Release notes for update package 1531-5242

This update package improves the detection capabilities of the Forcepoint LLM system.

RELEASE DATE:     Monday November 28, 2022
MD5 CHECKSUM:     4ec57e006d5f3b48d6134190f2140d39
SHA1 CHECKSUM:     6c88f899b85f2e93f0f6d76219818cdb15bab8b8
SHA256 CHECKSUM:     4195ec3860a759f8725c86f7280b5d89e0497cc4a72b20fd8fd2e7c657ff5828

UPDATE CRITICALITY:    MODERATE


DETECTED ATTACKS

Updated detected attacks:

HTTP Normalized Request-Line

Risk | Vulnerability/Situation | References | Related Fingerprint | Situation Type | Change Description
High | Huawei-Router-HG532-Arbitrary-Command-Execution | CVE-2017-17215 | HTTP_CRL-Huawei-Router-HG532-Arbitrary-Command-Execution | Suspected Compromise | Description has changed (Attacker: connection_destination->connection_source; Victim: connection_source->connection_destination)
High | F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388 | CVE-2022-1388 | HTTP_CRL-F5-iControl-Rest-Unauthenticated-RCE-CVE-2022-1388 | Suspected Compromise | Fingerprint regexp changed

LIST OF OTHER CHANGES:

Updated objects:

Type / Name (the Changes column is empty for every entry):

IPList:
  TOR exit nodes IP Address List
  Amazon AMAZON
  Google Servers
  TOR relay nodes IP Address List
  Botnet IP Address List
  Malicious Site IP Address List
  Amazon AMAZON ap-south-1

Protocol Agent:
  H323
  Oracle
  Services in firewall
  Shell
  SSM TCP Proxy
  SSM UDP Proxy
  SSM HTTP Proxy
  SSM SSH Proxy
  Ethernet
  Protocol Identification
  QUIC
  IPv4
  IPv6
  IPv6 Encapsulation
  IPv4 Encapsulation
  TCP
  UDP
  ICMP
  GRE
  IP Tunnel
  unknown TCP
  HTTP
  FTP
  SSH
  SMTP
  DNS
  SIP
  HTTP with SSM TCP Proxy
  SSM FTP Proxy
  SSH with SSM TCP Proxy
  HTTP with SSM HTTP Proxy
  SSM DNS Proxy (TCP)
  SSM DNS Proxy (UDP)
  unknown UDP
  BOOTP
  Sunrpc (UDP)
  SNMP (UDP)
  TFTP
  MSSQL (UDP)
  LDAP (UDP)
  CCSO (UDP)
  MSRPC (UDP)
  NETBIOS (UDP)
  NTP
  GTP (TCP)
  X11
  FINGER
  CVSP
  Sunrpc (TCP)
  NETBIOS (TCP)
  SMB
  TELNET
  MSSQL (TCP)
  HTTPS
  HTTP8080
  IMAP
  NNTP
  SNMP (TCP)
  WINS
  BitKeeper
  Subversion
  MYSQL
  PRINTER
  PPTP
  LDAP (TCP)
  CCSO (TCP)
  GTP (UDP)
  IDENT
  IMAPS
  POP3S
  MSRPC (TCP)
  POP3
  Rlogin
  TLS
  WINS (UDP)
  FP_CIS
  Modbus
  SRP
  RFB
  ARCserve
  McAfee
  OPC UA Binary
  OPC UA TCP
  DNP3 (TCP)
  DNP3 (UDP)
  MGCP
  SCCP
  RTSP
  HTTPS with SSM TCP Proxy
  SSM TFTP Proxy

Situation Context:
  Any TCP Client Stream
  Any TCP Server Stream
  Any UDP Packet
  UDP Packet Unknown
  Application Context
  TLS Match
  Local Correlation
  HTTP Client Stream
  HTTP Server Stream
  FTP Client Stream
  FTP Server Stream
  SSH TCP Client Stream
  SSH TCP Server Stream
  Telnet TCP Client Stream
  Telnet TCP Server Stream
  SMTP Client Stream
  SMTP TCP Server Stream
  WINS TCP Client Stream
  WINS TCP Server Stream
  DNS UDP Client Message
  DNS UDP Server Message
  Finger Client Stream
  Finger Server Stream
  TCP NetBIOS Client Stream
  TCP NetBIOS Server Stream
  TCP MSRPC Client Stream
  TCP MSRPC Server Stream
  IMAP Client Stream
  IMAP Server Stream
  File Name
  HTTPS Client Stream
  HTTPS Server Stream
  TCP SMB Client Stream
  TCP SMB Server Stream
  TCP Printer Client Stream
  TCP Printer Server Stream
  TCP MSSQL Client Stream
  TCP MSSQL Server Stream
  TCP PPTP Client Stream
  TCP PPTP Server Stream
  CVSP Client Stream
  CVSP Server Stream
  TCP MySQL Client Stream
  TCP MySQL Server Stream
  TCP NNTP Client Stream
  TCP NNTP Server Stream
  HTTP Proxy Client Stream
  HTTP Proxy Server Stream
  DNS TCP Client Stream
  DNS TCP Server Stream
  BOOTP Client Stream
  BOOTP Server Stream
  UDP MSRPC Client Stream
  UDP MSRPC Server Stream
  SNMP TCP Client Stream
  SNMP TCP Server Stream
  UDP MSSQL Client Stream
  UDP MSSQL Server Stream
  TCP Client Stream Unknown
  TCP Server Stream Unknown
  Internet Key Exchange
  X11 TCP Client Stream
  X11 TCP Server Stream
  FTP Download Stream
  FTP Upload Stream
  Connection Allowed
  Connection Discarded
  Connection Refused
  Connection Closed
  Connection Closed Abnormally
  Connection Queued
  IPSEC
  HTTP Request URI
  E-Mail Header Stream
  SSH Client Version
  SSH Client Version Comment
  E-Mail Body Stream
  SMTP Client Command Stream
  Protocol Identification
  Node ID conflict
  Log spool corruption detected
  Log spool is becoming full
  TLS Domain
  Log alert
  VPN alert
  HTTP Request Header Line
  HTTP Reply Header Line
  HTTP Status Line
  FTP Reply Length Limit
  FTP MIC Argument Length Limit
  FTP HELP Argument Length Limit
  FTP Reply Line Length Limit
  FTP SITE Argument Length Limit
  FTP AUTH Argument Length Limit
  FTP ADAT Argument Length Limit
  FTP CONF Argument Length Limit
  FTP ENC Argument Length Limit
  FTP LANG Argument Length Limit
  FTP CLNT Argument Length Limit
  FTP EPRT Argument Length Limit
  FTP OPTS Argument Length Limit
  FTP LPRT Argument Length Limit
  FTP ESTP Argument Length Limit
  FTP REST Marker Length Limit
  FTP PBSZ Argument Size Limit
  FTP pathname Length Limit
  FTP Username Length Limit
  FTP Password Length Limit
  FTP Account Length Limit
  FTP Lone LF As CRLF
  FTP Pipeline Length Limit
  FTP Synchronization Lost
  FTP Directory Listing Stream
  FTP ALLO Argument Size Limit
  SMTP E-mail Relaying Check
  SMTP Recipients Count Limit
  E-Mail Header Field Length Limit
  E-Mail Header Length Limit
  E-Mail Header Fields Count Limit
  E-Mail MIME Parameter Parts Count Limit
  E-Mail MIME Subtype Name Length Limit
  E-Mail Mime Parameter Name Length Limit
  IP Option Detection
  Count
  DNS Client Hostname Over Limit
  DNS Client Name Over Limit
  DNS Client UDP Payload Limit
  DNS Client UDP Payload By OPT Limit
  DNS Server Hostname Length Limit
  DNS Server Name Length Limit
  DNS Server UDP Payload Limit
  DNS Server UDP Payload By OPT Limit
  Sequence
  Compress
  Group
  Match
  ULS Send
  TCP Receive
  Copy
  SSHv1 Host Key Length Limits
  SSHv1 Server Key Length Limits
  HTTP2 Frame Header
  HTTP URL
  SSH Server Version Comment
  SSH Server Version
  SSH Client Crypto Bit Ratio
  SSH Server Crypto Bit Ratio
  HTTP2 HEADERS
  HTTP Host
  HTTP2 PRIORITY
  SOHO Firewall Situations
  Authentication Server situations
  QUIC
  HTTP2 RST_STREAM
  Connection_Progress
  Connection_Interface_Changed
  Archive Member Situation
  HTTP2 SETTINGS
  HTTP2 PUSH_PROMISE
  HTTP2 PING
  HTTP Server Header Name Length Limit
  HTTP Client Header Name Length Limit
  HTTP2 GOAWAY
  HTTP2 WINDOW_UPDATE
  HTTP2 CONTINUATION
  HTTP2 HPACK
  HTTP2 PADDING
  ANY Common Stream
  Context for HTTP URL logging
  ICMP Echo Length Limit
  ICMP Length Limit
  An Ethernet frame was received
  A not allowed Ethernet frame was received
  An IP datagram was received
  A not allowed IP datagram was received
  BitKeeper Server Stream
  CCSO TCP Server Stream
  POP3 Server Stream
  CCSO TCP Client Stream
  POP3 Client Stream
  IDENT Client Stream
  IDENT Server Stream
  LDAP Server Stream
  LDAP Client Stream
  TCP RPC EPM Client Stream
  Subversion TCP Server Stream
  Subversion TCP Client Stream
  TCP Timeout Connection Dropped
  TCP Timeout FIN
  TCP Timeout Idle
  TCP Timeout Data Transfer
  TCP Option Detection
  TCP Timeout Auto Establishment
  TCP Timeout SYN-ACK
  TCP Timeout SYN
  TCP Timeout TIME-WAIT
  BitKeeper Client Stream
  TCP RPC EPM Server Stream
  SIP stream
  License exceeded
  Tester situation
  Cluster protocol situation
  Sensor engine situation
  HTTP without parameters
  UDP without parameters
  CCSO UDP Client Stream
  UDP LDAP Client Stream
  UDP NetBIOS Client Stream
  UDP RCP EPM Client Stream
  SNMP UDP Client Stream
  TFTP Client Stream
  CCSO UDP Server Stream
  UDP LDAP Server Stream
  UDP NetBIOS Server Stream
  UDP RCP EPM Server Stream
  SNMP UDP Server Stream
  TFTP Server Stream
  TCP without parameters
  SSH without parameters
  SMTP without parameters
  Scan detection without parameters
  IP without parameters
  ICMP without parameters
  FTP without parameters
  DNS without parameters
  SIP without parameters
  Engine situations
  UDP DoS detected
  UDP DoS events
  TCP DoS events
  TCP synflood detection (SYN-ACK timeout based detection)
  TCP synflood detection (SYN-timeout method)
  MSRPC Client Payload Stream
  SMB without parameters
  SMB Client Named Pipe Stream
  NETBIOS without parameters
  MSRPC UDP Request Stream
  MSRPC without parameters
  Rlogin Client Stream
  Rlogin Server Stream
  TFTP without parameters
  HTTP Normalized Request-Line
  HTTP Chunk Header
  SIP TCP Client Stream
  SIP TCP Server Stream
  SIP UDP Client Stream
  SIP UDP Server Stream
  SMB File Read Stream
  SMB File Write Stream
  SMB Client Header Stream
  Oracle TNS Server Stream
  Oracle TNS Client Stream
  H.323 Server Stream
  H.323 Client Stream
  Shell (cmd) Server Stream
  Shell (cmd) Client Stream
  Non-ratebased DoS attacks
  RTP UDP Packet
  RTCP UDP Packet
  Ethernet without parameters
  TLS Client Stream
  TLS Server Stream
  TLS without parameters
  Shell (cmd) Stderr Stream
  Shell (cmd) without parameters
  ASN.1 without parameters
  POP3 without parameters
  E-mail without parameters
  IMAP without parameters
  GRE Length Limit
  GRE without parameters
  IPv6 without parameters
  Raw File Stream
  Text File Stream
  Other Binary File Stream
  PDF File Stream
  OLE File Stream
  Flash File Stream
  File Stream Redirection
  HTTP Server Header Stream
  JPEG File Stream
  PNG File Stream
  GIF File Stream
  RTF File Stream
  RIFF File Stream
  Identified Text File Stream
  MPEG File Stream
  Zip File Stream
  Executable File Stream
  TCP Handshake Not Seen
  TCP Future Acknowledgement Number
  TCP Timeout for SYN-RST
  TCP Timeout REMOVE_SOON WAIT
  DXL without parameters
  GAM without parameters
  Self Test without parameters
  Archive type identification from member names
  SSM Context
  SMB Server Header Stream
  TCP GTP Server Stream
  TCP GTP Client Stream
  UDP GTP Server Stream
  UDP GTP Client Stream
  GTP without parameters
  Botnet CnC without parameters
  TCP DataLength Stream
  UDP DataLength Stream
  RTSP TCP Client Stream
  RTSP TCP Server Stream
  RTSP without parameters
  ICMP Request Stream
  ICMP Response Stream
  File decompression without parameters
  TLS Domain Name Stream
  TLS SNI Stream
  MSRPC Bind or Alter Context with multiple interfaces
  Modbus TCP without parameters
  Generic IPv6 Fingerprinting Stream
  Generic IP Protocol Identification Stream
  Generic IPv6 Identification Stream
  Generic IP Fingerprinting Stream
  Modbus TCP Client PDU Stream
  Modbus TCP Server PDU Stream
  TCP Client SYN Header Fingerprinting Stream
  TCP Server SYN Header Fingerprinting Stream
  TCP Unsupported Options Stream
  HTTP2
  WebSocket Client Stream
  WebSocket Server Stream
  SSH client encrypting algorithms
  SSH client message authentication (MAC) algorithms
  SSH client key exchange algorithms
  SSH server message authentication (MAC) algorithms
  SSH server encrypting algorithms
  SSH server key exchange algorithms
  SSH server host key algorithms
  SSH client host key algorithms
  SRP Client Stream
  SRP Server Stream
  E-Mail Undecoded Quoted-Printable Stream
  E-Mail Undecoded Base64 Stream
  RFB Client Stream
  RFB Server Stream
  RFB without parameters
  HTTP MSIE Server Stream
  HTTP non-MSIE Server Stream
  HTTP Proxy Server Stream for MSIE
  HTTP Proxy Server Stream for non-MSIE
  Anti-Malware
  EIA
  MLC
  McAfee E-Business Server Administration Server Stream
  ECA
  DLP
  Log Moderation
  User Response without parameters
  SCCP without parameters
  MGCP without parameters
  File Filtering
  GTI
  Sandbox
  Firewall Events
  Telnet TCP Client Terminal Stream
  Telnet TCP Client Command Stream
  Telnet TCP Client Single Command Stream
  Telnet TCP Server Terminal Stream
  Telnet TCP Server Command Stream
  Telnet TCP Server Single Command Stream
  ARCserve Backup Client Stream
  ARCserve Backup Server Stream
  McAfee E-Business Server Administration Client Stream
  TCP_Window_Shrinked
  HTTP Server Chunk Header
  UDP NTP Stream
  TCP Too Many Initial Window Segments
  TCP Too Many Initial Window Bytes
  HTTP Non-specific Protocol Upgrade Server Stream
  HTTP Non-specific Protocol Upgrade Client Stream
  HTTP ThreatSeeker Category
  ProtoId TCP Client Stream
  ProtoId TCP Server Stream
  ProtoId UDP Client Message
  ProtoId UDP Server Message
  ProtoId without parameters
  Dynamic-Routing
  OPC UA TCP Normalized Request
  OPC UA TCP Normalized Response
  OPC UA TCP without parameters
  OPC UA TCP Request Message
  OPC UA TCP Response Message
  OPC UA Binary Request Stream
  OPC UA Binary Response Stream
  OPC UA Binary without parameters
  DNP3 (TCP) raw response
  DNP3 (TCP) raw request
  DNP3 (UDP) raw response
  DNP3 (UDP) raw request
  DNP3 (TCP) application response
  DNP3 (TCP) application request
  DNP3 (UDP) application request
  DNP3 (UDP) application response
  DNP3 without parameters
  Cryptkeys operation
  EI Correlation
  EI Signer Checksum
  EI Version Stream
  EI Product Name
  EI Binary Checksum
  EI Binary Name
  EI Signer Name
  IP list ID for source address
  IP list ID for destination address
  IP list ID for source or destination address
  File MD5 hash
  File SHA1 hash
  ECA Binary SHA256 Checksum
  ECA Binary SHA512 Checksum
  ECA OS Name
  ECA OS Extra Information
  ECA OS Correlation
  TLS Client Hello JA3 Hash
  File SHA256 hash
  File Type
  URL whitelist
  URL Application Context
  URL Whitelist Application Context
  MGCP Server Stream
  SCCP Client Stream
  SCCP Server Stream
  MGCP Client Stream
  DNS Host Rewriting
  DNS Host Resolution

SSLVPNZipfile:
  default-skin_6.1.zip

DISCLAIMER AND COPYRIGHT

Copyright © 2022 Forcepoint
Forcepoint and the FORCEPOINT logo are trademarks of Forcepoint.

All other trademarks used in this document are the property of their respective owners.

Every effort has been made to ensure the accuracy of this document. However, Forcepoint makes no warranties with respect to this documentation and disclaims any implied warranties of merchantability and fitness for a particular purpose. Forcepoint shall not be liable for any error or for incidental or consequential damages in connection with the furnishing, performance, or use of this manual or the examples herein. The information in this documentation is subject to change without notice.