Ruleset Update Summary - 2023/10/18 - v10444

Summary:

67 new OPEN, 107 new PRO (67 + 40)

Due to a company holiday, there will be no rule release on Friday, October 20, 2023.


Added rules:

Open:

  • 2048585 - ET INFO DYNAMIC_DNS Query to a *.qyiku .com Domain (info.rules)
  • 2048586 - ET INFO DYNAMIC_DNS HTTP Request to a *.qyiku .com Domain (info.rules)
  • 2048587 - ET INFO DYNAMIC_DNS Query to a *.blueshadows .cl Domain (info.rules)
  • 2048588 - ET INFO DYNAMIC_DNS HTTP Request to a *.blueshadows .cl Domain (info.rules)
  • 2048589 - ET INFO DYNAMIC_DNS Query to a *.basewisdom .com Domain (info.rules)
  • 2048590 - ET INFO DYNAMIC_DNS HTTP Request to a *.basewisdom .com Domain (info.rules)
  • 2048591 - ET INFO DYNAMIC_DNS Query to a *.kunglin .com Domain (info.rules)
  • 2048592 - ET INFO DYNAMIC_DNS HTTP Request to a *.kunglin .com Domain (info.rules)
  • 2048593 - ET MALWARE IcedID CnC Domain in DNS Lookup (abegelkunic .com) (malware.rules)
  • 2048594 - ET MALWARE IcedID CnC Domain in DNS Lookup (seedkraproboy .com) (malware.rules)
  • 2048595 - ET MALWARE IcedID CnC Domain in DNS Lookup (maufusjiop .com) (malware.rules)
  • 2048596 - ET MALWARE IcedID CnC Domain in DNS Lookup (joekairbos .com) (malware.rules)
  • 2048597 - ET MALWARE IcedID CnC Domain in DNS Lookup (aptekoagraliy .com) (malware.rules)
  • 2048598 - ET MALWARE Observed IcedID Domain (abegelkunic .com in TLS SNI) (malware.rules)
  • 2048599 - ET INFO Observed DNS Over HTTPS Domain (blackhole .myon .lu in TLS SNI) (info.rules)
  • 2048600 - ET INFO Observed DNS Over HTTPS Domain (doh .ccb-net .it in TLS SNI) (info.rules)
  • 2048601 - ET INFO Observed DNS Over HTTPS Domain (pi1 .node15 .com in TLS SNI) (info.rules)
  • 2048602 - ET INFO Observed DNS Over HTTPS Domain (dnstls .mobik .com in TLS SNI) (info.rules)
  • 2048603 - ET INFO Observed DNS Over HTTPS Domain (dns .b612 .me in TLS SNI) (info.rules)
  • 2048604 - ET INFO Observed DNS Over HTTPS Domain (xray .krnl .eu in TLS SNI) (info.rules)
  • 2048605 - ET INFO Observed DNS Over HTTPS Domain (dns .syaifullah .com in TLS SNI) (info.rules)
  • 2048606 - ET INFO Observed DNS Over HTTPS Domain (doh1 .b-cdn .net in TLS SNI) (info.rules)
  • 2048607 - ET INFO Observed DNS Over HTTPS Domain (doh .futa .gg in TLS SNI) (info.rules)
  • 2048608 - ET INFO Observed DNS Over HTTPS Domain (rayneau .fr in TLS SNI) (info.rules)
  • 2048609 - ET INFO Observed DNS Over HTTPS Domain (dns .kernel-error .de in TLS SNI) (info.rules)
  • 2048610 - ET INFO Observed DNS Over HTTPS Domain (dukun .de in TLS SNI) (info.rules)
  • 2048611 - ET INFO Observed DNS Over HTTPS Domain (mail .data .haus in TLS SNI) (info.rules)
  • 2048612 - ET INFO Observed DNS Over HTTPS Domain (dns .decloudus .com in TLS SNI) (info.rules)
  • 2048613 - ET INFO Observed DNS Over HTTPS Domain (dns .reckoningslug .name in TLS SNI) (info.rules)
  • 2048614 - ET INFO Observed DNS Over HTTPS Domain (dns .vinnyp .xyz in TLS SNI) (info.rules)
  • 2048615 - ET INFO Observed DNS Over HTTPS Domain (dns .emiliyan .com in TLS SNI) (info.rules)
  • 2048616 - ET INFO Observed DNS Over HTTPS Domain (www .c-dns .com in TLS SNI) (info.rules)
  • 2048617 - ET INFO Observed DNS Over HTTPS Domain (dns .startupstack .tech in TLS SNI) (info.rules)
  • 2048618 - ET INFO Observed DNS Over HTTPS Domain (dns .rin .sh in TLS SNI) (info.rules)
  • 2048619 - ET INFO Observed DNS Over HTTPS Domain (dns .silen .org in TLS SNI) (info.rules)
  • 2048620 - ET INFO Observed DNS Over HTTPS Domain (dns .kamilszczepanski .com in TLS SNI) (info.rules)
  • 2048621 - ET INFO Observed DNS Over HTTPS Domain (dns .molinero .dev in TLS SNI) (info.rules)
  • 2048622 - ET INFO Observed DNS Over HTTPS Domain (doh .luigi .nexific .it in TLS SNI) (info.rules)
  • 2048623 - ET INFO Observed DNS Over HTTPS Domain (dns .expert in TLS SNI) (info.rules)
  • 2048624 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - TCP Statistics (scada.rules)
  • 2048625 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - UDP Statistics (scada.rules)
  • 2048626 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation System Data Details Information Disclosure Attempt (scada.rules)
  • 2048627 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - IP Routing Data (scada.rules)
  • 2048628 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - General Memory Statistics (scada.rules)
  • 2048629 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - General Heap Memory Statistics (scada.rules)
  • 2048630 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - ICMP Statistics (scada.rules)
  • 2048631 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - IGMP Statistics (scada.rules)
  • 2048632 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - ARP Statistics (scada.rules)
  • 2048633 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - Interface Statistics (scada.rules)
  • 2048634 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Advanced Diagnostics Information Disclosure Attempt - IP Statistics (scada.rules)
  • 2048635 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Possible Unauthorized Access Attempt - Request for radevice.css (scada.rules)
  • 2048636 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - System List (scada.rules)
  • 2048637 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - Browse Chassis (scada.rules)
  • 2048638 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - Chassis Detail Request (scada.rules)
  • 2048639 - ET SCADA [nsacyber/ELITEWOLF] Allen-Bradley/Rockwell Automation Information Disclosure Attempt - Crashdump Display (scada.rules)
  • 2048640 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-series Possible Unauthorized Access - Request for home.sel (scada.rules)
  • 2048641 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-series Possible Unauthorized Access Attempt - Request for err401.sel (scada.rules)
  • 2048642 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-series Possible Unauthorized Access - Request for default.sel (scada.rules)
  • 2048643 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-2488 Possible Unauthorized Access Attempt - Request for /scripts/dScripts.sel (scada.rules)
  • 2048644 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-2488 Possible Unauthorized Access Attempt - Request for /css/sel.css (scada.rules)
  • 2048645 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-series Dropbear SSH Banner - Possible SSH Login attempt (scada.rules)
  • 2048646 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3530-RTAC AcSELerator Firmware Activity (scada.rules)
  • 2048647 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3620 Default X509 Certificate String (scada.rules)
  • 2048648 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3620 Default Cert Subject Common Name (scada.rules)
  • 2048649 - ET SCADA [nsacyber/ELITEWOLF] Schweitzer Engineering Laboratories SEL-3620 Default Cert Issuer Common Name (scada.rules)
  • 2048650 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dodgesteelbuildings .com) (exploit_kit.rules)
  • 2048651 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dodgesteelbuildings .com) (exploit_kit.rules)

Pro:

  • 2855367 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855368 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855369 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855370 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855371 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855372 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855373 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855374 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855375 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855376 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855377 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855378 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855379 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855380 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855381 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855382 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855383 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855384 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855385 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855386 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855387 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855388 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855389 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855390 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855391 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855392 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855393 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855394 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855395 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855396 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855397 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855398 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855399 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855400 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855401 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855403 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855404 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855405 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855408 - ETPRO MALWARE DarkGate CnC Activity (GET) (malware.rules)