Ruleset Update Summary - 2023/08/24 - v10402

Summary:

13 new OPEN, 20 new PRO (13 + 7)

Thanks @Jane_0sint, @talossecurity


Added rules:

Open:

  • 2047718 - ET INFO External IP Lookup Domain (iplogger .com in TLS SNI) (info.rules)
  • 2047719 - ET INFO External IP Lookup Domain (iplogger .com in DNS lookup) (info.rules)
  • 2047720 - ET INFO Abused Confluence/Jira External Sharing Site in DNS Lookup (external-share .com) (info.rules)
  • 2047721 - ET INFO Abused Confluence/Jira External Sharing Site (external-share .com in TLS SNI) (info.rules)
  • 2047722 - ET MALWARE Commonly Abused Domain in DNS Lookup (gk-stst .ru) (malware.rules)
  • 2047723 - ET MALWARE [ANY.RUN] Mekotio Banking Trojan TCP Request (malware.rules)
  • 2047724 - ET CURRENT_EVENTS Abused Domain Delivering Malicious Payloads in DNS Lookup (one-click .cc) (current_events.rules)
  • 2047725 - ET CURRENT_EVENTS Abused Domain Delivering Malicious Payloads in DNS Lookup (freeclickr .com) (current_events.rules)
  • 2047726 - ET MALWARE Suspected CollectionRAT Related Activity (GET) (malware.rules)
  • 2047727 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (polyfieldgallery .com) (exploit_kit.rules)
  • 2047728 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (polyfieldgallery .com) (exploit_kit.rules)
  • 2047729 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (seosuccesslab .com) (exploit_kit.rules)
  • 2047730 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (seosuccesslab .com) (exploit_kit.rules)

Pro:

  • 2855173 - ETPRO INFO Referer Obfuscation/Hiding Service in DNS Lookup (href .li) (info.rules)
  • 2855174 - ETPRO INFO Referer Obfuscation/Hiding Service Domain (href .li in TLS SNI) (info.rules)
  • 2855175 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2855176 - ETPRO MALWARE Observed DNS Query to TA444 Domain (malware.rules)
  • 2855177 - ETPRO MALWARE Observed TA444 Domain in TLS SNI (malware.rules)
  • 2855178 - ETPRO MALWARE Observed TA444 Domain in TLS SNI (malware.rules)
  • 2855179 - ETPRO MALWARE Win32/CosmicRust TA444 CnC Activity (GET) (malware.rules)

Removed rules:

  • 2827133 - ETPRO POLICY External IP Lookup Domain (iplogger .com in DNS lookup) (policy.rules)
  • 2828488 - ETPRO POLICY External IP Lookup Domain (iplogger .com in TLS SNI) (policy.rules)

Note: the two removed ETPRO POLICY rules cover the same iplogger .com DNS lookup and TLS SNI matches that are re-issued in this update as open rules 2047719 and 2047718 in info.rules; any local threshold, suppression or disable entries keyed on 2827133 or 2828488 should be moved to the new SIDs.
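Most of the signatures in this update are domain indicators split into a "DNS Lookup" and a "TLS SNI" variant, so the same indicator can be found in two different telemetry streams. The following is an added example, not Proofpoint/ET rule content: it refangs the defanged domains exactly as they are printed in the rule titles above (the "iplogger .com" convention), builds a watchlist from them, and runs a suffix match over a few constructed Suricata EVE-style DNS and TLS log lines. The sample events, the `SAMPLE_EVE_LINES` name and the field layout are assumptions made for the example; the point it makes beyond the list itself is the matching rule a practitioner needs: exact name or subdomain only, never a plain substring, so `notiplogger.com` or `seosuccesslab.com.evil.example` does not fire.

```python
import json
import re
from typing import Iterable, List, Optional, Set, Tuple

# Rule titles copied from this update, with their defanged "name .tld" domains.
RULE_TITLES = [
    "ET INFO External IP Lookup Domain (iplogger .com in TLS SNI)",
    "ET INFO Abused Confluence/Jira External Sharing Site in DNS Lookup (external-share .com)",
    "ET MALWARE Commonly Abused Domain in DNS Lookup (gk-stst .ru)",
    "ET CURRENT_EVENTS Abused Domain Delivering Malicious Payloads in DNS Lookup (one-click .cc)",
    "ET CURRENT_EVENTS Abused Domain Delivering Malicious Payloads in DNS Lookup (freeclickr .com)",
    "ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (polyfieldgallery .com)",
    "ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (seosuccesslab .com)",
    "ETPRO INFO Referer Obfuscation/Hiding Service in DNS Lookup (href .li)",
]

# Matches "(label .tld" as printed in the titles; other parentheses such as "(GET)" have no " ." and are skipped.
DEFANGED = re.compile(r"\(([a-z0-9.-]+) \.([a-z]{2,})\b")


def refang(title: str) -> Optional[str]:
    """Return the real domain from a defanged rule title, or None if it carries none."""
    m = DEFANGED.search(title)
    return f"{m.group(1)}.{m.group(2)}" if m else None


def watchlist(titles: Iterable[str]) -> Set[str]:
    return {d for d in map(refang, titles) if d}


# Constructed sample events (assumption: Suricata EVE JSON shape for dns and tls records).
SAMPLE_EVE_LINES = [
    '{"event_type":"dns","dns":{"type":"query","rrname":"iplogger.com","rrtype":"A"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"www.external-share.com.","rrtype":"A"}}',
    '{"event_type":"tls","tls":{"sni":"polyfieldgallery.com"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"notiplogger.com","rrtype":"A"}}',
    '{"event_type":"tls","tls":{"sni":"href.li"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}',
    '{"event_type":"tls","tls":{"sni":"seosuccesslab.com.evil.example"}}',
    'not json at all',
]


def extract_name(event: dict) -> Optional[Tuple[str, str]]:
    """Pull the queried name (dns) or server name (tls SNI) out of an event, normalised."""
    if event.get("event_type") == "dns":
        source, name = "dns", event.get("dns", {}).get("rrname")
    elif event.get("event_type") == "tls":
        source, name = "tls_sni", event.get("tls", {}).get("sni")
    else:
        return None
    if not name:
        return None
    return source, name.lower().rstrip(".")


def matched_domain(name: str, domains: Set[str]) -> Optional[str]:
    """Exact or subdomain match only; 'notiplogger.com' must not match 'iplogger.com'."""
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan(lines: Iterable[str], domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (source, observed_name, watchlist_domain) for every line that hits."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the scan
        extracted = extract_name(event)
        if not extracted:
            continue
        source, name = extracted
        d = matched_domain(name, domains)
        if d:
            hits.append((source, name, d))
    return hits


if __name__ == "__main__":
    for source, name, d in scan(SAMPLE_EVE_LINES, watchlist(RULE_TITLES)):
        print(f"{source:8} {name:40} -> {d}")
```

The DNS hit on `www.external-share.com` and the miss on `seosuccesslab.com.evil.example` show the two sides of the suffix rule; the trailing-dot strip handles the FQDN form some resolvers log.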