Ruleset Update Summary - 2023/11/20 - v10469

Summary:

20 new OPEN, 22 new PRO (20 + 2)

Thanks Kevin, Ross, @ConvergeTSC, @SentinelOne, @Unit42_Intel


Added rules:

Open:

  • 2049254 - ET INFO F5 BIG-IP - Failed Auth Due To Expired Password (info.rules)
  • 2049255 - ET SCAN LeakIX Inbound User-Agent (scan.rules)
  • 2049256 - ET EXPLOIT F5 BIG-IP iControl REST Authentication Bypass Attempt (CVE-2022-1388) M3 (exploit.rules)
  • 2049257 - ET INFO F5 BIG-IP - Password Reset Attempt - Observed Post CVE-2023-46747 Activity (info.rules)
  • 2049258 - ET INFO F5 BIG-IP - Successful Password Reset Attempt - Observed Post CVE-2023-46747 Activity (info.rules)
  • 2049259 - ET INFO F5 BIG-IP - Command Execution via util/bash (info.rules)
  • 2049260 - ET INFO F5 BIG-IP - Successful Command Execution via util/bash (info.rules)
  • 2049261 - ET INFO File Sharing Service Domain in DNS Lookup (ufile .io) (info.rules)
  • 2049262 - ET INFO Observed External IP Lookup Domain (ufile .io in TLS SNI) (info.rules)
  • 2049263 - ET MALWARE Suspected Malicious JS Loader Activity (GET) (malware.rules)
  • 2049264 - ET MALWARE Turla APT/Kazuar Backdoor CnC Activity (POST) (malware.rules)
  • 2049265 - ET WEB_SPECIFIC_APPS Possible CrushFTP as2-to Anonymous User Rename Attempt (CVE-2023-43177) (web_specific_apps.rules)
  • 2049266 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .novelty .akibacreative .com) (malware.rules)
  • 2049267 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .novelty .akibacreative .com) (malware.rules)
  • 2049268 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (gpksanfrancisco .com) (exploit_kit.rules)
  • 2049269 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (forumsecrets .com) (exploit_kit.rules)
  • 2049270 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (gpksanfrancisco .com) (exploit_kit.rules)
  • 2049271 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (forumsecrets .com) (exploit_kit.rules)
  • 2049272 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (treegreeny .org) (exploit_kit.rules)
  • 2049273 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (treegreeny .org) (exploit_kit.rules)

Pro:

  • 2855832 - ETPRO MALWARE Win32/DecryptedLength Payload Inbound (malware.rules)
  • 2855833 - ETPRO MALWARE Win32/DecryptedLength Key Inbound (malware.rules)