Ruleset Update Summary - 2023/11/27 - v10473

Summary:

19 new OPEN, 24 new PRO (19 + 5)

Thanks @cpresearch, @intezerlabs
Added rules:

Open:

  • 2049295 - ET EXPLOIT Possible SysAid Traversal Attack (CVE-2023-47246) (exploit.rules)
  • 2049296 - ET MALWARE DNS Query to SysJoker Domain (sharing-u-file .com) (malware.rules)
  • 2049297 - ET MALWARE DNS Query to SysJoker Domain (filestorage-short .org) (malware.rules)
  • 2049298 - ET MALWARE DNS Query to SysJoker Domain (audiosound-visual .com) (malware.rules)
  • 2049299 - ET MALWARE SysJoker Host Details Exfil (POST) (malware.rules)
  • 2049300 - ET MALWARE SysJoker Successful Command Execution (POST) (malware.rules)
  • 2049301 - ET MALWARE SysJoker Bot Configuration Request (POST) (malware.rules)
  • 2049302 - ET MALWARE SysJoker Bot Registration (POST) (malware.rules)
  • 2049303 - ET MALWARE SysJoker User-Agent Observed (malware.rules)
  • 2049304 - ET MALWARE SysJoker User-Agent Observed (malware.rules)
  • 2049305 - ET MALWARE SysJoker CnC Checkin (POST) (malware.rules)
  • 2049306 - ET MALWARE TA406 Win32/Updog Backdoor Data Exfiltration Attempt (malware.rules)
  • 2049307 - ET MALWARE TA406 Win32/Updog CnC Checkin (malware.rules)
  • 2049308 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (daddygarages .org) (exploit_kit.rules)
  • 2049309 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (daddygarages .org) (exploit_kit.rules)
  • 2049310 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (jagernaut .com) (exploit_kit.rules)
  • 2049311 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (jagernaut .com) (exploit_kit.rules)
  • 2049312 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (excellentpatterns .com) (exploit_kit.rules)
  • 2049313 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (excellentpatterns .com) (exploit_kit.rules)

Pro:

  • 2855854 - ETPRO MALWARE Win32/Kaisdet Variant Sending Windows System Information (POST) (malware.rules)
  • 2855855 - ETPRO MALWARE Observed SysJoker Domain in TLS SNI (malware.rules)
  • 2855856 - ETPRO MALWARE Observed SysJoker Domain in TLS SNI (malware.rules)
  • 2855857 - ETPRO MALWARE Observed SysJoker Domain in TLS SNI (malware.rules)
  • 2855858 - ETPRO EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (03fe2) (exploit_kit.rules)

Modified inactive rules:

  • 2800571 - ETPRO DOS ISC DHCP Server Zero Length Client ID Denial of Service (dos.rules)
  • 2803496 - ETPRO DOS ISC DHCP Server Packet Processing Denial of Service (dos.rules)

Disabled and modified rules:

  • 2015704 - ET INFO DoSWF Flash Encryption Banner (info.rules)
  • 2047633 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (gstatick .com) (exploit_kit.rules)
  • 2047634 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (gstatick .com) (exploit_kit.rules)
  • 2048035 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cristinaamaro .com) (exploit_kit.rules)
  • 2048036 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (cristinaamaro .com) (exploit_kit.rules)
  • 2048091 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (krafttopia .net) (exploit_kit.rules)
  • 2048092 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (krafttopia .net) (exploit_kit.rules)
  • 2048111 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mansaentertainment .com) (exploit_kit.rules)
  • 2048112 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mansaentertainment .com) (exploit_kit.rules)
  • 2048113 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (import19ksnx9ajsn .com) (exploit_kit.rules)
  • 2048114 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (import19ksnx9ajsn .com) (exploit_kit.rules)
  • 2048115 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .layout .oystergardens .us) (malware.rules)
  • 2048116 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .layout .oystergardens .us) (malware.rules)
  • 2048122 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (statistiks-google .com) (exploit_kit.rules)
  • 2048123 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (statistiks-google .com) (exploit_kit.rules)
  • 2048141 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (cpmmasters .com) (exploit_kit.rules)
  • 2048142 - ET EXPLOIT_KIT ZPHP in TLS SNI (cpmmasters .com) (exploit_kit.rules)
  • 2048242 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (credit-volta .com) (exploit_kit.rules)
  • 2048243 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aflomusic .com) (exploit_kit.rules)
  • 2048244 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (credit-volta .com) (exploit_kit.rules)
  • 2048245 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aflomusic .com) (exploit_kit.rules)
  • 2048727 - ET MALWARE IcedID Related Loader Domain in DNS Lookup (malware.rules)
  • 2048728 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
  • 2048729 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
  • 2048730 - ET MALWARE Observed IcedID Related Loader Domain in TLS SNI (malware.rules)
  • 2048731 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
  • 2048732 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
  • 2048733 - ET MALWARE IcedID Loader Related Domain in DNS Lookup (malware.rules)
  • 2048734 - ET MALWARE Observed IcedID Loader Related Domain in TLS SNI (malware.rules)
  • 2048914 - ET INFO Observed DNS Over HTTPS Domain (dns .linkr .ninja in TLS SNI) (info.rules)
  • 2048917 - ET INFO Observed DNS Over HTTPS Domain (doh-primary-pool .detoxifypornblocker .com in TLS SNI) (info.rules)
  • 2048921 - ET INFO Observed DNS Over HTTPS Domain (us1 .blissdns .net in TLS SNI) (info.rules)
  • 2811657 - ETPRO EXPLOIT_KIT SunDown EK Flash June 23 2015 M1 (exploit_kit.rules)
  • 2811659 - ETPRO EXPLOIT_KIT SunDown EK Flash June 23 2015 M2 (exploit_kit.rules)
  • 2816808 - ETPRO EXPLOIT_KIT RIG EK Flash Exploit Mar 29 2016 (exploit_kit.rules)
  • 2827799 - ETPRO EXPLOIT_KIT RIG EK Flash Exploit Sep 05 2017 (FWS) (exploit_kit.rules)
  • 2827800 - ETPRO EXPLOIT_KIT RIG EK Flash Exploit Sep 05 2017 (CWS) (exploit_kit.rules)
  • 2855515 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2855674 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)