Ruleset Update Summary - 2023/11/03 - v10457

Summary:

23 new OPEN, 23 new PRO (23 + 0)

Thanks @Unit42_Intel, @praetorianlabs, @pdiscoveryio


Added rules:

Open:

  • 2049057 - ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request (CVE-2023-46747) (exploit.rules)
  • 2049058 - ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Creation (CVE-2023-46747) (exploit.rules)
  • 2049059 - ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Deletion (CVE-2023-46747) (exploit.rules)
  • 2049060 - ET MALWARE Suspected RisePro TCP Heartbeat Packet (malware.rules)
  • 2049061 - ET INFO Observed DNS Over HTTPS Domain (1a .ns .ozer .im in TLS SNI) (info.rules)
  • 2049062 - ET MALWARE Suspected Higaisa APT Related Domain in DNS Lookup (insightinteriors .im) (malware.rules)
  • 2049063 - ET INFO Observed DNS Query to *.ngrok Domain (ngrok .pizza) (info.rules)
  • 2049064 - ET MALWARE DNS Query to IcedID Domain (asleytomafa .com) (malware.rules)
  • 2049065 - ET MALWARE DNS Query to IcedID Domain (manjuskploman .com) (malware.rules)
  • 2049066 - ET MALWARE DNS Query to IcedID Domain (brojizuza .com) (malware.rules)
  • 2049067 - ET MALWARE DNS Query to IcedID Domain (grafielucho .com) (malware.rules)
  • 2049068 - ET MALWARE DNS Query to IcedID Domain (qousahaff .com) (malware.rules)
  • 2049069 - ET MALWARE Observed IcedID Domain (asleytomafa .com in TLS SNI) (malware.rules)
  • 2049070 - ET MALWARE Observed IcedID Domain (manjuskploman .com in TLS SNI) (malware.rules)
  • 2049071 - ET MALWARE Observed IcedID Domain (brojizuza .com in TLS SNI) (malware.rules)
  • 2049072 - ET MALWARE Observed IcedID Domain (grafielucho .com in TLS SNI) (malware.rules)
  • 2049073 - ET MALWARE Observed IcedID Domain (qousahaff .com in TLS SNI) (malware.rules)
  • 2049074 - ET MALWARE NodeStealer CnC Activity from Downloaded Archive (GET) (malware.rules)
  • 2049075 - ET PHISHING SWAT USA Drop Login Panel (phishing.rules)
  • 2049076 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in DNS Lookup (stats-tracked .com) (exploit_kit.rules)
  • 2049077 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in TLS SNI (stats-tracked .com) (exploit_kit.rules)
  • 2049078 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (koolstoredeluxe .com) (exploit_kit.rules)
  • 2049079 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (koolstoredeluxe .com) (exploit_kit.rules)

Disabled and modified rules:

  • 2039488 - ET INFO Faelix DNS Over HTTPS Certificate Inbound (info.rules)
  • 2844703 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (info.rules)