Ruleset Update Summary - 2023/12/07 - v10481

Summary:

9 new OPEN, 12 new PRO (9 + 3)

Thanks @GreyNoiseIO, @ambionics


Added rules:

Open:

  • 2049614 - ET EXPLOIT ownCloud Information Disclosure Attempt (CVE-2023-41093) (exploit.rules)
  • 2049615 - ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-41093) M1 (exploit.rules)
  • 2049616 - ET EXPLOIT Successful ownCloud Information Disclosure Attempt (CVE-2023-41093) M2 (exploit.rules)
  • 2049617 - ET EXPLOIT ownCloud Remote Improper Authentication Attempt (CVE-2023-49105) (exploit.rules)
  • 2049618 - ET EXPLOIT Successful ownCloud Remote Improper Authentication Attempt (CVE-2023-49105) (exploit.rules)
  • 2049619 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (perfilcovid .com) (exploit_kit.rules)
  • 2049620 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jokergame1 .com) (exploit_kit.rules)
  • 2049621 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (perfilcovid .com) (exploit_kit.rules)
  • 2049622 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jokergame1 .com) (exploit_kit.rules)

Pro:

  • 2855905 - ETPRO MALWARE Win32/Apocalypse RAT CnC Checkin (checkcmd) (malware.rules)
  • 2855906 - ETPRO MALWARE Win32/Apocalypse RAT CnC Checkin (checkcmd) - Acknowledgement (malware.rules)
  • 2855907 - ETPRO MALWARE Win32/Apocalyse RAT Recovery.dat Retrieval Response (malware.rules)

Disabled and modified rules:

  • 2049098 - ET MALWARE Bitter APT Related Domain in DNS Lookup (malware.rules)
  • 2049099 - ET MALWARE Observed Bitter APT Related Domain in TLS SNI (malware.rules)
  • 2049101 - ET INFO Observed DNS Over HTTPS Domain (dns .mni .li in TLS SNI) (info.rules)
  • 2049102 - ET INFO Observed DNS Over HTTPS Domain (doh .zln .wtf in TLS SNI) (info.rules)