Summary:
9 new OPEN, 10 new PRO (9 + 1)
Thanks @suyog41, @Unit42_Intel
Added rules:
Open:
- 2049897 - ET HUNTING Query to IP Check Tool With Minimal Headers (ip .tool .chinaz .com (hunting.rules)
- 2049898 - ET MALWARE Suspected Generic PHP Backdoor Activity M1 (malware.rules)
- 2049899 - ET MALWARE Suspected Generic PHP Backdoor Activity M2 (malware.rules)
- 2049900 - ET MALWARE Generic PHP Backdoor CnC Response (malware.rules)
- 2049901 - ET MALWARE Ducktail APT Style Payload Request (malware.rules)
- 2049902 - ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M1 (malware.rules)
- 2049903 - ET MALWARE Agrius Group ASPXSpy Webshell Connection Inbound M2 (malware.rules)
- 2049904 - ET MALWARE Agrius Group Webshell File Upload Attempt (malware.rules)
- 2049905 - ET MALWARE Agrius Group Webshell Command Execution Attempt (malware.rules)
Pro:
- 2856082 - ETPRO MALWARE ZPHP NetSupport RAT Loader (malware.rules)
Modified inactive rules:
- 2009701 - ET DOS DNS BIND 9 Dynamic Update DoS attempt (dos.rules)
Disabled and modified rules:
- 2016463 - ET MALWARE Fake IBM SSL Cert APT1 (malware.rules)
- 2031435 - ET MALWARE AHK.CREDSTEALER.A CnC Exfil (malware.rules)
- 2033659 - ET MALWARE Win32/TrickBot CnC Initial Checkin M2 (malware.rules)
- 2049445 - ET INFO Observed DNS Over HTTPS Domain (agh .kul-lippek .de in TLS SNI) (info.rules)
- 2049446 - ET INFO Observed DNS Over HTTPS Domain (agh .workfordemo .co .in in TLS SNI) (info.rules)
- 2844885 - ETPRO MALWARE Win32/Zpevdo.B Variant CnC Checkin (malware.rules)
- 2844997 - ETPRO MALWARE Observed Possible Zloader CnC SSL Cert Inbound (malware.rules)
- 2845409 - ETPRO MALWARE MSIL/JjnnoBot CnC Checkin (malware.rules)
- 2845410 - ETPRO MALWARE MSIL/JjnnoBot CnC Requesting Command (malware.rules)
- 2845411 - ETPRO MALWARE Unk.MSI.Loader CnC Activity (malware.rules)
- 2845965 - ETPRO MALWARE Win32/Chapak.emqd Stealer Exfiltrating System Information (malware.rules)