (ATT&CK T1190)


Web Server HTTPS
1006741* - Identified SSL/TLS Diffie-Hellman Key Exchange Using Weak Parameters Server (ATT&CK T1573.002)
1011050* - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2021-34523)
1011072 - Microsoft Exchange Server Security Feature Bypass Vulnerability (CVE-2021-31207)
1011046 - rConfig 'vendor.crud.php' Arbitrary File Upload Vulnerability


Web Server SharePoint
1011051* - Microsoft SharePoint Server Remote Code Execution Vulnerability (CVE-2021-34520)


Zoho ManageEngine
1011062 - Zoho ManageEngine Applications Manager Cross Site Scripting Vulnerability (CVE-2021-31813)


Zoho ManageEngine ADSelfService Plus
1011064 - Zoho ManageEngine ADSelfService Plus Remote Code Execution Vulnerability (CVE-2021-28958)


Integrity Monitoring rules:

1009643* - Linux/Unix - bash command history cleared (ATT&CK T1059.004)


Log Inspection rules:

This security update contains no new or updated Log Inspection rules.