Ruleset Update Summary - 2023/08/31 - v10407

Ruleset Updates
1

Summary:

3 new OPEN, 6 new PRO (3 + 3)

Thanks @travisbgreen

Added rules:

Open:

  • 2047862 - ET WEB_SPECIFIC_APPS Openfire Authentication Bypass With RCE (CVE-2023-32315) (web_specific_apps.rules)
  • 2047863 - ET MALWARE SocGholish Domain in DNS Lookup (assay .porchlightcommunity .org) (malware.rules)
  • 2047864 - ET MALWARE SocGholish Domain in TLS SNI (assay .porchlightcommunity .org) (malware.rules)

Pro:

  • 2855192 - ETPRO MALWARE GuLoader Encoded Binary Request M2 (malware.rules)
  • 2855193 - ETPRO PHISHING Obuf Related Phish Activity (POST) (phishing.rules)
  • 2855197 - ETPRO MALWARE MSIL/TrojanDownloader.Agent_AGen.AYM Variant CnC Checkin (GET) (malware.rules)

Disabled and modified rules:

  • 2045675 - ET MALWARE SocGholish Domain in DNS Lookup (product .sammyhallam .com) (malware.rules)
  • 2045676 - ET MALWARE SocGholish Domain in DNS Lookup (games .iglesiaelarca .org) (malware.rules)
  • 2045679 - ET MALWARE SocGholish Domain in DNS Lookup (books .friendsofthefolsomlibrary .org) (malware.rules)
  • 2045813 - ET MALWARE SocGholish Domain in DNS Lookup (commercial .tedgorka .com) (malware.rules)
  • 2045816 - ET MALWARE SocGholish Domain in DNS Lookup (round .macayafoundation .org) (malware.rules)
  • 2045818 - ET MALWARE SocGholish Domain in DNS Lookup (friends .foflib .org) (malware.rules)
  • 2045819 - ET MALWARE SocGholish Domain in DNS Lookup (training .defcon1 .us) (malware.rules)
  • 2045820 - ET MALWARE SocGholish Domain in DNS Lookup (assist .cabinetelcea .com) (malware.rules)
  • 2046173 - ET MALWARE SocGholish Domain in DNS Lookup (portable .nodirtyelectricity .com) (malware.rules)
  • 2046947 - ET MALWARE SocGholish Domain in TLS SNI (creativity .kinchcorp .com) (malware.rules)
  • 2854909 - ETPRO EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (exploit_kit.rules)
  • 2854910 - ETPRO EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (exploit_kit.rules)
  • 2854912 - ETPRO EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (exploit_kit.rules)
  • 2854913 - ETPRO EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (exploit_kit.rules)