Ruleset Update Summary - 2023/12/12 - v10484

Summary:

43 new OPEN, 43 new PRO (43 + 0)

Thanks @ViriBack, @talossecurity

Added rules:

Open:

  • 2049637 - ET WEB_SPECIFIC_APPS Atlassian Bitbucket CVE-2022-1471 Vulnerable Server Detected Version 7.17.x - 7.21.15 (web_specific_apps.rules)
  • 2049638 - ET WEB_SPECIFIC_APPS Atlassian Bitbucket CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.12.0 (web_specific_apps.rules)
  • 2049639 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M1 (web_specific_apps.rules)
  • 2049640 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 6.13.x - 6.15.x M2 (web_specific_apps.rules)
  • 2049641 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M1 (web_specific_apps.rules)
  • 2049642 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 7.x M2 (web_specific_apps.rules)
  • 2049643 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M1 (web_specific_apps.rules)
  • 2049644 - ET WEB_SPECIFIC_APPS Atlassian Confluence CVE-2022-1471 Vulnerable Server Detected Version 8.0 - 8.3 M2 (web_specific_apps.rules)
  • 2049645 - ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M1 (web_specific_apps.rules)
  • 2049646 - ET WEB_SPECIFIC_APPS Atlassian Jira CVE-2022-1471 Vulnerable Server Detected Version 9.4 - 9.11.1 M2 (web_specific_apps.rules)
  • 2049647 - ET HUNTING curl in DNS TXT Response (hunting.rules)
  • 2049648 - ET HUNTING wget in DNS TXT Response (hunting.rules)
  • 2049649 - ET HUNTING PDF extension in DNS TXT Response (hunting.rules)
  • 2049650 - ET HUNTING EXE extension in DNS TXT Response (hunting.rules)
  • 2049651 - ET MALWARE Void Rabisu Related Loader Activity (GET) (malware.rules)
  • 2049652 - ET MALWARE TA430/Andariel APT Related CnC Domain in DNS Lookup (tech .micrsofts .com) (malware.rules)
  • 2049653 - ET MALWARE Observed TA430/Andariel APT Related Domain (tech .micrsofts .com in TLS SNI) (malware.rules)
  • 2049654 - ET MALWARE TA430/Andariel APT Related CnC Domain in DNS Lookup (tech .micrsofts .tech) (malware.rules)
  • 2049655 - ET MALWARE Observed TA430/Andariel APT Related Domain (tech .micrsofts .tech in TLS SNI) (malware.rules)
  • 2049656 - ET MALWARE TA430/Andariel APT Related DLRAT Activity (POST) (malware.rules)
  • 2049657 - ET MALWARE JynxLoaderV2 CnC Server Command (NOTASK) (malware.rules)
  • 2049658 - ET MALWARE JynxLoaderV2 CnC Command (INSTALL) (malware.rules)
  • 2049659 - ET MALWARE Encoded JinxV2DEV User-Agent Observed (4a696e785632444556) (malware.rules)
  • 2049660 - ET MALWARE jynxLoaderV2 CnC Activity (Outbound) (malware.rules)
  • 2049661 - ET MALWARE jynxLoaderV2 CnC Activity (Inbound) (malware.rules)
  • 2049662 - ET PHISHING Generic Phish Landing Page 2023-12-12 (phishing.rules)
  • 2049663 - ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - Firewall Logs Dynamic View (CVE-2023-42325) (web_specific_apps.rules)
  • 2049664 - ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 gfif Parameter Remote Code Execution Attempt (CVE-2023-42326) M1 (web_specific_apps.rules)
  • 2049665 - ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 gfif Parameter Remote Code Execution Attempt (CVE-2023-42326) M2 (web_specific_apps.rules)
  • 2049666 - ET WEB_SPECIFIC_APPS pfSense CE 2.7.0 Stored Cross Site Script Attempt - getservicesproviders.php connection parameter (CVE-2023-42327) (web_specific_apps.rules)
  • 2049667 - ET WEB_SPECIFIC_APPS Apache Struts2 uploadFileName Directory Traversal Attempt (CVE-2023-50164) M1 (web_specific_apps.rules)
  • 2049668 - ET WEB_SPECIFIC_APPS Apache Struts2 uploadFileName Directory Traversal Attempt (CVE-2023-50164) M2 (web_specific_apps.rules)
  • 2049669 - ET WEB_SPECIFIC_APPS Apache Struts2 Possible uploadFileName Directory Traversal Attempt (CVE-2023-50164) - uploadFileName Parameter M1 (web_specific_apps.rules)
  • 2049670 - ET WEB_SPECIFIC_APPS Apache Struts2 Possible uploadFileName Directory Traversal Attempt (CVE-2023-50164) - uploadFileName Parameter M2 (web_specific_apps.rules)
  • 2049671 - ET EXPLOIT_KIT RogueRaticate Domain in DNS Lookup (kokokakalala .com) (exploit_kit.rules)
  • 2049672 - ET EXPLOIT_KIT RogueRaticate Domain in TLS SNI (kokokakalala .com) (exploit_kit.rules)
  • 2049673 - ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (17923) (exploit_kit.rules)
  • 2049674 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mitchvandenborn .com) (exploit_kit.rules)
  • 2049675 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mindsnatchers .com) (exploit_kit.rules)
  • 2049676 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mitchvandenborn .com) (exploit_kit.rules)
  • 2049677 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mindsnatchers .com) (exploit_kit.rules)
  • 2049678 - ET INFO URL Shortener Service Domain in DNS Lookup (bulkurlshortener .com) (info.rules)
  • 2049679 - ET INFO URL Shortener Service Domain in TLS SNI (bulkurlshortener .com) (info.rules)

Disabled and modified rules:

  • 2024606 - ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M1 (exploit_kit.rules)
  • 2024607 - ET EXPLOIT_KIT Disdain EK URI Struct Aug 23 2017 M2 (exploit_kit.rules)
  • 2024612 - ET EXPLOIT_KIT Disdain EK Landing Aug 23 2017 (exploit_kit.rules)
  • 2024699 - ET ADWARE_PUP [PTsecurity] Adware/Rukometa(LoadMoney) Fake PNG File (adware_pup.rules)
  • 2043032 - ET MALWARE Observed Glupteba CnC Domain (getyourgift .life in TLS SNI) (malware.rules)
  • 2043034 - ET MALWARE Observed Glupteba CnC Domain (tmetres .com in TLS SNI) (malware.rules)
  • 2043036 - ET MALWARE Observed Glupteba CnC Domain (limeprime .com in TLS SNI) (malware.rules)
  • 2043037 - ET MALWARE Observed Glupteba CnC Domain (zaoshanghao .su in TLS SNI) (malware.rules)
  • 2043042 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .icu in TLS SNI) (malware.rules)
  • 2043044 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .xyz in TLS SNI) (malware.rules)
  • 2043047 - ET MALWARE Observed Glupteba CnC Domain (mastiakele .cyou in TLS SNI) (malware.rules)
  • 2043048 - ET MALWARE Observed Glupteba CnC Domain (duniadekho .bar in TLS SNI) (malware.rules)
  • 2049178 - ET PHISHING Possible Generic Credential Phish with Obfuscated Javascript (phishing.rules)
  • 2827399 - ETPRO MALWARE MSIL/Murlox Stealer CnC Checkin (malware.rules)
  • 2827509 - ETPRO MALWARE Win32/Downloader.Banload.YAZ CnC Activity (malware.rules)
  • 2827565 - ETPRO MALWARE Win32/LockCrypt Ransomware CnC Checkin (malware.rules)
  • 2828128 - ETPRO MALWARE MSIL/Unk.Stealer Exfil via FTP M2 (malware.rules)
  • 2828166 - ETPRO MALWARE Evil TeamViewer Controller CnC Activity 2 (malware.rules)