Barracuda Networks Attack Definition Release Notes

Version 1.222 (Release date: 15 Dec 2022)

Updated signatures for possible evasion technique employing JSON syntax, which may result in a successful SQL injection.

Version 1.221 (Release date: 14 Dec 2022)

A possible evasion technique employing JSON syntax, which may result in a successful SQL injection, is addressed.

Version 1.217 (Release date: 25 Aug 2022)

Updated the Barracuda Bot database for bot classification.

Version 1.212 (Release date: 10 Jan 2022)

CVE-2021-21985: Remote File Inclusion pattern updated towards mitigating VMWare vulnerability with rmi protocol

SQL injection strict and medium patterns updated to catch a variant of tautology condition

OS command injection patterns updated to include variants of exec command in the range of UNIX shell commands to detect

A possible false positive due to strict checks on some function substrings, is relaxed

Updated the Barracuda Bot database for bot classification.

Version 1.211 (Release date: 18 Dec 2021)

CVE-2021-44228: Stricter checks for Log4j evasions with substitution and other generic attempts for reconnaissance.

Version 1.210 (Release date: 17 Dec 2021)

CVE-2021-44228: Updated pattern for Log4j vulnerability variant for possible data exfiltration.

Version 1.208 (Release date: 13 Dec 2021)

CVE-2021-44228: Log4j vulnerability remediation

Version 1.203 (Release date: 2 Aug 2021)

Updated the Barracuda Bot database for bot classification.

Version 1.200 (Release date: 14 Jun 2021)

Updated the Barracuda Bot database for bot classification.

Version 1.197 (Release date: 18 Apr 2021)

Updated the Barracuda Bot database for bot classification.

Version 1.195 (Release date: 2 Feb 2021)

Updated the Barracuda Bot database for bot classification.

Version 1.181 (Release date: 22 Oct 2020)

Change to AWS access token checks to prevent false positives

Version 1.180 (Release date: 14 Oct 2020)

Commands curl,wget,python,perl,whoami,pwd,hostname,netstat,ps are included in stricter checks to forbid blind reconnaisance attempts for shell vulnerabilities.

OS command injection enriched with stricter check on access to /etc/ file system.

Updated the Barracuda Bot database for bot classification.

Version 1.178 (Release date: 23 Jul 2020, with firmware)

AWS checks for data theft protection on AWS keys and tokens

Version 1.176 (Release date: 17 Jul 2020)

Updated the Barracuda Bot database for bot classification.

Version 1.175 (Release date: 27 Apr 2020)

Updated the Barracuda Bot database for bot classification.

Version 1.172 (Release date: 20 Jan 2020)

Handling of an issue with advanced analytics in 10.0 and 10.0.1 versions in an enhanced way

Version 1.170 (Release date: 17 Jan 2020)

Handling of an issue with advanced analytics in 10.0 and 10.0.1 versions

Updated the Barracuda Block Listed IP database and the data base for categorizing clients

Version 1.163 (Release date: Sep 24 2019)

Enhanced AWS meta data checks on internal URLs and IPs towards SSRF prevention on AWS environments

Version 1.165 (Release date: firmware based)

Updated Barracuda Block Listed IP database

Version 1.163 (Release date: Sep 24 2019)

Enhanced AWS meta data checks on internal URLs and IPs towards SSRF prevention on AWS environments

Version 1.161 (Release date: Sep 03 2019)

New attack category for client risk based violations added

Version 1.160 (Release date: Aug 19 2019)

AWS metadata instance checks for SSRF prevention

Version 1.157 (Release date: Jul 01 2019)

Fixes to mitigate CVE-2019-11477, CVE-2019-11478, SACK driven vulnerabilities

Updates to the advanced bot signature database

Version 1.153 (Release date: May 02 2019)

SQL command injection enriched with patterns to check for tautologies involving ELT and CHR functions

Updates to the advanced bot signature database

Version 1.150 (Release date: Dec 5 2018)

The database used for categorizing clients (as part of Web Scraping Policy) has been made part of the attackdef.

Version 1.149 (Release date: Jul 3 2018)

The patterns under XSS for on event references, are made stricter to check for the occurence of tag completion characters

The remote file inclusion check is made stricter by dropping the trailing back-slash character from the pattern regex

The attacks as found by BATP scan, are added under the attack category defined for Virus checks and mime type check failures

Version 1.135 (Release date: Sep 22 2017)

The pattern under arbitrary-unix-shell-commands is enhanced to look for the occurences of open paranthesis and pipe characters

The pattern under misc-commands-injections is enhanced to look for exe variants and also reduce false positives with commands like "id" when they occur as a part of URL

The pattern misc-commands-injections-end is added to catch a variant of the commands which may end with no arguments

The misc-commands pattern is changed to look for variants which may atart and end with no arguments

The pattern misc-commands-start is added to catch variants fo OS command injection which start with popular commands but may take more arguments and delimiters to make them potent

Version 1.132 (Release date: Sep 14 2017)

The pattern under sql-tautology-conditions-string-strict for SQL strict check, is enhanced to look for the keyword WHERE

The pattern under sql-tautology-conditions-like-dbcmd-strict is enhanced to look for more tautology conditions like "or null is null", "or true", "or not false"

The pattern under arbitrary-unix-shell-commands for OS Command Injection checks, is made stricter with checks for more meta character delimiters like the + or < or > etc as injections elements and arguments to probable commands

A new pattern called misc-commands-injections is added under OS Command Injection strict checks, to check for occurence of well known unix commands like netcat, dig, host etc as injection arguments occuring along with meta characters like ; or ' and absolute path specifications like /usr/bin/ or /bin/ etc

The pattern "misc-commands" under Os Command Injection strict checks, is enhanced to look for more unix commands like netcat, dig, host etc and also catch evasion attempts using whitespace and tab characters

The apache struts strict checks are enhanced to look for occurence of java.lang.ProcessBuilder string to help catch vulnerabilities like the ones disclosed in CVE-2017-9805

Version 1.120 (Release date: April 19 2017)

Virusdef location is changed. No functional impact

Version 1.116 (Release date: Along with 9.0 firmware)

Updatedef and Virusdefs are moved to different locations

Version 1.112 (Release date: Along with 8.1.1 firmware)

Apache struts vulnerability with method and redirect as vectors is addressed

Arbitrary shell command injections modified with " and ' chars to look for in the arguments

Modified PHP data theft patterns with one more pattern

meta tag is blocked with strict check on the tag ignoring the rest of the attributes

TOR list excluded from attackdef and moved to geoipdef

Dropped %5c as a denied meta char from the list of default denied meta chars

Version 107 (Release date: Mar 2016, with the 8.1 firmware)

Attack descriptions related to web scraping and newer attack ids implemented in 8.1, are added.

Version 1.102 (Release date: 26 Oct 2015)

The first two changes are made with more inputs from the security researcher Dr.-Ing Ashar Javed (@soaj1664ashar)

• The onEvent references are now checked for the new line character at the end to prevent a possible bypass with some browsers [ Pattern(s) changed : onevent-references onevent-references-misc-1 onevent-references-misc-2 onevent-references-misc-3 onevent-references-misc-generic ]
• The closing tag check is made a little stricter to prevent possible bypasses due to browsers being tolerant of the end tag [ Pattern(s) changed : closing-html-tag ]
• The sql comment check is modified to prevent possible false positives [ Pattern(s) changed : sql-comments ]
• The style based XSS checks are relaxed to ensure less false positives [ Pattern(s) changed : xss-style-attr ]

Version 1.100 (Release date: 15 Sep 2015)

The following changes are made with more inputs from the security researcher Dr.-Ing Ashar Javed (@soaj1664ashar)

• A generic OnEvent reference handler added to catch new and any upcoming variants of these html5 event handlers.
• The opening and closing html tag validations as per Cross site scripting strict patterns, are updated to detect meta characters possible interpreted by some IE browsers
• The CSS style related patterns are made more stricter to catch variants which have CSS escaping
• The data URI format related checks are made stricter to prevent evasions using data URI format

Version 1.97 (Release date: 07 Aug 2015)

Credits for the first five changes : Dr.-Ing Ashar Javed (@soaj1664ashar)

• The onevent references to catch onWheel event handler
• meta tag made stricter for cross site scripting attempt detection
• CSS escaping of paranthesis added to the detection in url-references and style attribute based XSS
• data URI encoding made stricter
• Strict XSS checks for tag injections made to detect semi-colons during XSS attempts
• Added the 0x2b character for detecting SQL attempts via tautology conditions

Version 1.95 (Release date: 08 Jul 2015)

• [ Credits : Dr.-Ing Ashar Javed (@soaj1664ashar) ] The onevent references is made a little more stricter to catch a possible bypass with backtick characters
• Preventing obfuscation using some html5 named character references
• Comment obfuscation attempt in script
• Modification to php file inclusion to catch php urls

Version 1.93 (Release date: 25 May 2015)

• [ Credits : Dr.-Ing Ashar Javed (@soaj1664ashar) ] Added few more on event references to look for possible XSS injections. These include : OnSearch, OnShow, OnToggle
• The pattern group names for Microsoft and Oracle errors are changed to increase readability
• Compatibility issues between 8.0 and pre 8.0 versions of firmware and the new attackdef

Version 1.92 (Release date with firmware 8.0)

• Splitting OS Command Injection into multiple other categories
• LDAP injection modified with more stricter checks

Version 1.86 (Release date: 3 April 2015)

• Resolving issues of rollbacks occurred due to wrong db

Version 1.85 (Release date: 26 March 2015)

• IP reputation database updated with TOR node IPs
• LDAP injection made stricter with more attack vector checks

Version 1.83 (Release date: 27 Feb 2015)

• Securing the availability of recovery partition which had issues in serial numbers 591500 to 605556

Version 1.81 (Release date: 06 Jan 2015)

• New ID theft patterns for mySQL and PostGRES errors added

Version 1.80 (Release date: 02 Dec 2014)

• New ID theft patterns for ASP errors added

Version 1.78 (Release date: 25 Sep 2014)

• Fix for CVE-2014-6271 and CVE-2014-7169: OS command injection pattern updated to catch attempts to exploit bash vulnerability with remote code execution

Version 1.77 (Release date: 24 Sep 2014)

• OS command injection strict pattern loosened to avoid false positives involving non alphanumeric characters

Version 1.76 (Release date: 12 Aug 2014)

• Cross site scripting patterns for script tags modified to detect a html encoding for a special character
• A couple of additions to the unsafe tags that are detected.
• Strict patterns for sql detection updated with a variant of the construct which uses "like" or "group" in SQL
• Tautology conditions updated to look for double-quotes in the comparision based constructs
• Directory traversal checks included in default parameter class definitions

Version 1.72 (Release date: 01 May 2014)

• SQL patterns updated for detection of evasions with newline seperators

Version 1.71 (Release date: 20 Mar 2014)

• Including field seperator based attacks using IFS macro in bash, updated os-command-injection

Version 1.65 (Release date: 09 Dec 2013)

• Allowing certain common commands to reduce false positives in command substrings in ASP applications or apps which have base64 encoded values.

Version 1.64

• LDAP injection false positives with cn attribute in 1.61 handled.

Version 1.61

• The SQL medium patterns related to tautology conditions involving "like", "between", "in" and simple string comparisons, are optimized to ensure the digest times get faster.
• New condensed Barracuda Block List IPs shipped with this new definition.

Version 1.60

• Multiple onevent reference additions to XSS injection patterns.
• Enhancements to SQL blind attempts using sleep and other directives, strict patterns modified and medium patterns tightened for effectiveness.
• Fine tuned OS command injections towards SSI, LDAP, PHP injections.
• Defense against Apache struts vulnerability.
• The definitions are not applied automatically. The services should be restarted for the definitions to take effect.

Version 1.58

• Parameters encoded in data URI scheme (rfc2397) are disallowed since they cannot be genuine encodings coming from clients/browsers and are evasion attempts more often than not.
• ”sql-tautology-conditions-simple” and “sql-tautology-conditions-simple-string” are relaxed to avoid false positives in certain cases where the join operators may occur in a regular english word.
• OS Command injection strict is modified to look for the dollar character which may be used to assign values to shell variables like IFS.

Version 1.58

• Compressed versions of Barracuda Block List with right permissions.

Version 1.55

• Compressed versions of Barracuda Block List.

Version 1.52

• Definitions for Barracuda Block List feature in 7.8 and attack information.

Version 1.47

• OS command injection strict pattern check relaxed for URL protection false positives which involve the "/" character.
• sql-tautology made stricter to include single and double quotes as potential obfuscators.

Version 1.46

• Added arbitrary string concatenation attempts in OS Command Injection strict pattern to catch attempts tp split strings in many common languages.
• SELECT usage made stricter in SQL strict pattern checks. Echo dropped from OS command checks due to chances of false positives.

Version 1.44

• Unsafe tag group modified with a couple of more tags. Command injection pattern checks relaxed to ensure less false positives when using commands like ls, lsof, echo, etc.

Version 1.41

• Strict pattern to prevent SQL DOS attempt by injecting sleep commands.

Version 1.40

• Arbitrary injection attempts made a little non strict to ensure less false positives.

Version 1.39

• Evasion attempts added to strict pattern check definitions.

Version 1.38

• Few more strict patterns populated for various categories of attacks.

Version 1.37

• Strict patterns populated for various categories of attacks.

Version 1.34

• SQL tautology conditions made stricter to catch more conditions which may potentially evaluate to true and potentially resulting in DB injection attacks.

Version 1.26

• Cross site scripting patterns enriched with more onevent references as per the new HTML5 specifications in the categories of Window Events, Form Events, Mouse events and Media events.

Version 1.23

• Stricter checks on blind SQL injection patterns which use "char" and "comments".

Version 1.22

• Including "style" pattern in unsafe tags.

Version 1.20

• Few cleanups.

Version 1.17

• Wider range of attack checks for the category "SQL Command Injection".
• XSS attack patterns enhanced with more checks on "onevent" references.

Version 1.16

• Cleaning up virus definitions.

Version 1.14

• SQL comments made stricter.

Version 1.12

• SQL tautology conditions modified to have "not" operations.

Version 1.11

• Enhanced "unsafe-tags" with "meta" tag check for cookie based response splitting attacks.

Version 1.8

• Remote file Inclusion checks for anything with http or https.
• SQL check for "select" constructs made more strict.
• Fix: Added patterns to detect ASPROX kind of attacks. Patterns of type DECLARE @T VARCHAR(255), or EXEC(''), or CAST(0x...).
• Changed remote file inclusion to look for / as a leading character. So /https://x.com/ and https://x.com both shall trigger the attack prevention check.
• Stricter checks for CAST based attacks on SQL databases.