Traffic Audit Rule Library

Data.2022.10.26.010234

Source: 聚铭网络    Published: 2022-10-27

Upgrade package download: SP_005_Data.2022.10.26.010234.zip


【Rule Library Update Details】

Optimized the following security events:
USER_AGENTS Observed Suspicious UA (NSISDL/1.2 (Mozilla))|Host sent suspicious User-Agent (NSISDL/1.2 (Mozilla))
POLICY External IP Address Lookup via ifconfig .co|Host issued an ifconfig.co external IP lookup request
TROJAN ELF/Mirai Variant Momentum User-Agent Observed Inbound|Web server received a request with the Mirai trojan User-Agent Momentum
POLICY External IP Address Lookup via ident .me|Host issued an ident.me external IP lookup request
POLICY External IP Lookup (whois .pconline .com .cn)|Host issued a whois.pconline.com.cn external IP lookup request
POLICY Observed External IP Lookup Domain (api.ip .sb in TLS SNI)|Host issued an api.ip.sb domain lookup request
POLICY External IP Lookup www.trackip.net|Host issued a www.trackip.net external IP lookup request
EXPLOIT Microsoft Exchange Pre-Auth Path Confusion M1 (CVE-2021-31207)|Server targeted by an Exchange pre-authentication path bypass attack
TROJAN W32/WannaCry.Ransomware Killswitch Domain HTTP Request 1|Ransomware on host issued a killswitch domain request
EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 1 Pattern Set Inbound (CVE-2022-22965)|Web server targeted by Spring Framework RCE attack (CVE-2022-22965), Pattern set
EXPLOIT Possible Spring Cloud Connector RCE Inbound (CVE-2022-22963)|Web server targeted by Spring Cloud RCE attack (CVE-2022-22963)
EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 2 Suffix Set Inbound (CVE-2022-22965)|Web server targeted by Spring Framework RCE attack (CVE-2022-22965), Suffix set
EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 3 Directory Set Inbound (CVE-2022-22965)|Web server targeted by Spring Framework RCE attack (CVE-2022-22965), Directory set
EXPLOIT Possible SpringCore RCE/Spring4Shell Stage 4 Prefix Set Inbound (CVE-2022-22965)|Web server targeted by Spring Framework RCE attack (CVE-2022-22965), Prefix set
USER_AGENTS Observed Graftor/LoadMoney Related User-Agent|Host sent Graftor trojan User-Agent
USER_AGENTS Observed Graftor/LoadMoney Related User-Agent|Host sent Graftor trojan User-Agent
USER_AGENTS Observed Malicious User-Agent (FastInvoice)|Host sent malicious User-Agent (FastInvoice)
POLICY Suspicious Request for .bin with Terse Headers|Host issued a suspicious .bin request
MALWARE pdfspeedup Initial CnC Checkin|pdfspeedup on host issued an initial check-in request
MALWARE pdfspeedup Keep-Alive|pdfspeedup on host is in use

Removed the following security events:
External IP Lookup SSL/TLS Certificate (ifconfig .me)
Host sent suspicious User-Agent (NSISDL/1.2 (Mozilla))
Quad9 DNS over TLS certificate inbound


【Scope of Impact】

1. Upgrading is supported from any released version.
2. The device does not reboot after the upgrade completes. Occasionally the login page cannot be reached after the upgrade; refresh the login page ten minutes after upgrading.
3. After the upgrade package is applied, the product version number is unchanged and the policy library version becomes Data.2022.10.26.010234.
