Ruleset Update Summary - 2023/10/05 - v10433

Ruleset Updates
1

Summary:

9 new OPEN, 9 new PRO (9 + 0)

Thanks @naumovax

Added rules:

Open:

  • 2048460 - ET EXPLOIT JetBrains TeamCity Auth Bypass Attempt (CVE-2023-42793) (exploit.rules)
  • 2048461 - ET EXPLOIT JetBrains TeamCity Auth Bypass Successful Attempt (CVE-2023-42793) (exploit.rules)
  • 2048462 - ET MALWARE LNK/Sherlock Stealer Host Process List Exfil (POST) (malware.rules)
  • 2048463 - ET MALWARE LNK/Sherlock Stealer Payload Inbound (malware.rules)
  • 2048464 - ET FTP Vulnerable WS_FTP Version in FTP Banner Response (CVE-2023-40044) (ftp.rules)
  • 2048465 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fablane .com) (exploit_kit.rules)
  • 2048466 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (residencialcasabrasileira .com) (exploit_kit.rules)
  • 2048467 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fablane .com) (exploit_kit.rules)
  • 2048468 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (residencialcasabrasileira .com) (exploit_kit.rules)

Disabled and modified rules:

  • 2036243 - ET MALWARE MSIL/Crimson CnC Server Command (info) M3 (malware.rules)
  • 2037795 - ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (crossfity .com) (malware.rules)
  • 2037796 - ET MALWARE APT29/CloakedUrsa Related Domain in DNS Lookup (techspaceinfo .com) (malware.rules)
  • 2038760 - ET MALWARE Observed DNS Query to EvilProxy Domain (pua75npooc4ekrkkppdglaleftn5mi2hxsunz5uuup6uxqmen4deepyd .onion) (malware.rules)
  • 2038761 - ET MALWARE Observed DNS Query to EvilProxy Domain (top-cyber .club) (malware.rules)
  • 2038839 - ET MALWARE Observed DNS Query to Default Brute Ratel C2 Domain (evasionlabs .com) (malware.rules)
  • 2038863 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (newsforward .quest) (current_events.rules)
  • 2038864 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (polussuo .com) (current_events.rules)
  • 2038866 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (antivirusphonenumber .org) (current_events.rules)
  • 2038867 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (a-techsolutions .us) (current_events.rules)
  • 2038869 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (newsagent .quest) (current_events.rules)
  • 2038870 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (humaantouch .com) (current_events.rules)
  • 2038871 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (mvpconsultant .us) (current_events.rules)
  • 2038872 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (comsecurityessentials .support) (current_events.rules)
  • 2038873 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (everyavenuetravel .site) (current_events.rules)
  • 2038874 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (hardwarecloseout .com) (current_events.rules)
  • 2038875 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (netsecurity-essential .com) (current_events.rules)
  • 2038876 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (weeklylive .info) (current_events.rules)
  • 2038877 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (foddylearn .com) (current_events.rules)
  • 2038878 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (decfurnish .com) (current_events.rules)
  • 2038879 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (glamorousfeeds .com) (current_events.rules)
  • 2038880 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (issat .us) (current_events.rules)
  • 2038881 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (trendingonfeed .com) (current_events.rules)
  • 2038882 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (aksconsulting .us) (current_events.rules)
  • 2038883 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (feedsonbudget .com) (current_events.rules)
  • 2038884 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (tissatweb .us) (current_events.rules)
  • 2038885 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (viralonspot .com) (current_events.rules)
  • 2038886 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (furnitureshopone .us) (current_events.rules)
  • 2038887 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (printertechnicahelp .com) (current_events.rules)
  • 2038888 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (mainlytrendy .com) (current_events.rules)
  • 2038889 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (globalnews .cloud) (current_events.rules)
  • 2038890 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (thespeedoflite .com) (current_events.rules)
  • 2038891 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (quickbooktechnicalsupport .org) (current_events.rules)
  • 2038892 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (financialtrending .com) (current_events.rules)
  • 2038893 - ET CURRENT_EVENTS Observed DNS Query to Known Malvertising Domain (tissat .us) (current_events.rules)
  • 2046894 - ET MALWARE DNS Query for IcedID Domain (filtaferamoza .com) (malware.rules)
  • 2046895 - ET MALWARE DNS Query for IcedID Domain (autokamertos .com) (malware.rules)
  • 2046898 - ET MALWARE DNS Query for IcedID Domain (lohmotarufos .com) (malware.rules)
  • 2046902 - ET MALWARE Observed IcedID Domain (autokamertos .com in TLS SNI) (malware.rules)
  • 2047450 - ET PHISHING TOAD Domain in DNS Lookup (cashapphelp07 .us) (phishing.rules)
  • 2047906 - ET MALWARE TA444 CnC Domain in DNS Lookup (datasend .fun) (malware.rules)
  • 2047907 - ET MALWARE TA444 CnC Domain in DNS Lookup (cryptowave .capital) (malware.rules)
  • 2047908 - ET MALWARE TA444 CnC Domain in DNS Lookup (trustmeeting .online) (malware.rules)
  • 2047909 - ET MALWARE TA444 CnC Domain in DNS Lookup (ubi-safemeeting .online) (malware.rules)
  • 2047910 - ET MALWARE TA444 CnC Domain in DNS Lookup (video-meet .xyz) (malware.rules)
  • 2047911 - ET MALWARE TA444 CnC Domain in DNS Lookup (ubi-safemeeting .live) (malware.rules)
  • 2047912 - ET MALWARE TA444 CnC Domain in DNS Lookup (internal-meeting .online) (malware.rules)
  • 2047913 - ET MALWARE Observed TA444 Domain (trustmeeting .online in TLS SNI) (malware.rules)
  • 2047914 - ET MALWARE Observed TA444 Domain (ubi-safemeeting .live in TLS SNI) (malware.rules)
  • 2047915 - ET MALWARE Observed TA444 Domain (video-meet .xyz in TLS SNI) (malware.rules)
  • 2047916 - ET MALWARE Observed TA444 Domain (internal-meeting .online in TLS SNI) (malware.rules)
  • 2047917 - ET MALWARE Observed TA444 Domain (ubi-safemeeting .online in TLS SNI) (malware.rules)
  • 2047918 - ET MALWARE Observed TA444 Domain (cryptowave .capital in TLS SNI) (malware.rules)
  • 2047919 - ET MALWARE Observed TA444 Domain (datasend .fun in TLS SNI) (malware.rules)
  • 2855032 - ETPRO PHISHING Phishing Domain in DNS Lookup (phishing.rules)
  • 2855033 - ETPRO MALWARE Observed Phishing Domain in TLS SNI (malware.rules)