Ruleset Update Summary - 2023/12/04 - v10478

Summary:

29 new OPEN, 32 new PRO (29 + 3)

Thanks @Jane_0sint, @naumovax, @filterbaan


Added rules:

Open:

  • 2049442 - ET INFO Observed DNS Over HTTPS Domain (safe .dot .dns .yandex .net in TLS SNI) (info.rules)
  • 2049443 - ET INFO Observed DNS Over HTTPS Domain (family .dot .dns .yandex .net in TLS SNI) (info.rules)
  • 2049444 - ET INFO Observed DNS Over HTTPS Domain (vn .dns .abpvn .com in TLS SNI) (info.rules)
  • 2049445 - ET INFO Observed DNS Over HTTPS Domain (agh .kul-lippek .de in TLS SNI) (info.rules)
  • 2049446 - ET INFO Observed DNS Over HTTPS Domain (agh .workfordemo .co .in in TLS SNI) (info.rules)
  • 2049447 - ET INFO Observed DNS Over HTTPS Domain (common .dot .dns .yandex .net in TLS SNI) (info.rules)
  • 2049448 - ET INFO Observed DNS Over HTTPS Domain (doh .max .net .id in TLS SNI) (info.rules)
  • 2049449 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metahelpservice .net) (malware.rules)
  • 2049450 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (xn--metaspport-v43e .com) (malware.rules)
  • 2049451 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metaemailsecurity .net) (malware.rules)
  • 2049452 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupportmail .co) (malware.rules)
  • 2049453 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasecurityemail .org) (malware.rules)
  • 2049454 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metaemailsecurity .com) (malware.rules)
  • 2049455 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupportmail .com) (malware.rules)
  • 2049456 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (igsecurity .email) (malware.rules)
  • 2049457 - ET MALWARE Observed Suspected TA453 Related Domain (metahelpservice .net in TLS SNI) (malware.rules)
  • 2049458 - ET MALWARE Observed Suspected TA453 Related Domain (xn--metaspport-v43e .com in TLS SNI) (malware.rules)
  • 2049459 - ET MALWARE Observed Suspected TA453 Related Domain (metaemailsecurity .net in TLS SNI) (malware.rules)
  • 2049460 - ET MALWARE Observed Suspected TA453 Related Domain (metasupportmail .co in TLS SNI) (malware.rules)
  • 2049461 - ET MALWARE Observed Suspected TA453 Related Domain (metasecurityemail .org in TLS SNI) (malware.rules)
  • 2049462 - ET MALWARE Observed Suspected TA453 Related Domain (metaemailsecurity .com in TLS SNI) (malware.rules)
  • 2049463 - ET MALWARE Observed Suspected TA453 Related Domain (metasupportmail .com in TLS SNI) (malware.rules)
  • 2049464 - ET MALWARE Observed Suspected TA453 Related Domain (igsecurity .email in TLS SNI) (malware.rules)
  • 2049465 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupport .com) (malware.rules)
  • 2049466 - ET MALWARE Observed Suspected TA453 Related Domain (metasupport .com in TLS SNI) (malware.rules)
  • 2049467 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M1 (malware.rules)
  • 2049468 - ET MALWARE [ANY.RUN] Socks5Systemz HTTP C2 Connection M2 (malware.rules)
  • 2049469 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (emperorplan .org) (exploit_kit.rules)
  • 2049470 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (emperorplan .org) (exploit_kit.rules)

Pro:

  • 2855888 - ETPRO MALWARE TA577 Related Activity (POST) (malware.rules)
  • 2855889 - ETPRO MALWARE TA577 Related Filtered Redirect Activity (malware.rules)
  • 2855892 - ETPRO MALWARE Evil Keitaro Set-Cookie Inbound (6e41c) (malware.rules)

Disabled and modified rules:

  • 2019728 - ET WEB_SPECIFIC_APPS Wordpress Slideshow Gallery 1.4.6 - Shell Upload (web_specific_apps.rules)
  • 2047901 - ET MALWARE UAC-0173 Related Domain in DNS Lookup (filetransrediremin .com) (malware.rules)
  • 2047902 - ET MALWARE UAC-0173 Related Domain in DNS Lookup (minijusfil .com) (malware.rules)
  • 2047903 - ET MALWARE Observed UAC-0173 Related Domain (minijusfil .com in TLS SNI) (malware.rules)
  • 2047904 - ET MALWARE Observed UAC-0173 Related Domain (filetransrediremin .com in TLS SNI) (malware.rules)
  • 2810021 - ETPRO WEB_CLIENT VBScript Memory Corruption Vulnerability CVE-2015-0032 (web_client.rules)
  • 2842687 - ETPRO WEB_CLIENT Observed Evil JavaScript Payment Card Skimmer Code Inbound (web_client.rules)