Ruleset Update Summary - 2023/11/30 - v10476

Ruleset Updates
1

Summary:

16 new OPEN, 16 new PRO (16 + 0)

Thanks @cpresearch, @TalosSecurity

Added rules:

Open:

  • 2049400 - ET WEB_SERVER /etc/passwd Detected in URI (web_server.rules)
  • 2049401 - ET WEB_SERVER /etc/hosts Detected in URI (web_server.rules)
  • 2049402 - ET WEB_SERVER .bash_history Detected in URI (web_server.rules)
  • 2049403 - ET ATTACK_RESPONSE Possible hosts File Output via HTTP (Windows Style) (attack_response.rules)
  • 2049404 - ET ATTACK_RESPONSE Possible hosts File Output via HTTP (Linux Style) (attack_response.rules)
  • 2049405 - ET WEB_SERVER Simple JSP WebShell Landing Page (web_server.rules)
  • 2049406 - ET WEB_SERVER vonloesch JSP File Browser (web_server.rules)
  • 2049407 - ET MALWARE ToddyCat APT Related CurCore Activity (POST) (malware.rules)
  • 2049408 - ET MALWARE JynxLoaderV2 CnC Checkin (malware.rules)
  • 2049409 - ET MALWARE SugarGh0st RAT CnC Checkin (malware.rules)
  • 2049410 - ET MALWARE SugarGh0st RAT Domain in DNS Lookup (login .drive-google-com .tk) (malware.rules)
  • 2049411 - ET MALWARE SugarGh0st RAT Domain in DNS Lookup (account .drive-google-com .tk) (malware.rules)
  • 2049412 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .renovationsruth .com) (malware.rules)
  • 2049413 - ET MALWARE SocGholish Domain in TLS SNI (dashboard .renovationsruth .com) (malware.rules)
  • 2049414 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paradoxmarine .com) (exploit_kit.rules)
  • 2049415 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paradoxmarine .com) (exploit_kit.rules)

Modified inactive rules:

  • 2048044 - ET PHISHING [TW] Tycoon Phishkit Domain Observed (codecrafterspro .com) (phishing.rules)
  • 2048045 - ET PHISHING [TW] Tycoon Phishkit Domain Observed (codecrafters .su) (phishing.rules)
  • 2048046 - ET PHISHING [TW] Tycoon Phishkit Domain Observed (devcraftingsolutions .com) (phishing.rules)
  • 2048047 - ET PHISHING [TW] Tycoon Phishkit Domain (devcraftingsolutions .com in TLS SNI) (phishing.rules)
  • 2048048 - ET PHISHING [TW] Tycoon Phishkit Domain (codecrafterspro .com in TLS SNI) (phishing.rules)

Disabled and modified rules:

  • 2045875 - ET MALWARE SocGholish Domain in DNS Lookup (enterprise .alliantlaw .us) (malware.rules)
  • 2046946 - ET MALWARE SocGholish Domain in TLS SNI (content .garretttrails .org) (malware.rules)
  • 2048368 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nilselsholz .com) (exploit_kit.rules)
  • 2048369 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nilselsholz .com) (exploit_kit.rules)