Ruleset Update Summary - 2023/04/26 - v10308

rulesbot · April 26, 2023, 8:50pm

Summary:

6 new OPEN, 14 new PRO (6 + 8)

Thanks @nao_sec

Added rules:

Open:

2040353 - ET COINMINER Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) (coinminer.rules)
2045123 - ET MALWARE Jasmin Ransomware Panel Activity (Response) (malware.rules)
2045203 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-26 (phishing.rules)
2045204 - ET MALWARE Themedata Embedded OLE Object Maldoc Related Domain in DNS Lookup (support-zabbix .com) (malware.rules)
2045205 - ET MALWARE Win32/Spy.Banker.ZZN Variant Checkin (malware.rules)
2045206 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (waterlinesheet .org) (exploit_kit.rules)

Pro:

2854279 - ETPRO PHISHING Generic Phish Landing Page 2023-04-25 (Request) (phishing.rules)
2854280 - ETPRO PHISHING Generic Phish Landing Page 2023-04-25 (Response) (phishing.rules)
2854281 - ETPRO ATTACK_RESPONSE Win32/Agent Tesla CnC Response Inbound (attack_response.rules)
2854282 - ETPRO MALWARE Win32/MathType-Obfs Variant Payload Request (GET) (malware.rules)
2854283 - ETPRO MALWARE Win32/FingerPrint_Disable Loader Payload Request (GET) M1 (malware.rules)
2854284 - ETPRO MALWARE Win32/FingerPrint_Disable Loader Payload Request (GET) M2 (malware.rules)
2854285 - ETPRO ATTACK_RESPONSE Win32/FingerPrint_Disable Loader Payload Inbound (attack_response.rules)
2854286 - ETPRO MALWARE Win32/Spy.Mekotio.GR Data Exfiltration Attempt (malware.rules)

Removed rules:

2025460 - ET INFO NYU Internet HTTP/SSL Census Scan (info.rules)
2040353 - ET INFO Observed DNS Query to Cryptocurrency Mining Pool Domain (xmr .2miners .com) (info.rules)
2045123 - ET INFO Jasmin Ransomware Panel Activity (Response) (info.rules)

felakuti · September 8, 2023, 9:11am

Hi, the rule 2045203 - ET PHISHING W3LL STORE Phish Kit Landing Page 2023-04-26 (phishing.rules) is blocking all URLs that contain /ov in it.

This is bad since there are legit URLs that contain ov. For instance if you install the ovmf package in Ubuntu it’ll be blocked since it’s calling http://us.archive.ubuntu.com/ubuntu/pool/main/e/edk2/ovmf_2022.02-3ubuntu0.22.04.1_all.deb.

I.e. any package that starts with ov will block Ubuntu servers from updating since the entire IP is blocked.

This rule should be modified or deleted entirely.

Here’s the rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W3LL STORE Phish Kit Landing Page 2023-04-24"; flow:established,to_server; content:"GET"; http_meth
od; content:"/ov"; http_uri; nocase; fast_pattern; pcre:"/\d\//Ui"; reference:md5,587c61ff29e5033527dd0ae79b61bbe7; classtype:trojan-activity; sid:2045173; rev:2; metadata:atta
ck_target Client_Endpoint, created_at 2023_04_24, deployment Perimeter, former_category PHISHING, confidence Medium, signature_severity Major, updated_at 2023_04_26;)

felakuti · September 8, 2023, 7:46pm

Tagging someone on the team for visibility @ishaughnessy, thanks!

ishaughnessy · September 8, 2023, 8:24pm

hey @felakuti, thanks for the tag, we’ve disabled the sig in today’s release and will review it to see there’s anything we can do to fix it up.

Have a great weekend!

Topic	Replies	Views
Ruleset Update Summary - 2023/09/06 - v10411 Ruleset Updates	289	September 6, 2023
Daily Ruleset Update Summary 2022/11/02 Ruleset Updates	277	November 2, 2022
Ruleset Update Summary - 2022/12/19 - v10199 Ruleset Updates	363	December 19, 2022
Ruleset Update Summary - 2022/11/23 - v10180 Ruleset Updates	271	November 23, 2022
Ruleset Update Summary - 2023/12/27 - v10494 Ruleset Updates	284	December 27, 2023