Ruleset Update Summary - 2024/01/05 - v10500

Summary:

13 new OPEN, 25 new PRO (13 + 12)

Thanks @dzonerzy, @AttackerKb

Added rules:

Open:

  • 2049915 - ET MALWARE Observed Lumma Stealer Related Domain in TLS SNI (referralpublicationjk .pw) (malware.rules)
  • 2049916 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (referralpublicationjk .pw) (malware.rules)
  • 2049917 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (playerweighmailydailew .pw) (malware.rules)
  • 2049918 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (latetemporarynuance .pw) (malware.rules)
  • 2049919 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (blastechohackopeower .pw) (malware.rules)
  • 2049920 - ET MALWARE Observed Lumma Stealer Related Domain (latetemporarynuance .pw in TLS SNI) (malware.rules)
  • 2049921 - ET MALWARE Observed Lumma Stealer Related Domain (playerweighmailydailew .pw in TLS SNI) (malware.rules)
  • 2049922 - ET MALWARE Observed Lumma Stealer Related Domain (blastechohackopeower .pw in TLS SNI) (malware.rules)
  • 2049923 - ET EXPLOIT Inbound Setup Message from SMTP Smuggling Tool (exploit.rules)
  • 2049924 - ET EXPLOIT Inbound Smuggling Message from SMTP Smuggling Tool M1 (exploit.rules)
  • 2049925 - ET EXPLOIT Inbound Smuggling Message from SMTP Smuggling Tool M2 (exploit.rules)
  • 2049926 - ET WEB_SPECIFIC_APPS GL.iNet Authentication Bypass/SQL Injection attempt (CVE-2023-50919) (web_specific_apps.rules)
  • 2049927 - ET WEB_SPECIFIC_APPS GL.iNet add_user API Request - Backdoor root User Attempt (web_specific_apps.rules)

Pro:

  • 2856084 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M1 (web_server.rules)
  • 2856085 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M2 (web_server.rules)
  • 2856086 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M3 (web_server.rules)
  • 2856087 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M4 (web_server.rules)
  • 2856088 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M5 (web_server.rules)
  • 2856089 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M6 (web_server.rules)
  • 2856090 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M7 (web_server.rules)
  • 2856091 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M8 (web_server.rules)
  • 2856092 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M9 (web_server.rules)
  • 2856093 - ETPRO WEB_SERVER Suspected Neo-reGeorg Tunnel Activity M10 (web_server.rules)
  • 2856094 - ETPRO MALWARE Rezlt RDP Grabber - RDP Detected (malware.rules)
  • 2856095 - ETPRO MALWARE Rezlt RDP Grabber - Exfil (malware.rules)

Disabled and modified rules:

  • 2032764 - ET EXPLOIT_KIT Observed BottleEK Domain in DNS Lookup 2021-04-15 (exploit_kit.rules)
  • 2032937 - ET MALWARE Unk.CoinMiner Loader Checkin (malware.rules)
  • 2033033 - ET MALWARE BazaLoader CnC Activity (malware.rules)
  • 2033216 - ET PHISHING Observed Possible Phishing Landing Page 2021-06-29 (phishing.rules)
  • 2848217 - ETPRO MALWARE Unk.MalDoc CnC Exfil (malware.rules)
  • 2848280 - ETPRO MALWARE Unk.Shellcode Loader Inbound (malware.rules)
  • 2848345 - ETPRO MALWARE MSIL/NM.Stealer CnC Data Exfil (malware.rules)
  • 2848373 - ETPRO MALWARE MSIL/HELLRAZOR Stealer CnC Exfil (malware.rules)
  • 2848416 - ETPRO MALWARE Avalon Stealer Variant CnC Exfil (malware.rules)
  • 2848808 - ETPRO MALWARE ZiggyStealer CnC Activity (malware.rules)