Summary:
7 new OPEN, 10 new PRO (7 + 3)
Thanks @foxit
Added rules:
Open:
- 2048935 - ET INFO Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound) (info.rules)
- 2049001 - ET MALWARE Suspected TA404 SIGNBT Backdoor Activity (POST) (malware.rules)
- 2049002 - ET MALWARE Generic VBS Backdoor Sending Windows Information (POST) (malware.rules)
- 2049003 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (updateadobeflash .com) (exploit_kit.rules)
- 2049004 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (alsmgjk-igusj .com) (exploit_kit.rules)
- 2049005 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (updateadobeflash .com) (exploit_kit.rules)
- 2049006 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (alsmgjk-igusj .com) (exploit_kit.rules)
Pro:
- 2855506 - ETPRO EXPLOIT Possible Microsoft SharePoint Deserialization RCE Attempt (CVE-2023-33157) (exploit.rules)
- 2855507 - ETPRO EXPLOIT Possible Microsoft Exchange Deserialization RCE Attempt (CVE-2023-28310) (exploit.rules)
- 2855508 - ETPRO MALWARE Cobalt Strike Related Activity (GET) (malware.rules)
Disabled and modified rules:
- 2012595 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field SELECT (web_specific_apps.rules)
- 2012597 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field INSERT (web_specific_apps.rules)
- 2012599 - ET WEB_SPECIFIC_APPS mySeatXT SQL Injection Attempt autocomplete.php field ASCII (web_specific_apps.rules)
- 2012601 - ET WEB_SPECIFIC_APPS WordPress Lazyest Gallery Plugin image Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
- 2047063 - ET MALWARE IcedID CnC Domain in DNS Lookup (pireltotus .com) (malware.rules)
- 2843988 - ETPRO PHISHING Successful Wells Fargo Phish 2020-08-12 (phishing.rules)
Removed rules:
- 2048935 - ET HUNTING Cisco IOS XE Web Server Auth From Suspicious Username (cisco_support) (CVE-2023-20198) (Outbound) (hunting.rules)