Summary:
11 new OPEN, 12 new PRO (11 open + 1 Pro-only)
Thanks @malware_traffic, @Jane_0sint
Added rules:
Open:
- 2048557 - ET WEB_SERVER Generic PHP Webshell Activity (web_server.rules)
- 2048558 - ET MALWARE [ANY.RUN] DarkGate Check-In HTTP Header (POST) (malware.rules)
- 2048559 - ET PHISHING DNS Query to TOAD Domain (300005 .ru) (phishing.rules)
- 2048560 - ET PHISHING DNS Query to TOAD Domain (helpset123 .site) (phishing.rules)
- 2048561 - ET PHISHING Observed TOAD Domain (300005 .ru in TLS SNI) (phishing.rules)
- 2048562 - ET PHISHING Observed TOAD Domain (helpset123 .site in TLS SNI) (phishing.rules)
- 2048563 - ET MALWARE Win32/DarkWatchMan Checkin Activity (POST) M2 (malware.rules)
- 2048564 - ET USER_AGENTS Possible Win32/DarkWatchMan User Agent M2 (user_agents.rules)
- 2048565 - ET USER_AGENTS Possible Win32/DarkWatchMan User Agent M1 (user_agents.rules)
- 2048566 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (climedballon .org) (exploit_kit.rules)
- 2048567 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (climedballon .org) (exploit_kit.rules)
Pro:
- 2855359 - ETPRO INFO PenTesting Related Domain in DNS Lookup (info.rules)
Modified inactive rules:
- 2000006 - ET DOS Cisco Router HTTP DoS (dos.rules)
Disabled and modified rules:
- 2048469 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity (current_events.rules)
- 2048470 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity (current_events.rules)