Summary:
22 new OPEN, 23 new PRO (22 + 1)
Thanks @Jane_0sint
Added rules:
Open:
- 2044933 - ET MALWARE RaccoonStealer Admin Console Inbound (malware.rules)
- 2044963 - ET MALWARE Win32/StormKitty CnC Telegram Notification M1 (malware.rules)
- 2044964 - ET MALWARE Win32/StormKitty CnC Telegram Notification M2 (malware.rules)
- 2045000 - ET MALWARE RedLine Stealer - CheckConnect Response (malware.rules)
- 2045001 - ET MALWARE Win32/LeftHook Stealer Browser Extension Config Inbound (malware.rules)
- 2045005 - ET MALWARE Win32/LeftHook Stealer Payload Inbound (malware.rules)
- 2045006 - ET MALWARE Win32/LeftHook Stealer - CnC Response (get_socket) (malware.rules)
- 2049385 - ET EXPLOIT Successful Apache ActiveMQ Remote Code Execution (CVE-2023-46604) (exploit.rules)
- 2049386 - ET WEB_SPECIFIC_APPS Jiecheng Management Information System CWSFinanceCommon SQL injection (web_specific_apps.rules)
- 2049387 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M1 (attack_response.rules)
- 2049388 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M2 (attack_response.rules)
- 2049389 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M3 (attack_response.rules)
- 2049390 - ET ATTACK_RESPONSE Possible /etc/shadow via HTTP M4 (attack_response.rules)
- 2049391 - ET ATTACK_RESPONSE Possible arp command output via HTTP (Linux Style) (attack_response.rules)
- 2049392 - ET ATTACK_RESPONSE Possible arp command output via HTTP (Windows Style) (attack_response.rules)
- 2049393 - ET ATTACK_RESPONSE Possible arp command output via HTTP (MacOS Style) (attack_response.rules)
- 2049394 - ET MALWARE Marai Variant Activity (Inbound) (malware.rules)
- 2049395 - ET INFO Observed DNS Over HTTPS Domain (sundalandia .pp .ua in TLS SNI) (info.rules)
- 2049396 - ET INFO Observed DNS Over HTTPS Domain (paranoia .mydns .network in TLS SNI) (info.rules)
- 2049397 - ET MALWARE [ANY.RUN] Socks5Systemz TCP Backconnect Client Traffic (malware.rules)
- 2049398 - ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025) (malware.rules)
- 2049399 - ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025) (malware.rules)
Pro:
- 2855875 - ETPRO MALWARE Suspected TA407 Related Domain in DNS Query (malware.rules)
Disabled and modified rules:
- 2825567 - ETPRO MALWARE Possible Panda Banker DGA Lets Encrypt SSL Cert (malware.rules)
Removed rules:
- 2044933 - ET ATTACK_RESPONSE RaccoonStealer Admin Console Inbound (attack_response.rules)
- 2044963 - ET ATTACK_RESPONSE Win32/StormKitty CnC Telegram Notification M1 (attack_response.rules)
- 2044964 - ET ATTACK_RESPONSE Win32/StormKitty CnC Telegram Notification M2 (attack_response.rules)
- 2045000 - ET ATTACK_RESPONSE RedLine Stealer - CheckConnect Response (attack_response.rules)
- 2045001 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Browser Extension Config Inbound (attack_response.rules)
- 2045005 - ET ATTACK_RESPONSE Win32/LeftHook Stealer Payload Inbound (attack_response.rules)
- 2045006 - ET ATTACK_RESPONSE Win32/LeftHook Stealer - CnC Response (get_socket) (attack_response.rules)