Ruleset Update Summary - 2023/10/04 - v10432

Summary:

73 new OPEN, 74 new PRO (73 + 1)

Thanks @1ZRR4H, @banthisguy9349, @PRODAFT, @zscaler


Added rules:

Open:

  • 2048387 - ET INFO Simplenote Notes Taking App Domain in DNS Lookup (app .simplenote .com) (info.rules)
  • 2048388 - ET INFO Simplenote Notes Taking App Domain (app .simplenote .com in TLS SNI) (info.rules)
  • 2048389 - ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-4115) set (exploit.rules)
  • 2048390 - ET EXPLOIT Suspected Exim External Auth Overflow (CVE-2023-4115) (exploit.rules)
  • 2048391 - ET MALWARE Win32/Lumma Stealer Data Exfiltration in URI (GET) (malware.rules)
  • 2048392 - ET MALWARE Observed BlackDolphin Ransomware Builder Cookie (malware.rules)
  • 2048393 - ET MALWARE BlackDolphin Ransomware Builder Landing Page M2 (malware.rules)
  • 2048394 - ET MALWARE BlackDolphin Ransomware Builder Landing Page M3 (malware.rules)
  • 2048395 - ET MALWARE BlackDolphin Ransomware Builder Landing Page M4 (malware.rules)
  • 2048396 - ET MALWARE BlackDolphin Ransomware Builder Landing Page M1 (malware.rules)
  • 2048397 - ET MALWARE BunnyLoader - Initial CnC Checkin (malware.rules)
  • 2048398 - ET MALWARE BunnyLoader Initial CnC Checkin Response (malware.rules)
  • 2048399 - ET MALWARE BunnyLoader CnC Checkin - Retrieve Tasking (malware.rules)
  • 2048400 - ET MALWARE BunnyLoader CnC Tasking Response (malware.rules)
  • 2048401 - ET MALWARE BunnyLoader CnC Checkin - Echoer (malware.rules)
  • 2048402 - ET MALWARE BunnyLoader CnC Checkin - Heartbeat (malware.rules)
  • 2048403 - ET MALWARE BunnyLoader Heartbeat Acknowledgement (malware.rules)
  • 2048404 - ET MALWARE BunnyLoader CnC Checkin - ResultCMD (malware.rules)
  • 2048405 - ET MALWARE BunnyLoader Data Exfiltration Attempt (malware.rules)
  • 2048406 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .syshero .org) (info.rules)
  • 2048407 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (1 .dns .noridev .moe) (info.rules)
  • 2048408 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .telekom .de) (info.rules)
  • 2048409 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .phdns5 .lonet .org) (info.rules)
  • 2048410 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-02 .spectrum .com) (info.rules)
  • 2048411 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .tls-data .de) (info.rules)
  • 2048412 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .ipv6dns .com) (info.rules)
  • 2048413 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .mrmartian .co) (info.rules)
  • 2048414 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .t53 .de) (info.rules)
  • 2048415 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (wikimedia-dns .org) (info.rules)
  • 2048416 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .switch .ch) (info.rules)
  • 2048417 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .lv) (info.rules)
  • 2048418 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .ibr .cs .tu-bs .de) (info.rules)
  • 2048419 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (8888 .google) (info.rules)
  • 2048420 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .phdns3 .lonet .org) (info.rules)
  • 2048421 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (snoke .meganerd .nl) (info.rules)
  • 2048422 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (masters-of-cloud .de) (info.rules)
  • 2048423 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh-01 .spectrum .com) (info.rules)
  • 2048424 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .bitdefender .net) (info.rules)
  • 2048425 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (qlf-doh .inria .fr) (info.rules)
  • 2048426 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (resolver .noaddns .com) (info.rules)
  • 2048427 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .froth .zone) (info.rules)
  • 2048428 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (jp .tiarap .org) (info.rules)
  • 2048429 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .belnet .be) (info.rules)
  • 2048430 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .tiarap .org) (info.rules)
  • 2048431 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .hinet .net) (info.rules)
  • 2048432 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .phdns1 .lonet .org) (info.rules)
  • 2048433 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (abel .waringer-atg .de) (info.rules)
  • 2048434 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (cdn .0ms .dev) (info.rules)
  • 2048435 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .nic .lv) (info.rules)
  • 2048436 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .datahata .by) (info.rules)
  • 2048437 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (eu1 .dns .lavate .ch) (info.rules)
  • 2048438 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (yarp .lefolgoc .net) (info.rules)
  • 2048439 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (awan .ftp .sh) (info.rules)
  • 2048440 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .phdns2 .lonet .org) (info.rules)
  • 2048441 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (adguard .kantinyoyok .xyz) (info.rules)
  • 2048442 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .phdns4 .lonet .org) (info.rules)
  • 2048443 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (dns .dnswarden .com) (info.rules)
  • 2048444 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (resolver .r0cket .net) (info.rules)
  • 2048445 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (doh .disconnect .app) (info.rules)
  • 2048446 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (* .dns .mullvad .net) (info.rules)
  • 2048447 - ET INFO Observed DNS over HTTPS Domain in TLS SNI (* .dnscry .pt) (info.rules)
  • 2048448 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amazonascash .com) (exploit_kit.rules)
  • 2048449 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (profille-cex-io .com) (exploit_kit.rules)
  • 2048450 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (raloco .com) (exploit_kit.rules)
  • 2048451 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amazonascash .com) (exploit_kit.rules)
  • 2048452 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (profille-cex-io .com) (exploit_kit.rules)
  • 2048453 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (raloco .com) (exploit_kit.rules)
  • 2048454 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (christopherchabannes .com) (exploit_kit.rules)
  • 2048455 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (onlinecasinopinup .xyz) (exploit_kit.rules)
  • 2048456 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (s127581-statspixel .com) (exploit_kit.rules)
  • 2048457 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (christopherchabannes .com) (exploit_kit.rules)
  • 2048458 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (onlinecasinopinup .xyz) (exploit_kit.rules)
  • 2048459 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (s127581-statspixel .com) (exploit_kit.rules)

Pro:

  • 2855319 - ETPRO EXPLOIT_KIT Fake Browser Update Browser Identification Page (exploit_kit.rules)

Disabled and modified rules:

  • 2035721 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035722 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035723 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035724 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035725 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035726 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035727 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2035728 - ET MALWARE Observed DNS Query to POWERPLANT Domain (malware.rules)
  • 2046237 - ET MALWARE SocGholish Domain in DNS Lookup (mentoring .yogayield .net) (malware.rules)
  • 2046629 - ET MALWARE SocGholish Domain in DNS Lookup (described .moraver .com) (malware.rules)
  • 2046632 - ET MALWARE SocGholish Domain in DNS Lookup (brands .shopperstreets .com) (malware.rules)
  • 2046665 - ET MALWARE SocGholish Domain in DNS Lookup (marathon .teachmemoney .net) (malware.rules)
  • 2046670 - ET MALWARE SocGholish Domain in DNS Lookup (sandwiches .tropipackfood .com) (malware.rules)
  • 2046699 - ET MALWARE SocGholish Domain in DNS Lookup (editions .seattlemysterylovers .com) (malware.rules)
  • 2046868 - ET MALWARE SocGholish Domain in TLS SNI (x64 .nvize .com) (malware.rules)
  • 2047727 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (polyfieldgallery .com) (exploit_kit.rules)
  • 2047728 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (polyfieldgallery .com) (exploit_kit.rules)
  • 2047729 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (seosuccesslab .com) (exploit_kit.rules)
  • 2047730 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (seosuccesslab .com) (exploit_kit.rules)
  • 2047805 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (martinreamask .com) (exploit_kit.rules)
  • 2047806 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (seyishalom .com) (exploit_kit.rules)
  • 2047807 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (martinreamask .com) (exploit_kit.rules)
  • 2047808 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (seyishalom .com) (exploit_kit.rules)
  • 2047816 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (phimnhanh .info) (exploit_kit.rules)
  • 2047817 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (phimnhanh .info) (exploit_kit.rules)
  • 2854911 - ETPRO EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (exploit_kit.rules)
  • 2854914 - ETPRO EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (exploit_kit.rules)