Ruleset Update Summary - 2023/06/23 - v10357

Summary:

21 new OPEN, 24 new PRO (21 + 3)

Thanks @Jane_0sint


Added rules:

Open:

  • 2008406 - ET MALWARE RemoteSpy.com Upload Detected (malware.rules)
  • 2011719 - ET INFO Win32/Sogou User-Agent (SOGOU_UPDATER) (info.rules)
  • 2020183 - ET INFO DNS Query to .onion proxy Domain (torforall.com) (info.rules)
  • 2020184 - ET INFO DNS Query to .onion proxy Domain (torman2.com) (info.rules)
  • 2020185 - ET INFO DNS Query to .onion proxy Domain (torwoman.com) (info.rules)
  • 2020186 - ET INFO DNS Query to .onion proxy Domain (torroadsters.com) (info.rules)
  • 2020430 - ET INFO DNS Query to .onion proxy Domain (onion.city) (info.rules)
  • 2022332 - ET INFO DNS Query to .onion proxy Domain (onion.link) (info.rules)
  • 2024662 - ET INFO DNS Query to .onion proxy Domain (onion.guide) (info.rules)
  • 2025095 - ET INFO .onion proxy Domain (onion .plus in DNS Lookup) (info.rules)
  • 2025096 - ET INFO DNS Query to .onion proxy Domain (onion .casa in DNS Lookup) (info.rules)
  • 2026561 - ET INFO External Host Creating Docker Container (info.rules)
  • 2031584 - ET INFO External Host Creating Docker Image (info.rules)
  • 2031587 - ET INFO External Host Sending Docker Swarm Join Command (info.rules)
  • 2046634 - ET MALWARE Suspected Blackmoon Related Domain in DNS Lookup (malware.rules)
  • 2046635 - ET MALWARE Suspected Blackmoon Related Activity (GET) (malware.rules)
  • 2046636 - ET MALWARE Suspected Blackmoon Related Activity (Response) (malware.rules)
  • 2046637 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Configuration Request Attempt (malware.rules)
  • 2046638 - ET PHISHING Suspicious IPFS Domain Rewritten with Google Translate (phishing.rules)
  • 2046639 - ET PHISHING Successful BDO Bank Credential Phish 2023-06-23 (phishing.rules)
  • 2046640 - ET MALWARE SocGholish Domain in DNS Lookup (devops .livinginthenowbook .info) (malware.rules)

Pro:

  • 2805776 - ETPRO ADWARE_PUP PowerPack software bundle Downloader.Win32.SwiftCleaner.bd (adware_pup.rules)
  • 2829535 - ETPRO INFO Cloud Storage Service SSL Certificate Observed (pCloud) (info.rules)
  • 2836772 - ETPRO INFO Observed SSL Cert (External IP Address Lookup - ip2location .com) (info.rules)

Disabled and modified rules:

  • 2034910 - ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup (mobile_malware.rules)

Removed rules:

  • 2008406 - ET POLICY RemoteSpy.com Upload Detect (policy.rules)
  • 2011719 - ET POLICY Win32/Sogou User-Agent (SOGOU_UPDATER) (policy.rules)
  • 2020183 - ET POLICY DNS Query to .onion proxy Domain (torforall.com) (policy.rules)
  • 2020184 - ET POLICY DNS Query to .onion proxy Domain (torman2.com) (policy.rules)
  • 2020185 - ET POLICY DNS Query to .onion proxy Domain (torwoman.com) (policy.rules)
  • 2020186 - ET POLICY DNS Query to .onion proxy Domain (torroadsters.com) (policy.rules)
  • 2020430 - ET POLICY DNS Query to .onion proxy Domain (onion.city) (policy.rules)
  • 2022332 - ET POLICY DNS Query to .onion proxy Domain (onion.link) (policy.rules)
  • 2024662 - ET POLICY DNS Query to .onion proxy Domain (onion.guide) (policy.rules)
  • 2025095 - ET POLICY .onion proxy Domain (onion .plus in DNS Lookup) (policy.rules)
  • 2025096 - ET POLICY DNS Query to .onion proxy Domain (onion .casa in DNS Lookup) (policy.rules)
  • 2026561 - ET POLICY External Host Creating Docker Container (policy.rules)
  • 2031584 - ET POLICY External Host Creating Docker Image (policy.rules)
  • 2031587 - ET POLICY External Host Sending Docker Swarm Join Command (policy.rules)
  • 2805776 - ETPRO POLICY PowerPack software bundle Downloader.Win32.SwiftCleaner.bd (policy.rules)
  • 2829535 - ETPRO POLICY Possible ROKRAT SSL Certificate Observed (policy.rules)
  • 2836772 - ETPRO POLICY Observed SSL Cert (External IP Address Lookup - ip2location .com) (policy.rules)
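Every SID in the "Removed rules" list above also appears under "Added rules" with the same number but a different category (ET POLICY becoming ET INFO, ET MALWARE, or ETPRO ADWARE_PUP) and a different rules file (policy.rules becoming info.rules, malware.rules, or adware_pup.rules). For anyone maintaining local enable/disable lists keyed on category or file name, that distinction matters more than the raw "21 new OPEN" count. The script below is an added example, not part of the ET summary or of any Proofpoint tooling: it parses this summary format, separates recategorized SIDs from genuinely new ones, and reports which rules files picked up rules that used to live in policy.rules. The sample text is a subset of the lines above embedded inline; the function and variable names are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Line format used in ET ruleset update summaries, e.g.
#   "  • 2008406 - ET MALWARE RemoteSpy.com Upload Detected (malware.rules)"
# The message may itself contain parentheses, so the rules file is taken
# from the last "(...rules)" group anchored at end of line.
RULE_LINE = re.compile(
    r"^\s*•\s*(?P<sid>\d+)\s*-\s*(?P<prefix>ETPRO|ET)\s+(?P<category>[A-Z_]+)\s+"
    r"(?P<msg>.*?)\s*\((?P<file>[a-z_]+\.rules)\)\s*$"
)

# Section headers as they appear in the summary; "Open:" / "Pro:" are
# sub-headings inside "Added rules:" and are simply skipped.
SECTION_HEADERS = {
    "Added rules:": "added",
    "Disabled and modified rules:": "modified",
    "Removed rules:": "removed",
}

# Subset of the summary above (same text, embedded so the example runs offline).
SAMPLE_SUMMARY = """\
Added rules:

Open:

  • 2008406 - ET MALWARE RemoteSpy.com Upload Detected (malware.rules)
  • 2026561 - ET INFO External Host Creating Docker Container (info.rules)
  • 2046634 - ET MALWARE Suspected Blackmoon Related Domain in DNS Lookup (malware.rules)

Pro:

  • 2829535 - ETPRO INFO Cloud Storage Service SSL Certificate Observed (pCloud) (info.rules)

Disabled and modified rules:

  • 2034910 - ET MOBILE_MALWARE Coper Banking Trojan Related Domain in DNS Lookup (mobile_malware.rules)

Removed rules:

  • 2008406 - ET POLICY RemoteSpy.com Upload Detect (policy.rules)
  • 2026561 - ET POLICY External Host Creating Docker Container (policy.rules)
  • 2829535 - ETPRO POLICY Possible ROKRAT SSL Certificate Observed (policy.rules)
"""


def parse_summary(text: str) -> Dict[str, List[dict]]:
    """Split the summary into its three sections and parse each rule line."""
    sections: Dict[str, List[dict]] = {"added": [], "modified": [], "removed": []}
    current = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in SECTION_HEADERS:
            current = SECTION_HEADERS[stripped]
            continue
        m = RULE_LINE.match(line)
        if m and current:
            entry = m.groupdict()
            entry["sid"] = int(entry["sid"])
            sections[current].append(entry)
    return sections


def recategorized(sections: Dict[str, List[dict]]) -> Dict[int, Tuple[str, str]]:
    """SIDs present in both Added and Removed are renames/recategorizations,
    not new detections. Returns sid -> (old rules file, new rules file)."""
    removed = {r["sid"]: r for r in sections["removed"]}
    moved = {}
    for a in sections["added"]:
        old = removed.get(a["sid"])
        if old is not None:
            moved[a["sid"]] = (old["file"], a["file"])
    return moved


def genuinely_new(sections: Dict[str, List[dict]]) -> List[int]:
    """Added SIDs that are not simply a removed SID under a new category."""
    moved = recategorized(sections)
    return sorted(a["sid"] for a in sections["added"] if a["sid"] not in moved)


def files_receiving_moved_rules(sections: Dict[str, List[dict]]) -> List[str]:
    """Rules files that gained SIDs from another file; these are the files whose
    local enable/disable treatment should be re-checked after the update."""
    return sorted({new for _, new in recategorized(sections).values()})


if __name__ == "__main__":
    s = parse_summary(SAMPLE_SUMMARY)
    for sid, (old, new) in sorted(recategorized(s).items()):
        print(f"{sid}: {old} -> {new}")
    print("new detections:", genuinely_new(s))
    print("files to re-check:", files_receiving_moved_rules(s))
```

The practical reason to run this: if a deployment suppresses the whole policy category (for suricata-update that would be a `group:policy.rules` line in disable.conf; this is an assumption about the reader's setup, not something the summary states), the recategorized SIDs stop being covered by that suppression the moment they move into info.rules or malware.rules, and will start alerting on the next update unless the local tuning is carried across by SID rather than by file.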