Ruleset Update Summary - 2023/11/07 - v10460

Summary:

20 new OPEN, 21 new PRO (20 + 1)

Thanks @SI_FalconTeam, @tiresearch1

Added rules:

Open:

  • 2049098 - ET MALWARE Bitter APT Related Domain in DNS Lookup (malware.rules)
  • 2049099 - ET MALWARE Observed Bitter APT Related Domain in TLS SNI (malware.rules)
  • 2049100 - ET INFO Observed DNS Over HTTPS Domain (adg .tshost .no in TLS SNI) (info.rules)
  • 2049101 - ET INFO Observed DNS Over HTTPS Domain (dns .mni .li in TLS SNI) (info.rules)
  • 2049102 - ET INFO Observed DNS Over HTTPS Domain (doh .zln .wtf in TLS SNI) (info.rules)
  • 2049103 - ET EXPLOIT Cisco IOS XE Web Server Implant Check (CVE-2023-20198) M3 (exploit.rules)
  • 2049104 - ET MALWARE Lazarus CnC Domain in DNS Lookup (online-meeting .team) (malware.rules)
  • 2049105 - ET MALWARE Lazarus CnC Domain in DNS Lookup (team-meet .online) (malware.rules)
  • 2049106 - ET MALWARE Lazarus CnC Domain in DNS Lookup (safemeeting .online) (malware.rules)
  • 2049107 - ET MALWARE Lazarus CnC Domain in DNS Lookup (videomeethub .online) (malware.rules)
  • 2049108 - ET MALWARE Observed Lazarus Domain (team-meet .online in TLS SNI) (malware.rules)
  • 2049109 - ET MALWARE Observed Lazarus Domain (videomeethub .online in TLS SNI) (malware.rules)
  • 2049110 - ET MALWARE Observed Lazarus Domain (online-meeting .team in TLS SNI) (malware.rules)
  • 2049111 - ET MALWARE Observed Lazarus Domain (safemeeting .online in TLS SNI) (malware.rules)
  • 2049112 - ET PHISHING Successful Greatness Credential Phish M1 (2023-11-07) (phishing.rules)
  • 2049113 - ET PHISHING Successful Greatness Credential Phish M2 (2023-11-07) (phishing.rules)
  • 2049114 - ET PHISHING Successful Greatness Credential Phish M3 (2023-11-07) (phishing.rules)
  • 2049115 - ET MALWARE Socks5Systemz CnC Checkin M2 (malware.rules)
  • 2049116 - ET MALWARE Socks5SystemZ CnC Checkin Response M1 (malware.rules)
  • 2049117 - ET MALWARE Socks5SystemZ CnC Checkin Response M2 (malware.rules)

Pro:

  • 2855532 - ETPRO INFO Observed Abused CDN Domain in DNS Lookup (info.rules)

Disabled and modified rules:

  • 2034230 - ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M1 (malware.rules)
  • 2034231 - ET MALWARE Win32/JSWORM Ransomware Style Geo IP Check M2 (malware.rules)