Ruleset Update Summary - 2024/04/01 - v10564

rulesbot · April 1, 2024, 7:36pm

Summary:

18 new OPEN, 20 new PRO (18 + 2)

Added rules:

Open:

2051870 - ET HUNTING Possible External IP Check (hunting.rules)
2051871 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (directorryversionyju .shop) (malware.rules)
2051872 - ET MALWARE Observed Lumma Stealer Related Domain (directorryversionyju .shop in TLS SNI) (malware.rules)
2051873 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (respectpitchadopwo .shop) (malware.rules)
2051874 - ET MALWARE Observed Lumma Stealer Related Domain (respectpitchadopwo .shop in TLS SNI) (malware.rules)
2051875 - ET INFO Observed DNS Over HTTPS Domain (dns .doh .best in TLS SNI) (info.rules)
2051876 - ET INFO Observed DNS Over HTTPS Domain (truta .org in TLS SNI) (info.rules)
2051877 - ET INFO Observed DNS Over HTTPS Domain (dns .spirio .fr in TLS SNI) (info.rules)
2051878 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (discovus .com) (exploit_kit.rules)
2051879 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mtlaikins .com) (exploit_kit.rules)
2051880 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (arquivisticalocal .com) (exploit_kit.rules)
2051881 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (discovus .com) (exploit_kit.rules)
2051882 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mtlaikins .com) (exploit_kit.rules)
2051883 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (arquivisticalocal .com) (exploit_kit.rules)
2051884 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apifetchmethod .com) (exploit_kit.rules)
2051885 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apifetchmethod .com) (exploit_kit.rules)
2051886 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .schedule .golfballnutz .com) (malware.rules)
2051887 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .schedule .golfballnutz .com) (malware.rules)

Pro:

2856565 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2856566 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)

Disabled and modified rules:

2019851 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019852 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019853 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019854 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019855 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019856 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019857 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019858 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019859 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019860 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019861 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019862 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019863 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019864 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019865 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019866 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019867 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019868 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019869 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019870 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019871 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2020292 - ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains (malware.rules)
2020713 - ET MALWARE 9002 RAT C&C DNS request (malware.rules)
2047881 - ET MALWARE TA409 Related DNS Lookup (navercorp .ru) (malware.rules)
2047882 - ET MALWARE Observed TA409 Related Domain (navercorp .ru in TLS SNI) (malware.rules)
2049877 - ET MALWARE Observed Lumma Stealer Related Domain (carstirgapcheatdeposwte .pw in TLS SNI) (malware.rules)
2049878 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pw) (malware.rules)
2049881 - ET MALWARE Observed Lumma Stealer Related Domain (opposesicknessopw .pw in TLS SNI) (malware.rules)
2803777 - ETPRO ADWARE_PUP Numerical .pdl Domain Likely Malware Related (adware_pup.rules)
2803778 - ETPRO ADWARE_PUP Numerical .pf Domain Likely Malware Related (adware_pup.rules)
2809575 - ETPRO MALWARE Potential PlugX DNS Command and Control via TXT queries (malware.rules)
2810142 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
2810143 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
2810145 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
2810701 - ETPRO MALWARE Likely Win32/Obvod.H DNS Lookup (malware.rules)
2839439 - ETPRO MALWARE Observed Mirai Variant UA (system_file/2.0) (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/03/25 - v10559 Ruleset Updates	177	March 25, 2024
Ruleset Update Summary - 2024/02/05 - v10524 Ruleset Updates	336	February 5, 2024
Ruleset Update Summary - 2024/04/30 - v10586 Ruleset Updates	60	April 30, 2024
Ruleset Update Summary - 2024/02/09 - v10528 Ruleset Updates	375	February 9, 2024
Ruleset Update Summary - 2024/01/08 - v10501 Ruleset Updates	438	January 8, 2024

Ruleset Update Summary - 2024/04/01 - v10564

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Related Topics