Ruleset Update Summary - 2022/12/13 - v10195

Summary:

110 new OPEN, 110 new PRO (110 + 0)

Thanks @fr0s7_, @James_inthe_box

The Emerging Threats mailing list is migrating to Discourse. Please visit us at https://community.emergingthreats.net

We will announce the mailing list retirement date in the near future.


Added rules:

Open:

  • 2042665 - ET INFO DYNAMIC_DNS Query to a *.stuff-4-sale .us Domain (info.rules)
  • 2042666 - ET INFO DYNAMIC_DNS HTTP Request to a *.stuff-4-sale .us Domain (info.rules)
  • 2042667 - ET INFO DYNAMIC_DNS Query to a *.is-into-games .com Domain (info.rules)
  • 2042668 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-into-games .com Domain (info.rules)
  • 2042669 - ET INFO DYNAMIC_DNS Query to a *.homeunix .org Domain (info.rules)
  • 2042670 - ET INFO DYNAMIC_DNS HTTP Request to a *.homeunix .org Domain (info.rules)
  • 2042671 - ET INFO DYNAMIC_DNS Query to a *.worse-than .tv Domain (info.rules)
  • 2042672 - ET INFO DYNAMIC_DNS HTTP Request to a *.worse-than .tv Domain (info.rules)
  • 2042673 - ET INFO DYNAMIC_DNS Query to a *.is-very-sweet .org Domain (info.rules)
  • 2042674 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-very-sweet .org Domain (info.rules)
  • 2042675 - ET INFO DYNAMIC_DNS Query to a *.at-band-camp .net Domain (info.rules)
  • 2042676 - ET INFO DYNAMIC_DNS HTTP Request to a *.at-band-camp .net Domain (info.rules)
  • 2042677 - ET INFO DYNAMIC_DNS Query to a *.sells-for-less .com Domain (info.rules)
  • 2042678 - ET INFO DYNAMIC_DNS HTTP Request to a *.sells-for-less .com Domain (info.rules)
  • 2042679 - ET INFO DYNAMIC_DNS Query to a *.serveftp .net Domain (info.rules)
  • 2042680 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveftp .net Domain (info.rules)
  • 2042681 - ET INFO DYNAMIC_DNS Query to a *.selfip .org Domain (info.rules)
  • 2042682 - ET INFO DYNAMIC_DNS HTTP Request to a *.selfip .org Domain (info.rules)
  • 2042683 - ET INFO DYNAMIC_DNS Query to a *.is-by .us Domain (info.rules)
  • 2042684 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-by .us Domain (info.rules)
  • 2042685 - ET INFO DYNAMIC_DNS Query to a *.dyndns-at-home .com Domain (info.rules)
  • 2042686 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-at-home .com Domain (info.rules)
  • 2042687 - ET INFO DYNAMIC_DNS Query to a *.dyndns .org Domain (info.rules)
  • 2042688 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .org Domain (info.rules)
  • 2042689 - ET INFO DYNAMIC_DNS Query to a *.dynalias .org Domain (info.rules)
  • 2042690 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynalias .org Domain (info.rules)
  • 2042691 - ET INFO DYNAMIC_DNS Query to a *.dnsdojo .com Domain (info.rules)
  • 2042692 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsdojo .com Domain (info.rules)
  • 2042693 - ET INFO DYNAMIC_DNS Query to a *.from-co .net Domain (info.rules)
  • 2042694 - ET INFO DYNAMIC_DNS HTTP Request to a *.from-co .net Domain (info.rules)
  • 2042695 - ET INFO DYNAMIC_DNS Query to a *.doomdns .com Domain (info.rules)
  • 2042696 - ET INFO DYNAMIC_DNS HTTP Request to a *.doomdns .com Domain (info.rules)
  • 2042697 - ET INFO DYNAMIC_DNS Query to a *.groks-the .info Domain (info.rules)
  • 2042698 - ET INFO DYNAMIC_DNS HTTP Request to a *.groks-the .info Domain (info.rules)
  • 2042699 - ET INFO DYNAMIC_DNS Query to a *.office-on-the .net Domain (info.rules)
  • 2042700 - ET INFO DYNAMIC_DNS HTTP Request to a *.office-on-the .net Domain (info.rules)
  • 2042701 - ET INFO DYNAMIC_DNS Query to a *.doesntexist .org Domain (info.rules)
  • 2042702 - ET INFO DYNAMIC_DNS HTTP Request to a *.doesntexist .org Domain (info.rules)
  • 2042703 - ET INFO DYNAMIC_DNS Query to a *.dyndns .tv Domain (info.rules)
  • 2042704 - ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns .tv Domain (info.rules)
  • 2042705 - ET INFO DYNAMIC_DNS Query to a *.endofinternet .net Domain (info.rules)
  • 2042706 - ET INFO DYNAMIC_DNS HTTP Request to a *.endofinternet .net Domain (info.rules)
  • 2042707 - ET INFO DYNAMIC_DNS Query to a *.getmyip .com Domain (info.rules)
  • 2042708 - ET INFO DYNAMIC_DNS HTTP Request to a *.getmyip .com Domain (info.rules)
  • 2042709 - ET INFO DYNAMIC_DNS Query to a *.is-a-chef .org Domain (info.rules)
  • 2042710 - ET INFO DYNAMIC_DNS HTTP Request to a *.is-a-chef .org Domain (info.rules)
  • 2042711 - ET INFO DYNAMIC_DNS Query to a *.dynamicdns .biz Domain (info.rules)
  • 2042712 - ET INFO DYNAMIC_DNS Query to a *.freewww .biz Domain (info.rules)
  • 2042713 - ET INFO DYNAMIC_DNS Query to a *.dns1 .us Domain (info.rules)
  • 2042714 - ET INFO DYNAMIC_DNS Query to a *.ddns .mobi Domain (info.rules)
  • 2042715 - ET INFO DYNAMIC_DNS HTTP Request to a *.ddns .mobi Domain (info.rules)
  • 2042716 - ET INFO DYNAMIC_DNS HTTP Request to a *.gr8domain .biz Domain (info.rules)
  • 2042717 - ET INFO DYNAMIC_DNS Query to a *.bigmoney .biz Domain (info.rules)
  • 2042718 - ET INFO DYNAMIC_DNS Query to a *.zyns .com Domain (info.rules)
  • 2042719 - ET INFO DYNAMIC_DNS Query to a *.dns-report .com Domain (info.rules)
  • 2042720 - ET INFO DYNAMIC_DNS Query to a *.otzo .com Domain (info.rules)
  • 2042721 - ET INFO DYNAMIC_DNS Query to a *.freetcp .com Domain (info.rules)
  • 2042722 - ET INFO DYNAMIC_DNS Query to a *.proxydns .com Domain (info.rules)
  • 2042723 - ET INFO DYNAMIC_DNS Query to a *.myddns .com Domain (info.rules)
  • 2042724 - ET INFO DYNAMIC_DNS HTTP Request to a *.myddns .com Domain (info.rules)
  • 2042725 - ET INFO DYNAMIC_DNS HTTP Request to a *.misecure .com Domain (info.rules)
  • 2042726 - ET INFO DYNAMIC_DNS HTTP Request to a *.dns-stuff .com Domain (info.rules)
  • 2042727 - ET INFO DYNAMIC_DNS Query to a *.zzux .com Domain (info.rules)
  • 2042728 - ET INFO DYNAMIC_DNS HTTP Request to a *.dynns .com Domain (info.rules)
  • 2042729 - ET INFO DYNAMIC_DNS HTTP Request to a *.serveblog .net Domain (info.rules)
  • 2042730 - ET INFO DYNAMIC_DNS HTTP Request to a *.net-freaks .com Domain (info.rules)
  • 2042731 - ET INFO DYNAMIC_DNS HTTP Request to a *.myvnc .com Domain (info.rules)
  • 2042732 - ET INFO DYNAMIC_DNS HTTP Request to a *.freedynamicdns .net Domain (info.rules)
  • 2042733 - ET INFO DYNAMIC_DNS HTTP Request to a *.ditchyourip .com Domain (info.rules)
  • 2042734 - ET INFO DYNAMIC_DNS HTTP Request to a *.servehumour .com Domain (info.rules)
  • 2042735 - ET INFO DYNAMIC_DNS HTTP Request to a *.servebeer .com Domain (info.rules)
  • 2042736 - ET INFO DYNAMIC_DNS HTTP Request to a *.mypsx .net Domain (info.rules)
  • 2042737 - ET INFO DYNAMIC_DNS HTTP Request to a *.ufcfan .org Domain (info.rules)
  • 2042738 - ET INFO DYNAMIC_DNS HTTP Request to a *.mmafan .biz Domain (info.rules)
  • 2042739 - ET INFO DYNAMIC_DNS HTTP Request to a *.privatizehealthinsurance .net Domain (info.rules)
  • 2042740 - ET INFO DYNAMIC_DNS Query to a *.gotdns .ch Domain (info.rules)
  • 2042741 - ET INFO DYNAMIC_DNS HTTP Request to a *.gotdns .ch Domain (info.rules)
  • 2042742 - ET INFO DYNAMIC_DNS HTTP Request to a *.read-books .org Domain (info.rules)
  • 2042743 - ET INFO DYNAMIC_DNS HTTP Request to a *.dnsiskinky .com Domain (info.rules)
  • 2042744 - ET INFO DYNAMIC_DNS HTTP Request to a *.mlbfan .org Domain (info.rules)
  • 2042745 - ET INFO DYNAMIC_DNS HTTP Request to a *.myeffect .net Domain (info.rules)
  • 2042746 - ET INFO DYNAMIC_DNS HTTP Request to a *.access .ly Domain (info.rules)
  • 2042747 - ET INFO DYNAMIC_DNS HTTP Request to a *.health-carereform .com Domain (info.rules)
  • 2042748 - ET INFO DYNAMIC_DNS HTTP Request to a *.pgafan .net Domain (info.rules)
  • 2042749 - ET INFO DYNAMIC_DNS HTTP Request to a *.dvrcam .info Domain (info.rules)
  • 2042750 - ET INFO DYNAMIC_DNS HTTP Request to a *.cable-modem .org Domain (info.rules)
  • 2042751 - ET INFO DYNAMIC_DNS HTTP Request to a *.hopto .me Domain (info.rules)
  • 2042752 - ET INFO DYNAMIC_DNS HTTP Request to a *.quicksytes .com Domain (info.rules)
  • 2042753 - ET INFO DYNAMIC_DNS HTTP Request to a *.mydissent .net Domain (info.rules)
  • 2042754 - ET INFO DYNAMIC_DNS HTTP Request to a *.freedynamicdns .org Domain (info.rules)
  • 2042755 - ET INFO DYNAMIC_DNS HTTP Request to a *.hopto .org Domain (info.rules)
  • 2042756 - ET INFO DYNAMIC_DNS HTTP Request to a *.homesecuritypc .com Domain (info.rules)
  • 2042757 - ET INFO DYNAMIC_DNS HTTP Request to a *.myactivedirectory .com Domain (info.rules)
  • 2042758 - ET INFO DYNAMIC_DNS HTTP Request to a *.ciscofreak .com Domain (info.rules)
  • 2042759 - ET INFO DYNAMIC_DNS HTTP Request to a *.pointto .us Domain (info.rules)
  • 2042760 - ET INFO DYNAMIC_DNS HTTP Request to a *.brasilia .me Domain (info.rules)
  • 2042761 - ET INFO DYNAMIC_DNS HTTP Request to a *.damnserver .com Domain (info.rules)
  • 2042762 - ET INFO DYNAMIC_DNS HTTP Request to a *.servemp3 .com Domain (info.rules)
  • 2042763 - ET INFO DYNAMIC_DNS HTTP Request to a *.servecounterstrike .com Domain (info.rules)
  • 2042764 - ET INFO DYNAMIC_DNS HTTP Request to a *.workisboring .com Domain (info.rules)
  • 2042765 - ET INFO localtunnel Tunneling Domain in DNS Lookup (loca .lt) (info.rules)
  • 2042766 - ET INFO localtunnel Tunneling Domain in DNS Lookup (localtunnel .me) (info.rules)
  • 2042767 - ET MALWARE 7ev3n Ransomware Related Activity (GET) (malware.rules)
  • 2042768 - ET MALWARE DOC/TrojanDownloader.Agent.ARJ Payload Request (malware.rules)
  • 2042769 - ET MALWARE PSRansom File Exfiltration (POST) (malware.rules)
  • 2042770 - ET MALWARE Villain C2 Framework HTTP Server Response (malware.rules)
  • 2042771 - ET MALWARE Win32/SocksTroy Session Initiation Attempt M1 (malware.rules)
  • 2042772 - ET MALWARE Win32/SocksTroy Session Initiation Attempt M2 (malware.rules)
  • 2042773 - ET MALWARE SocGholish Domain in DNS Lookup (modernism .designpaw .com) (malware.rules)
  • 2042774 - ET MALWARE SocGholish Domain in DNS Lookup (library .covebooks .com) (malware.rules)

Modified active rules:

  • 2029705 - ET HUNTING Possible COVID-19 Domain in SSL Certificate M1 (hunting.rules)
  • 2029708 - ET HUNTING Suspicious TLS SNI Request for Possible COVID-19 Domain M2 (hunting.rules)
  • 2029710 - ET HUNTING Suspicious Domain Request for Possible COVID-19 Domain M2 (hunting.rules)
  • 2029712 - ET HUNTING Suspicious GET Request with Possible COVID-19 Domain M2 (hunting.rules)
  • 2039078 - ET MALWARE SocGholish Domain in DNS Lookup (premiere .4tosocialbeginners .com) (malware.rules)
  • 2042189 - ET MALWARE Impersoni-fake-ator backdoor CnC Checkin (malware.rules)
  • 2042663 - ET MALWARE Villain C2 Framework HTTP Command Response (malware.rules)
  • 2845553 - ETPRO PHISHING Suspected GoPhish Phishing Landing M1 (phishing.rules)

Disabled and modified rules:

  • 2809148 - ETPRO WEB_CLIENT Microsoft Word RCE (CVE-2014-6333) (web_client.rules)
  • 2809149 - ETPRO WEB_CLIENT Microsoft Word RCE (CVE-2014-6334) (web_client.rules)
  • 2809152 - ETPRO WEB_CLIENT Microsoft Internet Explorer Memory Corruption Vulnerability CVE-2014-6337 (web_client.rules)
  • 2809154 - ETPRO WEB_CLIENT Possible Internet Explorer Cross-domain Information Disclosure CVE-2014-6340 (web_client.rules)
  • 2809158 - ETPRO WEB_CLIENT IE Memory Corruption Vulnerability CVE-2014-6347 (web_client.rules)
  • 2809160 - ETPRO WEB_CLIENT IE Memory Corruption Vulnerability CVE-2014-6347 (web_client.rules)