Ruleset Update Summary - 2023/11/06 - v10458

Summary:

16 new OPEN, 17 new PRO (16 + 1)

Thanks @Unit42_Intel


Added rules:

Open:

  • 2049080 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected M1 Version 1.x-6.x (web_specific_apps.rules)
  • 2049081 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected M2 Version 1.x-6.x (web_specific_apps.rules)
  • 2049082 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M1 (web_specific_apps.rules)
  • 2049083 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 8.x M2 (web_specific_apps.rules)
  • 2049084 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 7.x M1 (web_specific_apps.rules)
  • 2049085 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected Version 7.x M2 (web_specific_apps.rules)
  • 2049086 - ET MALWARE JS/Z1_Loader Activity (POST) (malware.rules)
  • 2049087 - ET MALWARE Win32/Stealc Style Headers In HTTP POST (malware.rules)
  • 2049088 - ET PHISHING Possible SWAT USA Drop Login Panel (phishing.rules)
  • 2049089 - ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (7fcd2) (exploit_kit.rules)
  • 2049090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andreeasasser .com) (exploit_kit.rules)
  • 2049091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (addisonlynch .com) (exploit_kit.rules)
  • 2049092 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (andreeasasser .com) (exploit_kit.rules)
  • 2049093 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (addisonlynch .com) (exploit_kit.rules)
  • 2049094 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (izikatka0010 .com) (exploit_kit.rules)
  • 2049095 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (izikatka0010 .com) (exploit_kit.rules)

Pro:

  • 2855525 - ETPRO MALWARE Win32/Stealc Host Details Exfil (POST) (malware.rules)

Modified inactive rules:

  • 2048581 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity - Clone (current_events.rules)
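The summary above is plain text, but the SIDs, categories and the defanged indicator domains ("andreeasasser .com") in it are exactly what an operator wants in machine-readable form, for example to confirm which of the day's signatures landed in a sensor's enabled set or to push the exploit-kit domains into a DNS blocklist. The following parser is an added example written for this page; it is not part of the Emerging Threats summary, suricata-update or any Proofpoint tooling. It assumes the layout shown here (section headings ending in a colon, one bullet per rule in the form `SID - msg (file.rules)`), and `SAMPLE_SUMMARY` is a constructed excerpt of the list above so the script runs offline.

```python
"""Parse an Emerging Threats (ET) ruleset update summary into structured records.

Added example for this page, not ET's own code or part of suricata-update.
Assumes the summary layout used on the page: headings end with ":", each rule is
"SID - msg (file.rules)", and indicator domains are defanged as "name .tld".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed excerpt of the 2023/11/06 summary (a subset of the rules listed above).
SAMPLE_SUMMARY = """\
Ruleset Update Summary - 2023/11/06 - v10458

Added rules:

Open:

  • 2049080 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2023-22518 Vulnerable Server Detected M1 Version 1.x-6.x (web_specific_apps.rules)
  • 2049090 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andreeasasser .com) (exploit_kit.rules)
  • 2049093 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (addisonlynch .com) (exploit_kit.rules)

Pro:

  • 2855525 - ETPRO MALWARE Win32/Stealc Host Details Exfil (POST) (malware.rules)

Modified inactive rules:

  • 2048581 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity - Clone (current_events.rules)
"""

# "  • 2049080 - ET ... (web_specific_apps.rules)"  -> sid, msg, rules file
RULE_LINE = re.compile(r"^\s*(?:[•*\-]\s*)?(\d+)\s+-\s+(.+?)\s+\((\S+\.rules)\)\s*$")
# "ET WEB_SPECIFIC_APPS ..." / "ETPRO MALWARE ..." -> ruleset tier and category token
MSG_PREFIX = re.compile(r"^(ETPRO|ET)\s+([A-Z_]+)\s+")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
# Heuristic: a parenthesised, dot-separated name, possibly defanged with spaces, e.g. "(andreeasasser .com)"
DEFANGED = re.compile(r"\(([a-z0-9-]+(?:\s*\.\s*[a-z0-9-]+)+)\)", re.I)


@dataclass
class Rule:
    sid: int
    msg: str
    rules_file: str
    section: str                     # "Added rules", "Modified inactive rules", ...
    tier: Optional[str]              # "Open" or "Pro" under "Added rules", else None
    pro: bool = False                # msg starts with ETPRO
    category: str = ""               # e.g. WEB_SPECIFIC_APPS, EXPLOIT_KIT
    cves: List[str] = field(default_factory=list)
    domains: List[str] = field(default_factory=list)   # refanged indicator domains


def refang(domain: str) -> str:
    """'andreeasasser .com' -> 'andreeasasser.com'."""
    return re.sub(r"\s*\.\s*", ".", domain).lower()


def parse_summary(text: str) -> List[Rule]:
    """Walk the summary line by line, tracking the current section and Open/Pro tier."""
    rules: List[Rule] = []
    section, tier = "", None
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_LINE.match(line)
        if m:
            sid, msg, rules_file = int(m.group(1)), m.group(2), m.group(3)
            pm = MSG_PREFIX.match(msg)
            rules.append(Rule(
                sid=sid, msg=msg, rules_file=rules_file, section=section, tier=tier,
                pro=bool(pm and pm.group(1) == "ETPRO"),
                category=pm.group(2) if pm else "",
                cves=CVE_ID.findall(msg),
                domains=[refang(d) for d in DEFANGED.findall(msg)],
            ))
        elif line.endswith(":"):
            heading = line[:-1]
            if heading in ("Open", "Pro"):          # tier under "Added rules"
                tier = heading
            elif heading.lower().endswith("rules"):  # "Added rules", "Modified inactive rules", ...
                section, tier = heading, None
    return rules


def added_sids(rules: List[Rule], include_pro: bool = False) -> List[int]:
    """SIDs newly added in this update; ETPRO SIDs are skipped unless requested
    (they are absent from the open ruleset, so enabling them there is a no-op)."""
    return [r.sid for r in rules
            if r.section == "Added rules" and (include_pro or not r.pro)]


def indicator_domains(rules: List[Rule]) -> List[str]:
    """Refanged domains from newly added rules, e.g. for a DNS blocklist."""
    return sorted({d for r in rules if r.section == "Added rules" for d in r.domains})


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    for r in parsed:
        print(f"{r.sid} {r.section}/{r.tier} {r.category} cves={r.cves} domains={r.domains}")
    print("open SIDs to enable:", added_sids(parsed))
    print("indicator domains:", indicator_domains(parsed))
```

Counting `added_sids(parsed)` against the open total and `added_sids(parsed, include_pro=True)` against the combined total is a quick check of the "16 new OPEN, 17 new PRO" line when run over the full summary. Rules under "Modified inactive rules" are deliberately excluded from both lists: the summary only records that the rule changed, not that it was enabled.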