Ruleset Update Summary - 2023/11/03 - v10457

rulesbot · November 3, 2023, 9:12pm

Summary:

23 new OPEN, 23 new PRO (23 + 0)

Thanks @Unit42_Intel, @praetorianlabs, @pdiscoveryio

Added rules:

Open:

2049057 - ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request (CVE-2023-46747) (exploit.rules)
2049058 - ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Creation (CVE-2023-46747) (exploit.rules)
2049059 - ET EXPLOIT F5 BIG-IP - Unauthenticated RCE via AJP Smuggling Request - User Deletion (CVE-2023-46747) (exploit.rules)
2049060 - ET MALWARE Suspected RisePro TCP Heartbeat Packet (malware.rules)
2049061 - ET INFO Observed DNS Over HTTPS Domain (1a .ns .ozer .im in TLS SNI) (info.rules)
2049062 - ET MALWARE Suspected Higaisa APT Related Domain in DNS Lookup (insightinteriors .im) (malware.rules)
2049063 - ET INFO Observed DNS Query to *.ngrok Domain (ngrok .pizza) (info.rules)
2049064 - ET MALWARE DNS Query to IcedID Domain (asleytomafa .com) (malware.rules)
2049065 - ET MALWARE DNS Query to IcedID Domain (manjuskploman .com) (malware.rules)
2049066 - ET MALWARE DNS Query to IcedID Domain (brojizuza .com) (malware.rules)
2049067 - ET MALWARE DNS Query to IcedID Domain (grafielucho .com) (malware.rules)
2049068 - ET MALWARE DNS Query to IcedID Domain (qousahaff .com) (malware.rules)
2049069 - ET MALWARE Observed IcedID Domain (asleytomafa .com in TLS SNI) (malware.rules)
2049070 - ET MALWARE Observed IcedID Domain (manjuskploman .com in TLS SNI) (malware.rules)
2049071 - ET MALWARE Observed IcedID Domain (brojizuza .com in TLS SNI) (malware.rules)
2049072 - ET MALWARE Observed IcedID Domain (grafielucho .com in TLS SNI) (malware.rules)
2049073 - ET MALWARE Observed IcedID Domain (qousahaff .com in TLS SNI) (malware.rules)
2049074 - ET MALWARE NodeStealer CnC Activity from Downloaded Archive (GET) (malware.rules)
2049075 - ET PHISHING SWAT USA Drop Login Panel (phishing.rules)
2049076 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in DNS Lookup (stats-tracked .com) (exploit_kit.rules)
2049077 - ET EXPLOIT_KIT ClearFake Fingerprinting Domain in TLS SNI (stats-tracked .com) (exploit_kit.rules)
2049078 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (koolstoredeluxe .com) (exploit_kit.rules)
2049079 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (koolstoredeluxe .com) (exploit_kit.rules)

Disabled and modified rules:

2039488 - ET INFO Faelix DNS Over HTTPS Certificate Inbound (info.rules)
2844703 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (info.rules)

Topic	Replies	Views
Ruleset Update Summary - 2023/11/20 - v10469 Ruleset Updates	394	November 20, 2023
Ruleset Update Summary - 2023/05/11 - v10321 Ruleset Updates	233	May 11, 2023
Ruleset Update Summary - 2023/05/03 - v10315 Ruleset Updates	368	May 3, 2023
Ruleset Update Summary - 2023/07/25 - v10379 Ruleset Updates	288	July 25, 2023
Ruleset Update Summary - 2023/09/01 - v10408 Ruleset Updates	334	September 1, 2023

Ruleset Update Summary - 2023/11/03 - v10457

Summary:

Added rules:

Open:

Disabled and modified rules:

Related topics