Ruleset Update Summary - 2024/03/25 - v10559

Summary:

26 new OPEN, 28 new PRO (26 + 2)
Added rules:

Open:

  • 2051772 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (prematuresolvehumoew .shop) (malware.rules)
  • 2051773 - ET MALWARE Observed Lumma Stealer Related Domain (prematuresolvehumoew .shop in TLS SNI) (malware.rules)
  • 2051774 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (spokespersonunjuriwo .shop) (malware.rules)
  • 2051775 - ET MALWARE Observed Lumma Stealer Related Domain (spokespersonunjuriwo .shop in TLS SNI) (malware.rules)
  • 2051776 - ET INFO Observed DNS Over HTTPS Domain (doh .abraservice .xyz in TLS SNI) (info.rules)
  • 2051777 - ET INFO Observed DNS Over HTTPS Domain (agent .frankutils .xyz in TLS SNI) (info.rules)
  • 2051778 - ET INFO Observed DNS Over HTTPS Domain (dns .ipty .de in TLS SNI) (info.rules)
  • 2051779 - ET INFO Observed DNS Over HTTPS Domain (dns .r9x .cc in TLS SNI) (info.rules)
  • 2051780 - ET INFO Observed DNS Over HTTPS Domain (adguard .jakinet .id in TLS SNI) (info.rules)
  • 2051781 - ET INFO Observed DNS Over HTTPS Domain (dns1 .saferbfc .org in TLS SNI) (info.rules)
  • 2051782 - ET MALWARE Win32/Bumblebee Loader Related Download Activity (GET) (malware.rules)
  • 2051783 - ET MALWARE Python Typo Squatting Domain in DNS Lookup (files .pypihosted .org) (malware.rules)
  • 2051784 - ET MALWARE Python Typosquatting Domain (files .pypihosted .org) in TLS SNI (malware.rules)
  • 2051785 - ET EXPLOIT Possible Uniview IPC2322lb updatecpld Restricted Shell Bypass Attempt (exploit.rules)
  • 2051786 - ET EXPLOIT Uniview IPC2322lb Authentication Bypass Attempt - RSA Public Key Parameter Retrieval (exploit.rules)
  • 2051787 - ET EXPLOIT Possible Uniview IPC2322lb Authentication Bypass Attempt - Admin Password Reset Attempt (exploit.rules)
  • 2051788 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .catching .fishingrealinvestments .com) (malware.rules)
  • 2051789 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .catching .fishingrealinvestments .com) (malware.rules)
  • 2051790 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apistoragecache .com) (exploit_kit.rules)
  • 2051791 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apistoragecache .com) (exploit_kit.rules)
  • 2051792 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jsluna .com) (exploit_kit.rules)
  • 2051793 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jsluna .com) (exploit_kit.rules)
  • 2051794 - ET EXPLOIT_KIT TA569 Middleware Domain in DNS Lookup (lyddemper .com) (exploit_kit.rules)
  • 2051795 - ET EXPLOIT_KIT TA569 Middleware Domain in TLS SNI (lyddemper .com) (exploit_kit.rules)
  • 2051796 - ET MALWARE SocGholish Domain in DNS Lookup (camps .topgunnbaseball .com) (malware.rules)
  • 2051797 - ET MALWARE SocGholish Domain in TLS SNI (camps .topgunnbaseball .com) (malware.rules)

Pro:

  • 2856552 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856553 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2007673 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (1) (malware.rules)
  • 2007674 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (2) (malware.rules)
  • 2007675 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (3) (malware.rules)
  • 2007676 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (4) (malware.rules)
  • 2007677 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (5) (malware.rules)
  • 2007678 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (1) (malware.rules)
  • 2007679 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (2) (malware.rules)
  • 2007680 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (3) (malware.rules)
  • 2007681 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (4) (malware.rules)
  • 2007682 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (5) (malware.rules)
  • 2012284 - ET MALWARE SpyEye Post_Express_Label ftpgrabber check-in (malware.rules)
  • 2015719 - ET MALWARE DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12 (malware.rules)
  • 2015720 - ET MALWARE DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12 (malware.rules)
  • 2015721 - ET MALWARE DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12 (malware.rules)
  • 2015722 - ET MALWARE DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12 (malware.rules)
  • 2015728 - ET MALWARE DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12 (malware.rules)
  • 2016662 - ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts (p2p.rules)
  • 2800514 - ETPRO WEB_CLIENT IBM Informix Client SDK NFX File Processing Stack Buffer Overflow (web_client.rules)
  • 2803494 - ETPRO MALWARE Common Downloader POST Header Pattern POST ACtHUCo data= (malware.rules)
  • 2803681 - ETPRO MALWARE Trojan.Win32.Syswrt.dvd Checkin 1 (malware.rules)
  • 2805176 - ETPRO MALWARE Backdoor.Zemra Checkin (malware.rules)
  • 2806836 - ETPRO MALWARE zbot-variant fetching instagram data to send spam (malware.rules)
  • 2811608 - ETPRO MALWARE Upatre Common URI Struct Jun 19 2015 (malware.rules)
  • 2815214 - ETPRO EXPLOIT_KIT Possible Nuclear EK Payload Dec 06 2015 (exploit_kit.rules)
  • 2820645 - ETPRO EXPLOIT Novell eDirectory NDS Server Host Header Overflow (CVE-2006-5478) (exploit.rules)
  • 2826134 - ETPRO EXPLOIT_KIT Astrum EK Activity M2 Apr 26 2017 (exploit_kit.rules)

Disabled and modified rules:

  • 2001808 - ET P2P LimeWire P2P Traffic (p2p.rules)
  • 2016283 - ET WEB_SPECIFIC_APPS Openconstructor CMS keyword Parameter Cross Site Scripting Attempt (web_specific_apps.rules)
  • 2016337 - ET WEB_SPECIFIC_APPS WordPress Chocolate WP Theme src Cross Site Scripting Attempt (web_specific_apps.rules)
  • 2033218 - ET PHISHING Observed Possible Phishing 2021-06-29 (phishing.rules)
  • 2049838 - ET MALWARE Observed Lumma Stealer Related Domain (agedelayglacierwe .pw in TLS SNI) (malware.rules)
  • 2049839 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (agedelayglacierwe .pw) (malware.rules)
  • 2049842 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (chincenterblandwka .pw) (malware.rules)
  • 2049843 - ET MALWARE Observed Lumma Stealer Related Domain (chincenterblandwka .pw in TLS SNI) (malware.rules)
  • 2049844 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (neighborhoodfeelsa .fun) (malware.rules)
  • 2049845 - ET MALWARE Observed Lumma Stealer Related Domain (neighborhoodfeelsa .fun in TLS SNI) (malware.rules)
  • 2803795 - ETPRO MALWARE Worm.Win32.Ackantta.B via SMTP flowbit set 1 (malware.rules)
  • 2803797 - ETPRO MALWARE Worm.Win32.Ackantta.B via SMTP flowbit set 2 (malware.rules)
  • 2803799 - ETPRO MALWARE Worm.Win32.Ackantta.B via SMTP flowbit set 3 (malware.rules)
  • 2804508 - ETPRO WEB_CLIENT Microsoft .NET Framework System.Uri.ReCreateParts method remote code execution - SET (web_client.rules)
  • 2805372 - ETPRO INFO Google Detection page unusual traffic from computer network (info.rules)
  • 2805493 - ETPRO ADWARE_PUP AdWare.Win32.DirectDown.A Install (adware_pup.rules)
  • 2805628 - ETPRO ADWARE_PUP Adware-Fenomen Install (adware_pup.rules)
  • 2805629 - ETPRO POLICY TornTV data download starter (policy.rules)
  • 2809252 - ETPRO MALWARE W32/Tepfer.InfoStealer Dropping Files (malware.rules)
  • 2811461 - ETPRO MALWARE Worm.Win32.Ackantta.B spreading via SMTP - SET 4 (malware.rules)