Ruleset Update Summary - 2024/03/26 - v10560

Summary:

11 new OPEN, 11 new PRO (11 + 0)

Thanks @BlackLotusLabs, @SecureWithHUMAN
Added rules:

Open:

  • 2012327 - ET HUNTING All Numerical .cn Domain Likely Malware Related (hunting.rules)
  • 2012328 - ET HUNTING All Numerical .ru Domain Lookup Likely Malware Related (hunting.rules)
  • 2051798 - ET MALWARE Residential Proxy Service Domain in DNS Lookup (asocks .com) (malware.rules)
  • 2051799 - ET MALWARE Residential Proxy Service Domain in DNS Lookup (broxy .one) (malware.rules)
  • 2051800 - ET MALWARE Residential Proxy Service Domain (asocks .com) in TLS SNI (malware.rules)
  • 2051801 - ET MALWARE Residential Proxy Service Domain (broxy .one) in TLS SNI (malware.rules)
  • 2051802 - ET MOBILE_MALWARE Android/ProxyLib Related Domain in DNS Lookup (nsignal .net) (mobile_malware.rules)
  • 2051803 - ET MOBILE_MALWARE Android/ProxyLib Related Domain in DNS Lookup (lumiapps .io) (mobile_malware.rules)
  • 2051804 - ET MOBILE_MALWARE Android/ProxyLib Related Domain (nsignal .net) in TLS SNI (mobile_malware.rules)
  • 2051805 - ET MOBILE_MALWARE Android/ProxyLib Related Domain (lumiapps .io) in TLS SNI (mobile_malware.rules)
  • 2051806 - ET MALWARE TheMoon CnC Checkin (malware.rules)

Modified inactive rules:

  • 2015600 - ET MALWARE DNS Query Gauss Domain *.dotnetadvisor.info (malware.rules)
  • 2015721 - ET MALWARE DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12 (malware.rules)
  • 2015730 - ET MALWARE DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12 (malware.rules)
  • 2022372 - ET PHISHING Chrome Extension Phishing DNS Request (phishing.rules)
  • 2023180 - ET PHISHING DNS Query to Ebay Phishing Domain (phishing.rules)
  • 2023677 - ET MALWARE Tofsee DGA (2016-12-15 to 2017-05-04) (malware.rules)
  • 2023873 - ET POLICY DNS Query to Hamas Terrorist Propaganda TV Channel (aqsatv .ps) (policy.rules)
  • 2027759 - ET DNS Query for .co TLD (dns.rules)
  • 2820179 - ETPRO MALWARE CryptXXX Possible Payment Page (malware.rules)

Disabled and modified rules:

  • 2018879 - ET POLICY onion.cab tor2web .onion Proxy domain in SNI (policy.rules)
  • 2020223 - ET MALWARE Known Sinkhole Response abuse.ch (malware.rules)
  • 2020289 - ET MALWARE Possible Dyre SSL Cert Jan 22 2015 (malware.rules)
  • 2020329 - ET MALWARE Unknown Mailer CnC Beacon 2 (malware.rules)
  • 2020372 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2020493 - ET MALWARE SuperFish Possible SSL Cert Signed By Compromised Root CA (malware.rules)
  • 2020621 - ET MALWARE Trojan.Bayrob Keepalive (malware.rules)
  • 2020622 - ET MALWARE rechnung zip file download (malware.rules)
  • 2050336 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (suezey .com) (exploit_kit.rules)
  • 2050337 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (appboltonik .com) (exploit_kit.rules)
  • 2050338 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (suezey .com) (exploit_kit.rules)
  • 2050339 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (appboltonik .com) (exploit_kit.rules)
  • 2050358 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .colors .usajicgu .com) (malware.rules)
  • 2050359 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .colors .usajicgu .com) (malware.rules)
  • 2050360 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (bonustop-price .life) (exploit_kit.rules)
  • 2050361 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (allprizeshub .life) (exploit_kit.rules)
  • 2050362 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (greatbonushere .top) (exploit_kit.rules)
  • 2050363 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (prizes-topwin .life) (exploit_kit.rules)
  • 2050364 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (womanflirting .life) (exploit_kit.rules)
  • 2050365 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (a .crystalcraft .top) (exploit_kit.rules)
  • 2050366 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (logsmetrics .com) (exploit_kit.rules)
  • 2050367 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (webdatatrace .com) (exploit_kit.rules)
  • 2050368 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (bonustop-price .life) (exploit_kit.rules)
  • 2050369 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (allprizeshub .life) (exploit_kit.rules)
  • 2050370 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (greatbonushere .top) (exploit_kit.rules)
  • 2050371 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (prizes-topwin .life) (exploit_kit.rules)
  • 2050372 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (womanflirting .life) (exploit_kit.rules)
  • 2050373 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (a .crystalcraft .top) (exploit_kit.rules)
  • 2050374 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (logsmetrics .com) (exploit_kit.rules)
  • 2050375 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (webdatatrace .com) (exploit_kit.rules)
  • 2050438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (climosfevelt .com) (exploit_kit.rules)
  • 2050439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (climosfevelt .com) (exploit_kit.rules)
  • 2050452 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (ping .cachespace .net) (exploit_kit.rules)
  • 2050453 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (sync .webappclick .net) (exploit_kit.rules)
  • 2050454 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (storage .webfiledata .com) (exploit_kit.rules)
  • 2050461 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (ping .cachespace .net) (exploit_kit.rules)
  • 2050462 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (sync .webappclick .net) (exploit_kit.rules)
  • 2050463 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (storage .webfiledata .com) (exploit_kit.rules)
  • 2050500 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (visitclouds .com) (exploit_kit.rules)
  • 2050501 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (visitclouds .com) (exploit_kit.rules)
  • 2050515 - ET EXPLOIT_KIT VexTrio Domain in DNS Lookup (lookup-domain .com) (exploit_kit.rules)
  • 2050516 - ET EXPLOIT_KIT VexTrio Domain in TLS SNI (lookup-domain .com) (exploit_kit.rules)
  • 2809334 - ETPRO MALWARE VBS/Cechip.A SSH Banner Checkin (malware.rules)
  • 2809427 - ETPRO USER_AGENTS IE 10 on Windows 3.1 (user_agents.rules)
  • 2809539 - ETPRO ADWARE_PUP Adware.Win32.Itva HTTP Request (adware_pup.rules)
  • 2809541 - ETPRO ADWARE_PUP PUP DomainIQ Checkin (adware_pup.rules)
  • 2809564 - ETPRO MALWARE Win32/Zemot Checkin 2 (malware.rules)
  • 2809574 - ETPRO MALWARE Mal/Banker-EV CnC Beacon (malware.rules)
  • 2809606 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 1 (malware.rules)
  • 2809607 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 2 (malware.rules)
  • 2809608 - ETPRO MALWARE PWS.WIN32/BZUB DNS Query to CNAME related to cyber espionage 3 (malware.rules)
  • 2809628 - ETPRO MALWARE SiR-DoOoM worm CnC Beacon (malware.rules)
  • 2809637 - ETPRO MALWARE Kakfum/COLDSTEEL CnC Beacon 1 (malware.rules)
  • 2809847 - ETPRO MALWARE Generic KeyLogger SMTP CnC Beacon (malware.rules)
  • 2809850 - ETPRO MALWARE Cobalt Strike Covert DNS CnC Channel TXT Lookup (udp) (malware.rules)
  • 2809853 - ETPRO MALWARE Win32/Spy.Banker.PTM Checkin (malware.rules)
  • 2809876 - ETPRO MALWARE Win32/Agent.WPN CnC Beacon User-Agent (malware.rules)
  • 2809878 - ETPRO MALWARE Win32/Necurs Checkin 2 (malware.rules)
  • 2809915 - ETPRO MALWARE KrakenRAT Checkin (malware.rules)
  • 2809926 - ETPRO MALWARE Win32/TrojanProxy.Agent.AU Checkin (malware.rules)
  • 2809984 - ETPRO ADWARE_PUP Win32/Adware.ConvertAd CnC Beacon (adware_pup.rules)
  • 2856484 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

  • 2012327 - ET ADWARE_PUP All Numerical .cn Domain Likely Malware Related (adware_pup.rules)
  • 2012328 - ET ADWARE_PUP All Numerical .ru Domain Lookup Likely Malware Related (adware_pup.rules)
  • 2051716 - ET MALWARE DNS Query to Fenix Botnet Domain (d1kv9jqywn0dfi .cloudfront .net) (malware.rules)
  • 2051734 - ET MALWARE Observed Fenix Botnet Domain (d1kv9jqywn0dfi .cloudfront .net in TLS SNI) (malware.rules)