Ruleset Update Summary - 2023/11/15 - v10466

Summary:

34 new OPEN, 61 new PRO (34 + 27)

Thanks @foxit, @rapid7
Added rules:

Open:

  • 2049183 - ET INFO DYNAMIC_DNS Query to a *.tcta .com .au Domain (info.rules)
  • 2049184 - ET INFO DYNAMIC_DNS HTTP Request to a *.tcta .com .au Domain (info.rules)
  • 2049185 - ET INFO DYNAMIC_DNS Query to a *.viktor .com .br Domain (info.rules)
  • 2049186 - ET INFO DYNAMIC_DNS HTTP Request to a *.viktor .com .br Domain (info.rules)
  • 2049187 - ET INFO DYNAMIC_DNS Query to a *.princesaleia .cl Domain (info.rules)
  • 2049188 - ET INFO DYNAMIC_DNS HTTP Request to a *.princesaleia .cl Domain (info.rules)
  • 2049189 - ET INFO DYNAMIC_DNS Query to a *.tmxc .ru Domain (info.rules)
  • 2049190 - ET INFO DYNAMIC_DNS HTTP Request to a *.tmxc .ru Domain (info.rules)
  • 2049191 - ET INFO DYNAMIC_DNS Query to a [Redacted - Vulgar] Domain (info.rules)
  • 2049192 - ET INFO DYNAMIC_DNS HTTP Request to a *.hotfuck .org Domain (info.rules)
  • 2049193 - ET INFO DYNAMIC_DNS Query to a *.bisolta .com Domain (info.rules)
  • 2049194 - ET INFO DYNAMIC_DNS HTTP Request to a *.bisolta .com Domain (info.rules)
  • 2049195 - ET INFO DYNAMIC_DNS Query to a *.quilmes .gob .ar Domain (info.rules)
  • 2049196 - ET INFO DYNAMIC_DNS HTTP Request to a *.quilmes .gob .ar Domain (info.rules)
  • 2049197 - ET INFO DYNAMIC_DNS Query to a *.developer .li Domain (info.rules)
  • 2049198 - ET INFO DYNAMIC_DNS HTTP Request to a *.developer .li Domain (info.rules)
  • 2049199 - ET INFO DYNAMIC_DNS Query to a *.cartes .cl Domain (info.rules)
  • 2049200 - ET INFO DYNAMIC_DNS HTTP Request to a *.cartes .cl Domain (info.rules)
  • 2049201 - ET INFO File Hosting Service Domain Domain in DNS Lookup (files .pythonhosted .org) (info.rules)
  • 2049202 - ET INFO Observed File Hosting Service Domain (files .pythonhosted .org in TLS SNI) (info.rules)
  • 2049203 - ET MALWARE Arkei/Vidar/Mars Stealer Variant DLL GET Request M2 (malware.rules)
  • 2049204 - ET HUNTING Suspicious HTTP Server Value in Response (Apache Coyote) (hunting.rules)
  • 2049205 - ET HUNTING Suspicious HTTP Server Value in Response (Apache \r\n) (hunting.rules)
  • 2049206 - ET HUNTING Suspicious HTTP Server Value in Response (Apache.) (hunting.rules)
  • 2049207 - ET HUNTING Suspicious HTTP Server Value in Response (CloudFlare) (hunting.rules)
  • 2049208 - ET HUNTING Suspicious HTTP Header in Response (Expired:) (hunting.rules)
  • 2049209 - ET HUNTING Suspicious HTTP Server Value in Response (ngengx) (hunting.rules)
  • 2049210 - ET HUNTING Suspicious HTTP Server Value in Response (Apache64) (hunting.rules)
  • 2049211 - ET HUNTING Suspicious HTTP Server Value in Response (Microsoft -IIS) (hunting.rules)
  • 2049212 - ET WEB_SPECIFIC_APPS LG Simple Editor Malicious JSP Disguised as BMP Upload Attempt (CVE-2023-40498) (web_specific_apps.rules)
  • 2049213 - ET WEB_SPECIFIC_APPS LG Simple Editor Rename Malicious BMP to JSP Attempt (CVE-2023-40498) (web_specific_apps.rules)
  • 2049214 - ET WEB_SPECIFIC_APPS Zoneminder Create Snapshot Command Injection Attempt (CVE-2023-26035) (web_specific_apps.rules)
  • 2049215 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (risenpeaches .org) (exploit_kit.rules)
  • 2049216 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (risenpeaches .org) (exploit_kit.rules)

Pro:

  • 2855773 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855774 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855775 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855776 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855777 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855778 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855779 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855780 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855781 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855782 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855783 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855784 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855785 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855786 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2855787 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855788 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2855789 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2855790 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2855791 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2855792 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2855793 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2855794 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2855795 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2855796 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2855797 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2855798 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2855799 - ETPRO MALWARE Win32/Unknown Stealer Sending System Information via Telegram (POST) (malware.rules)