Rule Update
19-046 (September 10, 2019)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
Asterisk RTP Protocol
1009953 - Digium Asterisk PJSIP In-Dialog MESSAGE Request Denial-of-Service (CVE-2019-12827)
DCERPC Services
1003292* - Block Conficker.B Worm Incoming Named Pipe Connection
DCERPC Services - Client
1003293* - Block Conficker.B Worm Outgoing Named Pipe Connection
DNS Client
1008203* - DNSMessenger Malware C&C Traffic Over DNS Protocol
HP Intelligent Management Center (IMC)
1009962 - HPE Intelligent Management Center 'IctTableExportToCSVBean' Expression Language Injection Vulnerability (CVE-2019-5370)
1009956 - HPE Intelligent Management Center 'PlatNavigationToBean' URL Expression Language Injection Vulnerability (CVE-2019-5387)
1009902 - HPE Intelligent Management Center 'perfSelectTask' Expression Language Injection Vulnerability (CVE-2019-5385)
1009947* - HPE Intelligent Management Center Multiple Expression Language Injection Vulnerabilities (CVE-2019-11941 and CVE-2019-11943)
HP Intelligent Management Center Dbman
1009959 - HPE Intelligent Management Center 'dbman' Opcode Denial Of Service Vulnerability (CVE-2018-7123)
MS-RDPEUDP2
1009940* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1224)
1009941* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1225)
Redis Server
1009949* - Redis Integer Overflow Vulnerability (CVE-2018-11219)
Remote Desktop Protocol Server
1009448* - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt
SSL Client
1007384* - TLS1.2 Signature Hash Algorithm Downgrade Attack Used In SLOTH - Client
SSL/TLS Server
1007379* - TLS1.2 Signature Hash Algorithm Downgrade Attack Used In SLOTH - Server
Suspicious Server Application Activity
1008492* - Identified SambaShell C&C Traffic
1005910* - Identified ntpd 'monlist' Query Reflected Denial Of Service Attack
Web Application Common
1009594* - Apache httpd 'mod_md' Null Pointer Dereference Vulnerability (CVE-2018-8011)
1009946* - Atlassian JIRA Template Injection Remote Code Execution Vulnerability (CVE-2019-11581)
1006823* - Identified Suspicious Command Injection Attack - 1
1009966 - ImageMagick Out-Of-Bounds Access Vulnerability (CVE-2019-10714) - 1
1002684* - Mass Hack Script Insertion Attack
1002433* - Mass SQL Injection Script Insertion Attack
1002743* - Mass SQL Injection Script Insertion Attack 2
Web Client Common
1009972 - Adobe Flash Player Same Origin Bypass Vulnerability (CVE-2019-8069)
1009973 - Adobe Flash Player Use After Free Vulnerability (CVE-2019-8070)
1004315* - Identified Malicious PDF Document - 3
1004305* - Identified Suspicious Compiled HTML(chm) File
1009965 - ImageMagick Out-Of-Bounds Access Vulnerability (CVE-2019-10714)
1002144* - JavaScript IFRAME Redirect Script Insertion Vulnerability
1002048* - JavaScript Redirect Script Insertion Vulnerability
1003693* - Mass Compromise Using Malicious iFrame
1002519* - Storm Botnet Redirect Script Insertion Vulnerability
Web Server Adobe ColdFusion
1009893* - Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload Vulnerability (CVE-2019-7816)
Web Server Apache
1009963 - Apache httpd 'mod_remoteip' Buffer Overflow Vulnerability (CVE-2019-10097)
Web Server Common
1009889* - Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580)
1007872* - HTTP Proxy Header Injection Vulnerabilities
1000193* - Null Byte Path Traversal Vulnerability
Web Server HTTPS
1009944* - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
Web Server SharePoint
1009971 - Microsoft SharePoint Multiple Remote Code Execution Vulnerabilities (Sep-2019)
Web Server Squid
1009943* - Squid Proxy HttpHeader 'getAuth' Heap Buffer Overflow Vulnerability (CVE-2019-12527)
Windows Services RPC Server DCERPC
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
Zoho ManageEngine
1009950* - Zoho ManageEngine OpManager Authenticated Code Execution Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.
Deep Packet Inspection Rules:
Asterisk RTP Protocol
1009953 - Digium Asterisk PJSIP In-Dialog MESSAGE Request Denial-of-Service (CVE-2019-12827)
DCERPC Services
1003292* - Block Conficker.B Worm Incoming Named Pipe Connection
DCERPC Services - Client
1003293* - Block Conficker.B Worm Outgoing Named Pipe Connection
DNS Client
1008203* - DNSMessenger Malware C&C Traffic Over DNS Protocol
HP Intelligent Management Center (IMC)
1009962 - HPE Intelligent Management Center 'IctTableExportToCSVBean' Expression Language Injection Vulnerability (CVE-2019-5370)
1009956 - HPE Intelligent Management Center 'PlatNavigationToBean' URL Expression Language Injection Vulnerability (CVE-2019-5387)
1009902 - HPE Intelligent Management Center 'perfSelectTask' Expression Language Injection Vulnerability (CVE-2019-5385)
1009947* - HPE Intelligent Management Center Multiple Expression Language Injection Vulnerabilities (CVE-2019-11941 and CVE-2019-11943)
HP Intelligent Management Center Dbman
1009959 - HPE Intelligent Management Center 'dbman' Opcode Denial Of Service Vulnerability (CVE-2018-7123)
MS-RDPEUDP2
1009940* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1224)
1009941* - Microsoft Windows RDP Server Information Disclosure Vulnerability (CVE-2019-1225)
Redis Server
1009949* - Redis Integer Overflow Vulnerability (CVE-2018-11219)
Remote Desktop Protocol Server
1009448* - Microsoft Windows Remote Desktop Protocol (RDP) Brute Force Attempt
SSL Client
1007384* - TLS1.2 Signature Hash Algorithm Downgrade Attack Used In SLOTH - Client
SSL/TLS Server
1007379* - TLS1.2 Signature Hash Algorithm Downgrade Attack Used In SLOTH - Server
Suspicious Server Application Activity
1008492* - Identified SambaShell C&C Traffic
1005910* - Identified ntpd 'monlist' Query Reflected Denial Of Service Attack
Web Application Common
1009594* - Apache httpd 'mod_md' Null Pointer Dereference Vulnerability (CVE-2018-8011)
1009946* - Atlassian JIRA Template Injection Remote Code Execution Vulnerability (CVE-2019-11581)
1006823* - Identified Suspicious Command Injection Attack - 1
1009966 - ImageMagick Out-Of-Bounds Access Vulnerability (CVE-2019-10714) - 1
1002684* - Mass Hack Script Insertion Attack
1002433* - Mass SQL Injection Script Insertion Attack
1002743* - Mass SQL Injection Script Insertion Attack 2
Web Client Common
1009972 - Adobe Flash Player Same Origin Bypass Vulnerability (CVE-2019-8069)
1009973 - Adobe Flash Player Use After Free Vulnerability (CVE-2019-8070)
1004315* - Identified Malicious PDF Document - 3
1004305* - Identified Suspicious Compiled HTML(chm) File
1009965 - ImageMagick Out-Of-Bounds Access Vulnerability (CVE-2019-10714)
1002144* - JavaScript IFRAME Redirect Script Insertion Vulnerability
1002048* - JavaScript Redirect Script Insertion Vulnerability
1003693* - Mass Compromise Using Malicious iFrame
1002519* - Storm Botnet Redirect Script Insertion Vulnerability
Web Server Adobe ColdFusion
1009893* - Adobe ColdFusion CFFILE Upload Action Unrestricted File Upload Vulnerability (CVE-2019-7816)
Web Server Apache
1009963 - Apache httpd 'mod_remoteip' Buffer Overflow Vulnerability (CVE-2019-10097)
Web Server Common
1009889* - Atlassian Crowd Remote Code Execution Vulnerability (CVE-2019-11580)
1007872* - HTTP Proxy Header Injection Vulnerabilities
1000193* - Null Byte Path Traversal Vulnerability
Web Server HTTPS
1009944* - Microsoft Windows HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
Web Server SharePoint
1009971 - Microsoft SharePoint Multiple Remote Code Execution Vulnerabilities (Sep-2019)
Web Server Squid
1009943* - Squid Proxy HttpHeader 'getAuth' Heap Buffer Overflow Vulnerability (CVE-2019-12527)
Windows Services RPC Server DCERPC
1009604* - Identified Usage Of WMI Execute Methods - Server - 1 (ATT&CK T1047)
Zoho ManageEngine
1009950* - Zoho ManageEngine OpManager Authenticated Code Execution Vulnerability
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.