Rule Update
21-003 (January 19, 2021)
DESCRIPTION
* indicates a new version of an existing rule
Deep Packet Inspection Rules:
CA ARCserve D2D Administration Interface
1010699 - Arcserve D2D External Entity Injection Vulnerability (CVE-2020-27858)
DNS Server
1010633* - Identified DNS Trojan.Linux.Anchor.A Traffic
1010632* - Identified DNS Trojan.Win64.Anchor.A Traffic
Directory Server LDAP
1010301* - Samba LDAP Server Denial Of Service Vulnerability (CVE-2020-10704)
Suspicious Client Ransomware Activity
1010597* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (Office 365 Calendar Profile)
1010596* - Identified HTTP Cobalt Strike Malleable C&C Traffic Response (YouTube Profile)
1010617* - Identified TLS Cobalt Strike Beacon (Certificate)
Suspicious Server Ransomware Activity
1010638* - Identified FTP Backdoor.Win32.Qbot.JINX Runtime Detection
Trend Micro OfficeScan
1010708* - Trend Micro OfficeScan Multiple Information Disclosure Vulnerabilities (CVE-2020-28582 and CVE-2020-28583)
Web Application Common
1000552* - Generic Cross Site Scripting (XSS) Prevention
1010727 - Mongo-Express Remote Code Execution Vulnerability (CVE-2019-10758)
Web Application Tomcat
1010688* - Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12617)
Web Client Common
1009779* - Microsoft Windows Multiple Security Vulnerabilities (June-2019)
1010716 - XStream Library Insecure Deserialization Vulnerability (CVE-2020-26217)
Web Server Apache
1010400* - Apache Httpd Mod Rewrite Open Redirects Vulnerability (CVE-2019-10098)
1010670* - Apache Struts2 Remote Code Execution Vulnerability (CVE-2020-17530)
Web Server Common
1010734 - Identified BumbleBee Webshell Traffic Over HTTP
1010477* - Java Unserialize Remote Code Execution Vulnerability - 1
Web Server HTTPS
1010718 - Joomla CMS 'mod_random_image' Stored Cross-Site Scripting Vulnerability (CVE-2020-15696)
1009968* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9513)
1009998* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9511)
1009944* - Multiple HTTP/2 Server Denial Of Service Vulnerability (CVE-2019-9512)
1010712 - WordPress 'Contact Form 7' Plugin Arbitrary File Upload Vulnerability (CVE-2020-35489)
Web Server Miscellaneous
1010662* - Atlassian Jira Information Disclosure Vulnerability (CVE-2020-14181)
1010679 - SolarWinds Network Performance Monitor 'ExportToPDF' Information Disclosure Vulnerability (CVE-2020-27870)
1010678 - SolarWinds Network Performance Monitor 'VulnerabilitySettings' Directory Traversal Vulnerability (CVE-2020-27871)
1010677 - SolarWinds Network Performance Monitor 'WriteToFile' SQL Injection Vulnerability (CVE-2020-27869)
1010717* - SolarWinds Orion Platform Authentication Bypass Vulnerability (CVE-2020-10148)
Web Server Nagios
1010696* - Nagios XI SNMP Trap SQL Injection Vulnerability
Web Server RealVNC
1010726 - LibVNCServer Denial Of Service Vulnerability (CVE-2020-25708)
Web Server SharePoint
1010702* - Microsoft SharePoint Authenticated Remote Code Execution Vulnerability (CVE-2021-1707)
1010707* - Microsoft SharePoint Remote Code Execution Vulnerability (CVE-2020-0971)
Webmin
1010704* - Webmin Arbitrary Remote Command Execution Vulnerability (CVE-2020-35606)
Integrity Monitoring Rules:
There are no new or updated Integrity Monitoring Rules in this Security Update.
Log Inspection Rules:
There are no new or updated Log Inspection Rules in this Security Update.