2016 SIEM Content and Parsing Updates - McAfee

Table of Contents

SIEM Data Sources: January 21, 2016; February 10, 2016; February 16, 2016; February 26, 2016; March 25, 2016; June 2, 2016; June 8, 2016; July 19, 2016; August 04, 2016; August 11, 2016; August 15, 2016; September 1, 2016; September 2, 2016; September 26, 2016; October 12, 2016; October 13, 2016; November 7, 2016; November 10, 2016; November 11, 2016; December 2, 2016

SIEM Custom Types: October 13, 2016; October 25, 2016

SIEM Parsing Rules: January 8, 2015; January 12, 2016; January 13, 2016; January 21, 2016; January 22, 2016; January 25, 2016; January 29, 2016; January 29, 2016; February 4, 2016; February 8, 2016; February 10, 2016; February 11, 2016; February 16, 2016; February 17, 2016; February 19, 2016; February 23, 2016; February 24, 2016; February 25, 2016; February 26, 2016; February 29, 2016; March 2, 2016; March 3, 2016; March 7, 2016; March 8, 2016; March 9, 2016; March 11, 2016; March 14, 2016; March 16, 2016; March 17, 2016; March 18, 2016; March 21, 2016; March 24, 2016; March 25, 2016; March 29, 2016; March 30, 2016; March 31, 2016; April 01, 2016; April 04, 2016; April 07, 2016; April 08, 2016; April 21, 2016; April 26, 2016; May 3, 2016; May 5, 2016; May 5, 2016; May 9, 2016; May 11, 2016; May 16, 2016; May 18, 2016; May 23, 2016; May 24, 2016; May 25, 2016; May 26, 2016; May 27, 2016; June 2, 2016; June 06, 2016; June 08, 2016; June 13, 2016; June 15, 2016; June 17, 2016; June 20, 2016; June 23, 2016; June 28, 2016; June 30, 2016; July 07, 2016; July 08, 2016; July 11, 2016; July 12, 2016; July 13, 2016; July 15, 2016; July 19, 2016; July 22, 2016; July 25, 2016; August 02, 2016; August 04, 2016; August 11, 2016; August 15, 2016; August 22, 2016; August 24, 2016; September 1, 2016; September 2, 2016; September 15, 2016; September 19, 2016; September 23, 2016; September 26, 2016; October 5, 2016; October 12, 2016; October 13, 2016; October 25, 2016; October 28, 2016; November 2, 2016; November 7, 2016; November 9, 2016; November 10, 2016; November 11, 2016; December 2, 2016; December 5, 2016; December 14, 2016; December 15, 2016; December 16, 2016

Content Packs: February 3, 2016; February 4, 2016; February 18, 2016; April 13, 2016; April 18, 2016; May 20, 2016; May 31, 2016; June 2, 2016; July 12, 2016; August 9, 2016; September 15, 2016; September 27, 2016; September 30, 2016; November 2, 2016

IPS Rules: January 12, 2016; January 14, 2016; January 15, 2016; February 9, 2016; March 8, 2016; March 17, 2016; March 23, 2016; April 13, 2016; May 20, 2016

SIEM Data Sources

January 21, 2016
New Data Source

Vendor: SSH Communications Security
Product: CryptoAuditor
Collector: Syslog
Parser: ASP
Device ID: 554
Version: ESM 9.4.1 and above
Notes:

February 10, 2016
New Data Source

Vendor: IBM
Product: ISS SiteProtector - LEEF
Collector: Syslog
Parser: ASP
Device ID: 555
Version: ESM 9.5.0 and above
Notes: Parses LEEF formatted events received over syslog.

February 16, 2016
New Data Source

Vendor: Microsoft
Product: Internet Authentication Service - Database Compatible Format
Collector: File Pull / Syslog
Parser: ASP
Device ID: 556
Version: ESM 9.5.2 and above
Notes: Parses database-compatible formatted log files. Parsed events use signature IDs associated with data source ID 407.

February 26, 2016
Modified Data Source

Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 470
Version: ESM 9.4.2 and above
Notes: Updated to support pulling Audit events from Oracle 12c.

New Data Source

Vendor: Prevoty
Product: Prevoty
Collector: Syslog
Parser: ASP
Device ID: 557
Version: ESM 9.5.1 and above
Notes: Syslog support requires the use of Log4j on Prevoty.

March 25, 2016
New Data Source

Vendor: Wurldtech
Product: OpShield
Collector: Syslog
Parser: ASP
Device ID: 558
Version: ESM 9.4.1 and above
Notes:

June 2, 2016
New Data Source

Vendor: Interset
Product: Interset
Collector: Syslog
Parser: ASP
Device ID: 560
Version: ESM 9.5.1 and above
Notes: Requires Interset version 4.1 or greater.

June 8, 2016
New Data Source

Vendor: Globalscape
Product: Globalscape EFT
Collector: MEF
Parser: ASP
Device ID: 561
Version: ESM 9.4.1 and above
Notes:

New Data Source

Vendor: Blue Coat
Product: Reporter
Collector: File
Parser: ASP
Device ID: 562
Version: ESM 9.5.0 and above
Notes: Added support for Blue Coat Reporter 9.5.1 Cloud Access logs.

July 19, 2016
New Data Source

Vendor: PhishMe
Product: PhishMe Intelligence
Collector: Syslog
Parser: ASP
Device ID: 563
Version: ESM 9.5.0 and above

August 04, 2016
New Data Source

Vendor: Malwarebytes
Product: Breach Remediation
Collector: Syslog
Parser: ASP
Device ID: 564
Version: ESM 9.5.0 and above
Notes: CEF format is supported.

August 11, 2016
New Data Source

Vendor: Malwarebytes
Product: Management Console
Collector: Syslog
Parser: ASP
Device ID: 565
Version: ESM 9.5.0 and above
Notes: Management Console version 1.7, part of Malwarebytes Enterprise Endpoint Security, sends security events generated by Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit running on managed endpoints. CEF formatted syslog is supported by ESM.

August 15, 2016
New Data Sources

Vendor: CyberArk
Product: Privileged Threat Analytics
Collector: Syslog
Parser: ASP
Device ID: 566
Version: ESM 9.5.0 and above
Notes: CEF format is supported from PTA version 3.1.

September 1, 2016
New Data Sources

Vendor: Skyhigh Networks
Product: Cloud Security Platform
Collector: Syslog
Parser: ASP
Device ID: 567
Version: ESM 9.5.1 and above
Notes: Requires Skyhigh Enterprise Connector. CEF format is supported. Skyhigh version 2.2 and above is supported by ESM.

Vendor: Niara
Product: Niara
Collector: Syslog
Parser: ASP
Device ID: 568
Version: ESM 9.5.0 and above
Notes: Niara version 1.5 and above is supported by ESM.

Vendor: TrapX Security
Product: DeceptionGrid
Collector: Syslog
Parser: ASP
Device ID: 569
Version: ESM 9.5.0 and above
Notes:

September 2, 2016
New Data Sources

Vendor: Attivo Networks
Product: BOTsink
Collector: Syslog
Parser: ASP
Device ID: 570
Version: ESM 9.5.0 and above
Notes: Requires BOTsink version 3.3 or above.

Vendor: PhishMe
Product: PhishMe Triage
Collector: Syslog
Parser: ASP
Device ID: 571
Version: ESM 9.5.1 and above
Notes:

September 26, 2016
Updated Data Sources

Vendor: McAfee
Product: ePolicy Orchestrator (SiteAdvisor)
Collector: SQL
Parser: ASP
Device ID: 357
Version: ESM 9.4.1 and above
Notes: The SQL configuration was updated to report the HostName and HostIP fields belonging to the host running the SiteAdvisor client.

October 12, 2016
New Data Sources

Vendor: Fortscale
Product: Fortscale UEBA
Collector: Syslog
Parser: ASP
Device ID: 572
Version: ESM 9.5.0 and above
Notes:

October 13, 2016
New Data Source

Vendor: ThreatConnect
Product: ThreatConnect Threat Intelligence Platform
Collector: Syslog
Parser: ASP
Device ID: 573
Version: ESM 9.5.0 and above
Notes:

November 7, 2016
New Data Sources

Vendor: McAfee
Product: Endpoint Security Platform (ePO)
Collector: SQL
Parser: ASP
Device ID: 574
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Firewall (ePO)
Collector: SQL
Parser: ASP
Device ID: 575
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Threat Prevention (ePO)
Collector: SQL
Parser: ASP
Device ID: 576
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

Vendor: McAfee
Product: Endpoint Security Web Control (ePO)
Collector: SQL
Parser: ASP
Device ID: 577
Version: ESM 9.5.0 and above
Notes: Data source coupled with ePO.

November 10, 2016
Updated Data Sources

Vendor: Oracle
Product: Oracle Audit - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 470
Version: ESM 9.4.2 and above
Notes: The SQL configuration was updated to pull Unified Audit events from version 12c when mixed mode reporting is disabled and Unified Auditing is specifically enabled.

November 11, 2016
Updated Data Sources

Vendor: McAfee
Product: ePolicy Orchestrator (HIPS)
Collector: SQL
Parser: ASP
Device ID: 357
Version: ESM 9.4.1 and above
Notes: The SQL configuration was updated to collect the Local Port and Remote Port fields from the HIPS tables in ePO.

December 2, 2016
Updated Data Sources

Vendor: Symantec
Product: Critical System Protection - SQL Pull (ASP)
Collector: SQL
Parser: ASP
Device ID: 103
Version: ESM 9.6.0 and above
Notes: The SQL configuration was updated to collect events from newer versions of Data Center Security, including version 6.7. The data source name was also updated to Data Center Security (CSP) - SQL Pull.

SIEM Custom Types

October 13, 2016
New Custom Types

Field Name: Device_Confidence
Data Type: Unsigned Integer
Event Field: 24
Indexed: Yes
ESM Version: 9.2.0 and above

October 25, 2016
New Custom Types

Field Name: Total_Bytes
Data Type: Accumulator
Event Field: 3
Indexed: Yes
ESM Version: 9.2.0 and above

SIEM Parsing Rules

January 8, 2015
Modified Rules

Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.0 and above
Parsing rules 43-263051360, 43-2630513700, and 43-263051410 were updated to map the Object GUID and Correlation ID from the log to the Object_GUID and Instance_GUID fields in the ESM.

Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.1 and above
Data Source rules 525-3186621865, 525-3768867276, 525-3260456963, 525-2089798990, 525-2353735580, and 525-2242864416 were added to the Advanced Threat Defense rule set.

January 12, 2016
New Rules

Vendor: Juniper Networks
Data Source: JUNOS Router (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068405 and 1068406 were added to the JUNOS Router (ASP) rule set.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rules 43-402000130, 43-403000000, 43-404000030, 43-405005020, 43-405005010, 43-406133970, 43-407009000, 43-407010660, 43-408100000, 43-409245760, 43-410002580, 43-411006540, 43-412050500, 43-412058550, and 43-412092020 were added to the Windows Event Log - WMI rule set.

January 13, 2016
Modified Rules

Vendor: Vormetric
Data Source: Data Security (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1055606 was updated to add key to Registry_Key, and faked usernames to User_Nickname. Normalization was also updated.

New Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.5.0 and above
Parsing rule 43-413000000 was added to the Windows Event Log - WMI rule set to parse events from the Vasco Identikey authentication server.

January 21, 2016
Modified Rules

Vendor: Microsoft
Data Source: Microsoft Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Parsing rule 43-294011160 was updated to map the filename to the Filename field in the ESM.

Vendor: Fortinet
Data Source: FortiGate UTM
Affected Versions: ESM 9.4.0 and above
Parsing rules 1067976 and 1067977 were updated to include 'edit' in the action map.

Vendor: Cisco
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM 9.5.1 and above
Parsing rule 1067511 was updated to map the CVE reference from the log to the Vulnerability_References field in the ESM.

New Rules

Vendor: SSH Communications Security
Data Source: CryptoAuditor
Affected Versions: ESM 9.4.1 and above
Parsing rule 1068487 was added to the CryptoAuditor rule set.

January 22, 2016
Modified Rules

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.3.0 and above
Data source rule messages were updated to reflect changes made by the McAfee NSM.

January 25, 2016
New Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rule 43-265010850 was added to the Windows Event Log - WMI rule set to parse event 1085 from the Microsoft-Windows-GroupPolicy source.

Modified Rules

Vendor: Microsoft
Data Source: Forefront Threat Management Gateway / ISA Server - W3C (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1034545 was updated to account for optional ports at the end of source and destination IPs. Denied was added to the action map, which maps the action from the log to the Event Subtype field in the ESM.

January 29, 2016
New Rules

Vendor: Cisco
Data Source: Meraki
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068487 through 1068491 were added to the Meraki rule set.

January 29, 2016
Modified Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Parsing rules 43-216070220, 43-216070230, 43-216070240, 43-216070260, 43-216070310, 43-216070320, 43-216070330, and 43-216070340 were updated to parse and capture the service name into the ESM field Service_Name, where they previously parsed it into Application. The rules also parse the following additional data from the logs: error code into the ESM field Status, event count into the ESM field Count, device action into the ESM field Device_Action, and time for corrective actions into the ESM field Response_Time.

Vendor: F5 Networks
Data Source: BIG-IP Application Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1056805, 1056806, 1036218, 1036219, and 1036220 were updated to parse the PID from the logs.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager - LTM (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1067701, 1012944, 1012946, 1012945, 1067702, and 1012948 were updated to parse the PID from the logs into the ESM field PID. Rule 1012948 was also updated to capture the instance GUID from the logs into the ESM field instance_GUID for ESM versions 9.4.1 and above.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1064618 was updated to parse changes made to the event in newer versions of FortiGate UTM.

New Rules

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068492 through 1068499 were added to the Cisco PIX/ASA/FWSM rule set.

Vendor: F5 Networks
Data Source: BIG-IP Local Traffic Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068500 through 1068547 were added to the BIG-IP Local Traffic Manager (ASP) rule set.

Vendor: Fortinet
Data Source: FortiGate UTM - Space delimited (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068548 and 1068549 were added to the FortiGate UTM rule set.

February 4, 2016
New Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules were added to the Windows Event Log - WMI rule set to support Terminal Services and Remote Desktop Services events.

Modified Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.1.0 and above
Parsing rules 43-323002020, 43-323003030, and 43-323003040 have updated normalization from Authentication -> User Account to Network Access -> Connection/Session. Parsing rules 43-323005300, 43-323005310, 43-323005320, and 43-323005330 have updated normalization from Authentication -> Login to Application -> Configuration Status.

February 8, 2016
New Rules

Vendor: Cisco
Data Source: PIX/ASA/FWSM - ASP
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068550 through 1068555 were added to the PIX/ASA/FWSM - ASP rule set.

Modified Rules

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.1.0 and above
Multiple rules were updated to modify the parsing of the date and time from Cisco events.

February 10, 2016
Modified Rules

Vendor: Checkpoint
Data Source: Checkpoint - ASP
Affected Versions: ESM 9.3.0 and above
Parsing rules were updated to prioritize an IPv4 address, when one exists in the logs, for capture into the ESM field NAT_Details.NAT_Address.

Vendor: Enterasys Networks
Data Source: Enterasys Network Access Control (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1016999 was modified to account for the new format of the State field in the logs.

New Rules

Vendor: IBM
Data Source: ISS SiteProtector - LEEF
Affected Versions: ESM 9.5.0 and above
Parsing rule 1068601 was added to the ISS SiteProtector - LEEF rule set.

February 11, 2016
Modified Rules

Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.0 and above
Parsing rules 1051818, 1056620, 1056621, 1056622, and 1056623 were updated to handle logs where no source IP is present.

Vendor: Microsoft
Data Source: SharePoint (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1026507 through 1026648 were updated to enhance hostname parsing.

New Rules

Vendor: Microsoft
Data Source: SharePoint (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068603, 1068604, and 1068605 were added to the SharePoint (ASP) rule set.

February 16, 2016
Modified Rules

Vendor: Microsoft
Data Source: Internet Authentication Service - Formatted (ASP)
Affected Versions: ESM 9.5.2 and above
Parsing rule 1034046 was updated to map the Nas ID, Nas IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

Vendor: Microsoft
Data Source: Internet Authentication Service - XML (ASP)
Affected Versions: ESM 9.5.2 and above
Parsing rule 1031688 was updated to map the Nas ID, Nas IP, Client-IP-Address, Framed IP Address, Called Station ID, Calling Station ID, Class Data, and Computer Name fields in the log to the External Device Name, Device IP, Source IP, Destination MAC, Source MAC, Destination IP, and Destination Host fields in the ESM. The Messages and Signature IDs have been updated to reflect the packet type and reason code from the logs.

New Rules

Vendor: Microsoft
Data Source: Internet Authentication Service - Database Compatible Format
Affected Versions: ESM 9.5.2 and above
Parsing rule 1068606 was added to the Internet Authentication Service - Database Compatible Format rule set.

February 17, 2016
New Rules

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
1566 data source rules were added to the Network Security Manager (ASP) rule set.

February 19, 2016
Modified Rules

Vendor: Juniper Networks
Data Source: Juniper Secure Access / MAG (ASP)
Affected Versions: ESM 8.2.0 and above
Parsing rule 1008031 was updated to account for a spelling error in the Secure Access log, and will match on either Occured or Occurred.

February 23, 2016
New Rules

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Added new data source rules 305-4219029, 305-4528462, 305-4528531, 305-4528532, 305-4528533, 305-4528534, 305-4528535, 305-4528536, 305-4528537, 305-4528538, 305-4528539, 305-4528541, 305-4528542, 305-4528543, 305-4528544, 305-4528545, 305-4528546, 305-4528547, 305-4526718, 305-4527546, 305-4528549, 305-4528548, 305-4576105, 305-4206723, 305-4206724, 305-4206725, 305-4206726, 305-4206727, 305-4206728, 305-4206717, 305-4223213, 305-4528384, 305-4528416, 305-4528431, 305-4528512, 305-4211033, 305-4215039, 305-4219028, 305-4440236, 305-4440237, 305-4527993, 305-4528099, 305-4528202, 305-4528334, 305-4528338, 305-4528339, 305-4528340, 305-4528341, 305-4528355, 305-4528399, 305-4528413, 305-4567061, 305-4576107, 305-4677737, 305-4739464, 305-4739604, 305-4739612, 305-4739613, 305-4739697, 305-4739701, 305-4739708, 305-4739709, 305-4739711, 305-4739739, 305-4739740, 305-4739763, 305-4739787, 305-4739788, 305-4739800, 305-4739805, 305-4739807, 305-4739808, 305-4739823, 305-4739830, 305-4528342, 305-4528343, 305-4528344, 305-4528368, 305-4528376, 305-4528377, 305-4528378, 305-4528379, 305-4528381, 305-4528382, 305-4528383, 305-4528393, 305-4528394, 305-4528395, 305-4528397, 305-4528398, 305-4528411, 305-4528412, 305-4528414, 305-4528417, 305-4528418, 305-4528420, 305-4528421, 305-4528430, 305-4528433, 305-4528434, 305-4528435, 305-4528459, 305-4528461, 305-4571255, 305-4571256, and 305-4735896 to the McAfee Network Security Manager (ASP) data source.

Modified Rules

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Updated the normalization for data source rules 305-4528507, 305-4528508, 305-4528509, 305-4528510, 305-4528514, 305-4528515, 305-4528516, 305-4528517, 305-4528519, 305-4528520, 305-4528525, 305-4528526, 305-4528527, 305-4528528, 305-4528529, 305-4528530, 305-4528550, 305-4528551, 305-4528552, 305-4528553, 305-4528554, 305-4528555, 305-4528556, 305-4528557, 305-4528558, 305-4528559, 305-4528560, 305-4528561, 305-4528562, 305-4528563, 305-4528564, 305-4528565, 305-4528567, 305-4528568, 305-4528570, 305-4528571, 305-4528572, 305-4528573, 305-4528574, 305-4528575, 305-4528576, 305-4528578, and 305-4735171 for the McAfee Network Security Manager (ASP) data source.

February 24, 2016
New Rules

Vendor: RioRey
Data Source: DDOS Protection
Affected Versions: ESM 9.4.0 and above
Parsing rule 1068607 was added to the RioRey DDOS Protection rule set.

Modified Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.2.0 and above
Parsing rules 43-263046970, 43-263047680, 43-263047690, 43-263047700, 43-263047710, and 43-263047720 were updated to map Service Name and File Name from the logs to Service_Name and Filename in the ESM. In some cases Service Name from the logs was previously mapped to Application in the ESM.

February 25, 2016
Modified Rules

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1052665 was updated with a severity value of 10 and will parse Source IP, Source Port, Destination IP, Destination Port, and Protocol from the logs to Source IP, Source Port, Destination IP, Destination Port, and Protocol in the ESM.

February 26, 2016
New Rules

Vendor: Cisco
Data Source: NX-OS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068608 through 1068610 were added to the Cisco NX-OS (ASP) rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1068611 was added to the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: Prevoty
Data Source: Prevoty
Affected Versions: ESM 9.5.1 and above
Parsing rules 1068612 through 1068615 were added to the Prevoty rule set.

Modified Rules

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1021971 was updated to support the Console service in addition to Log and Maintenance on the Cooper Power Systems Cybectec RTU (ASP) rule set.

Vendor: McAfee
Data Source: McAfee Host Data Loss Prevention (ePO)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1050406, 1039681, and 1039682 were updated to include the product family name of Data Loss Prevention in the adsid map and regular expression matches.

February 29, 2016
Modified Rules

Vendor: InterSect Alliance
Data Source: Snare for Windows (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1011177 was updated to map the Subject Account Name, New Logon Account Name, New Logon Logon ID, Subject Logon ID, New Logon Security ID, New Logon Account Domain, Package Name, Failure Reason, and Failure Information Status from the log to the Destination Username, Source Username, Source_Logon_ID, Destination_Logon_ID, Security_ID, Domain, Version, Message_Text, and Status fields in the ESM. The changes were made to improve reporting for event IDs 4624, 4625, 4675, 4648, 4634, 4647, 4649, 4778, 4779, 4800, 4801, 4802, 4803, 5378, 5632, 4672, and 4694.

March 2, 2016
Modified Rules

Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1042178 and 1042179 were updated to include the following additional categories: '220 : Security:Compromised Websites', '221 : Extended Protection:Newly Registered Websites', '222 : Collaboration - Office', '223 : Collaboration - Office:Office - Mail', '224 : Collaboration - Office:Office - Drive', '225 : Collaboration - Office:Office - Documents', '226 : Collaboration - Office:Office - Apps', '227 : Information Technology:Web Analytics', '228 : Information Technology:Web and Email Marketing'. Rule 1055661 was updated to enhance auto learning for the Websense - CEF, Key Value Pair (ASP) data source.

Vendor: Websense
Data Source: Websense Enterprise - SQL Pull (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1042178, 1042179, and 1018095 were updated to include the following additional categories: '220 : Security:Compromised Websites', '221 : Extended Protection:Newly Registered Websites', '222 : Collaboration - Office', '223 : Collaboration - Office:Office - Mail', '224 : Collaboration - Office:Office - Drive', '225 : Collaboration - Office:Office - Documents', '226 : Collaboration - Office:Office - Apps', '227 : Information Technology:Web Analytics', '228 : Information Technology:Web and Email Marketing' for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: Websense
Data Source: Websense Enterprise - SQL Pull (ASP)
Affected Versions: ESM 9.2.0 and above
Normalization was updated for Data Source Rules 1029, 1030, 1031, 1035, 1037, 1040, 1041, 1052, 1053, 1054, 1057, 1060, 1061, 1293, 1296, 1310, 1313, 1537, 1553, 2179658656, and 2546160569 for the Websense Enterprise - SQL Pull (ASP) data source.

Vendor: LOGbinder
Data Source: LOGbinder (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1055294, 1055300, 1055306, 1055307, 1055308, 1055310, 1055311, 1055312, 1055314, 1055316, 1055318, 1055319, 1055320, 1055322, 1055327, 1055328, 1055331, 1055337, 1055338, 1055340, 1055341, 1055342, 1055343, 1055344, 1055347, 1055352, 1055353, 1055355, 1055356, 1055357, 1055361, 1055362, 1055363, 1055367, 1055368, 1055369, 1055370, 1055371, 1055372, 1055373, 1055374, 1055375, 1055376, 1055377, 1055378, 1055379, 1055380, 1055381, 1055382, 1055384, 1055387, 1055389, 1055392, 1055394, 1055395, 1055397, 1055399, 1055402, 1055403, 1055404, 1055409, 1055410, 1055411, 1055415, 1055416, 1055417, 1055418, 1055419, 1055420, 1055421, 1055422, 1055423, 1055434, 1055435, 1055436, 1055438, 1055439, 1055441, 1055442, 1055443, 1055445, 1055446, 1055447, 1055448, 1055450, 1055451, 1055452, 1055453, 1055454, 1055455, 1055456, 1055457, 1055458, 1055459, 1055460, 1055461, 1055462, 1055463, 1055464, 1055465, 1055466, 1055467, 1055468, 1055469, 1055470, 1055471, 1055472, 1055473, 1055474, 1055475, 1055476, 1055477, 1055478, 1055479, 1055480, 1055481, 1055482, 1055483, 1055484, 1055485, 1055486, 1055487, 1055488, 1055489, 1055490, 1055491, 1055492, 1055493, 1055494, 1055495, 1055496, 1055497, 1055498, 1055499, 1055500, 1055501, 1055502, 1055503, 1055504, 1055505, 1055506, 1055507, 1055508, 1055509, 1055510, 1055511, 1055512, 1055513, 1055514, 1055515, 1055516, 1055517, 1055518, 1055519, 1055520, 1055521, 1055522, 1055523, 1055524, 1055525, 1055526, 1055527, 1055528, 1055529, 1055530, 1055531, 1055532, 1055533, 1055534, 1055535, 1055536, 1055537, 1055538, 1055539, 1055540, 1055541, 1055556, 1055557, 1055558, 1055559, 1055560, 1055561, 1055562, 1055568, 1055569, and 1055570 were updated to map the Statement from the log to the SQL_Statement field in the ESM.
Parsing rules 1055306 through 1055308, 1055369 through 1055378, 1055402 through 1055404, 1055409, and 1055415 through 1055421 were updated to map the Target Object Type from the log to the Object_Type field in the ESM. Parsing rules 1055353, 1055369, 1055370, 1055371, 1055373, 1055374, 1055375, 1055376, 1055377, 1055378, 1055382, 1055384, 1055387, 1055389, 1055392, 1055394, 1055397, 1055399, 1055402, 1055403, 1055404, 1055409, 1055410, 1055411, 1055415, 1055416, 1055417, 1055418, 1055419, 1055420, 1055421, 1055422, 1055423, 1055434 through 1055436, 1055441 through 1055443, 1055445 through 1055448, and 1055450 were updated to map the Target Object Name from the log to the Object field in the ESM.

March 3, 2016
Modified Rules

Vendor: Fortinet
Data Source: FortiManager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1037921 through 1038258, and 1064559 through 1064562 were updated to improve username parsing.

Vendor: Kaspersky
Data Source: Administration Kit - SQL Pull (ASP)
Affected Versions: ESM 9.2.1 and above
Parsing rule 1048681 was updated to capture Threat Name from the logs into Threat Name in the ESM.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.2.0 and above
Parsing rule 43-263047810 was updated to parse Old Account Name and New Account Name from the logs into Old Value and New Value in the ESM.

March 7, 2016Modified Rules

Vendor: LOGbinderData Source: LOGbinder (ASP)Affected Versions: ESM 9.4.0 and aboveParsing rules 1068616 through 1068618, were added to the LOGbinder - LOGbinder (ASP) data source.

March 8, 2016Modified Rules

Vendor: Palo Alto NetworksData Source: Palo Alto Firewalls (ASP)Affected Versions: ESM 9.2.0 and aboveParsing rules 1010436 and 1012909 were updated to map the Threat_ID and Threat_Severity from the logs to the Incident_ID and Object fieldsrespectively in the ESM.

March 9, 2016New Rules

Vendor: Cooper Power SystemsData Source: Cybectec RTU (ASP)Affected Versions: ESM 9.4.0 and aboveParsing rule 1068643 was added to the Cybectec RTU (ASP) data source.

Modified RulesVendor: CitrixData Source: NetScaler (ASP)Affected Versions: ESM 9.2.0 and aboveParsing rules 1009227, 1009228, 1009232, 1009233, 1009234, 1009235, 1009236, 1009237, 1009245, 1009246, 1009247, 1009262, 1009268,1009273, 1009274, 1009275, 1009289, 1009290, 1009291, 1009292, 1009293, 1009294, 1009295, 1009296, 1009297, 1009299, 1009301, 1009305,1009311, 1009312, 1009313, 1009314, 1018019, 1018020, 1021461, 1021516, 1025795, 1055649, 1055651, 1055652, 1055653, 1055654, 1055655,1055656, 1055657, 1055658, 1056391, 1056392, 1056741, 1056742, 1056743, 1056744, 1056755, 1056756, 1056758 were updated to enhancenormalization for Cybectec RTU (ASP) data source.

Modified RulesVendor: RioReyData Source: DDOS ProtectionAffected Versions: ESM 9.4.0 and aboveParsing rule 1068607 was updated to map zone from the logs into Destination_Zone and Source_Zone on the ESM. Rule message has also beenupdated to show full context of event.

March 11, 2016New Rules

Vendor: LOGbinderData Source: LOGbinder (ASP)Affected Versions: ESM 9.2.0 and aboveParsing rules 1068644 through 1068670 were added to the LOGbinder (ASP) data source.

Modified RulesVendor: LOGbinderData Source: LOGbinder (ASP)Affected Versions: ESM 9.2.0 and aboveParsing rules 1054664 through 1054676 were updated to account for updated log formats, updated rules also map Performed Logon Type, Item Subject,and Mailbox GUID from the logs into Logon_Type, Subject, and Instance_GUID in the ESM for the LOGbinder (ASP) data source.

Vendor: IBMData Source: ISS SiteProtector - SQL PullAffected Versions: ESM 9.4.0 and aboveUpdated parsing rule 1067566 to map blocked from the logs to Action in the ESM for the ISS SiteProtector - SQL Pull data source.

March 14, 2016Modified Rules

Vendor: CiscoData Source: IOS IPS (SDEE protocol)Affected Versions: ESM 9.5.1 and aboveUpdated parsing rule 1067511 to capture sd:originator/cid:appName, cid:alertDetails, cid:riskRatingValue, sd:signature/@cid:type, sd:signature/@id,cid:os/@type, sd:signature/marsCategory, sd:attacker/sd:addr/@cid:locality, and sd:target/sd:addr/@cid:locality from the logs to application,Message_Text, Reputation, Threat_Category, Incident_ID, objectname, Threat_Name, Source_Zone, and Destination_Zone in the ESM for theIOS IPS (SDEE protocol) data source.

March 16, 2016
New Rules

Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068671 through 1068746 were added to the Messaging Security Gateway (ASP) data source.

Vendor: Cisco
Data Source: Wireless Lan Controller (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1068747 through 1068768 were added to the Wireless Lan Controller (ASP) data source.


Modified Rules
Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1012996, 1012997, 1013001, 1013002, 1013004, 1013005, 1013007, 1013008, 1013010, 1013012, 1013013, 1013015, 1013016 through 1013018, 1013020, 1013021, 1013022, 1017001, 1017003 through 1017008, 1013006, 1017009, 1013014, 1013009, 1012956, 1012957 through 1012994, 1013003, 1017010, 1012998, 1012999, 1013000, 1013011, and 1017002 to enhance application captures and improve reporting for the Messaging Security Gateway (ASP) data source.

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1036635, 1022474, 1046862, 1064496, 1042160, 1022471, 1047402, 1022502, 1022487, 1042177, and 1022483 to enhance parsing and reporting for the Linux (ASP) data source.

March 17, 2016
Modified Rules

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1012094 and 1064621 were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

Vendor: Microsoft
Data Source: Windows DNS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1013184 through 1013355 and 1064201 through 1064204 were updated to map the DNS Type from the logs into the DNS_Type field in the ESM. The normalization was updated from System -> Misc System Event to Network Access -> DNS.

March 18, 2016
Modified Rules

Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.0 and above
Parsing rules 1056622 and 1056623 were updated to map the Device ID.Name from the log, when present, to the Sensor_Name field in the ESM.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1021982, 1021979, 1068611, and 1021969 were updated to enhance parsing for the Cybectec RTU (ASP) data source.

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1009087 and 1050278 were updated to enhance parsing and action reporting for the IOS (ASP) data source. Rule 1050278 has been enhanced to parse source ip and destination ip from the logs into Source IP and Destination IP, and the normalization has been updated from Suspicious Activity -> Protocol Anomaly -> TCP Protocol Anomaly to Suspicious Activity -> Invalid Command or Data.

New Rules
Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.2 and above
Parsing rules 1068777 through 1068781 were added to the FireSIGHT Management Console - eStreamer rule set.

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068782 through 1068783 were added to the Cybectec RTU (ASP) data source.

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068784 through 1068791 were added to the IOS (ASP) data source.

March 21, 2016
Modified Rules

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1051797 was updated to enhance parsing; the rule will now capture URI referrer, CLI command, Login ID, IP, and Port from the logs into URL, Command, Source IP, and Source Port in the ESM for the Network Security Manager (ASP) data source.

New Rules
Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Data Source rule 503-3938051225 was added to the Network Security Manager (ASP) data source.


March 24, 2016
Modified Rules

Vendor: Unix
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1006195 - 1006199, 1006222 - 1006224, 1006236, 1006243, 1006244, 1011074, 1011075, 1011077, 1012093 - 1012097, 1012100 - 1012103, 1016062, 1027593 - 1027595, 1037313 - 1037315, 1037882, and 1064621 were updated to account for IPv6 addresses. Parsing rules 1006195 - 1006199, 1006224, and 1006243 were updated to remove setting the message from the log text. The updates were made to rules parsing BIND events.

Vendor: McAfee
Data Source: ePolicy Orchestrator (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1039683 was updated to map siem_severity as the primary capture and ThreatSeverity as the secondary capture for the Severity field in the ESM.

Vendor: Enforcive
Data Source: Cross-Platform Audit
Affected Versions: ESM 9.4.1 and above
Parsing rule 1068804 was added to the Cross-Platform Audit data source.

March 25, 2016
New Rules

Vendor: Wurldtech
Data Source: OpShield
Affected Versions: ESM 9.4.1 and above
Parsing rules 1068805 through 1068825 were added to the OpShield rule set.

Vendor: Reversing Labs
Data Source: N1000
Affected Versions: ESM 9.5.0 and above
Parsing rules 1068826 through 1068828 and 1068830 were added to the N1000 parsing ruleset.

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rule 1068829 has been added to the Linux ruleset.

March 29, 2016
Modified Rules

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1015389, 610122704, 1014561 through 1014562, 1014604, 610121919, 1014179, 1014180, 1014826, 1014931, 1015269, 1014925, 1014631, 1014759, 1015380, 1014952, 1014484, and 1014086 through 1014090 to improve Normalization and enhance parsing for the PIX/ASA/FWSM (ASP) data source. Parsing Rules 1014086-1014090, 1014179, 1014180, 1014484, 1014604, 1014631, 1014759, 1014826, 1014925, 1014931, 1014952, 1015269, 1015380, and 1015389 were updated to map Destination IP, Source IP, Hostname, Shun List, Username, Interface, Destination Interface, and Device Type from the logs to Destination IP, Source IP, Hostname, Objectname, Source Username, Interface, Destination Interface, and External Device Type in the ESM.

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Enhanced Normalizations for data source rules 305-4528638, 305-4739739, 305-4206719, 305-4206721, 305-4206722, 305-4206731, 305-4206733, 305-4206735, 305-4206736, 305-4206737, 305-4206738, 305-4206739, 305-4206740, 305-4206741, 305-4211034, 305-4211037, 305-4223214, 305-4223217, 305-4227177, 305-4235330, 305-4309015, 305-4333579, 305-4423709, 305-4440238, 305-4526200, 305-4527128, 305-4527140, 305-4527563, 305-4528001, 305-4528252, 305-4528335, 305-4528380, 305-4528396, 305-4528419, 305-4528423, 305-4528429, 305-4528432, 305-4528463, 305-4528464, 305-4528466, 305-4528467, 305-4528468, 305-4528470, 305-4528472, 305-4528475, 305-4528476, 305-4528498, 305-4528499, 305-4528501, 305-4528502, 305-4528503, 305-4528504, 305-4528505, 305-4528511, 305-4528524, 305-4528579, 305-4528580, 305-4528581, 305-4528582, 305-4528583, 305-4528584, 305-4528585, 305-4528586, 305-4528587, 305-4528590, 305-4528591, 305-4528592, 305-4528593, 305-4528594, 305-4528595, 305-4528596, 305-4528597, 305-4528598, 305-4528599, 305-4528600, 305-4528601, 305-4528602, 305-4528633, 305-4528634, 305-4528635, 305-4528636, 305-4528637, 305-4528639, 305-4528640, 305-4528641, 305-4528642, 305-4528643, 305-4528644, 305-4528645, 305-4528646, 305-4528647, 305-4528648, 305-4528649, 305-4528650, 305-4528651, 305-4528652, 305-4528653, 305-4554767, 305-4567071, 305-4571257, 305-4571258, 305-4571260, 305-4571261, 305-4571262, 305-4571263, 305-4571264, 305-4571265, 305-4571266, 305-4575466, 305-4576075, 305-4576109, 305-4576112, 305-4576113, 305-4576114, 305-4576116, 305-4576121, 305-4576122, 305-4677739, 305-4685828, 305-4735883, 305-4735884, 305-4735887, 305-4735888, 305-4735892, 305-4739703, 305-4739801, 305-4739802, 305-4739803, 305-4739804, 305-4747340, 305-4751632, 305-4206742, 305-4528603, 305-4528604, 305-4528605, 305-4528606, 305-4528607, 305-4528608, 305-4528609, 305-4528610, 305-4528612, 305-4528613, 305-4528614, 305-4528615, 305-4528616, 305-4528617, 305-4528618, 305-4528619, 305-4528620, 305-4528621, 305-4528622, 305-4528623, 305-4528624, 305-4528625, 305-4528626, 305-4528627, 305-4528628, 305-4528629, 305-4528630, 305-4528631, 305-4528632, 305-4528638 for the Network Security Manager (ASP) data source.

Vendor: Citrix
Data Source: NetScaler (ASP)
Affected Versions: ESM 8.4.0 and above
Parsing rules 1009230, 1025795, 1009231, 1009234, 1009299, 1021515, and 1055649 were updated to remove time captures. Event times are now derived from the syslog header.


March 30, 2016
Modified Rules

Vendor: Aruba
Data Source: Aruba OS
Affected Versions: ESM 9.2.0 and above
Updated rules 170-41260374, 170-32025424, 170-41260484, 170-53040394, 170-53040404, 170-53040414, 170-65011384, 170-65011394, 170-65030294, 170-65030784 to enhance parsing for the Aruba OS data source.

March 31, 2016
New Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules 43-429010000, 43-429010010, and 43-429010060 were added to the Windows Event Log - WMI data source.

Modified Rules
Vendor: McAfee
Data Source: EWS v5 / Email Gateway Original Format - Legacy - (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1027962 to capture all attachments listed in the logs into File_Path in the ESM for the EWS v5 / Email Gateway Original Format - Legacy - (ASP) data source.

April 01, 2016
Modified Rules

Vendor: Cisco
Data Source: NX-OS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1018245, 1018246, 1018248, 1018255 through 1018262, 1018267, 1018269, 1018273 through 1018275, 1018282, 1018284, 1018286, 1018287, 1018295, 1018297 through 1018300, 1018304, 1018305, 1018334, 1018357, 1018386, 1018392 through 1018400, 1018418, 1018423 through 1018425, 1018436, 1018444, 1018445, 1018459, 1018479 through 1018487, 1018489 through 1018588, 1018601, 1018602, 1018607 through 1018609, 1018611, 1018613, 1018614, 1018617 through 1018620, 1018667 through 1018674, 1018676 through 1018680, 1018683, 1018684, 1018686 through 1018692, 1018696, 1018697, 1018704 through 1018706, 1018709, 1018712 through 1018725, 1019037 through 1019040, 1026218, 1026222 through 1026300, 1067867, 1067868, and 1067880 were updated to enhance parsing. The rules in this data source had been parsing Interface and Port from the logs into Object in the ESM; they will now parse Interface and Port from the logs into Interface in the ESM for the NX-OS (ASP) data source.

April 04, 2016
New Rules

Vendor: Raz-Lee Security
Data Source: iSecurity Suite (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068831 through 1068856 were added to the iSecurity Suite (ASP) data source.

Modified Rules
Vendor: Raz-Lee Security
Data Source: iSecurity Suite (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1049233 through 1049251 were updated to enhance parsing; the rules were also updated to map Job, Job Type, Document, and MsgID from the logs into Mainframe_Job_Name, Job_Type, Filename, and Message_ID in the ESM for the iSecurity Suite (ASP) data source.

April 07, 2016
Modified Rules

Vendor: Good Technology
Data Source: Good Mobile Control (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1048295, 1048260, 1048242, and 1048243 were updated to enhance parsing for the Good Mobile Control (ASP) data source.

April 08, 2016
Modified Rules

Vendor: Enforcive
Data Source: Cross-Platform Audit
Affected Versions: ESM 9.4.1 and above
Updated parsing rule 1068804 to map Event Status, Application, Action, Destination Process, and Message from the logs into Event Subtype, Application, Command, Target_Process_Name, and Signature_Name in the ESM for the Cross-Platform Audit data source.

Vendor: McAfee
Data Source: Advanced Threat Defense
Affected Versions: ESM 9.4.1 and above
Parsing rule 1056389 was updated to enhance parsing for the Advanced Threat Defense data source.

Vendor: Vormetric
Data Source: Data Security (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1055606 was updated to enhance parsing for the Data Security (ASP) data source.

April 21, 2016
Modified Rules

Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Affected Versions: ESM 9.1.0 and above
Updated parsing rules 1046703 and 1046704 to account for parentheses in rule messages for the Palo Alto Firewalls (ASP) data source.


April 26, 2016
New Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules 43-359055000, 43-359055010, 43-359055020, 43-359055040, 43-359055050, 43-359055060, 43-359055070, 43-359055080, 43-359055090, 43-359055100, 43-359055110, 43-359070500, 43-359070510, 43-359070520, 43-359070530, 43-359070540, 43-359070550, 43-359070560, 43-359070620, and 43-359075000 were added to the Windows Event Log - WMI rule set.

May 3, 2016
Modified Rules

Vendor: McAfee
Data Source: ePolicy Orchestrator (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1039683 and 1050406 were updated to map ThreatSeverity as the primary capture and siem_severity as the secondary capture for the Severity field in the ESM. The mapping for the Severity values has also been enhanced.

May 5, 2016
Modified Rules

Vendor: Fortinet
Data Source: FortiGate UTM - Space Delimited - (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1025149, 1025629, 1025630, 1025631, 1025632, 1025633, 1025635, 1025641, 1025647, 1025648, 1025650, 1025651, 1025652, 1025653, 1064249, 1064250, 1064251, 1064252, 1064253, 1064254, 1064352, and 1064397 were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 5, 2016
Modified Rules

Vendor: Fortinet
Data Source: FortiGate UTM - Comma Delimited - (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1011282, 1011398, 1011399, 1011400, 1011448, 1011449, 1011450, and 1011451 were updated to map status as the primary capture and action as the secondary capture for the Event Subtype field in the ESM.

May 9, 2016
Modified Rules

Vendor: Fortinet
Data Source: FortiGate UTM - Space Delimited - (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rule 1025149 was updated to add timeout to the action map.

Vendor: Proofpoint
Data Source: Messaging Security Gateway (ASP)
Affected Versions: ESM 8.4.0 and above
Updated parsing rules 1012985, 1068726, 616020656, 1013013, 1068682, 1068720, 611071521, 1022487, 1047028, 1022474, 1042160, 1022464, 611071502, 1022472, and 611071510 to reduce the possibility of overlapping rules for the Messaging Security Gateway (ASP) data source.

May 11, 2016
Modified Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 43-159332050 for the Windows Event Log - WMI data source to enhance Domain and Hostname parsing.

May 16, 2016
Modified Rules

Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.2 and above
Parsing rules 1068778 and 1068780 were updated to account for minor changes in the log format. The Threat_Name field mapping was removed as it no longer matches the context of the event.

May 18, 2016
Modified Rules

Vendor: Tufin
Data Source: SecureTrack (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1050338 through 1050382 for the SecureTrack (ASP) data source with new versions to enhance action mapping, support additional time formats, and improve normalization and severity.

May 23, 2016
New Rules


Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rules 43-412040000 through 43-412040120, 43-412040140 through 43-412040160, 43-412040190 through 43-412040400, 43-412040420 through 43-412040990, 43-412041030 through 43-412041050, 43-412041170, 43-412041210 through 43-412042170, 43-412042500 through 43-412042740, 43-412044000 through 43-412045310, 43-412045700 through 43-412046110, 43-412047000 through 43-412047020, 43-412047660, 43-412048000 through 43-412048260, 43-412048500 through 43-412048590, 43-412049990, 43-412050050, 43-412050060, 43-412050080 through 43-412050110, 43-412050190 through 43-412050300, 43-412050320, 43-412050360 through 43-412050380, 43-412050410 through 43-412050460, 43-412050490 through 43-412050530, 43-412052030 through 43-412052060, 43-412052110, 43-412053580, 43-412055010 through 43-412055130, 43-412055190, 43-412055200 through 43-412055220, 43-412055240 through 43-412055290, 43-412056000 through 43-412056360, 43-412056380 through 43-412056600, 43-412057000, 43-412057010, 43-412057490 through 43-412057580, 43-412058050 through 43-412058300, 43-412058320 through 43-412058450, 43-412058470 through 43-412058590, 43-412058620 through 43-412058890, 43-412058900 through 43-412058980, 43-412059000 through 43-412059500, 43-412059600 through 43-412059720, 43-412060040, 43-412060050, 43-412060150, 43-412060250, 43-412060260, 43-412060350, 43-412060370, 43-412060470 through 43-412060530, 43-412060640, 43-412060880 through 43-412060920, 43-412061000, 43-412061030, 43-412061070, 43-412061090, 43-412061100, 43-412061120, 43-412061140, 43-412061150, 43-412061180 through 43-412061220, 43-412061250, 43-412061340 through 43-412061480, 43-412061500 through 43-412061540, 43-412061580 through 43-412061660, 43-412061720 through 43-412061750, 43-412061770, 43-412061790, 43-412061800, 43-412061820 through 43-412061840, 43-412061870, 43-412061880, 43-412061900 through 43-412061930, 43-412061960, 43-412062070, 43-412062080, 43-412062090, 43-412062120, 43-412062180, 43-412062240, 43-412062300 through 43-412062450, 43-412062510 through 43-412062610, 43-412062630, 43-412062660, 43-412062710, 43-412062720, 43-412062760, 43-412062770, 43-412066660, 43-412067080 through 43-412067100, 43-412067670, 43-412067740, 43-412067820, 43-412069010 through 43-412069150, 43-412069880, 43-412069890, 43-412069920 through 43-412070020, 43-412070050, 43-412070060, 43-412070080, 43-412070100 through 43-412070310, 43-412070410, 43-412070420, 43-412070440, 43-412070470, 43-412070480, 43-412070530 through 43-412070560, 43-412070590 through 43-412070690, 43-412070720 through 43-412070990, 43-412071040 through 43-412072120, 43-412072140 through 43-412072170, 43-412072190 through 43-412072380, 43-412072490, 43-412072500, 43-412072530 through 43-412072550, 43-412072570 through 43-412072640, 43-412072760, 43-412073050 through 43-412073080, 43-412073100, 43-412073150, 43-412073160, 43-412073200, 43-412073270, 43-412074320 through 43-412074350, 43-412074590 through 43-412074690, 43-412074720, 43-412074770, 43-412074840, 43-412074850, 43-412076010 through 43-412076090, 43-412076120, 43-412076220 through 43-412076270, 43-412077010 through 43-412077260, 43-412077510 through 43-412077620, 43-412077700 through 43-412077810, 43-412077830 through 43-412078100, 43-412078800 through 43-412078860, 43-412078900 through 43-412078950, 43-412079010, 43-412079030, 43-412079040, 43-412079050, 43-412079070 through 43-412079370, 43-412079430, 43-412079530 through 43-412079650, 43-412079680 through 43-412079700, 43-412079850 through 43-412079900, 43-412080010 through 43-412080120, 43-412080140 through 43-412082270, 43-412082290 through 43-412082440, 43-412082660, 43-412082760, 43-412082780, 43-412082800, 43-412082820, 43-412082840, 43-412082870 through 43-412082890, 43-412082910, 43-412082940 through 43-412083220, 43-412083230 through 43-412083250, 43-412083300 through 43-412083550, 43-412083670, 43-412083680, 43-412083700 through 43-412083830, 43-412083900 through 43-412083980, 43-412084010 through 43-412084780, 43-412084800 through 43-412085200, 43-412085490 through 43-412085700, 43-412086010 through 43-412086970, 43-412087010 through 43-412087980, 43-412088010 through 43-412088470, 43-412088500 through 43-412088570, 43-412088740 through 43-412088760, 43-412089010 through 43-412089060, 43-412089190, 43-412089340 through 43-412089370, 43-412090010 through 43-412090040, 43-412091810 through 43-412091900, 43-412091950 through 43-412091970, 43-412092010 through 43-412092480, 43-412092550, 43-412092590, 43-412092620, 43-412092700 through 43-412092730, 43-412093010, 43-412093020, 43-412094010 through 43-412094510, 43-412094530, 43-412094550 through 43-412094570, 43-412094650, 43-412094660, 43-412094690, 43-412094870 through 43-412094960, 43-412094980 through 43-412095580, 43-412095600 through 43-412095660, 43-412095720 through 43-412095990, 43-412096010 through 43-412096080, 43-412096100 through 43-412096990, 43-412097090, 43-412097100 through 43-412097710, 43-412099130 through 43-412099150, 43-412099200 through 43-412099550, 43-412099900 through 43-412099920, and 43-412099990 were added to the Windows Event Log - WMI rule set.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.2 and above
Parsing rules 43-412050500, 43-412058550, and 43-412092020 were modified for the Windows Event Log - WMI rule set.

May 24, 2016
Modified Rules

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1015120 for the PIX/ASA/FWSM (ASP) data source to enhance Source IP parsing.

May 25, 2016
New Rules

Vendor: McAfee
Data Source: Web Gateway (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068944 through 1068979 were added to parse Audit events from the Web Gateway (ASP) data source.

Modified Rules
Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1015106 for the PIX/ASA/FWSM (ASP) data source to enhance Source IP and Destination IP parsing.


May 26, 2016
Modified Rules

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1014962 for the PIX/ASA/FWSM (ASP) data source to map Source IP from the log into Source IP in the ESM.

May 27, 2016
New Rules

Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Affected Versions: ESM 9.4.1 and above
Added parsing rule 1068980 to the Palo Alto Firewalls (ASP) data source.

Modified Rules
Vendor: Palo Alto Networks
Data Source: Palo Alto Firewalls (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1010432 through 1010433, 1010436, 1010441, 1012903, 1012906, 1012909, 1012912, 1042252, and 1042253 for the Palo Alto Firewalls (ASP) data source to enhance parsing.

June 2, 2016
New Rules

Vendor: Interset
Data Source: Interset
Affected Versions: ESM 9.5.1 and above
Added support for the Interset data source.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules 43-263051500, 43-263051510, 43-263051520, 43-263051530, 43-263051560, and 43-263051570 were updated to map the direction from the log to the Direction field in the ESM.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.5.0 and above
301 parsing rules were added to the Windows Event Log - WMI data source to parse events from HealthService and OpsMgr SDK Service.

June 06, 2016
New Rules

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068985, 1068986, and 1068987 were added to the Linux (ASP) data source.

Modified Rules
Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1024835, 1024836, 1037338, 1047096, 1006257, 1009704, 1012451, 1033961, 1033962 through 1033964, 1054512, 1050462, 1037336, 1037334, 1037379, 1037383, 1046255, 1047003, 1047078, 1047125, 1009719, 1054659, 1055789, and 1055920 for the Linux (ASP) data source to enhance parsing. Parsing rules 1047158, 1037340, and 1047365 have been deprecated.

June 08, 2016
New Rules

Vendor: Globalscape
Data Source: Globalscape EFT
Affected Versions: ESM 9.4.1 and above
Added support for the Globalscape EFT data source. Parsing rule 1068988 was added to the Globalscape EFT data source.

Vendor: SafeNet
Data Source: Hardware Security Modules (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1068989 was added to the Hardware Security Modules (ASP) data source.

Vendor: Blue Coat
Data Source: Reporter
Affected Versions: ESM 9.5.0 and above
Added support for the Reporter data source. Parsing rule 1068990 was added to the Reporter data source.

Modified Rules

Vendor: SafeNet
Data Source: Hardware Security Modules (ASP)
Affected Versions: ESM 9.4.1 and above
Updated parsing rules 1009151 through 1009153, 1009315, 1009316 through 1009323, 1009325, and 1009326 for the Hardware Security Modules (ASP) data source.

June 13, 2016
Modified Rules

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.1.0 and above
Parsing rules 1029460, 1029315, and 1029316 were updated for the IOS (ASP) data source to enhance parsing.


Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1029315 and 1029315 have been updated to parse Command from the logs into Message_Text in the ESM; they had previously parsed Command into Object. The parsing rules have also been updated to capture Event-ID from the logs into External_EventID in the ESM.

Vendor: Riverbed
Data Source: Steelhead
Affected Versions: ESM 9.2.0 and above
Parsing rules 1016489, 1016488, and 1016487 were updated to appropriately parse user names from the logs. Rules 1016489 and 1016488 were also updated to set the subtype to stop rather than modify and remove.

June 15, 2016
Modified Rules

Vendor: CyberArk
Data Source: Privileged Identity Management Suite - CEF (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1036485 was updated to map the time stamp from the log to the firsttime and lasttime fields in the ESM.

June 17, 2016
Modified Rules

Vendor: Cisco
Data Source: IOS (ASP)
Affected Versions: ESM 9.1.0 and above
Parsing rule 1009360 was updated to map the user, source IP, and destination port from the log to the User Name, Source IP, and Destination Port fields in the ESM.

June 20, 2016
New Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.1.0 and above
Parsing rules 43-325000040, 43-325000050, and 43-325000080 were added to the Windows Event Log - WMI rule set.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.2.1 and above
Parsing rule 43-325000010 was updated to parse User, ResultSize, and EmailAddresses from the logs into Source_UserID, Request_Type and Mail_ID in the ESM for the Windows Event Log - WMI data source.

June 23, 2016
New Rules

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rule 616140601 was added to the Cybectec RTU (ASP) data source.

Modified Rules
Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 43-211006241, 43-211006421, 43-211006420, 43-211006450, 43-211006460, 43-211006461, 43-263047200, 43-263047380, and 43-263047420 for the Windows Event Log - WMI data source to enhance parsing of User Account Control and Password Last Set to display in human-readable format in the ESM. Updated normalization for rule 43-211006450.

June 28, 2016
Modified Rules

Vendor: SourceFire
Data Source: FireSIGHT Management Console - eStreamer
Affected Versions: ESM 9.5.0 and above
Updated parsing rules 1056653 through 1056655, 1056622, 1056623, 1056660, 1056663, 1056667, 1056668, 1056670 through 1056673, and 1068777 through 1068780 to map the User Name from the eStreamer logs to the Username field in the ESM. This update is to accommodate changes made to these record types in eStreamer version 6.

June 30, 2016
New Rules

Vendor: VMware
Data Source: VMware (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1068992 through 1069071 were added to the VMware (ASP) data source.

Modified Rules
Vendor: VMware
Data Source: VMware (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1051853, 1026195, 1026172, 1026175, 1026179, 1026164, 1017120, 1026212, 1026156, 1026152, 1017095, 1026147, and 1009704 for the VMware (ASP) data source to enhance parsing.


Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1054547 for the Linux (ASP) data source to capture File from the logs into Filename in the ESM. Parsing rule 1025057 was also updated to enhance parsing and will now map Result and Process from the logs into the Reason and Process_Name fields in the ESM.

July 07, 2016
Modified Rules

Vendor: Fortinet
Data Source: FortiMail
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1063873, 1063991, and 1063992 through 1063994 for the FortiMail data source to enhance parsing.

Vendor: Fortinet
Data Source: FortiWeb Web Application Firewall (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1025489 for the FortiWeb Web Application Firewall (ASP) data source to enhance parsing.

Vendor: Global Technology Associates
Data Source: GNAT Box (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1012655 for the GNAT Box (ASP) data source to enhance parsing.

Vendor: KEMP Technologies
Data Source: LoadMaster (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1019843 for the LoadMaster (ASP) data source to enhance parsing.

Vendor: Nortel Networks
Data Source: Contivity VPN (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1056264 for the Contivity VPN (ASP) data source to enhance parsing.

Vendor: VMware
Data Source: VMware (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1026166 for the VMware (ASP) data source to enhance parsing.

Vendor: Cooper Power Systems
Data Source: Yukon IED Manager Suite (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1022282 for the Yukon IED Manager Suite (ASP) data source to enhance parsing.

Vendor: FreeRADIUS
Data Source: FreeRADIUS (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1010334 through 1010335 for the FreeRADIUS (ASP) data source to enhance parsing.

Vendor: Nortel Networks
Data Source: VPN Gateway 3050 (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1011578 through 1011579 for the VPN Gateway 3050 (ASP) data source to enhance parsing.

Vendor: Blue Coat
Data Source: Director (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1047667 for the Director (ASP) data source to enhance parsing.

July 08, 2016
New Rules

Vendor: Juniper Networks
Data Source: JUNOS Router (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1069074 through 1069085 were added to the JUNOS Router (ASP) data source.

Vendor: Juniper Networks
Data Source: JUNOS - Structured-Data Format (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1069076 through 1069079 and 1069081 through 1069085 were added to the JUNOS - Structured-Data Format (ASP) data source.

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1069086 and 1069087 were added to the PIX/ASA/FWSM (ASP) data source.

Modified Rules
Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rules 1014132, 1014133, 1014138, 1014172, 1014173, 1014219, 1014253, 1014254, 1014258, 1014304, 1014307, 1014308, 1014366, 1014380 through 1014386, 1014431 through 1014433, 1014435, 1014437, 1014498, 1014534, 1014599, 1014603, 1014604, 1014688, 1014703, 1014710, 1014711, 1014713, 1014827, 1014828, 1014891, 1014914, 1015100, 1015101, 1015102, 1015104, 1015105 through 1015111, 1015126, 1015161, 1015448, 1015450, 1015673, 1015678, 1046702, and 1047465 through 1047466 were updated to set the protocol field in the ESM for the PIX/ASA/FWSM (ASP) data source.


July 11, 2016
Modified Rules

Vendor: Aruba
Data Source: Aruba OS
Affected Versions: ESM 9.2.0 and above
Updated rules 170-41260054, 170-41260334, 170-41260354, 170-41260364, 170-41260384, 170-41260454, 170-41260474, 170-41260484, 170-41260524, 170-41260534, 170-41260544, 170-41260654, 170-41260664, 170-41260694, 170-41260714, 170-41260754, 170-41261094, and 170-41260874 to enhance parsing for the Aruba OS data source.

July 12, 2016
Modified Rules

Vendor: Barracuda Networks
Data Source: Web Application Firewall (ASP)
Affected Versions: ESM 9.2.0 and above
Parsing rules 1036900 and 1036901 have been updated to parse the Application Layer Protocol from the logs into Application_Layer_Protocol in the ESM, for the Web Application Firewall (ASP) data source. The normalization for rule 1036901 has been updated to Network Access from System Status.

July 13, 2016
New Rules

Vendor: McAfee
Data Source: Host Data Loss Prevention (ePO)
Affected Versions: ESM 9.4.1 and above
Data source rules 359-19100 through 359-19137, 359-19170, 359-19171, 359-19175 through 359-19179, 359-19181 through 359-19189 have been added to the Host Data Loss Prevention (ePO) data source.

Modified Rules

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1025057 and 1006274 to enhance parsing and to capture the Process name from the logs into Process_Name in the ESM, for the Linux (ASP) data source.

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules with additional contents 1054574, 1054561, 1047127, 1006270, 1054576, 1054591, 1054591, 1054581, 1006269, 1054564, 1006272, 1047125, 1054572, 1054559, 1006257, 1054566, 1054578, 1047129, 1054555, 1054570, 1054567, 1054586, 1054584, 1047128, 1006268, 1054562, 1054590, 1047022, 1054545, 1054589, 1054575, 1006273, 1054582, 1047126, 1054556, 1054568, 1054565, 1054579, 1054587, 1054554, 1054580, 1054571, 1054585, 1054583, 1068985, 1054552, and 1054573 for the Linux (ASP) data source. Normalization for parsing rules 1006269 and 1006268 has been changed from Misc Application Event to Authentication. Normalization for parsing rule 1006272 has been changed from Misc Application Event to Connection/Session. Normalization for rule 1054589 has been changed from Application Status to Connection/Session. The regular expressions for parsing rules 1047127, 1054566, 1054562, 1054582, and 1054568 have been updated to match the style used in other rules. The parsing logic is unchanged.

July 15, 2016
New Rules

Vendor: Citrix
Data Source: NetScaler (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rules 1069088 and 1069089 were added to the NetScaler (ASP) data source.

July 19, 2016
New Rules

Vendor: PhishMe
Data Source: PhishMe Intelligence
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069090 was added to the PhishMe Intelligence data source.

July 22, 2016
New Rules

Vendor: Cooper Power Systems
Data Source: Cybectec RTU (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069091 was added to the Cybectec RTU (ASP) data source.

July 25, 2016
Updated Rules

Vendor: McAfee
Data Source: Network DLP Monitor (ASP)
Affected Versions: ESM 9.4.0 and above
The regular expressions for parsing rule 1035971 were updated to improve matching and parsing where CEF keys contained equals signs in the value.
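The parsing problem behind this update, equals signs inside CEF extension values, as an added Python example that is not McAfee's rule content: a CEF parser that splits extension values on key boundaries rather than on every '=', so a URL query string or an escaped '\=' stays inside its value. The sample event, vendor and field values are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample event (not from the page). The "request" and "msg" extension
# values contain '=' characters, the case the page says broke matching. Per the
# CEF spec a literal '=' inside a value is escaped as '\='; the URL shows the
# unescaped '=' that many products emit regardless.
SAMPLE_CEF = (
    "CEF:0|McAfee|Network DLP Monitor|10.0|1234|Policy Violation|7|"
    "src=10.0.0.5 dst=198.51.100.7 suser=jdoe "
    "request=https://example.test/search?q=a=b&x=1 "
    "msg=Found key\\=value pairs in body cs1Label=Rule cs1=Credit Card"
)

# A new extension key starts at the beginning of the extension string or right
# after whitespace, is an alphanumeric token, and is followed by an unescaped '='.
# An '=' preceded by a non-space character ("?q=a=b") or by a backslash ("key\=")
# therefore never starts a key and stays inside the current value.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}


def unescape_cef(value: str) -> str:
    """Resolve the CEF backslash escapes (\\= \\\\ \\| \\n \\r) inside a field."""
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value) and value[i + 1] in _ESCAPES:
            out.append(_ESCAPES[value[i + 1]])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_header(line: str) -> Tuple[List[str], str]:
    """Return the seven pipe-delimited header fields and the extension string.

    A '\\|' inside a header field is an escaped pipe, not a delimiter."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i:i + 2])      # keep the escape pair for unescape_cef
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("not a CEF record: expected 7 pipe-delimited header fields")
    return [unescape_cef(f) for f in fields], line[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Split 'key=value key=value ...' into a dict.

    Each value runs from its '=' up to the start of the next key match, so
    values may contain spaces and '=' characters without being truncated."""
    matches = list(_KEY_RE.finditer(ext))
    parsed: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        parsed[m.group(1)] = unescape_cef(ext[m.end():end].strip())
    return parsed


def parse_cef(line: str) -> Dict[str, object]:
    """Parse one CEF line into header fields plus the extension dict."""
    header, ext = split_header(line)
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {
        "cef_version": version.split(":", 1)[1] if version.startswith("CEF:") else version,
        "vendor": vendor,
        "product": product,
        "device_version": dev_version,
        "signature_id": sig_id,
        "name": name,
        "severity": int(severity),
        "extension": parse_extension(ext),
    }
```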

August 02, 2016
New Rules

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1069092 was added to the PIX/ASA/FWSM (ASP) rule set to cover CX module events.

Vendor: Microsoft
Data Source: Windows Eventlog - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules 43-432004110 and 43-432005160 were added to the Windows Eventlog - WMI rule set to cover AD FS Auditing events.


August 04, 2016
Modified Rules

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.4.0 and above
Updated message parsing for rules 1047301 and 1047312 in the Linux (ASP) data source.

New Rules

Vendor: McAfee
Data Source: Network Security Manager (ASP)
Affected Versions: ESM 9.2.0 and above
Data Source rules 305-4529091, 305-4529092, 305-4529073, 305-4529090, 305-4529088, 305-4529078, 305-4529122, 305-4529075, 305-4529081, 305-4529089, 305-4529121, 305-4529077, 305-4529101, 305-4529102, 305-4529082, 305-4529103, 305-4529083, 305-4529084, 305-4529105, 305-4529104, 305-4529093, 305-4529094, 305-4529095, 305-4529096, 305-4529079, and 305-4529076 were added to the NSM rule set.

Vendor: Malwarebytes
Data Source: Breach Remediation
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069093 and data source rules 564-3017354735, 564-2790178439, 564-2790178440, 564-3995890617, 564-2150188648, 564-2409809493, 564-2151493679, 564-2122020773, 564-3384294373, and 564-3094096311 were added to the Breach Remediation data source.

August 11, 2016
New Rules

Vendor: Malwarebytes
Data Source: Management Console
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069094 was added to the Management Console rule set.

August 15, 2016
New Rules

Vendor: CyberArk
Data Source: Privileged Threat Analytics
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069095 and data source rules 566-21, 566-22, 566-23, 566-24, and 566-25 were added to the Privileged Threat Analytics rule set.

August 22, 2016
New Rules

Vendor: Juniper Networks
Data Source: NetScreen / IDP (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1069096 was added to the NetScreen / IDP (ASP) data source.

Modified Rules

Vendor: Forcepoint/Websense
Data Source: Cloud Web Security
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1056610 for the Cloud Web Security data source to accommodate the vendor change.

Vendor: Forcepoint/Websense
Data Source: Websense - CEF, Key Value Pair
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1055660 and 1055661 for the Websense - CEF, Key Value Pair data source to accommodate the vendor change.

Vendor: Forcepoint/Websense
Data Source: Websense Enterprise
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1042178 and 1042179 for the Websense Enterprise data source to accommodate the vendor change.

Vendor: Cisco
Data Source: PIX/ASA/FWSM (ASP)
Affected Versions: ESM 9.4.0 and above
Updated normalization and enhanced parsing for rule 1014593 for the PIX/ASA/FWSM (ASP) data source.

August 24, 2016
New Rules

Vendor: Microsoft
Data Source: Windows EventLog - WMI
Affected Versions: ESM 9.5.0 and above
Data Source rules 43-433000010, 43-433000020, 43-433000030, 43-433000040, 43-433000050, 43-433000060, 43-433000070, 43-433000080, 43-433001000, 43-433001010, 43-433001020, 43-433001030, 43-433001040, 43-433001050, 43-433001060, 43-433001950, 43-433002000, 43-433003000, 43-433004000, 43-433004010, 43-433004020, 43-433004030, 43-433005000, 43-433005010, 43-433005020, 43-433006000, 43-433006010, 43-433007000, and 43-433008000 were added to the Windows EventLog - WMI rule set to enhance PowerShell event parsing.

September 1, 2016
New Rules

Vendor: Skyhigh Networks
Data Source: Cloud Security Platform
Affected Versions: ESM 9.5.1 and above
Parsing rule 1069097 was added to the Cloud Security Platform data source.

Vendor: Niara
Data Source: Niara
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069098 was added to the Niara rule set.


Vendor: TrapX
Data Source: DeceptionGrid
Affected Versions: ESM 9.5.0 and above
Parsing rules 1069099 through 1069101 were added to the DeceptionGrid rule set.

Modified Rules

Vendor: McAfee
Data Source: Next Generation Firewall - Stonesoft (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1036002 to match logs where the vendor is displayed as Forcepoint.

September 2, 2016
New Rules

Vendor: Attivo Networks
Data Source: BOTsink
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069102 was added to the BOTsink rule set.

Vendor: PhishMe
Data Source: PhishMe Triage
Affected Versions: ESM 9.5.1 and above
Parsing rule 1069103 was added to the PhishMe Triage data source.

Modified Rules

Vendor: Unix
Data Source: Linux (ASP)
Affected Versions: ESM 9.1.0 and above
The regular expression for parsing rule 1025057 was updated to improve matching for logs that were previously unparsed. Duplicate rule 1054475 was deprecated.

Vendor: STEALTHbits
Data Source: StealthINTERCEPT
Affected Versions: ESM 9.4.0 and above
Parsing rules 1056566 through 1056571 were updated to handle an additional time format in the log.

September 15, 2016
Modified Rules

Vendor: Aruba Networks
Data Source: ClearPass (ASP)
Affected Versions: ESM 9.5.1 and above
Parsing rules 1046107 and 1046108 were updated to prevent them from matching CEF formatted logs.

New Rules

Vendor: Aruba Networks
Data Source: ClearPass (ASP)
Affected Versions: ESM 9.5.1 and above
Parsing rules 1069104 through 1069107 were added to the ClearPass (ASP) rule set to parse specific CEF formatted logs.

Vendor: Aruba Networks
Data Source: ClearPass (ASP)
Affected Versions: ESM 9.5.1 and above
Data source rules 465-3172836525, 465-2670855048, 465-3105812804, 465-3112560060, 465-2964857595, 465-2062101402, 465-2934321378, 465-2755150032, 465-3733475255, 465-2141708101, 465-3504859385, 465-2566107805, 465-3568337151, 465-3152996588, 465-2321965288, 465-2205290893, 465-2848710351, 465-2750466264, 465-2860277828, 465-2124826802, 465-3333703049, 465-2007291433, 465-2113144658, 465-2108181927, 465-2828310543, 465-3029497000, 465-3478111534, 465-2345778352, 465-3213445169, 465-2265868490, 465-2178993584, 465-2481318708, 465-2540546969, 465-3323529474, 465-2359259948, 465-2886342946, 465-2681363744, 465-3808383751, 465-3794678124, 465-3284048573, 465-2185649474, 465-2993316923, 465-3208138604, 465-2202995122, 465-2336894523, 465-2940786301, 465-2932630954, 465-2802186261, 465-2514278658, 465-3183157313, 465-3790252838, 465-3503934525, 465-3589338436, 465-2000038971, 465-2905675119, 465-2041046925, 465-3280552083, 465-2453212473, 465-3920211009, 465-3781375127, 465-3085941001, 465-2966634593, and 465-2613872364 were added to the ClearPass (ASP) rule set.

September 19, 2016
Modified Rules

Vendor: VMware
Data Source: AirWatch
Affected Versions: ESM 9.4.0 and above
Parsing rules 1068362 through 1068367 for the AirWatch data source were updated to map the Event Source from the log to the Object_Type field in the ESM.

Vendor: UNIX
Data Source: Linux (ASP)
Affected Versions: ESM 9.4.0 and above
Updated the regular expression for parsing rule 1054512 to minimize the chance of it matching unintended logs. Updated rule 1006259 and set the action to failure instead of error. Updated rule 1006255 to capture the hostname from the rhost field in the log, when its value is a hostname instead of an IP address, and mapped it to the hostname field in the ESM.
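The rhost handling described for rule 1006255, with the failure action from rule 1006259, as an added Python example that is not McAfee's rule content: a pam_unix auth-failure parser that routes the rhost value to a hostname field only when it is not an IP literal. The sample log lines and output field names are constructed, and mapping IP literals to a source_ip field is an assumption the page does not state.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample lines (not from the page) in the pam_unix format. The
# rhost= value is an IPv4 address, a hostname, an IPv6 address, and empty.
SAMPLE_LOGS = [
    "Sep 19 10:01:02 web01 sshd[2231]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=root",
    "Sep 19 10:01:05 web01 sshd[2235]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=bastion.example.test  user=deploy",
    "Sep 19 10:01:07 web01 sshd[2240]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=2001:db8::1f  user=admin",
    "Sep 19 10:01:09 web01 sshd[2244]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=guest",
]

# Syslog prefix, then the pam_unix body; rhost may be empty, so \S* not \S+.
_PAM_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<device>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:auth\): authentication failure; .*?rhost=(?P<rhost>\S*)\s+user=(?P<user>\S+)"
)

# RFC 1123 host name: dot-separated labels of letters, digits and hyphens.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*"
)


def classify_rhost(value: str) -> Dict[str, str]:
    """Map an rhost value to the field it belongs in.

    IPv4/IPv6 literals go to source_ip (assumed; the page only states the
    hostname mapping), hostnames go to hostname, and anything else is kept in
    unparsed_rhost so an odd value is never silently dropped."""
    if not value:
        return {}
    try:
        return {"source_ip": str(ipaddress.ip_address(value))}
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(value):
        return {"hostname": value}
    return {"unparsed_rhost": value}


def parse_pam_auth_failure(line: str) -> Dict[str, str]:
    """Parse one pam_unix auth-failure line; returns {} when it does not match."""
    m = _PAM_RE.match(line)
    if not m:
        return {}
    event = {
        "device": m.group("device"),
        "pid": m.group("pid"),
        "user": m.group("user"),
        "action": "failure",   # page: the action is now failure rather than error
    }
    event.update(classify_rhost(m.group("rhost")))
    return event


def parse_all(lines: List[str]) -> List[Dict[str, str]]:
    return [parse_pam_auth_failure(line) for line in lines]
```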

September 23, 2016
Modified Rules

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.0 and above
Updated rule 43-263047690 for the Windows Event Log - WMI data source to retain the Event Subtype sent by Windows.


September 26, 2016
Modified Rules

Vendor: McAfee
Data Source: ePolicy Orchestrator (SiteAdvisor)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1047503 was updated. The regular expression matches for action and severity were updated. The action and severity maps were updated to include more values. Additional regular expressions were added to map the HostName, HostIP, Rating, and ContentFuncGroup fields from the log to the Hostname, Source IP, Status, and URL_Category fields in the ESM. The mapping for ReasonType to Category was updated to prepend the ListType if the Reason is list.

Vendor: Bit9
Data Source: Bit9 Security Platform / Parity Suite (ASP)
Affected Versions: ESM 9.4.0 and above
The regular expressions for parsing rules 1036235 through 1036241, 1036247, 1036250, 1036256, 1036290 through 1036292, 1036360, 1036446, 1036469, and 1036470 were updated to match various versions of the logs.

October 5, 2016
Modified Rules

Vendor: McAfee
Data Source: Network Security Manager - SQL Pull (ASP)
Affected Versions: ESM 9.6.0 and above
Parsing rules 1034529, 1067507, 1067508, 1067509, and 1067510 were updated to better handle event reporting for environments running multiple stand-alone installations of NSM. Events reported in ESM for Standard NSM Signatures will have an ESM signature ID based on NSM's Attack ID. Events reported in ESM for User Defined NSM Signatures will have an ESM signature ID calculated based on NSM's signature name. ESM rule names have been updated to include L7 for rules that parse Layer 7 information if it is present. Field mappings were added for the Attack ID Reference and Rule Set Type fields from the log to the Message_ID and Event_Class fields within ESM. Rules 1067507 and 1067510 were modified to map the NetBIOS Action and FTP Action fields from the log to the Request_Type field in ESM.

New Rules

Vendor: McAfee
Data Source: Network Security Manager - SQL Pull (ASP)
Affected Versions: ESM 9.6.0 and above
Parsing rule 1069108 was added to the Network Security Manager - SQL Pull (ASP) rule set.

October 12, 2016
New Rules

Vendor: Fortscale
Data Source: Fortscale UEBA
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069109 was added to the Fortscale UEBA rule set.

Modified Rules

Vendor: Check Point
Data Source: Check Point (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rules 1047557 and 1047556 for the Check Point (ASP) data source.

October 13, 2016
New Rules

Vendor: ThreatConnect
Data Source: ThreatConnect Threat Intelligence Platform
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069110 was added to the ThreatConnect Threat Intelligence Platform rule set.

Vendor: Microsoft
Data Source: Windows Event Log - WMI
Affected Versions: ESM 9.4.1 and above
Parsing rules 43-432002990, 43-432003070, 43-432003240, 43-432004030, 43-432004040, 43-432004100, 43-432004120, 43-432004130, 43-432004310, 43-432005000, 43-432005010, 43-432005100, 43-432010220, 43-432010230, 43-432010240, 43-432011020, 43-432001110, 43-432001430, 43-432001560, 43-432001570, 43-432001980, 43-432002000, 43-432002070, 43-432002090, 43-432002220, 43-432002240, 43-432002300, 43-432002450, 43-432002520, 43-432003250, 43-432003420, 43-432003640, 43-432003860, 43-432003890, 43-432003910, 43-432003960, 43-432003990, 43-432004220, 43-432005010, and 43-432010000 were added to the Windows Event Log - WMI rule set to parse events from AD FS and AD FS Auditing Events.

October 25, 2016
Modified Rules

Vendor: Cisco
Data Source: IOS IPS (SDEE protocol)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1067511 for the IOS IPS (SDEE protocol) data source.

Vendor: Check Point
Data Source: Check Point (ASP)
Affected Versions: ESM 9.4.0 and above
Added Bytes_Sent, Bytes_Received, and Total_Bytes to parsing rules 1047552 through 1047558 for the Check Point (ASP) data source.

October 28, 2016
Modified Rules

Vendor: Blue Coat
Data Source: Reporter
Affected Versions: ESM 9.5.0 and above
Parsing rule 1068990 was updated to match the new Cloud Access Log format changed in Reporter version 6.8.1.63.

November 2, 2016
Modified Rules

Vendor: Juniper Networks
Data Source: Juniper Secure Access/MAG (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1057102 for the Juniper Secure Access/MAG (ASP) data source.


Vendor: McAfee
Data Source: Next Generation Firewall - Stonesoft (ASP)
Affected Versions: ESM 9.4.0 and above
Updated parsing rule 1036002 for the Next Generation Firewall - Stonesoft (ASP) data source.

November 7, 2016
Modified Rules

Vendor: McAfee
Data Source: ePolicy Orchestrator (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1039681 and 1039682 were updated to map Endpoint Security events reported in ePO to the Endpoint Security data sources on SIEM.

November 9, 2016
Modified Rules

Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Affected Versions: ESM 9.4.0 and above
Updated the parsing rules 1042183 and 1042179 for the Websense - CEF, Key Value Pair (ASP) data source.

New Rules

Vendor: Websense
Data Source: Websense - CEF, Key Value Pair (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1069111 was added to the Websense - CEF, Key Value Pair (ASP) data source.

November 10, 2016
New Rules

Vendor: Oracle
Data Source: Oracle Audit - SQL Pull (ASP)
Affected Versions: ESM 9.4.2 and above
Parsing rule 1069112 was added to the Oracle Audit - SQL Pull (ASP) rule set to parse events specifically collected from the Unified Audit Trail.

Modified Rules

Vendor: Oracle
Data Source: Oracle Audit (ASP)
Affected Versions: ESM 9.2.1 and above
Parsing rule 1047589 was updated to map additional messages for DECLARE, BEGIN, and CONNECT which were added in Oracle Unified Auditing.

Vendor: Oracle
Data Source: Oracle Audit - XML File Pull (ASP)
Affected Versions: ESM 9.2.1 and above
Parsing rule 1054452 was updated to map additional messages for DECLARE, BEGIN, and CONNECT which were added in Oracle Unified Auditing.

November 11, 2016
Modified Rules

Vendor: McAfee
Data Source: ePolicy Orchestrator (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rule 1039683 was updated to map the LocalPort and RemotePort from the HIPS log to the Source Port and Destination Port fields in the ESM.

December 2, 2016
Modified Rules

Vendor: ThreatConnect
Data Source: ThreatConnect Threat Intelligence Platform
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069110 was updated to map the IP Indicator field from the log to the Destination IP field in the ESM, allowing the indicator to be optionally appended to an IP Watchlist.

December 5, 2016
Modified Rules

Vendor: Infoblox
Data Source: NIOS
Affected Versions: ESM 9.5.0 and above
Parsing rules 1016575, 1016598, 1016703, 1016706, 1016733, 1046074, 1046075, 1046076 and 1064622 were updated to account for optional items in the log header, and to parse IPv6 addresses from the logs.

Vendor: Symantec
Data Source: Endpoint Protection (ASP)
Affected Versions: ESM 9.4.1 and above
Parsing rules 1049062 and 1064406 through 1064409 were updated to map the parameter field from the log to the Destination_Filename field in the ESM.

Vendor: Fortscale
Data Source: Fortscale UEBA
Affected Versions: ESM 9.5.0 and above
Parsing rule 1069109 was updated to map the AlertID from the URL in the log to the External_SessionID field in the ESM.

December 14, 2016
Modified Rules

Vendor: F5 Networks
Data Source: BIG-IP Application Security Manager - CEF (ASP)
Affected Versions: ESM 9.4.0 and above
Parsing rule 1037454 was updated to account for a potentially blank device version field in the CEF header.


Vendor: Trend Micro
Data Source: Deep Discovery - CEF (ASP)
Affected Versions: ESM 9.2.0 and above
The message for data source rule 473-200120 was updated from Blacklist Change to Deny List Updated to reflect the current event description.

Vendor: Microsoft
Data Source: Internet Information Services - FTP (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1029035 to account for IPv6 addresses.

Vendor: Microsoft
Data Source: Internet Information Services (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rules 1046244 and 1046245 to account for IPv6 addresses.

Vendor: Microsoft
Data Source: Internet Information Services - SMTP (ASP)
Affected Versions: ESM 9.2.0 and above
Updated parsing rule 1056295 to account for IPv6 addresses.

December 15, 2016
Modified Rules

Vendor: McAfee
Data Source: McAfee VirusScan Enterprise
Affected Versions: ESM 9.5.0 and above
Parsing rule 1051893 was updated to map just the file name, excluding the path, from the TargetFileName field in the log to the Filename field in the ESM.

Vendor: McAfee
Data Source: MOVE AntiVirus (ePO)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1039681 and 1039682 were updated to map the new MOVE product family names, enabling the events to be listed under the MOVE data source instead of the parent ePO data source.

December 16, 2016
Modified Rules

Vendor: Postfix
Data Source: Postfix (ASP)
Affected Versions: ESM 9.5.0 and above
Parsing rules 1012357, 1012358, 1012359, 1012361, 1012362, 1012363, 1012365, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, 1012391, 1012394, 1012409, 1012414, 1012440, 1012441, 1012443, 1012444, 1012445, 1016125, 1016126, 1016127, 1016128, 1016129, 1017710, 1017728, 1033738, 1033759, 1033777, 1033778, 1033779, 1033780, 1033781, 1033782, and 1033783 were updated to map the Queue ID from the log to the Mail_ID field in the ESM. Rules 1012359 and 1012391 were updated to map the message-ID from the log to the Message_ID field instead of the Object field in ESM. Rules 1012357, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, 1012409, 1012443, 1012444, and 1012445 were updated to account for queue ids containing underscores in the logs. Rules 1012357, 1012367, 1012368, 1012369, 1012371, 1012372, 1012373, and 1012409 were updated to map the SMTP response code from the log to the Response_Code field instead of the Command field in ESM. The content for parsing rule 1012359 was updated to account for different queue manager process names.


Content Packs

February 3, 2016
Updated Content Packs

Content Pack Name: Windows Authentication Content Pack
Content Pack Version: 1.2.0
Updates in this version:
- Added view, "Windows Accounts Created", to monitor newly created accounts
- Updated filter on correlation rule "Windows Authentication - Admin Logon From Non-Company Geolocation on Vista-2008 or Later"
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Microsoft Windows authentication events.
- Identify actionable intelligence within a network on correlated Windows-specific events.

February 4, 2016
New Content Packs

Content Pack Name: Windows Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Windows system errors and events.

Updated Content Packs

Content Pack Name: Domain Policy Content Pack
Content Pack Version: 1.3.0
Updates in this version:
- Added view to monitor for group policy errors.
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Track changes related to Microsoft Windows policy in your environment.

February 18, 2016
Updated Content Packs

Content Pack Name: Recon Content Pack
Content Pack Version: 1.3.0
Updates in this version:
- Added rule to monitor stealth scan activity.
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor possible reconnaissance events, such as network sweeps and unusual use of specific protocols from external sources.

April 13, 2016
New Content Packs

Content Pack Name: Vormetric Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Vormetric events and provide metrics to investigate key events from external sources.

April 18, 2016
Updated Content Packs

Content Pack Name: Database Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0 and above
Updates in this version:
- Updated rules and reports.
Use this content pack to:
- Monitor database authentication events.
- Monitor successful and potential database exploit activity.
- Monitor SQL events by language type.
- Monitor general database events.


May 20, 2016
Updated Content Packs

Content Pack Name: Windows Content Pack
Content Pack Version: 1.1.0
Affected Version: ESM 9.5.0 and above
Updates in this version:
- Added correlation rules, views, and alarms to monitor application crashes and external media usage.
Use this content pack to:
- Monitor failed Windows system errors.
- Monitor service errors in Windows.
- Monitor application crashes and hangs.
- Monitor system blue screens caused by applications.

Content Pack Name: Exfiltration Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0
Updates in this version:
- Updated all components interacting with the High Value Hosts watchlist.
Use this content pack to:
- Monitor methods of network uploads used for data exfiltration.
- Detect tampering of confidential data.
- Detect leakage of digital information via printing physical copies.
- Analyze suspicious user behavior and their access to specific resources, gauging how often they access sensitive resources on the network.

Content Pack Name: Exfiltration Content Pack
Content Pack Version: 2.1.0
Affected Version: ESM 9.5.1 and above
Updates in this version:
- Updated all components interacting with the High Value Hosts watchlist.
Use this content pack to:
- Monitor methods of network uploads used for data exfiltration.
- Detect tampering of confidential data.
- Detect leakage of digital information via printing physical copies.
- Analyze suspicious user behavior and their access to specific resources, gauging how often they access sensitive resources on the network.

May 31, 2016
Updated Content Packs

Content Pack Name: Windows Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0 and above
Updates in this version:
- Added correlation rules and views to monitor Windows Applocker events.
Use this content pack to:
- Monitor failed Windows system errors.
- Monitor service errors in Windows.
- Monitor application crashes and hangs.
- Monitor system blue screens caused by applications.
- Monitor Applocker events.

June 2, 2016
New Content Packs

Content Pack Name: Interset Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Interset User Story events.

July 12, 2016
Updated Content Packs

Content Pack Name: Malware Content Pack
Content Pack Version: 2.0.0
Affected Version: ESM 9.5.1 and above
Use this content pack to:
- Track known infections and malware-related events and their visual representation in the views.
- A logical workflow for reviewing malware events including: who is triggering these events, which threats are triggering these events, which resources are being compromised and which corporate locations are being affected.
- Insight into trending malware infections in specific zones or geolocations. This allows for swift action to perform security assessments.

August 9, 2016
Updated Content Packs

Content Pack Name: Authentication Content Pack
Content Pack Version: 1.2.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor authentication events.
- View failed and successful logons, as well as specific administrator logons.
- Track system default privileged user names.

September 15, 2016
New Content Packs

Content Pack Name: Aruba Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- This content pack helps monitor Aruba events.


September 27, 2016
Updated Content Packs

Content Pack Name: Windows Content Pack
Content Pack Version: 1.3.0
Updates in this version:
- Added Windows PowerShell Activity view.
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- Monitor Windows system errors and events.

September 30, 2016
New Content Packs

Content Pack Name: PhishMe Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- This content pack helps monitor PhishMe events.

November 2, 2016
New Content Packs

Content Pack Name: ThreatConnect Content Pack
Content Pack Version: 1.0.0
Affected Version: ESM 9.5.0 and above
Use this content pack to:
- This content pack helps monitor ThreatConnect events.


IPS Rules

January 12, 2016
New Rules

Microsoft Scripting Engine CVE-2016-0002 Memory Corruption Vulnerability
Rule 1068368 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0003 Memory Corruption Vulnerability
Rule 1068369 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. The update addresses the vulnerability by modifying how Microsoft Edge handles objects in memory.

Microsoft Office CVE-2016-0012 ASLR Bypass Vulnerability
Rules 1068370 through 1068371 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A security feature bypass exists when Microsoft Office fails to use the Address Space Layout Randomization (ASLR) security feature, allowing an attacker to more reliably predict the memory offsets of specific instructions in a given call stack. An attacker who successfully exploited it could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass in conjunction with another vulnerability, such as a remote code execution vulnerability, to more reliably run arbitrary code on a target system. In a web-browsing scenario, successful exploitation of the ASLR bypass requires a user to be logged on and running an affected version of Microsoft Office. The user would then need to browse to a malicious site. Therefore, any systems where a web browser is used frequently, such as workstations or terminal servers, are at the most risk from this ASLR bypass. Servers could be at more risk if administrators allow users to browse and read email on servers. However, best practices strongly discourage allowing this. The update addresses the ASLR bypass by helping to ensure that affected versions of Microsoft Office properly implement the ASLR security feature.

MS Windows CVE-2016-0014 feclient.dll Insecure Library Loading Elevation of Privilege
Rules 1068372 through 1068376 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An elevation of privilege vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could elevate their privileges on a targeted system. To exploit the vulnerability, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

Microsoft DirectShow CVE-2016-0015 Heap Corruption Remote Code Execution Vulnerability
Rules 1068377 through 1068378 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when DirectShow improperly validates user input. An attacker who successfully exploited this vulnerability could cause arbitrary code to execute in the context of the current user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. For an attack to be successful, this vulnerability requires that a user open a specially crafted file. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted link to the user and by convincing the user to open it. The security update addresses the vulnerability by modifying how DirectShow validates user input. Microsoft received information about the vulnerability through coordinated vulnerability disclosure. When this security bulletin was issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.

Microsoft CVE-2016-0016 DLL Loading Remote Code Execution Vulnerability
Rules 1068379 through 1068387 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

Microsoft CVE-2016-0018 DLL Loading Remote Code Execution Vulnerability
Rules 1068388 through 1068394 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

Microsoft MAPI CVE-2016-0020 mapi32x.dll Insecure Library Loading Code Execution
Rules 1068395 through 1068399 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An elevation of privilege vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited the vulnerability could elevate their privileges on a targeted system. To exploit the vulnerability, an attacker would first have to log on to the target system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

Microsoft Edge Scripting Engine CVE-2016-0024 Memory Corruption Vulnerability
Rule 1068400 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft .NET Framework CVE-2016-0033 Stack Overflow DoS Vulnerability
Rules 1068401 through 1068404 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A denial of service vulnerability exists when .NET Framework improperly handles certain extensible stylesheet language transformations (XSLT). An attacker who successfully exploited this vulnerability could cause the server to consistently crash with uncatchable exception errors (stack overflow). To exploit the vulnerability, an attacker would insert specially crafted XSLT into a client-side XML web part, causing the server to recursively compile XSLT transforms. The security update addresses the vulnerability by correcting how .NET Framework handles XSLT.

January 14, 2016
New Rules

Microsoft Office CTaskSymbol Use After Free
Rule 1068407 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A Use-After-Free vulnerability has been reported in Microsoft Office. The vulnerability is due to improper handling of a CTaskSymbol object in memory when parsing a specially crafted Office document that loads certain ActiveX controls. Remote, unauthenticated attackers could exploit this vulnerability by enticing a target user to open a specially crafted Office file. Successful exploitation allows the attacker to execute arbitrary code in the context of the current user.

CoDeSys Gateway Server Opcode 0x3ef Heap Buffer Overflow
Rule 1068408 was added to the CoDeSys category in the BASE rule set. The default usage was set to Alert,Block,Reset. A heap buffer overflow vulnerability exists in 3S Smart Software CoDeSys. The vulnerability is due to insufficient input validation when parsing requests with opcode 0x3ef. A remote unauthenticated attacker could exploit this vulnerability by sending a crafted request message to the vulnerable service. Successful exploitation could result in code execution in the security context of the process. Unsuccessful attack attempts could cause the affected service to terminate abnormally, causing a denial of service (DoS) condition.

Unitronics VisiLogic OPLC TeeCommander ChartLink ActiveX Control Memory Corruption
Rules 1068409 through 1068410 were added to the Unitronics category in the BASE rule set. The default usage was set to Alert. A memory corruption vulnerability exists in Unitronics VisiLogic OPLC. The vulnerability is due to an untrusted pointer dereference on the ChartLink parameter of the TeeChart.TeeCommander ActiveX control. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

Unitronics UniDownloader and VisiLogic OPLC IDE IPWorksSSL.HTTPS Memory Corruption
Rules 1068411 through 1068412 were added to the Unitronics category in the BASE rule set. The default usage was set to Alert. A memory corruption vulnerability exists in Unitronics VisiLogic OPLC IDE and UniDownloader. The vulnerability is due to an untrusted pointer dereference on the SSLCertHandle parameter of the IPWorksSSL.HTTPS ActiveX control. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

OpenSSL RSA PSS Absent Mask Generation Parameter Denial of Service
Rules 1068413 through 1068414 were added to the OpenSSL category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability exists in OpenSSL. The vulnerability is due to a NULL pointer dereference when an OpenSSL application receives and processes a crafted certificate containing an invalid RSA PSS parameter. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted client certificate to a vulnerable server application that requests it. Successful exploitation will cause the server application to crash, resulting in a denial-of-service condition.

Schneider Electric ProClima F1BookView CopyAll Memory Corruption
Rules 1068415 through 1068416 were added to the Schneider category in the BASE rule set. The default usage was set to Alert,Block,Reset. A memory corruption vulnerability has been reported in Schneider Electric ProClima. The vulnerability is due to a flaw in the CopyAll() method of the F1BookView ActiveX control, in which a user-supplied integer is interpreted as a memory address. A remote, unauthenticated attacker could exploit this vulnerability by enticing a victim user to browse to a malicious web page. Successful exploitation could lead to arbitrary code execution under the context of the user.

ManageEngine Desktop Central FileUploadServlet connectionId Arbitrary File Upload
Rule 1068417 was added to the ManageEngine category in the BASE rule set. The default usage was set to Alert,Block,Reset. An arbitrary file upload vulnerability has been reported in ManageEngine Desktop Central. The vulnerability is due to a failure to sanitize the connectionId HTTP parameter within the FileUploadServlet servlet. A remote, unauthenticated attacker could exploit this vulnerability by crafting a malicious file and uploading it onto the target system. Successful exploitation would allow the attacker to execute code in the SYSTEM context.

Samba LDAP Server libldb Infinite Loop Denial of Service
Rule 1068418 was added to the Samba category in the BASE rule set. The default usage was set to Alert. A denial-of-service vulnerability has been reported in the Samba LDAP server. The vulnerability is due to an error in processing certain LDAP requests by the libldb library used by the Samba daemon. A remote, authenticated attacker could exploit this vulnerability by sending malicious packets to cause the Samba daemon to become unresponsive. Successful exploitation could lead to a denial of service and exhaustion of CPU resources.

Unitronics VisiLogic OPLC TeeChart ActiveX RemoveSeries Out of Bounds Array Indexing
Rules 1068419 through 1068420 were added to the Unitronics category in the BASE rule set. The default usage was set to Alert,Block,Reset. An out-of-bounds array indexing vulnerability exists in Unitronics VisiLogic OPLC. The vulnerability is due to the use of a user-supplied value to calculate an array index in the RemoveSeries method of the TeeChart.TChart ActiveX control. A remote attacker could exploit this vulnerability by enticing a vulnerable user to open a crafted web page. Successful exploitation could lead to code execution in the context of the target user.

January 15, 2016
New Rules

MIT Kerberos 5 build_principal_va Denial of Service
Rules 1068421 through 1068432 were added to the MIT category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability exists in MIT Kerberos 5. The vulnerability occurs in build_principal_va() when a realm name containing a NULL byte is received: a buffer of only up to the NULL byte is allocated, whereas the complete ASN.1 length of the realm name is used as the length of the buffer. This can lead to a memory access violation. A remote, authenticated attacker can exploit this vulnerability by sending a malicious TGS message to the target server. Successful exploitation will cause the vulnerable process to terminate.

Samsung SmartViewer STWAxConfig Memory Corruption
Rules 1068433 through 1068435 were added to the Samsung category in the BASE rule set. The default usage was set to Alert. A memory corruption vulnerability exists in Samsung SmartViewer, specifically in the DVRSetupSave method of the STWAxConfig ActiveX control. The vulnerability is due to an untrusted pointer dereference. A remote attacker may exploit this vulnerability by enticing a victim to visit a maliciously crafted page. Successful exploitation could lead to execution of arbitrary code under the security context of the process.

Apache ActiveMQ Shutdown Command Denial of Service
Rule 1068436 was added to the Apache category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial of service vulnerability exists in Apache ActiveMQ. The vulnerability is due to missing authentication for the undocumented shutdown command. A remote, unauthenticated attacker may exploit this vulnerability by sending crafted packets to the server. Successful exploitation could lead to a denial of service condition.

IBM WebSphere Application Server Commons-Collections Library Remote Code Execution
Rules 1068437 through 1068445 were added to the IBM category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability has been reported in IBM WebSphere Application Server. The vulnerability is due to deserialization of untrusted data while having the vulnerable version of the Apache Commons-Collections library in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

PowerDNS Authoritative Server DNS Packet Processing Denial of Service
Rules 1068446 through 1068447 were added to the PowerDNS category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability exists in PowerDNS Authoritative Server. The vulnerability is due to an input validation error in PowerDNS while processing crafted DNS packets. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted DNS packet to the target application. A successful attack could lead to a system crash, resulting in a denial of service condition.

Kaspersky Internet Security HTTPS Inspection Insecure Certificate Validation
Rules 1068448 through 1068450 were added to the Kaspersky category in the BASE rule set. The default usage was set to Alert,Block,Reset. A code execution vulnerability has been reported in Kaspersky Internet Security. This vulnerability is due to improper validation of a temporary certificate name. Specifically, Kaspersky does not sanitize the Common Name attribute of X.509 certificates before creating a temporary certificate. A remote, unauthenticated attacker can exploit this vulnerability by sending the user a crafted certificate, which is then scanned by the vulnerable anti-virus to validate the certificate. Successful exploitation leads to a directory traversal and can result in code execution.

Oracle WebLogic Server Commons-Collections Library Insecure Deserialization
Rules 1068451 through 1068459 were added to the Oracle category in the BASE rule set. The default usage was set to Alert. An insecure deserialization vulnerability has been reported in Oracle WebLogic Server. This vulnerability is due to deserialization of untrusted data while having the vulnerable version of the Apache Commons-Collections library in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a request message that contains a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

Jenkins CI Server Commons-Collections Library Insecure Deserialization
Rules 1068460 through 1068468 were added to the Jenkins category in the BASE rule set. The default usage was set to Alert. An insecure deserialization vulnerability has been reported in Jenkins CI Server. This vulnerability is due to deserialization of untrusted data while having the vulnerable version of the Apache Commons-Collections library in the code path. A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted serialized object. Successful exploitation can result in arbitrary code execution in the security context of the System user.

Autodesk Design Review GIF GlobalColorTable DataSubBlock Buffer Overflow
Rules 1068469 through 1068472 were added to the Autodesk category in the BASE rule set. The default usage was set to Alert,Block,Reset. A heap buffer overflow vulnerability exists in Autodesk Design Review. The vulnerability is due to an error when processing the GlobalColorTable flag and DataSubBlock size fields inside a GIF file. In order to exploit the vulnerability, the remote attacker needs to entice the target user to open a malicious file using the vulnerable application. Successful exploitation would allow the attacker to execute arbitrary code.

Schneider Electric ProClima F1BookView AttachToSS Memory Corruption
Rules 1068473 through 1068474 were added to the Schneider category in the BASE rule set. The default usage was set to Alert,Block,Reset. A memory corruption vulnerability has been reported in Schneider Electric ProClima. The vulnerability is due to a flaw in the AttachToSS() method of the F1BookView ActiveX control, in which a user-supplied integer is interpreted as a memory address. A remote, unauthenticated attacker could exploit this vulnerability by enticing a victim to browse to a malicious web page. Successful exploitation could lead to arbitrary code execution under the context of the user.

Apache Subversion svn Protocol Parser Integer Overflow
Rules 1068475 through 1068478 were added to the Apache category in the BASE rule set. The default usage was set to Alert,Block,Reset. An integer overflow vulnerability exists in Apache Subversion. The vulnerability is due to a flaw in the svn:// protocol parser. A remote, unauthenticated attacker could exploit this vulnerability by sending crafted requests that will be processed by the svn:// protocol parser in svnserve. Successful exploitation could allow the attacker to cause a denial of service or execute arbitrary code under the context of the targeted process.

ISC BIND db.c Assertion Failure Denial of Service
Rules 1068479 through 1068486 were added to the ISC category in the BASE rule set. The default usage was set to Alert,Block,Reset. A denial-of-service vulnerability has been reported in BIND. The vulnerability is due to improper parsing of incoming responses, allowing malformed records to be accepted by BIND when they should not be. A remote, unauthenticated attacker could exploit this vulnerability against DNS servers that perform recursive queries by crafting responses with an improper class attribute. Successful exploitation could lead to a denial of service.

February 9, 2016
New Rules

Microsoft Office CVE-2016-0022 Memory Corruption Vulnerability
Rules 1068556 through 1068557 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Microsoft .NET CVE-2016-0033 Stack Overflow DoS Vulnerability
Rules 1068558 through 1068559 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A security feature bypass vulnerability for Microsoft Edge exists as a result of how exceptions are handled when dispatching certain window messages, allowing an attacker to probe the layout of the address space and thereby bypass Address Space Layout Randomization (ASLR). By itself, the ASLR bypass vulnerability does not allow arbitrary code execution. However, an attacker could use the ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability, to run arbitrary code on a target system. Successful exploitation of the ASLR bypass vulnerability requires a user to be logged on and running an affected version of Microsoft Edge. The user would then need to browse to a malicious site.

Windows CVE-2016-0041 DLL Loading Remote Code Execution Vulnerability
Rules 1068560 through 1068573 were added to the Windows category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

MS Windows CVE-2016-0042 DLL Loading Remote Code Execution Vulnerability
Rules 1068574 through 1068589 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Windows improperly validates input before loading dynamic link library (DLL) files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first have to log on to the target system and then run a specially crafted application.

Microsoft Office CVE-2016-0053 Memory Corruption Vulnerability
Rules 1068590 through 1068591 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

IE CVE-2016-0060 Memory Corruption Vulnerability
Rule 1068592 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0061 Memory Corruption Vulnerability
Rules 1068593 through 1068594 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0063 Memory Corruption Vulnerability
Rules 1068595 through 1068598 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0067 Memory Corruption Vulnerability
Rule 1068599 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0068 Elevation of Privilege
Rule 1068600 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. An elevation of privilege vulnerability exists when Internet Explorer does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Internet Explorer. The vulnerability alone does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Internet Explorer, but due to the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).

March 8, 2016
New Rules

Microsoft Office CVE-2016-0021 Memory Corruption Vulnerability - Excel
Rules 1068619 through 1068622 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that the Preview Pane is not an attack vector for this vulnerability. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Windows Media Player CVE-2016-0098 Parsing Remote Code Execution Vulnerability
Rule 1068623 was added to the Windows category in the BASE rule set. The default usage was set to Alert,Block,Reset. A vulnerability exists in Microsoft Windows. The vulnerability could allow remote code execution if a user opens specially crafted media content that is hosted on a website. An attacker could host media content on a website or send an attachment in an email and then convince a user to open it. An attacker who successfully exploited this vulnerability could take control of an affected system remotely. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft Browser CVE-2016-0102 Memory Corruption Vulnerability
Rule 1068624 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0104 Memory Corruption Vulnerability
Rule 1068625 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Microsoft Browser CVE-2016-0105 Memory Corruption Vulnerability
Rule 1068626 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0106 Memory Corruption Vulnerability
Rule 1068627 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0107 Memory Corruption Vulnerability
Rule 1068628 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0108 Memory Corruption Vulnerability
Rule 1068629 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0109 Memory Corruption Vulnerability
Rule 1068630 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Browser CVE-2016-0110 Memory Corruption Vulnerability
Rule 1068631 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.


Microsoft Browser CVE-2016-0111 Memory Corruption Vulnerability
Rule 1068632 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0112 Memory Corruption Vulnerability
Rule 1068633 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0113 Memory Corruption Vulnerability
Rule 1068634 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0114 Memory Corruption Vulnerability
Rule 1068635 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0123 Memory Corruption Vulnerability
Rule 1068636 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0124 Memory Corruption Vulnerability
Rule 1068637 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe Reader CVE-2016-1008 updaternotifications.dll Insecure Library Loading Code Execution - WebDAV
Rules 1068638 through 1068642 were added to the Adobe category in the BASE rule set. The default usage was set to Alert,Block,Reset. This vulnerability is an instance of code injection through insecure library loading: when an application dynamically loads a dynamic-link library without specifying a fully qualified path name, Windows attempts to locate the DLL by searching a well-defined set of directories, one of which is the current document directory. In this case, the current SMB share directory may contain a malicious DLL that has special meaning for Acrobat, and it is loaded in place of the expected library.

March 17, 2016
New Rules

SSLv2 Session Negotiation - Server Hello
Rules 1068769 through 1068777 were added to the SSLv2 category in the BASE rule set. The default usage was set to Alert. DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication. DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Attackers can obtain any communication between users and the server. This typically includes, but is not limited to, usernames and passwords, credit card numbers, emails, instant messages, and sensitive documents. Under some common scenarios, an attacker can also impersonate a secure website and intercept or change the content the user sees. These rules match the SSLv2 Server Hello, that is, a server that still completes an SSLv2 handshake; note that a server is also exposed when another host that shares its RSA private key accepts SSLv2, which traffic from the first server alone will not reveal.
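An added example, not McAfee's rule logic (the rule bodies are not published here): a minimal SSLv2 handshake parser of the kind a rule for "SSLv2 Session Negotiation - Server Hello" has to contain. It recognises the SSLv2 CLIENT-HELLO and SERVER-HELLO messages from the two-byte SSLv2 record header, lists the cipher specs they carry, and flags the 40-bit export specs that make DROWN cheap. The function names, and every sample byte string, are ours and constructed for the example.

```python
"""Added example, not McAfee rule logic: decode SSLv2 CLIENT-HELLO and
SERVER-HELLO records and flag export cipher specs. Sample records are
constructed below; nothing here is captured from a real server."""
import struct
from typing import Dict, List, Optional

SSL2_CLIENT_HELLO = 0x01
SSL2_SERVER_HELLO = 0x04

# 3-byte cipher-spec codes from the SSL 2.0 specification.
SSL2_CIPHER_SPECS: Dict[bytes, str] = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def _cipher_names(specs: bytes) -> List[str]:
    """Map each 3-byte cipher spec to its name (hex for unknown codes)."""
    return [SSL2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def parse_ssl2_hello(data: bytes) -> Optional[dict]:
    """Decode an SSLv2 CLIENT-HELLO or SERVER-HELLO record, else None.

    Hello messages use the 2-byte SSLv2 header (high bit set, 15-bit
    length). TLS records start with a content type such as 0x16, whose
    high bit is clear, so they are rejected at the first check. The
    3-byte padded SSLv2 header used for encrypted records is not handled.
    """
    if len(data) < 3 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length:
        return None  # truncated record; do not guess at fields
    msg_type = body[0]
    if msg_type == SSL2_CLIENT_HELLO and len(body) >= 9:
        version, cs_len, _sid_len, _chal_len = struct.unpack(">HHHH", body[1:9])
        return {"msg": "CLIENT-HELLO", "version": version,
                "ciphers": _cipher_names(body[9:9 + cs_len])}
    if msg_type == SSL2_SERVER_HELLO and len(body) >= 11:
        # body[1] = session-id hit, body[2] = certificate type, then
        # version, certificate length, cipher-spec length, connection-id length
        version, cert_len, cs_len, _conn_len = struct.unpack(">HHHH", body[3:11])
        specs_start = 11 + cert_len
        return {"msg": "SERVER-HELLO", "version": version,
                "ciphers": _cipher_names(body[specs_start:specs_start + cs_len])}
    return None


def export_ciphers(record: dict) -> List[str]:
    """The 40-bit export specs in a decoded hello, if any."""
    return [c for c in record.get("ciphers", []) if "EXPORT40" in c]


def assess(data: bytes) -> str:
    """Verdict in the spirit of the rules above: the SERVER-HELLO is the
    signal that the server still speaks SSLv2; export specs make it worse."""
    rec = parse_ssl2_hello(data)
    if rec is None:
        return "no SSLv2 hello"
    if rec["msg"] == "CLIENT-HELLO":
        return "SSLv2 CLIENT-HELLO seen (client offers SSLv2; server not yet confirmed)"
    exports = export_ciphers(rec)
    if exports:
        return "SSLv2 SERVER-HELLO with export ciphers %s: DROWN-exposed" % ", ".join(exports)
    return "SSLv2 SERVER-HELLO: server still completes SSLv2 handshakes"


def build_ssl2_server_hello(cert: bytes, specs: bytes, conn_id: bytes) -> bytes:
    """Constructed SERVER-HELLO record (version 0x0002) for testing."""
    body = bytes([SSL2_SERVER_HELLO, 0x00, 0x01])  # no session-id hit, X.509 cert
    body += struct.pack(">HHHH", 0x0002, len(cert), len(specs), len(conn_id))
    body += cert + specs + conn_id
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


# Constructed sample: a server answering SSLv2 and offering RC4-40 export.
SAMPLE_SERVER_HELLO = build_ssl2_server_hello(
    cert=b"\x30\x82\x00\x04FAKE",  # placeholder bytes, not a real certificate
    specs=b"\x02\x00\x80" + b"\x01\x00\x80",
    conn_id=bytes(16))
SAMPLE_TLS_RECORD = b"\x16\x03\x01\x00\x05hello"  # TLS handshake record, not SSLv2

if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_HELLO))
    print(assess(SAMPLE_TLS_RECORD))
```

The parser alerts on the Server Hello rather than the Client Hello for the same reason the rules do: scanners and old clients offer SSLv2 all the time, and only a server that answers in kind is the DROWN-relevant finding.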

March 23, 2016
New Rules

MS Windows OLE CVE-2016-0092 Remote Code Execution CFB
Rules 1068792 through 1068797 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A code execution vulnerability exists in Microsoft Windows OLE. The vulnerability is due to improper validation of user input. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted web page, an email message, or a document containing an OLE object. Successful exploitation could lead to arbitrary code execution in the security context of the target user.

MS Windows OLE CVE-2016-0091 Remote Code Execution CFB
Rules 1068798 through 1068803 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A code execution vulnerability exists in Microsoft Windows OLE. The vulnerability is due to improper validation of user input. A remote attacker can exploit this vulnerability by enticing the target user to open a specially crafted web page, an email message, or a document containing an OLE object. Successful exploitation could lead to arbitrary code execution in the security context of the target user.
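An added example, not McAfee's or Microsoft's code, for the two OLE entries above: a decoder and sanity checker for the 512-byte header of an OLE2 Compound File Binary (CFB) container. We assume "CFB" in the rule names refers to that container format; the actual matching logic of rules 1068792 through 1068803 is not published here. The checks are the consistency rules an OLE parser must apply before it trusts the sector layout (version, sector size, byte order, and sector numbers that stay inside the file), which is also what a content rule can match on. All sample files are constructed by build_cfb() below.

```python
"""Added example, not McAfee rule code: decode and sanity-check the
512-byte header of an OLE2 Compound File Binary (CFB) container.
Sample files are constructed by build_cfb()."""
import struct
from typing import Dict, List, Tuple

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
DIFAT_IN_HEADER = 109  # the header carries the first 109 FAT sector numbers


def parse_cfb_header(blob: bytes) -> Tuple[Dict[str, object], List[str]]:
    """Return (fields, problems); problems is empty for a consistent header."""
    problems: List[str] = []
    if len(blob) < 512:
        return {}, ["file shorter than the 512-byte CFB header"]
    hdr = blob[:512]
    if hdr[:8] != CFB_MAGIC:
        return {}, ["bad CFB signature"]
    # offsets 24..34: minor version, major version, byte order, sector shift, mini sector shift
    minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<HHHHH", hdr, 24)
    # offsets 40..76: directory/FAT sector counts, first directory sector, transaction
    # signature, mini stream cutoff, mini FAT start/count, DIFAT start/count
    (num_dir_sects, num_fat_sects, first_dir_sect, _trans_sig, mini_cutoff,
     _first_minifat, _num_minifat, _first_difat, num_difat) = struct.unpack_from("<9I", hdr, 40)
    difat = struct.unpack_from("<%dI" % DIFAT_IN_HEADER, hdr, 76)

    if byte_order != 0xFFFE:
        problems.append("byte order mark 0x%04X is not 0xFFFE" % byte_order)
    if major not in (3, 4):
        problems.append("unknown major version %d" % major)
    elif sector_shift != (9 if major == 3 else 12):
        problems.append("sector shift %d is invalid for major version %d" % (sector_shift, major))
    if mini_shift != 6:
        problems.append("mini sector shift %d is not 6" % mini_shift)
    if mini_cutoff != 4096:
        problems.append("mini stream cutoff %d is not 4096" % mini_cutoff)
    if major == 3 and num_dir_sects != 0:
        problems.append("version 3 file declares %d directory sectors" % num_dir_sects)
    if num_fat_sects == 0:
        problems.append("header declares no FAT sectors")

    listed = [s for s in difat if s != FREESECT]
    sector_size = None
    if sector_shift in (9, 12):
        sector_size = 1 << sector_shift
        total = (len(blob) - 512) // sector_size  # sectors actually present
        if len(listed) != min(num_fat_sects, DIFAT_IN_HEADER):
            problems.append("DIFAT lists %d FAT sectors but header declares %d"
                            % (len(listed), num_fat_sects))
        for s in listed:
            if s >= total:
                problems.append("FAT sector %d lies beyond end of file (%d sectors)" % (s, total))
        if first_dir_sect >= total:
            problems.append("first directory sector %d lies beyond end of file (%d sectors)"
                            % (first_dir_sect, total))
    fields = {"major_version": major, "minor_version": minor, "sector_size": sector_size,
              "num_fat_sectors": num_fat_sects, "first_dir_sector": first_dir_sect,
              "num_difat_sectors": num_difat, "fat_sectors": listed}
    return fields, problems


def build_cfb(major=3, sector_shift=9, mini_shift=6, mini_cutoff=4096,
              num_fat=1, first_dir=1, fat_sector=0, body_sectors=2) -> bytes:
    """Constructed minimal CFB file: a header plus body_sectors zeroed 512-byte sectors.
    Parameters deliberately allow building inconsistent headers."""
    hdr = bytearray(512)
    hdr[0:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, major, 0xFFFE, sector_shift, mini_shift)
    struct.pack_into("<9I", hdr, 40, 0, num_fat, first_dir, 0, mini_cutoff,
                     ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    difat = [fat_sector] + [FREESECT] * (DIFAT_IN_HEADER - 1)
    struct.pack_into("<%dI" % DIFAT_IN_HEADER, hdr, 76, *difat)
    return bytes(hdr) + bytes(512 * body_sectors)


if __name__ == "__main__":
    for label, sample in (("well-formed", build_cfb()),
                          ("bogus sector shift", build_cfb(sector_shift=15)),
                          ("directory sector out of range", build_cfb(first_dir=0x7FFFFFF0))):
        print(label, parse_cfb_header(sample)[1])
```

The out-of-range sector checks are the ones that matter for a parser written in C: a sector number is multiplied by the sector size and used as a file offset, so a header that names a sector beyond the end of the file, or a sector shift that makes the sector size absurd, is exactly the input a memory-safety bug in an OLE reader turns on.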

April 13, 2016
New Rules

Microsoft Office CVE-2016-0127 Memory Corruption Vulnerability
Rule 1068857 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists in Microsoft Office software when the Office software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Office software. Note that where the severity is indicated as Critical in the Affected Software and Vulnerability Severity Ratings table, the Preview Pane is an attack vector for CVE-2016-0127. In an email attack scenario an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. In a web-based attack scenario an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince them to open the specially crafted file.

Microsoft MSXML 3.0 CVE-2016-0147 Remote Code Execution Vulnerability
Rules 1068858 through 1068859 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when the Microsoft XML Core Services (MSXML) parser processes user input. An attacker who successfully exploited the vulnerability could run malicious code remotely to take control of the user's system. To exploit the vulnerability, an attacker could host a specially crafted website that is designed to invoke MSXML through Internet Explorer. However, an attacker would have no way to force a user to visit such a website. Instead, an attacker would typically have to convince a user to either click a link in an email message or a link in an Instant Messenger request that would then take the user to the website. When the user's browser parses the XML content, an attacker could run malicious code remotely to take control of the user's system.

Microsoft .NET Framework CVE-2016-0148 Remote Code Execution Vulnerability ascii
Rules 1068860 through 1068861 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when the .NET Framework fails to properly validate input before loading libraries. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. To exploit the vulnerability, an attacker would first need to have access to the local system and have the ability to execute a malicious application.
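An added example, not Adobe's, Microsoft's or McAfee's code, that serves both library-loading entries on this page (Adobe Reader CVE-2016-1008 above, under March 8, and .NET Framework CVE-2016-0148 just above): a model of the Windows DLL search order showing why a library requested by bare file name can be satisfied from a directory the attacker controls, and what a loader that restricts the search does differently. The search order itself is Microsoft's documented one for LoadLibrary with SafeDllSearchMode on (the default) and off; KnownDLLs, already-loaded modules and manifest redirection are left out for clarity. The directory layout, share name and file names are constructed, and nothing here says which directories the real Reader installation contains.

```python
"""Added example, not vendor code: a model of the Windows DLL search
order for LoadLibrary(name). Directory contents below are constructed."""
from typing import Dict, Iterable, List, Optional, Set

Filesystem = Dict[str, Set[str]]  # directory -> lower-case file names it holds

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def search_order(app_dir: str, cwd: str, path_dirs: Iterable[str],
                 safe_dll_search_mode: bool = True) -> List[str]:
    """Directories the loader walks for an unqualified DLL name, in order.

    With SafeDllSearchMode (default since Windows XP SP2) the current
    directory is searched after the system directories; without it the
    current directory comes second, right after the application directory."""
    if safe_dll_search_mode:
        return [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]
    return [app_dir, cwd, SYSTEM32, SYSTEM16, WINDIR, *path_dirs]


def _has(fs: Filesystem, directory: str, name: str) -> bool:
    return name.lower() in fs.get(directory, set())


def _qualified(fs: Filesystem, name: str) -> Optional[str]:
    """A name containing a backslash is opened as given; no search happens."""
    directory, _, base = name.rpartition("\\")
    return name if _has(fs, directory, base) else None


def resolve_dll(name: str, fs: Filesystem, app_dir: str, cwd: str,
                path_dirs: Iterable[str] = (),
                safe_dll_search_mode: bool = True) -> Optional[str]:
    """Path the loader picks for LoadLibrary(name), or None if not found.
    This is the behaviour both advisories describe: a bare name is
    searched, and a DLL absent from the application and system
    directories is taken from wherever the search reaches it first."""
    if "\\" in name:
        return _qualified(fs, name)
    for directory in search_order(app_dir, cwd, path_dirs, safe_dll_search_mode):
        if _has(fs, directory, name):
            return directory + "\\" + name
    return None


def resolve_dll_hardened(name: str, fs: Filesystem, app_dir: str) -> Optional[str]:
    """What the application should do instead: load by fully qualified
    path, or confine the search to its own directory and System32 (the
    effect of LoadLibraryEx with LOAD_LIBRARY_SEARCH_APPLICATION_DIR |
    LOAD_LIBRARY_SEARCH_SYSTEM32). The current directory, and with it a
    document's SMB or WebDAV share, is never consulted."""
    if "\\" in name:
        return _qualified(fs, name)
    for directory in (app_dir, SYSTEM32):
        if _has(fs, directory, name):
            return directory + "\\" + name
    return None


# Constructed scenario: the requested DLL is absent from the application and
# system directories, and the user opened a document from a remote share,
# which became the process's current directory.
APP_DIR = r"C:\Program Files\Adobe\Reader"   # constructed install path
SHARE = r"\\fileserver\docs"                 # constructed attacker-writable share
FS: Filesystem = {
    APP_DIR: {"acrord32.exe", "acrord32.dll"},
    SYSTEM32: {"kernel32.dll", "user32.dll"},
    SHARE: {"invoice.pdf", "updaternotifications.dll"},
}

if __name__ == "__main__":
    print("bare name, default loader:", resolve_dll("updaternotifications.dll", FS, APP_DIR, SHARE))
    print("bare name, restricted loader:", resolve_dll_hardened("updaternotifications.dll", FS, APP_DIR))
    print("qualified name:", resolve_dll_hardened(APP_DIR + "\\acrord32.dll", FS, APP_DIR))
```

The point the model makes is that SafeDllSearchMode only reorders the search; it does not help when the DLL does not exist in any trusted directory, because the loader keeps walking until it reaches the current directory or PATH. Only a qualified path or a restricted search set removes the attacker's directory from consideration.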

Microsoft Browser CVE-2016-0154 Memory Corruption Vulnerability
Rules 1068862 through 1068863 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0155 Memory Corruption Vulnerability
Rule 1068864 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0156 Memory Corruption Vulnerability
Rule 1068865 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0157 Memory Corruption Vulnerability
Rule 1068866 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0158 Memory Corruption Vulnerability
Rule 1068867 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An elevation of privilege vulnerability exists when Microsoft Edge does not properly enforce cross-domain policies, which could allow an attacker to access information from one domain and inject it into another domain. In a web-based attack scenario, an attacker could host a website in an attempt to exploit the vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker could not force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action. For example, an attacker could trick a user into clicking a link that takes the user to the attacker's site. An attacker who successfully exploited this vulnerability could elevate privileges in affected versions of Microsoft Edge. The vulnerability by itself does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Microsoft Edge, but due to the context in which processes are launched by Microsoft Edge, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (the permissions of the current user).

IE CVE-2016-0159 Memory Corruption Vulnerability
Rule 1068868 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0160 DLL Loading Code Execution - WebDAV
Rules 1068869 through 1068873 were added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0161 Elevation of Privilege Vulnerability
Rule 1068874 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. An elevation of privilege vulnerability exists when Microsoft Edge does not properly validate JavaScript under specific conditions, potentially allowing a script to be run with elevated privileges. In a web-based attack scenario, an attacker could host a website in an attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit the vulnerability. However, in all cases an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action. For example, an attacker could trick users into clicking a link that takes them to the attacker's site. An attacker who successfully exploited the vulnerability could elevate privileges in affected versions of Microsoft Edge. An attacker could then leverage these privileges with another vulnerability to run arbitrary code with medium integrity level privileges (permissions of the current user). This vulnerability by itself does not allow arbitrary code to be run. However, this vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code. For example, an attacker could exploit another vulnerability to run arbitrary code through Microsoft Edge, but because of the context in which processes are launched by Internet Explorer, the code might be restricted to run at a low integrity level (very limited permissions). However, an attacker could, in turn, exploit this vulnerability to cause the arbitrary code to run at a medium integrity level (permissions of the current user).

IE CVE-2016-0164 Memory Corruption Vulnerability
Rule 1068875 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert,Block,Reset. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. This vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by way of enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Adobe Flash oleacc.dll Insecure Library Loading Code Execution - WebDAV
Rules 1068876 through 1068935 were added to the Adobe category in the BASE rule set. The default usage was set to Alert,Block,Reset. Adobe Flash loads external code via Dynamic Link Libraries (DLLs). Malicious code can be planted using a DLL with the same name as the one Flash normally uses. Flash will look for the library through a set of predefined directories, one of which is the installation directory.
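The library-loading weakness described above is visible on the endpoint as an image-load event in which oleacc.dll arrives from a location other than the Windows system directories, for instance a WebDAV share reached over a UNC path. The following is an added example of that check, not McAfee rule content or Adobe code; the Sysmon-style event shape, field names and sample paths are constructed assumptions.

```python
import ntpath
from typing import Dict, Iterable, List, Optional

# Constructed sample records in a Sysmon-style "image loaded" shape.
# The field names and every path below are assumptions for this example.
SAMPLE_EVENTS = [
    {"id": 1, "process": r"C:\Program Files\Adobe\FlashPlayer.exe",
     "module": r"C:\Windows\System32\oleacc.dll"},            # expected
    {"id": 2, "process": r"C:\Program Files\Adobe\FlashPlayer.exe",
     "module": r"\\203.0.113.10@80\DavWWWRoot\oleacc.dll"},    # WebDAV/UNC
    {"id": 3, "process": r"C:\Program Files\Adobe\FlashPlayer.exe",
     "module": r"C:\Program Files\Adobe\oleacc.dll"},          # planted copy
    {"id": 4, "process": r"C:\Program Files\Adobe\FlashPlayer.exe",
     "module": r"C:\Windows\SysWOW64\OLEACC.DLL"},             # expected (32-bit)
    {"id": 5, "process": r"C:\Windows\explorer.exe",
     "module": r"C:\Users\alice\Downloads\other.dll"},         # not oleacc.dll
]

# Directories from which the legitimate oleacc.dll is expected to load.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _norm(path: str) -> str:
    """Case-fold and use backslashes so comparisons are stable."""
    return path.replace("/", "\\").lower()


def is_remote_path(path: str) -> bool:
    """True for UNC paths, including the host@port form the WebDAV
    redirector uses. A drive letter mapped to WebDAV is not visible here
    and would need the mapping table to resolve."""
    return _norm(path).startswith("\\\\")


def classify(event: Dict[str, object], watched: str = "oleacc.dll") -> Optional[str]:
    """Return a reason string when the loaded module is a suspicious copy of
    the watched DLL, otherwise None."""
    module = _norm(str(event["module"]))
    if ntpath.basename(module) != watched:
        return None
    if is_remote_path(module):
        return "remote"          # fetched over UNC / WebDAV
    if ntpath.dirname(module) not in TRUSTED_DIRS:
        return "untrusted_dir"   # a same-named DLL from a search-path directory
    return None


def find_hijack_candidates(events: Iterable[Dict[str, object]]) -> List[Dict[str, object]]:
    """Filter image-load events down to those worth alerting on."""
    findings = []
    for ev in events:
        reason = classify(ev)
        if reason is not None:
            findings.append({"id": ev["id"], "process": ev["process"],
                             "module": ev["module"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_hijack_candidates(SAMPLE_EVENTS):
        print(f"event {f['id']}: {f['reason']} -> {f['module']}")
```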

May 20, 2016
New Rules

Microsoft Graphics Component CVE-2016-0168 Information Disclosure Vulnerability ANSI
Rules 1068936 through 1068937 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert,Block,Reset. An information disclosure vulnerability exists when the Windows GDI component improperly discloses contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage.

Microsoft Scripting Engine CVE-2016-0187 Memory Corruption Vulnerability
Rule 1068938 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

IE CVE-2016-0189 Scripting Engine Memory Corruption Vulnerability
Rule 1068939 was added to the Internet_Explorer category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the VBScript engine renders when handling objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Edge CVE-2016-0191 Memory Corruption Vulnerability
Rule 1068940 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.

Microsoft Browser CVE-2016-0192 Memory Corruption Vulnerability
Rules 1068941 through 1068942 were added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer, and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-generated content or advertisements, by adding specially crafted content that could exploit the vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content. Instead, an attacker would have to convince users to take action, typically by an enticement in an email or Instant Messenger message, or by getting them to open an attachment sent through email. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, the attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Microsoft Scripting Engine CVE-2016-0193 Memory Corruption Vulnerability
Rule 1068943 was added to the Microsoft category in the BASE rule set. The default usage was set to Alert. A remote code execution vulnerability exists in the way that the Chakra JavaScript engine renders when handling objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the Edge rendering engine. The attacker could also take advantage of compromised websites, and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.


2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The information contained herein is subject to change without notice, and is provided "AS IS" without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance.

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2015 McAfee, Inc.

