Summary:
16 new OPEN, 16 new PRO (16 + 0)
Thanks @cpresearch, @TalosSecurity
Added rules:
Open:
- 2049400 - ET WEB_SERVER /etc/passwd Detected in URI (web_server.rules)
- 2049401 - ET WEB_SERVER /etc/hosts Detected in URI (web_server.rules)
- 2049402 - ET WEB_SERVER .bash_history Detected in URI (web_server.rules)
- 2049403 - ET ATTACK_RESPONSE Possible hosts File Output via HTTP (Windows Style) (attack_response.rules)
- 2049404 - ET ATTACK_RESPONSE Possible hosts File Output via HTTP (Linux Style) (attack_response.rules)
- 2049405 - ET WEB_SERVER Simple JSP WebShell Landing Page (web_server.rules)
- 2049406 - ET WEB_SERVER vonloesch JSP File Browser (web_server.rules)
- 2049407 - ET MALWARE ToddyCat APT Related CurCore Activity (POST) (malware.rules)
- 2049408 - ET MALWARE JynxLoaderV2 CnC Checkin (malware.rules)
- 2049409 - ET MALWARE SugarGh0st RAT CnC Checkin (malware.rules)
- 2049410 - ET MALWARE SugarGh0st RAT Domain in DNS Lookup (login .drive-google-com .tk) (malware.rules)
- 2049411 - ET MALWARE SugarGh0st RAT Domain in DNS Lookup (account .drive-google-com .tk) (malware.rules)
- 2049412 - ET MALWARE SocGholish Domain in DNS Lookup (dashboard .renovationsruth .com) (malware.rules)
- 2049413 - ET MALWARE SocGholish Domain in TLS SNI (dashboard .renovationsruth .com) (malware.rules)
- 2049414 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (paradoxmarine .com) (exploit_kit.rules)
- 2049415 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (paradoxmarine .com) (exploit_kit.rules)
Modified inactive rules:
- 2048044 - ET PHISHING [TW] Tycoon Phishkit Domain Observed (codecrafterspro .com) (phishing.rules)
- 2048045 - ET PHISHING [TW] Tycoon Phishkit Domain Observed (codecrafters .su) (phishing.rules)
- 2048046 - ET PHISHING [TW] Tycoon Phishkit Domain Observed (devcraftingsolutions .com) (phishing.rules)
- 2048047 - ET PHISHING [TW] Tycoon Phishkit Domain (devcraftingsolutions .com in TLS SNI) (phishing.rules)
- 2048048 - ET PHISHING [TW] Tycoon Phishkit Domain (codecrafterspro .com in TLS SNI) (phishing.rules)
Disabled and modified rules:
- 2045875 - ET MALWARE SocGholish Domain in DNS Lookup (enterprise .alliantlaw .us) (malware.rules)
- 2046946 - ET MALWARE SocGholish Domain in TLS SNI (content .garretttrails .org) (malware.rules)
- 2048368 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nilselsholz .com) (exploit_kit.rules)
- 2048369 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nilselsholz .com) (exploit_kit.rules)
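The 2049400-2049404 rules above are listed by title only; the rule bodies themselves are not on this page. As an added illustration of the two kinds of check those titles describe (a sensitive path in a request URI, and a hosts file echoed back in an HTTP response), here is a small Python sketch. It is not ET rule content and not Suricata syntax: the URI tokens come straight from the rule titles, but the hosts-file markers (the Microsoft copyright banner for Windows, a `127.0.0.1 localhost` line for Linux), the decode-until-stable normalisation and all HTTP samples are assumptions constructed for this example.

```python
"""Illustrative checks for the new WEB_SERVER URI rules (2049400-2049402) and
ATTACK_RESPONSE hosts-file rules (2049403-2049404).  Added example; NOT the
ET rule bodies.  File markers and decoding strategy are assumptions."""
import re
from typing import List, Optional
from urllib.parse import unquote

# Tokens named in the 2049400-2049402 rule titles.
SENSITIVE_URI_TOKENS = ("/etc/passwd", "/etc/hosts", ".bash_history")

# Assumed markers: a Windows hosts file opens with the Microsoft copyright
# banner; a Linux hosts file normally carries a "127.0.0.1 localhost" line.
WINDOWS_HOSTS_RE = re.compile(r"#\s*Copyright \(c\) 1993-\d{4} Microsoft Corp\.", re.I)
LINUX_HOSTS_RE = re.compile(r"^[ \t]*127\.0\.0\.1[ \t]+localhost\b", re.M)


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (catches %2f and double-encoded %252f),
    then fold backslashes and case so one literal match suffices."""
    decoded = uri
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def scan_request(uri: str) -> List[str]:
    """Return the sensitive-file tokens present in the normalised URI."""
    norm = normalize_uri(uri)
    return [tok for tok in SENSITIVE_URI_TOKENS if tok in norm]


def hosts_file_style(body: str) -> Optional[str]:
    """Classify a response body as 'windows' or 'linux' hosts-file output.
    Windows is tested first because its file also contains the Linux line."""
    if WINDOWS_HOSTS_RE.search(body):
        return "windows"
    if LINUX_HOSTS_RE.search(body):
        return "linux"
    return None


# Constructed samples (not captured traffic).
SAMPLE_REQUEST_URIS = [
    "/index.php?page=../../../../etc/passwd",
    "/download?f=..%2F..%2Fetc%2Fhosts",          # single-encoded slashes
    "/view?f=%252e%252e%252fetc%252fpasswd",      # double-encoded
    "/home/.bash_history",
    "/static/app.js",                             # benign
]
WINDOWS_HOSTS_BODY = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\r\n#\r\n"
    "# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\r\n"
    "127.0.0.1       localhost\r\n"
)
LINUX_HOSTS_BODY = (
    "127.0.0.1\tlocalhost\n127.0.1.1\tweb01\n"
    "::1     localhost ip6-localhost ip6-loopback\n"
)


def scan_samples() -> dict:
    """Run both checks over the constructed samples."""
    return {
        "requests": {u: scan_request(u) for u in SAMPLE_REQUEST_URIS},
        "responses": {
            "windows": hosts_file_style(WINDOWS_HOSTS_BODY),
            "linux": hosts_file_style(LINUX_HOSTS_BODY),
            "html": hosts_file_style("<html><body>ok</body></html>"),
        },
    }


if __name__ == "__main__":
    for section, result in scan_samples().items():
        print(section, result)
```

The request-side check is deliberately loose (it fires on any URI that mentions one of the paths, including legitimate links to documentation), which is why pairing it with a response-side match on what the server actually returned is what turns a noisy hit into evidence of a successful read. Decoding until the URI stops changing is what keeps `%252f`-style double encoding from slipping past a single literal match.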