Ruleset Update Summary - 2024/02/08 - v10527

Ruleset Updates
1

Summary:

9 new OPEN, 11 new PRO (9 + 2)

Added rules:

Open:

  • 2050769 - ET INFO Observed DNS Over HTTPS Domain (ad .systemfall .ru in TLS SNI) (info.rules)
  • 2050770 - ET INFO Observed DNS Over HTTPS Domain (dns .andersfarms .ltd in TLS SNI) (info.rules)
  • 2050771 - ET INFO Observed DNS Over HTTPS Domain (green2 .jnraptor .net in TLS SNI) (info.rules)
  • 2050772 - ET INFO Observed DNS Over HTTPS Domain (dns .digitaladapt .com in TLS SNI) (info.rules)
  • 2050773 - ET INFO Observed DNS Over HTTPS Domain (dns .wellstsai .com in TLS SNI) (info.rules)
  • 2050774 - ET INFO Observed DNS Over HTTPS Domain (dns .abppro .ru in TLS SNI) (info.rules)
  • 2050775 - ET INFO Observed DNS Over HTTPS Domain (dns .midping .ir in TLS SNI) (info.rules)
  • 2050776 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (visitscloud .com) (exploit_kit.rules)
  • 2050777 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (visitscloud .com) (exploit_kit.rules)

Pro:

  • 2856320 - ETPRO MALWARE Sliver Related CnC Domain in DNS Lookup (malware.rules)
  • 2856321 - ETPRO MALWARE Observed Sliver Related Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2001652 - ET P2P JoltID Agent New Code Download (p2p.rules)
  • 2002775 - ET MALWARE Goldun Reporting User Activity (malware.rules)
  • 2002963 - ET MALWARE Generic Spambot-Spyware Access (malware.rules)
  • 2003631 - ET POLICY Centralops.net Probe (policy.rules)
  • 2008047 - ET MALWARE Egspy Infection Report via HTTP (malware.rules)
  • 2009302 - ET POLICY Badongo file download service access (policy.rules)
  • 2009476 - ET SCAN Possible jBroFuzz Fuzzer Detected (scan.rules)
  • 2010119 - ET WEB_SERVER xp_cmdshell Attempt in Cookie (web_server.rules)
  • 2010718 - ET MALWARE Gootkit Checkin User-Agent (Gootkit HTTP Client) (malware.rules)
  • 2010906 - ET USER_AGENTS badly formatted User-Agent string (no closing parenthesis) (user_agents.rules)
  • 2011576 - ET MALWARE nte Binary Download Attempt (multiple malware variants served) (malware.rules)
  • 2012284 - ET MALWARE SpyEye Post_Express_Label ftpgrabber check-in (malware.rules)
  • 2012607 - ET USER_AGENTS Lowercase User-Agent header purporting to be MSIE (user_agents.rules)
  • 2013253 - ET POLICY Yandexbot Request Inbound (policy.rules)
  • 2013487 - ET EXPLOIT Likely Generic Java Exploit Attempt Request for Java to decimal host (exploit.rules)
  • 2013691 - ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious JAR (exploit_kit.rules)
  • 2013692 - ET EXPLOIT_KIT Unknown Exploit Kit Java requesting malicious EXE (exploit_kit.rules)
  • 2013766 - ET MALWARE Win32.Swisyn Reporting (malware.rules)
  • 2013799 - ET MALWARE Win32.Trojan.SuspectCRC FakeAV Checkin (malware.rules)
  • 2013821 - ET MALWARE Trojan.Kryptik/proscan.co.kr Checkin (malware.rules)
  • 2013900 - ET MALWARE W32/Yaq Checkin (malware.rules)
  • 2013902 - ET MALWARE Win32.BlackControl Retrieving IP Information (malware.rules)
  • 2013903 - ET MALWARE Suspicious User Agent GetFile (malware.rules)
  • 2013904 - ET MALWARE W32/Rimecud User Agent beat (malware.rules)
  • 2013905 - ET MALWARE Suspicious User Agent banderas (malware.rules)
  • 2013916 - ET EXPLOIT_KIT Incognito Exploit Kit Java request to showthread.php?t= (exploit_kit.rules)
  • 2013951 - ET MALWARE Win32/Rimecud.A User-Agent (needit) (malware.rules)
  • 2013952 - ET MALWARE TR/Rimecud.aksa User-Agent (indy) (malware.rules)
  • 2013953 - ET MALWARE Win32/Rimecud.A User-Agent (counters) (malware.rules)
  • 2013954 - ET MALWARE Win32/Rimecud.A User-Agent (giftz) (malware.rules)
  • 2013963 - ET MALWARE Win32.Sality User-Agent (Internet Explorer 5.01) (malware.rules)
  • 2014003 - ET MALWARE VBKrypt.dytr Checkin (malware.rules)
  • 2014029 - ET MALWARE Agent.UGP!tr/Cryptor/Graftor Dropper Requesting exe (malware.rules)
  • 2014031 - ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested com.class (exploit_kit.rules)
  • 2014032 - ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested org.class (exploit_kit.rules)
  • 2014033 - ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested edu.class (exploit_kit.rules)
  • 2014034 - ET EXPLOIT_KIT DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested net.class (exploit_kit.rules)
  • 2014045 - ET WEB_SERVER Generic Web Server Hashing Collision Attack (web_server.rules)
  • 2014046 - ET WEB_SERVER Generic Web Server Hashing Collision Attack 2 (web_server.rules)
  • 2014049 - ET POLICY Bluecoat Proxy in use (policy.rules)
  • 2014054 - ET WEB_CLIENT User-Agent used in Injection Attempts (web_client.rules)
  • 2014093 - ET MALWARE Downloader.Win32.Nurech Checkin UA (malware.rules)
  • 2014102 - ET POLICY FACEBOOK user id in http_client_body, lookup with Facebook (policy.rules)
  • 2014200 - ET MALWARE Dapato/Cleaman Checkin (malware.rules)
  • 2014315 - ET EXPLOIT_KIT DRIVEBY Incognito libtiff PDF Exploit Requested (exploit_kit.rules)
  • 2014319 - ET EXPLOIT Dadong Java Exploit Requested (exploit.rules)
  • 2014357 - ET MALWARE W32/Kazy Checkin (malware.rules)
  • 2801438 - ETPRO MALWARE Chnsystems.com related trojan checkin 2 (malware.rules)
  • 2803017 - ETPRO MALWARE Backdoor.Win32.Babmote.A Checkin (malware.rules)
  • 2803104 - ETPRO EXPLOIT Long If-Modified-Since Field likely iMatix Xitami or other Remote Buffer Overflow (exploit.rules)
  • 2803353 - ETPRO MALWARE Backdoor.Win32.Murcy.A Checkin (malware.rules)
  • 2803487 - ETPRO MALWARE Genome.cnqp Checkin (malware.rules)
  • 2803489 - ETPRO MALWARE Downloader.JNXM Checkin (malware.rules)
  • 2803773 - ETPRO MALWARE Trojan.Win32.Scar.dycw Checkin (malware.rules)
  • 2803791 - ETPRO MALWARE Win32/Plingky.A Checkin (malware.rules)
  • 2803807 - ETPRO MALWARE Win32/Sefnit.O Checkin (malware.rules)
  • 2803812 - ETPRO MALWARE Win32/Sefnit.K Checkin (malware.rules)
  • 2803834 - ETPRO MALWARE Win32/Isnup.B Checkin (malware.rules)
  • 2803835 - ETPRO MALWARE Generic.Banker.OT.89A60848 Checkin (malware.rules)
  • 2803837 - ETPRO MALWARE Win32.Cycbot-MM Checkin 2 (malware.rules)
  • 2803845 - ETPRO DOS Microsoft Forefront Unified Access Gateway DoS Attempt 1 (dos.rules)
  • 2803846 - ETPRO DOS Microsoft Forefront Unified Access Gateway DoS Attempt 2 (dos.rules)
  • 2803856 - ETPRO MALWARE Trojan.Downloader.JOQI Checkin (malware.rules)
  • 2803860 - ETPRO MALWARE Trojan.Win32.Cossta.pyo Checkin (malware.rules)
  • 2803862 - ETPRO MALWARE Win32/Tiptuf.A Checkin (malware.rules)
  • 2803866 - ETPRO MALWARE Win32/Nosrawec.C Checkin (malware.rules)
  • 2803875 - ETPRO MALWARE Win32/Agent.KA Checkin (malware.rules)
  • 2803881 - ETPRO MALWARE Worm.AutoIt/Renocide.gen!C Checkin (malware.rules)
  • 2803893 - ETPRO MALWARE Trojan-Downloader.Win32.Bagle.eds Checkin (malware.rules)
  • 2803897 - ETPRO MALWARE Possible Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Yahoo Translate/Babelfish (malware.rules)
  • 2803898 - ETPRO MALWARE Possible Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Yahoo Translate/Babelfish 2 (malware.rules)
  • 2803899 - ETPRO MALWARE Sasfis/Atraps.AVWU/AMTU.Proxy Contacting CnC via Google Translate (malware.rules)
  • 2803901 - ETPRO MALWARE Sasfis/Atraps.AVWU/AMTU.Proxy Checkin (malware.rules)
  • 2803913 - ETPRO MALWARE Buzus/Graftor Checkin (malware.rules)
  • 2803927 - ETPRO MALWARE Win32/fkfldwrm.A Checkin (malware.rules)
  • 2803933 - ETPRO MALWARE Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Inbound (malware.rules)
  • 2803939 - ETPRO MALWARE Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Inbound 2 (malware.rules)
  • 2803940 - ETPRO MALWARE Scar.evje/Fraudtool.AvSoft DDoS Traffic (Munged UA) Outbound 2 (malware.rules)
  • 2803941 - ETPRO MALWARE Win32/Bofang.B Checkin (malware.rules)
  • 2803946 - ETPRO MALWARE Win32/VBInject.T Checkin (malware.rules)
  • 2803948 - ETPRO MALWARE Win32/Trafog!rts Checkin (malware.rules)
  • 2803957 - ETPRO MALWARE Trojan.Win32.Scar.ekzu Checkin (malware.rules)
  • 2803960 - ETPRO MALWARE Trojan-PWS.Banker6 Checkin (malware.rules)
  • 2803973 - ETPRO MALWARE Trojan-Banker.Win32.Banker.blvx Checkin (malware.rules)
  • 2803982 - ETPRO MALWARE Win32/Scar.G Checkin (malware.rules)
  • 2803986 - ETPRO MALWARE Win32/Agent.CS Checkin (malware.rules)
  • 2804000 - ETPRO MALWARE Worm.Win32/Skopvel.gen!A Checkin (malware.rules)
  • 2804012 - ETPRO MALWARE TrojanDropper.Win32/Dogrobot.E Checkin 1 (malware.rules)
  • 2804013 - ETPRO MALWARE TrojanDropper.Win32/Dogrobot.E Checkin 2 (malware.rules)
  • 2804015 - ETPRO MALWARE HackTool.Win32.Kiser.aqa INSTALL (malware.rules)
  • 2804021 - ETPRO MALWARE Win32/Tibia.AB Checkin (malware.rules)
  • 2804046 - ETPRO MALWARE Win32/Kryptik.UOM Checkin (malware.rules)
  • 2804048 - ETPRO MALWARE Win32/Malushka.A Checkin (malware.rules)
  • 2804052 - ETPRO MALWARE Win32/Kryptik.UOM Checkin (malware.rules)
  • 2804080 - ETPRO MALWARE Trojan-Dropper.Win32.Injector.uua Checkin (malware.rules)
  • 2804100 - ETPRO MALWARE Trojan.Heur.VP2.nm1@aOacxkoi Checkin (malware.rules)
  • 2804120 - ETPRO MALWARE Banker.Win32.Banker.snph Checkin (malware.rules)
  • 2804122 - ETPRO MALWARE Generic Dropper!dxm!50461342D70E Install (malware.rules)
  • 2804127 - ETPRO MALWARE Trojan.Autoit.F Checkin (malware.rules)
  • 2804163 - ETPRO MALWARE Win32/Banker.XO Checkin (malware.rules)
  • 2804165 - ETPRO MALWARE Yakes/Cryptor Dropper Checkin to load.php (malware.rules)
  • 2804184 - ETPRO MALWARE Win32/Bividon.A Checkin (malware.rules)
  • 2804214 - ETPRO MALWARE Trojan.Win32.Inject.cdbt Checkin (malware.rules)
  • 2804215 - ETPRO MALWARE Trojan.Heur.DP.HGW@aiZGjxg Checkin (malware.rules)
  • 2804229 - ETPRO MALWARE W32.HLLP.Sality Checkin (malware.rules)
  • 2804230 - ETPRO MALWARE TROJ_DLOADE.AGO Checkin (malware.rules)
  • 2804237 - ETPRO MALWARE Win32/Zerok.A Checkin (malware.rules)
  • 2804244 - ETPRO MALWARE Hupigon.GVOY/Xema Checkin (malware.rules)
  • 2804253 - ETPRO MALWARE Zugo Malware Installer Checkin (malware.rules)
  • 2804266 - ETPRO MALWARE Trojan.Win32.Scar.fsah Checkin (malware.rules)
  • 2804267 - ETPRO MALWARE TR/Crypt.XPACK.Gen Checkin (malware.rules)
  • 2804270 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.gyda Checkin (malware.rules)
  • 2804273 - ETPRO MALWARE Win32/Bancos.ACM Checkin (malware.rules)
  • 2804281 - ETPRO MALWARE W32.Harakit Checkin (malware.rules)
  • 2804311 - ETPRO MALWARE Win32/Comroki Checkin (malware.rules)
  • 2804315 - ETPRO MALWARE Trojan-Downloader.Win32.Banload!IK Checkin (malware.rules)
  • 2804322 - ETPRO MALWARE Exploit.Win32/MS08067.gen!A Checkin (malware.rules)
  • 2804404 - ETPRO MALWARE Trojan/Genome.aieg Checkin (malware.rules)
  • 2804418 - ETPRO MALWARE Trojan.Win32.Scar.facd Checkin (malware.rules)
  • 2804448 - ETPRO MALWARE Trojan.Zlob Install (malware.rules)
  • 2804469 - ETPRO MALWARE Win32/Sality.R Checkin (malware.rules)
  • 2804472 - ETPRO MALWARE Trojan.Crypt.Delf.AH Checkin (malware.rules)
  • 2804525 - ETPRO MALWARE Trojan-Dropper.Win32.Dapato.aafb Checkin (malware.rules)
  • 2804527 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.aocj Checkin (malware.rules)
  • 2804528 - ETPRO MALWARE Trojan.Win32.Pasta.oaf Checkin (malware.rules)
  • 2804563 - ETPRO MALWARE Trojan-Downloader.Win32.Banload.bpbw Checkin (malware.rules)
  • 2804564 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QUC Checkin (malware.rules)
  • 2804565 - ETPRO MALWARE TrojanDropper.Win32/Buzus.B Checkin (malware.rules)
  • 2804595 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.xdfp Checkin (malware.rules)
  • 2804596 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.anwx Checkin (malware.rules)
  • 2804629 - ETPRO MALWARE Win32/Banker.VBY Checkin (malware.rules)
  • 2804630 - ETPRO MALWARE Win32/Delf.CM Checkin (malware.rules)
  • 2804653 - ETPRO MALWARE Win32/Rorpian.B Checkin (malware.rules)
  • 2804656 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QOT Checkin (malware.rules)
  • 2804659 - ETPRO MALWARE Variant.Graftor.8567 Checkin (malware.rules)
  • 2804661 - ETPRO MALWARE Win32/Spy.Banker.XAG Checkin (malware.rules)
  • 2804677 - ETPRO MALWARE Trojan-Downloader.BAT.Banload.d Checkin (malware.rules)

Disabled and modified rules:

  • 2017263 - ET MALWARE StealRat Checkin (malware.rules)
  • 2017636 - ET EXPLOIT_KIT Nuclear EK PDF URI Struct (exploit_kit.rules)
  • 2017642 - ET MALWARE Linux/Ssemgrvd sshd Backdoor HTTP CNC 1 (malware.rules)
  • 2017713 - ET MALWARE Taidoor Checkin (malware.rules)
  • 2017903 - ET MALWARE Win32/Urausy.C Checkin 4 (malware.rules)
  • 2047863 - ET MALWARE SocGholish Domain in DNS Lookup (assay .porchlightcommunity .org) (malware.rules)
  • 2047864 - ET MALWARE SocGholish Domain in TLS SNI (assay .porchlightcommunity .org) (malware.rules)
  • 2048139 - ET MALWARE SocGholish Domain in DNS Lookup (cpanel .gtiyeshua .com) (malware.rules)
  • 2048140 - ET MALWARE SocGholish Domain in TLS SNI (cpanel .gtiyeshua .com) (malware.rules)
  • 2048505 - ET MALWARE SocGholish Domain in DNS Lookup (sommelier .peppertreecanyon .com) (malware.rules)
  • 2048506 - ET MALWARE SocGholish Domain in TLS SNI (sommelier .peppertreecanyon .com) (malware.rules)
  • 2806846 - ETPRO MALWARE Stealer sending stolen data via SMTP (malware.rules)
  • 2806862 - ETPRO POLICY Shareman Protocol (policy.rules)
  • 2806920 - ETPRO MALWARE Trojan.Rontokbro Checkin (malware.rules)
  • 2807118 - ETPRO HUNTING SSL server Hello certificate Default Company Ltd CN=google.com (hunting.rules)
  • 2807143 - ETPRO MALWARE Win32.RatTool Checkin (malware.rules)
  • 2807154 - ETPRO MALWARE Win32/Gapz CnC (malware.rules)
  • 2807158 - ETPRO MALWARE Trojan-Ransom.Win32.Blocker.brxp Download (malware.rules)
  • 2807194 - ETPRO MALWARE Win32/Stoberox Checkin (malware.rules)