Ruleset Update Summary - 2024/03/04 - v10544

Summary:

26 new OPEN, 28 new PRO (26 + 2)

Thanks @spamhaus, @g0njxa

Added rules:

Open:

  • 2051442 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns4 .lonet .org in TLS SNI) (info.rules)
  • 2051443 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns2 .lonet .org in TLS SNI) (info.rules)
  • 2051444 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns1 .lonet .org in TLS SNI) (info.rules)
  • 2051445 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns5 .lonet .org in TLS SNI) (info.rules)
  • 2051446 - ET INFO Observed DNS Over HTTPS Domain (paulo .nom .za in TLS SNI) (info.rules)
  • 2051447 - ET MALWARE Win32/ObserverStealer CnC Activity M2 (Check-in) (malware.rules)
  • 2051448 - ET MALWARE Win32/ObserverStealer CnC Activity M2 (System Information) (malware.rules)
  • 2051449 - ET MALWARE Win32/ObserverStealer CnC Activity M2 (Screenshot) (malware.rules)
  • 2051450 - ET MALWARE Win32/ObserverStealer Sending Browser Related Information (Google) (malware.rules)
  • 2051451 - ET MALWARE Win32/ObserverStealer Sending Browser Related Information (Firefox) (malware.rules)
  • 2051452 - ET MALWARE Win32/ObserverStealer Sending System Related Information (Thunderbird) (malware.rules)
  • 2051453 - ET MALWARE Win32/ObserverStealer Sending System Related Information (malware.rules)
  • 2051454 - ET MALWARE Win32/ObserverStealer Related Activity (POST) (malware.rules)
  • 2051455 - ET MALWARE SmartLoader CnC Exfil (screen.bmp) (malware.rules)
  • 2051456 - ET MALWARE SmartLoader CnC Activity (malware.rules)
  • 2051457 - ET MALWARE Xehook Stealer CnC Checkin (malware.rules)
  • 2051458 - ET MALWARE Xehook Stealer CnC Checkin - Server Response (malware.rules)
  • 2051459 - ET MALWARE Xehook Stealer Data Exfiltration Attempt (malware.rules)
  • 2051460 - ET MALWARE Xehook stealer CnC Domain in DNS Lookup (trecube .com) (malware.rules)
  • 2051461 - ET MALWARE Observed Xehook Stealer Domain (trecube .com) in TLS SNI (malware.rules)
  • 2051462 - ET MALWARE Xehook Stealer CnC Domain in DNS Lookup (nc1337 .online) (malware.rules)
  • 2051463 - ET MALWARE Observed Xehook Stealer Domain (nc1337 .online) in TLS SNI (malware.rules)
  • 2051464 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .aus .mimico-cooperative .org) (malware.rules)
  • 2051465 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .aus .mimico-cooperative .org) (malware.rules)
  • 2051466 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (briefscala .com) (exploit_kit.rules)
  • 2051467 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (briefscala .com) (exploit_kit.rules)

Pro:

  • 2856426 - ETPRO WEB_CLIENT Evil Keitaro Set-Cookie Inbound (0c9c8) (web_client.rules)
  • 2856427 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Enabled and modified rules:

  • 2000932 - ET ADWARE_PUP Keenvalue Update Engine (adware_pup.rules)
  • 2001444 - ET ADWARE_PUP Overpro Spyware Bundle Install (adware_pup.rules)

Modified inactive rules:

  • 2000025 - ET ADWARE_PUP Gator Cookie (adware_pup.rules)
  • 2000367 - ET ADWARE_PUP Binet (set_pix) (adware_pup.rules)
  • 2000371 - ET ADWARE_PUP Binet (randreco.exe) (adware_pup.rules)
  • 2000466 - ET ADWARE_PUP User-Agent (iexplore) (adware_pup.rules)
  • 2000931 - ET ADWARE_PUP Comet Systems Spyware Traffic (adware_pup.rules)
  • 2001013 - ET ADWARE_PUP Fun Web Products SmileyCentral (adware_pup.rules)
  • 2001225 - ET ADWARE_PUP Statblaster Receiving New configuration (update) (adware_pup.rules)
  • 2001453 - ET ADWARE_PUP Couponage Download (adware_pup.rules)
  • 2001454 - ET ADWARE_PUP Couponage Configure (adware_pup.rules)
  • 2001456 - ET ADWARE_PUP ContextPanel Reporting (adware_pup.rules)
  • 2001460 - ET ADWARE_PUP Sexmaniack Install Tracking (adware_pup.rules)
  • 2001464 - ET ADWARE_PUP Xpire.info Multiple Spyware Installs (3) (adware_pup.rules)
  • 2001489 - ET ADWARE_PUP Spygalaxy.ws Spyware Checkin (adware_pup.rules)
  • 2001491 - ET ADWARE_PUP Xpire.info Spyware Checkin (adware_pup.rules)
  • 2001501 - ET ADWARE_PUP Clickspring.net Spyware Reporting (adware_pup.rules)
  • 2001503 - ET ADWARE_PUP Medialoads.com Spyware Config (adware_pup.rules)
  • 2001507 - ET ADWARE_PUP Medialoads.com Spyware Identifying Country of Origin (adware_pup.rules)
  • 2001509 - ET ADWARE_PUP Medialoads.com Spyware Reporting (register.cgi) (adware_pup.rules)
  • 2001520 - ET ADWARE_PUP Spywaremover Activity (adware_pup.rules)
  • 2001522 - ET ADWARE_PUP SpywareLabs Application Install (adware_pup.rules)
  • 2001526 - ET ADWARE_PUP Virtumonde Spyware Code Download bkinst.exe (adware_pup.rules)
  • 2001537 - ET ADWARE_PUP Spyspotter.com Access (adware_pup.rules)
  • 2001586 - ET ADWARE_PUP MarketScore.com Spyware Proxied Traffic (mitmproxy agent) (adware_pup.rules)
  • 2001650 - ET ADWARE_PUP Search Scout Related Spyware (content) (adware_pup.rules)
  • 2001653 - ET ADWARE_PUP Search Scout Related Spyware (results) (adware_pup.rules)
  • 2001656 - ET ADWARE_PUP GlobalPhon.com Dialer (adware_pup.rules)
  • 2001658 - ET ADWARE_PUP Comet Systems Spyware Reporting (adware_pup.rules)
  • 2001659 - ET ADWARE_PUP GlobalPhon.com Dialer (no_pop) (adware_pup.rules)
  • 2001660 - ET ADWARE_PUP GlobalPhon.com Dialer (add_ocx) (adware_pup.rules)
  • 2001666 - ET ADWARE_PUP Metarewards Spyware Activity (adware_pup.rules)
  • 2001678 - ET ADWARE_PUP Webhancer Agent Activity (adware_pup.rules)
  • 2001683 - ET ADWARE_PUP Windows executable sent when remote host claims to send an image (adware_pup.rules)
  • 2001701 - ET ADWARE_PUP Windupdates.com Spyware Loggin Data (adware_pup.rules)
  • 2001744 - ET ADWARE_PUP Searchmiracle.com Spyware Install (install) (adware_pup.rules)
  • 2001793 - ET ADWARE_PUP Incredisearch.com Spyware Ping (adware_pup.rules)
  • 2001794 - ET ADWARE_PUP Incredisearch.com Spyware Activity (adware_pup.rules)
  • 2001947 - ET ADWARE_PUP Zenotecnico Adware (adware_pup.rules)
  • 2002169 - ET ADWARE_PUP iWon Spyware (iWonSearchAssistant) (adware_pup.rules)
  • 2002394 - ET ADWARE_PUP Adwave/MarketScore User-Agent (WTA) (adware_pup.rules)
  • 2002404 - ET ADWARE_PUP Movies-etc User-Agent (IOInstall) (adware_pup.rules)
  • 2002736 - ET ADWARE_PUP Trafficsector.com Spyware Install (adware_pup.rules)
  • 2002740 - ET ADWARE_PUP adservs.com Spyware (adware_pup.rules)
  • 2002766 - ET ADWARE_PUP Corpsespyware.net BlackList - pcpeek (adware_pup.rules)
  • 2002767 - ET ADWARE_PUP Corpsespyware.net Distribution - bos.biz (adware_pup.rules)
  • 2002769 - ET ADWARE_PUP Corpsespyware.net Distribution - studiolacase (adware_pup.rules)
  • 2002805 - ET ADWARE_PUP Spyaxe Spyware DB Version Check (adware_pup.rules)
  • 2002806 - ET ADWARE_PUP Spyaxe Spyware Checkin (adware_pup.rules)
  • 2002836 - ET ADWARE_PUP MyWebSearch Toolbar Traffic (bar config download) (adware_pup.rules)
  • 2002933 - ET ADWARE_PUP CWS Spy-Sheriff.com Infeced Buy Page Request (adware_pup.rules)
  • 2002948 - ET POLICY External Windows Update in Progress (policy.rules)
  • 2002988 - ET ADWARE_PUP Possible Spambot Checking in to Spam (adware_pup.rules)
  • 2002990 - ET ADWARE_PUP Possible Spambot Pulling IP List to Spam (adware_pup.rules)
  • 2003058 - ET ADWARE_PUP 180solutions (Zango) Spyware Installer Download (adware_pup.rules)
  • 2003202 - ET ADWARE_PUP Thespyguard.com Spyware Update Check (adware_pup.rules)
  • 2003203 - ET ADWARE_PUP Hitvirus Fake AV Install (adware_pup.rules)
  • 2003204 - ET ADWARE_PUP Thespyguard.com Spyware Updating (adware_pup.rules)
  • 2003205 - ET ADWARE_PUP User-Agent (Informer from RBC) (adware_pup.rules)
  • 2003211 - ET ADWARE_PUP Best-targeted-traffic.com Spyware Ping (adware_pup.rules)
  • 2003217 - ET ADWARE_PUP 180solutions (Zango) Spyware Installer Config 2 (adware_pup.rules)
  • 2003218 - ET ADWARE_PUP Conduit Connect Toolbar Message Download(Many report to be benign) (adware_pup.rules)
  • 2003221 - ET ADWARE_PUP MySearchNow.com Spyware (adware_pup.rules)
  • 2003222 - ET ADWARE_PUP MyWebSearch Toolbar Receiving Config 2 (adware_pup.rules)
  • 2003251 - ET ADWARE_PUP SpySheriff Intial Phone Home (adware_pup.rules)
  • 2003253 - ET ADWARE_PUP MarketScore Spyware Uploading Data (adware_pup.rules)
  • 2003304 - ET ADWARE_PUP Effectivebrands.com Spyware Checkin (adware_pup.rules)
  • 2003336 - ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser) (adware_pup.rules)
  • 2003345 - ET ADWARE_PUP User-Agent (Download UBAgent) - lop.com and other spyware (adware_pup.rules)
  • 2003360 - ET ADWARE_PUP Effectivebrands.com Spyware Checkin 2 (adware_pup.rules)
  • 2003365 - ET ADWARE_PUP Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar ) (adware_pup.rules)
  • 2003389 - ET ADWARE_PUP WhenUClick.com Application Version Check (adware_pup.rules)
  • 2003399 - ET ADWARE_PUP Spyhealer Fake Anti-Spyware Install User-Agent (SpyHealer) (adware_pup.rules)
  • 2003416 - ET ADWARE_PUP Epilot.com Spyware Reporting Clicks (adware_pup.rules)
  • 2003429 - ET ADWARE_PUP xxxtoolbar.com Spyware Install User-Agent (adware_pup.rules)
  • 2003441 - ET ADWARE_PUP Webbuying.net Spyware Install User-Agent (wbi_v0.90) (adware_pup.rules)
  • 2003463 - ET ADWARE_PUP Suspicious User-Agent (Toolbar) Possibly Malware/Spyware (adware_pup.rules)
  • 2003513 - ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0) (hunting.rules)
  • 2003525 - ET ADWARE_PUP Supergames.aavalue.com Spyware (adware_pup.rules)
  • 2003529 - ET ADWARE_PUP Msgplus.net Spyware/Adware User-Agent (MsgPlus3) (adware_pup.rules)
  • 2003531 - ET ADWARE_PUP Antivermins.com Spyware/Adware User-Agent (AntiVermeans) (adware_pup.rules)
  • 2003533 - ET ADWARE_PUP Sytes.net Related Spyware Reporting (adware_pup.rules)
  • 2003541 - ET ADWARE_PUP Bravesentry.com Fake Antispyware Updating (adware_pup.rules)
  • 2003543 - ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware Install (adware_pup.rules)
  • 2003567 - ET ADWARE_PUP Winsoftware.com Fake AV User-Agent (DNS Extractor) (adware_pup.rules)
  • 2003569 - ET ADWARE_PUP Evidencenuker.com Fake AV/Anti-Spyware User-Agent (EVNUKER) (adware_pup.rules)
  • 2003585 - ET ADWARE_PUP Trojan User-Agent (Windows Updates Manager) (adware_pup.rules)
  • 2003588 - ET ADWARE_PUP Worm.Pyks HTTP C&C Traffic User-Agent (skw00001) (adware_pup.rules)
  • 2003598 - ET MALWARE Diazom Trojan User-Agent in Use (cv_v2.0.1) (malware.rules)
  • 2003606 - ET ADWARE_PUP Alexa Spyware Reporting URL Visited (adware_pup.rules)
  • 2003611 - ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Updating (adware_pup.rules)
  • 2003612 - ET ADWARE_PUP Malwarealarm.com Fake AV/AntiSpyware Download (adware_pup.rules)
  • 2003619 - ET ADWARE_PUP Alexa Spyware Redirecting User (adware_pup.rules)
  • 2003644 - ET ADWARE_PUP Generic.Malware.dld User-Agent (Sickloader) (adware_pup.rules)
  • 2003652 - ET ADWARE_PUP CoolStreaming Toolbar (Conduit related) User-Agent (Coolstreaming Tool-Bar) (adware_pup.rules)
  • 2003931 - ET MALWARE Banker.Delf User-Agent (Varlok_11000) (malware.rules)
  • 2006386 - ET ADWARE_PUP Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate) (adware_pup.rules)
  • 2006429 - ET ADWARE_PUP Karine.co.kr Related Spyware User Agent (chk Profile) (adware_pup.rules)
  • 2007570 - ET ADWARE_PUP User-Agent (Dummy) (adware_pup.rules)
  • 2007575 - ET ADWARE_PUP User-Agent (AntiSpyware) - Likely 2squared.com related (adware_pup.rules)
  • 2007601 - ET ADWARE_PUP Advertisementserver.com Spyware Initial Checkin (adware_pup.rules)
  • 2007602 - ET ADWARE_PUP Advertisementserver.com Spyware Checkin (adware_pup.rules)
  • 2007628 - ET POLICY Hyves Inbox Access (policy.rules)
  • 2007629 - ET POLICY Hyves Message Access (policy.rules)
  • 2007630 - ET POLICY Hyves Compose Message (policy.rules)
  • 2007631 - ET POLICY Hyves Message Submit (policy.rules)
  • 2007690 - ET ADWARE_PUP IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1) (adware_pup.rules)
  • 2007744 - ET ADWARE_PUP Guard-Center.com Fake AntiVirus Post-Install Checkin (adware_pup.rules)
  • 2007759 - ET ADWARE_PUP Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download) (adware_pup.rules)
  • 2007772 - ET ADWARE_PUP User-Agent (Internet Explorer (compatible)) (adware_pup.rules)
  • 2007808 - ET USER_AGENTS Cashpoint.com Related checkin User-Agent (inetinst) (user_agents.rules)
  • 2007809 - ET ADWARE_PUP Doctorvaccine.co.kr Related Spyware-User Agent (ers) (adware_pup.rules)
  • 2007810 - ET USER_AGENTS Cashpoint.com Related checkin User-Agent (okcpmgr) (user_agents.rules)
  • 2007855 - ET ADWARE_PUP OneStepSearch Host Activity (adware_pup.rules)
  • 2007899 - ET ADWARE_PUP User-Agent (HTTP_CONNECT) (adware_pup.rules)
  • 2007935 - ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fs3update) (adware_pup.rules)
  • 2007938 - ET ADWARE_PUP Geopia.com Fake Anti-Spyware/AV User-Agent (fian3manager) (adware_pup.rules)
  • 2007946 - ET ADWARE_PUP User-Agent (popup) (adware_pup.rules)
  • 2007947 - ET ADWARE_PUP Nguide.co.kr Fake Security Tool User-Agent (nguideup) (adware_pup.rules)
  • 2007958 - ET ADWARE_PUP Msconfig.co.kr Related User Agent (BACKMAN) (adware_pup.rules)
  • 2007959 - ET ADWARE_PUP Msconfig.co.kr Related User-Agent (GLOBALx) (adware_pup.rules)
  • 2007977 - ET ADWARE_PUP Dokterfix.com Fake AV User-Agent (Magic NetInstaller) (adware_pup.rules)
  • 2007993 - ET ADWARE_PUP User-Agent (2 spaces) (adware_pup.rules)
  • 2007995 - ET ADWARE_PUP Vaccine-program.co.kr Related Spyware Checkin (adware_pup.rules)
  • 2008000 - ET ADWARE_PUP Easydownloadsoft.com Fake Anti-Virus User-Agent (IM Downloader) (adware_pup.rules)
  • 2008066 - ET ADWARE_PUP Blank User-Agent (descriptor but no string) (adware_pup.rules)
  • 2008074 - ET MALWARE Banload User-Agent Detected (WebUpdate) (malware.rules)
  • 2008142 - ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1) (user_agents.rules)
  • 2008145 - ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRInstaller) (adware_pup.rules)
  • 2008146 - ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SpeedRunner) (adware_pup.rules)
  • 2008149 - ET ADWARE_PUP 360safe.com related Fake Security Product Update (KillerSet) (adware_pup.rules)
  • 2008150 - ET ADWARE_PUP Avsystemcare.com Fake AV User-Agent (LocusSoftware NetInstaller) (adware_pup.rules)
  • 2008151 - ET ADWARE_PUP Speed-runner.com Fake Speed Test User-Agent (SRRecover) (adware_pup.rules)
  • 2008180 - ET ADWARE_PUP V-Clean.com Fake AV Checkin (adware_pup.rules)
  • 2008190 - ET ADWARE_PUP WinButler User-Agent (WinButler) (adware_pup.rules)
  • 2008197 - ET ADWARE_PUP Winxdefender.com Fake AV Package Post Install Checkin (adware_pup.rules)
  • 2008198 - ET ADWARE_PUP Pcclear.co.kr/Pcclear.com Fake AV User-Agent (PCClearPlus) (adware_pup.rules)
  • 2008202 - ET ADWARE_PUP UbrenQuatroRusDldr Downloader User-Agent (UbrenQuatroRusDldr 096044) (adware_pup.rules)
  • 2008203 - ET ADWARE_PUP BndVeano4GetDownldr Downloader User-Agent (BndVeano4GetDownldr) (adware_pup.rules)
  • 2008204 - ET ADWARE_PUP yeps.co.kr Related User-Agent (ISecu) (adware_pup.rules)
  • 2008205 - ET ADWARE_PUP yeps.co.kr Related User-Agent (ISUpd) (adware_pup.rules)
  • 2008375 - ET ADWARE_PUP Gooochi Related Spyware Ad pull (adware_pup.rules)
  • 2008425 - ET ADWARE_PUP Advert-network.com Related Spyware Checking for Updates (adware_pup.rules)
  • 2008474 - ET ADWARE_PUP Adware.Look2Me Activity (adware_pup.rules)
  • 2008484 - ET ADWARE_PUP Cleancop.co.kr Fake AV User-Agent (CleancopUpdate) (adware_pup.rules)
  • 2008485 - ET ADWARE_PUP Searchtool.co.kr Fake Product User-Agent (searchtoolup) (adware_pup.rules)
  • 2008608 - ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun) (user_agents.rules)
  • 2008647 - ET ADWARE_PUP Internet-antivirus.com Related Fake AV User-Agent (Update Internet Antivirus) (adware_pup.rules)
  • 2008656 - ET ADWARE_PUP AV2010 Rogue Security Application User-Agent (AV2010) (adware_pup.rules)
  • 2008742 - ET ADWARE_PUP Admoke/Adload.AFB!tr.dldr Checkin (adware_pup.rules)
  • 2008743 - ET ADWARE_PUP User-Agent (bdsclk) - Possible Admoke Admware (adware_pup.rules)
  • 2008894 - ET ADWARE_PUP Popupblockade.com Spyware Related User-Agent (PopupBlockade/1.63.0.2/Reg) (adware_pup.rules)
  • 2008915 - ET ADWARE_PUP MySideSearch.com Spyware Install (adware_pup.rules)
  • 2009021 - ET ADWARE_PUP User-Agent (IE_6.0) (adware_pup.rules)
  • 2009091 - ET ADWARE_PUP Adware/Spyware Trymedia.com EXE download (adware_pup.rules)
  • 2009111 - ET ADWARE_PUP User-Agent (get_site1) (adware_pup.rules)
  • 2009124 - ET ADWARE_PUP User-Agent (GETJOB) (adware_pup.rules)
  • 2009150 - ET ADWARE_PUP Viruskill.co.kr Fake AV User-Agent Detected (virus_kill) (adware_pup.rules)
  • 2009234 - ET ADWARE_PUP Adware-Mirar Reporting (BAR) (adware_pup.rules)
  • 2009289 - ET ADWARE_PUP No-ad.co.kr Fake AV Related User-Agent (U2Clean) (adware_pup.rules)
  • 2009297 - ET MALWARE Boaxxe HTTP POST Checkin (malware.rules)
  • 2009438 - ET ADWARE_PUP User-Agent (Mozilla/4.8 ru) (adware_pup.rules)
  • 2009439 - ET ADWARE_PUP User-Agent (HelpSrvc) (adware_pup.rules)
  • 2009685 - ET MALWARE Unkown Trojan User-Agent (5.1 …) (malware.rules)
  • 2009765 - ET ADWARE_PUP Pivim Multibar User-Agent (Pivim Multibar) (adware_pup.rules)
  • 2009785 - ET ADWARE_PUP QVOD Related Spyware/Malware User-Agent (Qvod) (adware_pup.rules)
  • 2009796 - ET ADWARE_PUP FakeAV Windows Protection Suite/ReleaseXP.exe User-Agent (Releasexp) (adware_pup.rules)
  • 2009995 - ET ADWARE_PUP User-Agent (ONANDON) (adware_pup.rules)
  • 2010218 - ET ADWARE_PUP Win32/InternetAntivirus User-Agent (Internet Antivirus Pro) (adware_pup.rules)
  • 2010333 - ET ADWARE_PUP User-Agent (CrazyBro) (adware_pup.rules)
  • 2010337 - ET MALWARE FakeAV Reporting - POST often to resolution|borders.php (malware.rules)
  • 2010346 - ET MALWARE Ultimate HAckerz Team User-Agent (Made by UltimateHackerzTeam) - Likely Trojan Report (malware.rules)
  • 2010500 - ET ADWARE_PUP Executable purporting to be .txt file with no Referer - Likely Malware (adware_pup.rules)
  • 2010501 - ET ADWARE_PUP Executable purporting to be .cfg file with no Referer - Likely Malware (adware_pup.rules)
  • 2010904 - ET ADWARE_PUP Fake Mozilla User-Agent (Mozilla/0.xx) Inbound (adware_pup.rules)
  • 2011087 - ET ADWARE_PUP User-Agent (gomtour) (adware_pup.rules)
  • 2011101 - ET ADWARE_PUP Recuva User-Agent (OpenPage) - likely trojan dropper (adware_pup.rules)
  • 2011105 - ET ADWARE_PUP User-Agent (i-scan) (adware_pup.rules)
  • 2011123 - ET ADWARE_PUP User-Agent (Yodao Desktop Dict) (adware_pup.rules)
  • 2011229 - ET ADWARE_PUP User-Agent (Suggestion) (adware_pup.rules)
  • 2011293 - ET USER_AGENTS Suspicious User Agent (GabPath) (user_agents.rules)
  • 2011297 - ET ADWARE_PUP User-Agent (KRMAK) Butterfly Bot download (adware_pup.rules)
  • 2011517 - ET ADWARE_PUP Inbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor) (adware_pup.rules)
  • 2011518 - ET ADWARE_PUP Outbound AlphaServer User-Agent (Powered By 64-Bit Alpha Processor) (adware_pup.rules)
  • 2011679 - ET ADWARE_PUP User-Agent (dbcount) (adware_pup.rules)
  • 2011691 - ET ADWARE_PUP Hotbar Agent User-Agent (PinballCorp) (adware_pup.rules)
  • 2011718 - ET ADWARE_PUP User-Agent (RangeCheck/0.1) (adware_pup.rules)
  • 2011938 - ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.0 (adware_pup.rules)
  • 2011939 - ET ADWARE_PUP CryptMEN HTTP library purporting to be MSIE to PHP HTTP 1.1 (adware_pup.rules)
  • 2012172 - ET ADWARE_PUP User-Agent (mrgud) (adware_pup.rules)
  • 2012228 - ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related (adware_pup.rules)
  • 2012229 - ET ADWARE_PUP Suspicious Chinese Content-Language zh-cn Which May be Malware Related (adware_pup.rules)
  • 2012536 - ET ADWARE_PUP Mozilla 3.0 and Indy Library User-Agent Likely Hostile (adware_pup.rules)
  • 2012804 - ET ADWARE_PUP Possible Windows executable sent ASCII-hex-encoded (adware_pup.rules)
  • 2013349 - ET MALWARE Connectivity Check of Unknown Origin 1 (malware.rules)
  • 2013350 - ET MALWARE Connectivity Check of Unknown Origin 2 (malware.rules)
  • 2013405 - ET ADWARE_PUP W32/Baigoo User Agent (adware_pup.rules)
  • 2013725 - ET USER_AGENTS Win32/OnLineGames User-Agent (Revolution Win32) (user_agents.rules)
  • 2013729 - ET ADWARE_PUP Adware/Helpexpress User Agent HXLogOnly (adware_pup.rules)
  • 2013901 - ET MALWARE Suspicious User Agent GeneralDownloadApplication (malware.rules)
  • 2013999 - ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def) (adware_pup.rules)
  • 2014105 - ET MALWARE Zeus Bot GET to Google checking Internet connectivity using proxy (malware.rules)
  • 2014117 - ET ADWARE_PUP Win32/SmartTab PUP Install Activity (adware_pup.rules)
  • 2014120 - ET ADWARE_PUP Win32/Eorezo-B Adware Checkin (adware_pup.rules)
  • 2014135 - ET MALWARE Zeus/Reveton checkin to /images.rar (malware.rules)
  • 2014183 - ET ADWARE_PUP Malicious ad_track.php file Reporting (adware_pup.rules)
  • 2014347 - ET MALWARE Peed Checkin (malware.rules)
  • 2014403 - ET ADWARE_PUP W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin (adware_pup.rules)
  • 2014584 - ET ADWARE_PUP Win32/Pdfjsc.XD Related Checkin (microsoft_predator_client header field) (adware_pup.rules)
  • 2014606 - ET ADWARE_PUP W32/GameVance User-Agent (aw v3) (adware_pup.rules)
  • 2014798 - ET ADWARE_PUP PCMightyMax Agent PCMM.Installer (adware_pup.rules)
  • 2014929 - ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip (current_events.rules)
  • 2015018 - ET ADWARE_PUP W32/OnlineGames User Agent loadMM (adware_pup.rules)
  • 2015604 - ET EXPLOIT_KIT DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern (exploit_kit.rules)
  • 2015689 - ET EXPLOIT_KIT DRIVEBY NeoSploit - Java Exploit Requested (exploit_kit.rules)
  • 2015690 - ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested (exploit_kit.rules)
  • 2015758 - ET EXPLOIT_KIT g01pack Exploit Kit Landing Page (2) (exploit_kit.rules)
  • 2015818 - ET EXPLOIT_KIT g01pack Exploit Kit .homeip. Landing Page (exploit_kit.rules)
  • 2015819 - ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page (exploit_kit.rules)
  • 2015874 - ET MALWARE Known Reveton Domain HTTP whatwillber.com (malware.rules)
  • 2015928 - ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (1) (exploit_kit.rules)
  • 2015929 - ET EXPLOIT_KIT RedKit Exploit Kit Java Request to Recent jar (2) (exploit_kit.rules)
  • 2015939 - ET EXPLOIT_KIT g01pack Exploit Kit .blogsite. Landing Page (exploit_kit.rules)
  • 2015950 - ET EXPLOIT_KIT Propack Payload Request (exploit_kit.rules)
  • 2015981 - ET EXPLOIT_KIT Zuponcic Hostile Jar (exploit_kit.rules)
  • 2016787 - ET EXPLOIT_KIT Sakura - Payload Downloaded (exploit_kit.rules)
  • 2017039 - ET EXPLOIT_KIT X20 EK Payload Download (exploit_kit.rules)
  • 2017092 - ET EXPLOIT_KIT CritX/SafePack/FlashPack Jar Download Jul 01 2013 (exploit_kit.rules)
  • 2017093 - ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013 (exploit_kit.rules)
  • 2017153 - ET EXPLOIT_KIT FlimKit JNLP URI Struct (exploit_kit.rules)
  • 2017299 - ET EXPLOIT_KIT X20 EK Download Aug 07 2013 (exploit_kit.rules)
  • 2017518 - ET MALWARE Worm.VBS.ayr CnC command (/iam-ready) (malware.rules)
  • 2017613 - ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013 (exploit_kit.rules)
  • 2017718 - ET MALWARE Trojan.BlackRev Botnet Login Request CnC Beacon (malware.rules)
  • 2017982 - ET HUNTING Suspicious User-Agent 100 non-printable char (hunting.rules)
  • 2018099 - ET ADWARE_PUP W32/Safekeeper.Adware CnC Beacon (adware_pup.rules)
  • 2018344 - ET CURRENT_EVENTS Hikvision DVR Synology Recon Scan Checkin (current_events.rules)
  • 2018386 - ET MALWARE cryptodefense Checkin (malware.rules)
  • 2018394 - ET MALWARE Common Upatre Header Structure (malware.rules)
  • 2018458 - ET ADWARE_PUP DomainIQ Check-in (adware_pup.rules)
  • 2018481 - ET MALWARE Trojan.Win32.Webprefix checkin (malware.rules)
  • 2018533 - ET MOBILE_MALWARE Android.Adware.Wapsx.A (mobile_malware.rules)
  • 2018928 - ET MALWARE Unknown Trojan Dropped By Archie.EK (malware.rules)
  • 2019210 - ET EXPLOIT_KIT DRIVEBY Nuclear EK PDF (exploit_kit.rules)
  • 2019226 - ET EXPLOIT_KIT DRIVEBY Nuclear EK 2013-3918 (exploit_kit.rules)
  • 2019359 - ET EXPLOIT_KIT Nuclear EK Payload URI Struct Oct 5 2014 (exploit_kit.rules)
  • 2019676 - ET EXPLOIT_KIT Nuclear EK Payload URI Struct Nov 07 2014 (exploit_kit.rules)
  • 2019679 - ET MALWARE Archie EK Payload Checkin POST (malware.rules)
  • 2019789 - ET MALWARE HTTP Request to a *.cvredirect.no-ip.net domain - CoinLocker Domain (malware.rules)
  • 2019791 - ET MALWARE HTTP Request to a *.cvredirect.ddns.net domain - CoinLocker Domain (malware.rules)
  • 2019894 - ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php (exploit_kit.rules)
  • 2019917 - ET EXPLOIT_KIT Nuclear EK SilverLight Exploit (exploit_kit.rules)
  • 2020070 - ET MALWARE Unknown Dropped by RIG EK (malware.rules)
  • 2020159 - ET WEB_CLIENT Upatre Redirector Jan 9 2015 (web_client.rules)
  • 2020212 - ET WEB_CLIENT Upatre Redirector IE Requesting Payload Jan 19 2015 (web_client.rules)
  • 2020311 - ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2 (exploit_kit.rules)
  • 2020312 - ET EXPLOIT_KIT DRIVEBY Nuclear EK SWF M2 (exploit_kit.rules)
  • 2020317 - ET EXPLOIT_KIT DRIVEBY Nuclear EK SilverLight M2 (exploit_kit.rules)
  • 2020328 - ET MALWARE Possible Dridex Campaign Download Jan 28 2015 (malware.rules)
  • 2020340 - ET MALWARE f0xy Checkin (malware.rules)
  • 2020392 - ET EXPLOIT_KIT KaiXin Secondary Landing Page (exploit_kit.rules)
  • 2020422 - ET ADWARE_PUP MultiPlug.J Checkin (adware_pup.rules)
  • 2020570 - ET EXPLOIT_KIT KaiXin Secondary Landing Page (exploit_kit.rules)
  • 2020654 - ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 1 (malware.rules)
  • 2020655 - ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Checkin 2 (malware.rules)
  • 2020707 - ET MALWARE VaultCrypt Uploading Files (malware.rules)
  • 2020719 - ET EXPLOIT_KIT Possible HanJuan Landing March 20 2015 (exploit_kit.rules)
  • 2020758 - ET MALWARE VBA Office Document Dridex Binary Download User-Agent (malware.rules)
  • 2020806 - ET MALWARE VBA Office Document Dridex Binary Download User-Agent 2 (malware.rules)
  • 2020837 - ET MALWARE Malicious Doc Download EXE Primer (flowbits set) (malware.rules)
  • 2020841 - ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015 (exploit_kit.rules)
  • 2020842 - ET EXPLOIT_KIT Nuclear EK Landing Apr 03 2015 (exploit_kit.rules)
  • 2020860 - ET MALWARE Malicious Office Doc CnC Beacon (malware.rules)
  • 2020865 - ET EXPLOIT_KIT Nuclear EK Landing Apr 08 2015 (exploit_kit.rules)
  • 2020895 - ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2 (exploit_kit.rules)
  • 2020983 - ET EXPLOIT_KIT Fiesta EK Java Exploit Apr 23 2015 (exploit_kit.rules)
  • 2021037 - ET EXPLOIT_KIT CottonCastle/Niteris EK Payload April 29 2015 (exploit_kit.rules)
  • 2021042 - ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit Struct April 30 2015 (exploit_kit.rules)
  • 2021219 - ET EXPLOIT_KIT KaiXin Secondary Landing Jun 09 2015 (exploit_kit.rules)
  • 2021308 - ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015 (exploit_kit.rules)
  • 2021309 - ET EXPLOIT_KIT CottonCastle/Niteris EK Flash Exploit URI Struct June 19 2015 (exploit_kit.rules)
  • 2021366 - ET WEB_CLIENT Fake AV Phone Scam Stylesheet June 26 2015 (web_client.rules)
  • 2021368 - ET WEB_CLIENT Fake AV Phone Scam Landing June 26 2015 M6 (web_client.rules)
  • 2021435 - ET EXPLOIT_KIT Evil Redirector Leading to EK Jul 17 (exploit_kit.rules)
  • 2021508 - ET CURRENT_EVENTS NullHole URI Struct Jul 22 2015 M3 (current_events.rules)
  • 2021571 - ET MALWARE Sakula/Mivast RAT CnC Beacon 8 (malware.rules)
  • 2021607 - ET MALWARE Potential W32/Dridex Alphanumeric Download Pattern (malware.rules)
  • 2021620 - ET EXPLOIT_KIT Nuclear EK Exploit URI Struct Aug 12 (exploit_kit.rules)
  • 2021698 - ET EXPLOIT_KIT Possible Magnitude EK Landing URI Struct Aug 21 2015 (exploit_kit.rules)
  • 2021764 - ET EXPLOIT_KIT Possible Spartan EK Secondary Flash Exploit DL M2 (exploit_kit.rules)
  • 2021787 - ET EXPLOIT_KIT Unknown Malicious Second Stage Download URI Struct Sept 15 2015 (exploit_kit.rules)
  • 2021967 - ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1 (web_client.rules)
  • 2021968 - ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2 (web_client.rules)
  • 2022010 - ET WEB_CLIENT Fake AV Phone Scam Landing Oct 29 (web_client.rules)
  • 2022031 - ET WEB_CLIENT Fake Virus Phone Scam JS Landing Nov 4 (web_client.rules)
  • 2022032 - ET WEB_CLIENT Fake Virus Phone Scam GET Nov 4 (web_client.rules)
  • 2022040 - ET EXPLOIT_KIT Evil Redirector Leadking to EK Nov 2015 (exploit_kit.rules)
  • 2022147 - ET MALWARE Matryoshka CnC Beacon 2 (malware.rules)
  • 2022304 - ET EXPLOIT_KIT Evil Redirect Leading to EK Dec 22 2015 (Proxy Filtering) (exploit_kit.rules)
  • 2022339 - ET MALWARE Dridex Download 6th Jan 2016 Flowbit (malware.rules)
  • 2022340 - ET MALWARE W32/Dridex Binary Download 6th Jan 2016 (malware.rules)
  • 2022410 - ET WEB_CLIENT Chrome Tech Support Scam Landing Jan 26 2016 (web_client.rules)
  • 2022465 - ET EXPLOIT_KIT Evil Redirector Leading to EK (Known Evil Keitaro TDS) (exploit_kit.rules)
  • 2022528 - ET WEB_CLIENT Fake Hard Drive Delete Scam Landing Feb 16 M4 (web_client.rules)
  • 2022530 - ET WEB_CLIENT Fake Virus Phone Scam Landing Feb 17 (web_client.rules)
  • 2022602 - ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7 (web_client.rules)
  • 2022604 - ET PHISHING Successful Enom Phish Mar 08 2016 (phishing.rules)
  • 2022619 - ET WEB_CLIENT Fake AV Phone Scam Landing Mar 15 (web_client.rules)
  • 2022649 - ET WEB_CLIENT Fake AV Phone Scam Mar 23 (web_client.rules)
  • 2022802 - ET WEB_CLIENT Microsoft Fake Support Phone Scam May 10 (web_client.rules)
  • 2022855 - ET WEB_CLIENT Tech Support Phone Scam Landing M3 Jun 3 (web_client.rules)
  • 2022856 - ET WEB_CLIENT Tech Support Phone Scam Landing M1 Jun 3 (web_client.rules)
  • 2022857 - ET WEB_CLIENT Tech Support Phone Scam Landing M2 Jun 3 (web_client.rules)
  • 2022905 - ET PHISHING Suspicious Hidden Javascript Redirect - Possible Phishing Jun 17 (phishing.rules)
  • 2022926 - ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M2 (web_client.rules)
  • 2022928 - ET WEB_CLIENT Tech Support Phone Scam Landing Jun 29 M4 (web_client.rules)
  • 2022942 - ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers) (malware.rules)
  • 2022974 - ET HUNTING Suspicious SMTP Settings in XLS - Possible Phishing Document (hunting.rules)
  • 2023036 - ET EXPLOIT_KIT EITest Flash Redirect Aug 09 2016 (exploit_kit.rules)
  • 2023039 - ET WEB_CLIENT Tech Support Phone Scam Landing Aug 10 M3 (web_client.rules)
  • 2023080 - ET WEB_CLIENT Fake Mobile Virus Scam M2 Aug 18 2016 (web_client.rules)
  • 2023239 - ET WEB_CLIENT Microsoft Tech Support Scam M3 Sept 15 2016 (web_client.rules)
  • 2023249 - ET EXPLOIT_KIT Possible EITest Flash Redirect Sep 19 2016 (exploit_kit.rules)
  • 2023288 - ET MALWARE BleedingLife EK CVE-2014-6332 Exploit (malware.rules)
  • 2023289 - ET MALWARE BleedingLife EK CVE-2016-0189 Exploit (malware.rules)
  • 2023315 - ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016 (malware.rules)
  • 2023316 - ET MALWARE Possible Locky AlphaNum Downloader Oct 3 2016 (malware.rules)
  • 2023557 - ET PHISHING XBOOMBER Paypal Phishing Landing Nov 28 2016 (phishing.rules)
  • 2023594 - ET MALWARE JS/WSF Downloader Dec 08 2016 (malware.rules)
  • 2023745 - ET EXPLOIT_KIT EITest SocEng Inject Jan 15 2017 EXE Download (exploit_kit.rules)
  • 2023769 - ET MALWARE Possible Unknown Trojan Checkin Jan 26 2017 (malware.rules)
  • 2023869 - ET WEB_CLIENT Fake AV Phone Scam Landing Feb 2 (web_client.rules)
  • 2024198 - ET EXPLOIT_KIT EITest SocENG Payload DL (exploit_kit.rules)
  • 2024270 - ET MALWARE Kazuar CnC Beacon (malware.rules)
  • 2024299 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 2 (malware.rules)
  • 2024301 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 4 (malware.rules)
  • 2024302 - ET MALWARE W32/WannaCry.Ransomware Killswitch Domain HTTP Request 5 (malware.rules)
  • 2024767 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M1 (current_events.rules)
  • 2024768 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M2 (current_events.rules)
  • 2024864 - ET MALWARE Possible Winnti-related Destination (malware.rules)
  • 2026462 - ET CURRENT_EVENTS Possible Locky Payload DL Sept 26 2017 M4 (current_events.rules)
  • 2801209 - ETPRO ADWARE_PUP Generic Trojan with ludilo UA (adware_pup.rules)
  • 2801247 - ETPRO ADWARE_PUP Zango Spyware Install Checkin (adware_pup.rules)
  • 2801273 - ETPRO ADWARE_PUP Gabpath.com Toolbar Tracker Update (adware_pup.rules)
  • 2801338 - ETPRO ADWARE_PUP RogueSoftware.Win32.McAVG2011 Checkin (adware_pup.rules)
  • 2801396 - ETPRO ADWARE_PUP Hotbar Checkin and Report (adware_pup.rules)
  • 2801418 - ETPRO ADWARE_PUP RogueSoftware.Win32.AVGAntivirus2011 Checkin 1 (adware_pup.rules)
  • 2801419 - ETPRO ADWARE_PUP RogueSoftware.Win32.AVGAntivirus2011 Checkin 2 (adware_pup.rules)
  • 2801425 - ETPRO ADWARE_PUP Adware.Win32.OpenCandy Checkin 2 (adware_pup.rules)
  • 2802100 - ETPRO ADWARE_PUP Zango Toolbar User-Agent (BAR) (adware_pup.rules)
  • 2802960 - ETPRO MALWARE Win32.SpyEye.cuk Checkin flowbit SET (malware.rules)
  • 2803211 - ETPRO ADWARE_PUP AdWare.Win32.AdMedia Checkin (adware_pup.rules)
  • 2803323 - ETPRO ADWARE_PUP GabPath Adware User-Agent (Minoral) (adware_pup.rules)
  • 2803427 - ETPRO MALWARE Common Trojan Header Pattern Accept with double slash (malware.rules)
  • 2803432 - ETPRO ADWARE_PUP Adware Torangcomz or Related Install Checkin (adware_pup.rules)
  • 2803590 - ETPRO ADWARE_PUP Adware Win32/Webnexus Checkin (adware_pup.rules)
  • 2803598 - ETPRO ADWARE_PUP Zugo Spyware Related Searchbar Installer (LogiaInstaller) (adware_pup.rules)
  • 2803650 - ETPRO ADWARE_PUP Adware Win32/Oneday.B Checkin (adware_pup.rules)
  • 2803813 - ETPRO MALWARE Win32/Rimod Checkin (malware.rules)
  • 2803824 - ETPRO MALWARE Trojan.Generic.KDV.274800 Checkin (malware.rules)
  • 2803870 - ETPRO ADWARE_PUP Adware/Win32.Gamevance.hfco Install (adware_pup.rules)
  • 2803984 - ETPRO ADWARE_PUP Adware.SponsorKeyword Install (adware_pup.rules)
  • 2804093 - ETPRO ADWARE_PUP FakeAlert!grb Install (adware_pup.rules)
  • 2804094 - ETPRO ADWARE_PUP AdWare.Win32.SideTab.n Install (adware_pup.rules)
  • 2804222 - ETPRO MALWARE Win32/Scar.L Checkin (malware.rules)
  • 2804263 - ETPRO MALWARE Win32/Karagany.A Checkin (malware.rules)
  • 2804321 - ETPRO ADWARE_PUP Adware DL.Fosniw!lhp5vDLfRus Checkin (adware_pup.rules)
  • 2804386 - ETPRO ADWARE_PUP Variant.Adware.Gabpath.2 Checkin (adware_pup.rules)
  • 2804407 - ETPRO ADWARE_PUP Adware.Relevant.BH Install (adware_pup.rules)
  • 2804409 - ETPRO MALWARE Variant.Kazy.51230 Checkin (malware.rules)
  • 2804458 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.CZ Checkin (adware_pup.rules)
  • 2804504 - ETPRO ADWARE_PUP rogue anti-spyware Soft-Cop (adware_pup.rules)
  • 2804542 - ETPRO ADWARE_PUP Generic.KDV.71846 INSTALL (adware_pup.rules)
  • 2804568 - ETPRO ADWARE_PUP Adware.Downware.193 Checkin (adware_pup.rules)
  • 2804572 - ETPRO MALWARE Win32/Bucriv.B Checkin (malware.rules)
  • 2804599 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.DB Install (adware_pup.rules)
  • 2804612 - ETPRO ADWARE_PUP Win32/Adware.WindowsLiveProtect.A Checkin (adware_pup.rules)
  • 2804624 - ETPRO ADWARE_PUP W32/WhiteSmoke.AY Install (adware_pup.rules)
  • 2804678 - ETPRO ADWARE_PUP Spyware.Known_Bad_Sites Install (adware_pup.rules)
  • 2804725 - ETPRO ADWARE_PUP Adware.GreenIO Checkin (adware_pup.rules)
  • 2804757 - ETPRO ADWARE_PUP Adware/Kikin.A Checkin (adware_pup.rules)
  • 2805019 - ETPRO ADWARE_PUP Adware.CasinoClient Checkin (adware_pup.rules)
  • 2805232 - ETPRO MALWARE Trojan.Win32.Meredrop request (malware.rules)
  • 2805253 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.W Checkin (adware_pup.rules)
  • 2805275 - ETPRO ADWARE_PUP Win32/Adware.Hebogo Checkin (adware_pup.rules)
  • 2805284 - ETPRO ADWARE_PUP Win32/Pelfpoi.M Checkin (adware_pup.rules)
  • 2805285 - ETPRO ADWARE_PUP PUP/Win32.Micropop Checkin (adware_pup.rules)
  • 2805407 - ETPRO ADWARE_PUP Adware/SnapDo Install (adware_pup.rules)
  • 2805546 - ETPRO ADWARE_PUP Adware.Win32.Facetheme Checkin (adware_pup.rules)
  • 2805558 - ETPRO ADWARE_PUP SmartTools Checkin (adware_pup.rules)
  • 2805633 - ETPRO ADWARE_PUP AdWare.Win32.Kwsearchguide!IK Install (adware_pup.rules)
  • 2805635 - ETPRO ADWARE_PUP Adware.DirectDownloader Checkin (adware_pup.rules)
  • 2805648 - ETPRO ADWARE_PUP Adware.MWS Checkin (adware_pup.rules)
  • 2805662 - ETPRO ADWARE_PUP Unknown Malware Checkin (adware_pup.rules)
  • 2805668 - ETPRO ADWARE_PUP Generic PUP.x!vi!1B41AF78BF55 Checkin (adware_pup.rules)
  • 2805745 - ETPRO ADWARE_PUP Adware.Kraddare!11iB0o+IEDU CnC 2 (adware_pup.rules)
  • 2805750 - ETPRO ADWARE_PUP Adware.Agent.FJ Checkin (adware_pup.rules)
  • 2805780 - ETPRO ADWARE_PUP AdWare.Win32.KSG.vl Checkin (adware_pup.rules)
  • 2805813 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 4 (mobile_malware.rules)
  • 2805855 - ETPRO ADWARE_PUP Porn-Dialer.Win32.Agent.a / DIAL_RAS.IQ Checkin (adware_pup.rules)
  • 2806330 - ETPRO MOBILE_MALWARE Spy.AndroidOS.Zitmo.a Checkin (mobile_malware.rules)
  • 2807150 - ETPRO ADWARE_PUP Security Cleaner Pro FakeAV Checkin (adware_pup.rules)
  • 2807797 - ETPRO MALWARE Trojan-Dropper.Win32.Dorifel.ahba Checkin (malware.rules)
  • 2808249 - ETPRO MALWARE Win32/Gablrub Checkin (malware.rules)
  • 2808569 - ETPRO MALWARE Win32/Zbot angryflo.ru GET Aug 14 2014 (malware.rules)
  • 2808572 - ETPRO ADWARE_PUP Win32/AdWare.Laban.G Checkin (adware_pup.rules)
  • 2808734 - ETPRO ADWARE_PUP PUA.DNWRandomHack Checkin (adware_pup.rules)
  • 2808890 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.CH Checkin (mobile_malware.rules)
  • 2809795 - ETPRO EXPLOIT_KIT Possible Magnitude exploit payload contype check Feb 12 2015 (exploit_kit.rules)
  • 2809908 - ETPRO WEB_CLIENT Evil Redirector Leading to EK Feb 28 2015 (web_client.rules)
  • 2810169 - ETPRO MALWARE Win32/TrojanDownloader.Blocrypt Conn Check (malware.rules)
  • 2810480 - ETPRO DOS Slowloris HTTP Traffic Inbound (dos.rules)
  • 2810602 - ETPRO MALWARE Unknown Banker .dat file download 2 (malware.rules)
  • 2810851 - ETPRO MALWARE Win32/TrojanDownloader.Banload.VOG Retrieving compressed PE set (malware.rules)
  • 2810880 - ETPRO EXPLOIT_KIT Nuclear EK Landing April 30 2015 M1 (exploit_kit.rules)
  • 2810881 - ETPRO EXPLOIT_KIT Nuclear EK Landing April 30 2015 M2 (exploit_kit.rules)
  • 2810882 - ETPRO EXPLOIT_KIT Nuclear EK Landing April 30 2015 M3 (exploit_kit.rules)
  • 2811144 - ETPRO MALWARE WORM.VBS/JENXCUS.DN Checkin (malware.rules)
  • 2811213 - ETPRO MALWARE Trojan/Win32.Banload Config Download Response (malware.rules)
  • 2811225 - ETPRO MALWARE Win32/TrojanDownloader.Banload.VOG Retrieving compressed PE set (ZIP) (malware.rules)
  • 2811492 - ETPRO EXPLOIT_KIT Possible HanJuan EK Secondary Flash File June 15 2015 (exploit_kit.rules)
  • 2811668 - ETPRO MALWARE Pirpi Variant CnC Beacon (malware.rules)
  • 2812062 - ETPRO WEB_CLIENT Adfraud Redirector (web_client.rules)
  • 2812124 - ETPRO ADWARE_PUP Win32/Adware.FileTour Variant PUP - IE Redirect (adware_pup.rules)
  • 2812171 - ETPRO MALWARE Win32/QQpass.gen!E Activity (malware.rules)
  • 2812185 - ETPRO PHISHING Possible Successful Bank of America Phish M1 Jul 27 2015 (phishing.rules)
  • 2812198 - ETPRO EXPLOIT_KIT Magnitude EK SilverLight Exploit Jul 28 2015 M1 (exploit_kit.rules)
  • 2812409 - ETPRO MALWARE Win32/Venik HTTP CnC Beacon Response 2 (malware.rules)
  • 2812528 - ETPRO MALWARE Win32/Misdat.A CnC Checkin (malware.rules)
  • 2812979 - ETPRO MALWARE Win32/Neshta.A Checkin (malware.rules)
  • 2814000 - ETPRO MALWARE Win32/TrojanDownloader.Banload Retrieving compressed PE set (ZIP) (malware.rules)
  • 2814084 - ETPRO PHISHING Successful Chase Phish M3 Sept 24 2015 (phishing.rules)
  • 2814086 - ETPRO PHISHING Successful Chase Phish M5 Sept 24 2015 (phishing.rules)
  • 2814162 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing Sep 30 2015 M1 (exploit_kit.rules)
  • 2814168 - ETPRO EXPLOIT_KIT Nuclear EK Landing URI Struct Sep 30 2015 (exploit_kit.rules)
  • 2814239 - ETPRO MALWARE Win32/InfoStealer.Banload Variant Retrieving Payload (malware.rules)
  • 2814385 - ETPRO MALWARE Win32/Nivdort!acf CnC Beacon (malware.rules)
  • 2814767 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit M4 (exploit_kit.rules)
  • 2814887 - ETPRO MALWARE Bookworm CnC Beacon 4 (malware.rules)
  • 2815121 - ETPRO MALWARE Win32/HydraCrypt CnC Beacon 4 (malware.rules)
  • 2815133 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash Exploit Nov 30 2015 IE (exploit_kit.rules)
  • 2815151 - ETPRO PHISHING Anonisma Phishing CSS Nov 30 M2 (phishing.rules)
  • 2815282 - ETPRO ADWARE_PUP W32/Unk Reporting PUP Installs (adware_pup.rules)
  • 2815484 - ETPRO EXPLOIT_KIT Nuclear EK Flash Exploit URI struct Dec 27 2015 (exploit_kit.rules)
  • 2815804 - ETPRO EXPLOIT_KIT Possible Nuclear EK Landing URI Struct Jan 14 M1 (exploit_kit.rules)
  • 2815825 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash URI Struct Jan 14 M1 (Unset) (exploit_kit.rules)
  • 2815826 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash URI Struct Jan 14 M3 (exploit_kit.rules)
  • 2815867 - ETPRO MALWARE MSIL/Gurim.A Downloader Request (malware.rules)
  • 2815942 - ETPRO MALWARE W32/Nymaim Checkin 3 (malware.rules)
  • 2815952 - ETPRO PHISHING Successful Suntrust Bank Phish Jan 25 M3 (phishing.rules)
  • 2815980 - ETPRO PHISHING Possible Phishing Landing via Moonfruit M1 Jan 26 2016 (phishing.rules)
  • 2816067 - ETPRO EXPLOIT_KIT Nuclear EK Flash Version PostBack T2 Feb 03 2016 (exploit_kit.rules)
  • 2816120 - ETPRO PHISHING DHL Phish Landing Feb 08 2016 (phishing.rules)
  • 2816389 - ETPRO WEB_CLIENT Evil Redirector Leading to EK EITest Feb 25 (web_client.rules)
  • 2816438 - ETPRO WEB_CLIENT Possible Evil Redirector Leading to EK EITest Feb 29 (web_client.rules)
  • 2816440 - ETPRO MALWARE Unknown Bot CnC Checkin (malware.rules)
  • 2816612 - ETPRO PHISHING Successful American Express Phish Mar 10 2016 (phishing.rules)
  • 2816720 - ETPRO MOBILE_MALWARE Android/AdDisplay.Kuguo.V Checkin (mobile_malware.rules)
  • 2816909 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash URI Struct Apr 05 M1 (exploit_kit.rules)
  • 2816910 - ETPRO EXPLOIT_KIT Possible Nuclear EK Flash URI Struct Apr 05 M1 (exploit_kit.rules)
  • 2816918 - ETPRO PHISHING Microsoft Antimalware Phishing Landing Apr 5 (phishing.rules)
  • 2819647 - ETPRO EXPLOIT_KIT Possible SunDown/Xer EK Payload Apr 08 M1 (exploit_kit.rules)
  • 2819668 - ETPRO MALWARE Unknown Checkin (malware.rules)
  • 2819670 - ETPRO MALWARE Unknown Keylogger Checkin (malware.rules)
  • 2819790 - ETPRO MALWARE Ransomware/Coverton Checkin 2 (malware.rules)
  • 2819880 - ETPRO EXPLOIT_KIT Nuclear EK Flash Version IE PostBack M1 Apr 20 2016 (exploit_kit.rules)
  • 2819953 - ETPRO MALWARE Ransomware TrueCrypter CnC Beacon (malware.rules)
  • 2820349 - ETPRO MALWARE APT.Danti Variant CnC Beacon (malware.rules)
  • 2820372 - ETPRO PHISHING Suspicious Domain - Possible Phishing Redirect May 26 (phishing.rules)
  • 2820396 - ETPRO MALWARE Helminth Checkin (malware.rules)
  • 2820404 - ETPRO EXPLOIT_KIT Possible KaiXin EK Common Flash Exploit URI Constructn May 31 2016 (exploit_kit.rules)
  • 2820562 - ETPRO WEB_CLIENT Possible Evil Redirector Leading to EK EITest Jun 10 2016 (web_client.rules)
  • 2820780 - ETPRO MALWARE APT SWC Redirected Request June 21 2016 (malware.rules)
  • 2820840 - ETPRO EXPLOIT_KIT SunDown EK Flash Exploit M2 June 20 2016 (exploit_kit.rules)
  • 2820893 - ETPRO EXPLOIT_KIT Sednit EK PluginDetect Post back June 27 2016 (exploit_kit.rules)
  • 2821156 - ETPRO EXPLOIT_KIT Likely Magnitude EK Flash Exploit Struct Jul 13 2016 T1 (exploit_kit.rules)
  • 2821211 - ETPRO MALWARE Unknown CnC Beacon Checkin Sending Info (malware.rules)
  • 2821652 - ETPRO PHISHING Webform Submitted via webnode.fr - Possible Successful Phish Aug 15 2016 (phishing.rules)
  • 2821706 - ETPRO PHISHING Docusign Phishing Landing Aug 17 2016 (phishing.rules)
  • 2821774 - ETPRO MALWARE Alma Locker CnC Beacon (malware.rules)
  • 2821850 - ETPRO PHISHING Successful Google Drive Phish M1 Aug 25 2016 (phishing.rules)
  • 2821856 - ETPRO MALWARE Win32/Fantom Ransomware Checkin (malware.rules)
  • 2821903 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.kz CnC Beacon (mobile_malware.rules)
  • 2822042 - ETPRO PHISHING Paypal Phishing Landing Sept 8 2016 (phishing.rules)
  • 2822212 - ETPRO EXPLOIT_KIT Astrum EK Flash Exploit URI Struct (exploit_kit.rules)
  • 2822217 - ETPRO EXPLOIT_KIT Astrum EK Payload Download (exploit_kit.rules)
  • 2822442 - ETPRO PHISHING Multibank Phishing Landing/Redirect (NL) M1 2016-10-06 (phishing.rules)
  • 2822443 - ETPRO PHISHING SNS Bank Phishing Landing/Redirect (NL) M1 2016-10-06 (phishing.rules)
  • 2822444 - ETPRO PHISHING SNS Bank Phishing Landing/Redirect/ (NL) M2 2016-10-06 (phishing.rules)
  • 2822445 - ETPRO PHISHING ASN/Regio Bank Phishing Landing/Redirect (NL) M1 2016-10-06 (phishing.rules)
  • 2822446 - ETPRO PHISHING ASN/Regio Bank Phishing Landing/Redirect (NL) M2 2016-10-06 (phishing.rules)
  • 2822447 - ETPRO PHISHING Multibank Phishing Landing/Redirect (NL) M2 2016-10-06 (phishing.rules)
  • 2822683 - ETPRO MALWARE MSIL/Exotic Ransomware Image Request (malware.rules)
  • 2822935 - ETPRO PHISHING Paypal Phishing Landing M2 Oct 26 2016 (phishing.rules)
  • 2822979 - ETPRO EXPLOIT_KIT Possible Bizarro SunDown Payload (exploit_kit.rules)
  • 2823170 - ETPRO MALWARE MalDoc Requesting Payload Nov 08 (malware.rules)
  • 2823194 - ETPRO MALWARE Win32/Enigma Ransomware Requesting Payload (malware.rules)
  • 2823253 - ETPRO MALWARE MalDoc Requesting Payload Nov 14 2016 (malware.rules)
  • 2823269 - ETPRO PHISHING Successful Personalized Realtor.com Phish Nov 15 2016 (phishing.rules)
  • 2823332 - ETPRO EXPLOIT_KIT Evil iframe Redirect to EK Nov 17 2016 (exploit_kit.rules)
  • 2823519 - ETPRO MALWARE MSIL.VindowsLocker Ransomware Checkin via Pastebin (malware.rules)
  • 2823672 - ETPRO MALWARE LatentBot HTTP POST CnC (malware.rules)
  • 2823854 - ETPRO EXPLOIT_KIT SunDown EK Landing Dec 13 2016 (exploit_kit.rules)
  • 2823858 - ETPRO MALWARE W32.Shigo Ransomware Checkin (malware.rules)
  • 2823930 - ETPRO ADWARE_PUP MSIL/TrojanDownloader.AdLoad.AZ Activity (adware_pup.rules)
  • 2824050 - ETPRO EXPLOIT_KIT SunDown EK Landing Dec 27 2016 (exploit_kit.rules)
  • 2824186 - ETPRO MALWARE fs0ciety Bot CnC Activity (malware.rules)
  • 2824191 - ETPRO EXPLOIT_KIT SunDown EK Landing Jan 04 2016 (exploit_kit.rules)
  • 2824257 - ETPRO MALWARE MM Core Retrieving Payload (malware.rules)
  • 2824341 - ETPRO PHISHING Successful Paypal Phish M3 Jan 10 2017 (phishing.rules)
  • 2824427 - ETPRO EXPLOIT_KIT Possible SunDownEK Payload Jan 13 2017 (exploit_kit.rules)
  • 2824435 - ETPRO PHISHING Successful Santander Bank Phish M2 Jan 13 2017 (phishing.rules)
  • 2824550 - ETPRO EXPLOIT_KIT SunDown EK Landing Jan 20 2016 M1 (exploit_kit.rules)
  • 2824589 - ETPRO MALWARE Zyklon Botnet IP Check (malware.rules)
  • 2824617 - ETPRO MALWARE Greenbug Ismdoor Checkin (malware.rules)
  • 2824639 - ETPRO MALWARE Win32/CryptFile2 Ransomware OS Check Response (malware.rules)
  • 2824713 - ETPRO PHISHING Successful Turbotax Phish Jan 31 2017 (phishing.rules)
  • 2825136 - ETPRO PHISHING Successful Generic Phish Feb 24 2017 (phishing.rules)
  • 2825226 - ETPRO MALWARE Helminth/Oilrig CnC Beacon 2 (malware.rules)
  • 2825698 - ETPRO MALWARE MSIL/Downloader Downloading NetwireRAT (malware.rules)
  • 2826158 - ETPRO PHISHING Successful Amazon Phish via JS Form in PDF Apr 27 2017 (phishing.rules)
  • 2827260 - ETPRO MALWARE MalDoc Retrieving Payload July 20 2017 M2 (malware.rules)
  • 2827264 - ETPRO MALWARE MSIL/CoinMiner.WS Variant CnC Checkin (malware.rules)
  • 2827505 - ETPRO MALWARE Locky Payload DL 2017-08-11 (malware.rules)
  • 2827665 - ETPRO WEB_CLIENT SocEng DL Landing Page Aug 25 2017 (web_client.rules)
  • 2827760 - ETPRO WEB_CLIENT FakeAV/TechSupport Scam Aug 30 2017 (web_client.rules)
  • 2828206 - ETPRO MALWARE APT.Vemics CnC Beacon (malware.rules)
  • 2828275 - ETPRO PHISHING Anonisma Phishing CSS M3 Oct 12 2017 (phishing.rules)
  • 2828314 - ETPRO MALWARE Magniber Ransomware Checkin 1 (malware.rules)
  • 2828315 - ETPRO MALWARE Magniber Ransomware Checkin 2 (malware.rules)
  • 2828316 - ETPRO MALWARE Orz JavaScript Backdoor Sending Password to CnC (malware.rules)
  • 2828343 - ETPRO MALWARE MalDoc Checkin Oct 2017 (malware.rules)
  • 2828426 - ETPRO MALWARE JS/Locky Downloader Checkin (malware.rules)
  • 2829670 - ETPRO PHISHING Successful USAA Phish 2018-02-14 M4 (phishing.rules)
  • 2830245 - ETPRO POLICY Request for CSS File Returning Executable (policy.rules)
  • 2832589 - ETPRO PHISHING Successful Booking.com Phish 2018-09-13 M1 (phishing.rules)

Disabled and modified rules:

  • 2046150 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Screenshot) (malware.rules)
  • 2046151 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (System Information) (malware.rules)
  • 2046152 - ET MALWARE [ANY.RUN] Win32/ObserverStealer CnC Activity (Check-in) (malware.rules)
  • 2049444 - ET INFO Observed DNS Over HTTPS Domain (vn .dns .abpvn .com in TLS SNI) (info.rules)
  • 2049449 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metahelpservice .net) (malware.rules)
  • 2049450 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (xn--metaspport-v43e .com) (malware.rules)
  • 2049451 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metaemailsecurity .net) (malware.rules)
  • 2049452 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupportmail .co) (malware.rules)
  • 2049453 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasecurityemail .org) (malware.rules)
  • 2049454 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metaemailsecurity .com) (malware.rules)
  • 2049455 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (metasupportmail .com) (malware.rules)
  • 2049456 - ET MALWARE Suspected TA453 Related Domain in DNS Lookup (igsecurity .email) (malware.rules)
  • 2049457 - ET MALWARE Observed Suspected TA453 Related Domain (metahelpservice .net in TLS SNI) (malware.rules)
  • 2049458 - ET MALWARE Observed Suspected TA453 Related Domain (xn--metaspport-v43e .com in TLS SNI) (malware.rules)
  • 2049459 - ET MALWARE Observed Suspected TA453 Related Domain (metaemailsecurity .net in TLS SNI) (malware.rules)
  • 2049460 - ET MALWARE Observed Suspected TA453 Related Domain (metasupportmail .co in TLS SNI) (malware.rules)
  • 2049461 - ET MALWARE Observed Suspected TA453 Related Domain (metasecurityemail .org in TLS SNI) (malware.rules)
  • 2049462 - ET MALWARE Observed Suspected TA453 Related Domain (metaemailsecurity .com in TLS SNI) (malware.rules)
  • 2049463 - ET MALWARE Observed Suspected TA453 Related Domain (metasupportmail .com in TLS SNI) (malware.rules)
  • 2049464 - ET MALWARE Observed Suspected TA453 Related Domain (igsecurity .email in TLS SNI) (malware.rules)