Ruleset Update Summary - 2024/04/01 - v10564

Summary:

18 new OPEN, 20 new PRO (18 + 2)


Added rules:

Open:

  • 2051870 - ET HUNTING Possible External IP Check (hunting.rules)
  • 2051871 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (directorryversionyju .shop) (malware.rules)
  • 2051872 - ET MALWARE Observed Lumma Stealer Related Domain (directorryversionyju .shop in TLS SNI) (malware.rules)
  • 2051873 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (respectpitchadopwo .shop) (malware.rules)
  • 2051874 - ET MALWARE Observed Lumma Stealer Related Domain (respectpitchadopwo .shop in TLS SNI) (malware.rules)
  • 2051875 - ET INFO Observed DNS Over HTTPS Domain (dns .doh .best in TLS SNI) (info.rules)
  • 2051876 - ET INFO Observed DNS Over HTTPS Domain (truta .org in TLS SNI) (info.rules)
  • 2051877 - ET INFO Observed DNS Over HTTPS Domain (dns .spirio .fr in TLS SNI) (info.rules)
  • 2051878 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (discovus .com) (exploit_kit.rules)
  • 2051879 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mtlaikins .com) (exploit_kit.rules)
  • 2051880 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (arquivisticalocal .com) (exploit_kit.rules)
  • 2051881 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (discovus .com) (exploit_kit.rules)
  • 2051882 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mtlaikins .com) (exploit_kit.rules)
  • 2051883 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (arquivisticalocal .com) (exploit_kit.rules)
  • 2051884 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (apifetchmethod .com) (exploit_kit.rules)
  • 2051885 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (apifetchmethod .com) (exploit_kit.rules)
  • 2051886 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .schedule .golfballnutz .com) (malware.rules)
  • 2051887 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .schedule .golfballnutz .com) (malware.rules)

Pro:

  • 2856565 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856566 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)

Disabled and modified rules:

  • 2019851 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019852 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019853 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019854 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019855 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019856 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019857 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019858 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019859 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019860 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019861 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019862 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019863 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019864 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019865 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019866 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019867 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019868 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019869 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019870 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019871 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2020292 - ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains (malware.rules)
  • 2020713 - ET MALWARE 9002 RAT C&C DNS request (malware.rules)
  • 2047881 - ET MALWARE TA409 Related DNS Lookup (navercorp .ru) (malware.rules)
  • 2047882 - ET MALWARE Observed TA409 Related Domain (navercorp .ru in TLS SNI) (malware.rules)
  • 2049877 - ET MALWARE Observed Lumma Stealer Related Domain (carstirgapcheatdeposwte .pw in TLS SNI) (malware.rules)
  • 2049878 - ET MALWARE Lumma Stealer Related Domain in DNS Lookup (recessionconceptjetwe .pw) (malware.rules)
  • 2049881 - ET MALWARE Observed Lumma Stealer Related Domain (opposesicknessopw .pw in TLS SNI) (malware.rules)
  • 2803777 - ETPRO ADWARE_PUP Numerical .pdl Domain Likely Malware Related (adware_pup.rules)
  • 2803778 - ETPRO ADWARE_PUP Numerical .pf Domain Likely Malware Related (adware_pup.rules)
  • 2809575 - ETPRO MALWARE Potential PlugX DNS Command and Control via TXT queries (malware.rules)
  • 2810142 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
  • 2810143 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
  • 2810145 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
  • 2810701 - ETPRO MALWARE Likely Win32/Obvod.H DNS Lookup (malware.rules)
  • 2839439 - ETPRO MALWARE Observed Mirai Variant UA (system_file/2.0) (malware.rules)