Ruleset Update Summary - 2024/04/03 - v10566

Summary:

7 new OPEN, 7 new PRO (7 + 0)


Added rules:

Open:

  • 2051908 - ET MALWARE Win32/FireStealer Related Activity M2 (POST) (malware.rules)
  • 2051909 - ET MALWARE Win32/FireStealer Related Server Response (malware.rules)
  • 2051910 - ET MALWARE Arechclient2 Backdoor/SecTopRAT Related Activity (malware.rules)
  • 2051911 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (yappiexpress .com) (exploit_kit.rules)
  • 2051912 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (emonteiroadm .com) (exploit_kit.rules)
  • 2051913 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (yappiexpress .com) (exploit_kit.rules)
  • 2051914 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (emonteiroadm .com) (exploit_kit.rules)

Modified inactive rules:

  • 2019504 - ET MALWARE BlackEnergy SSL Cert (malware.rules)
  • 2019890 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020104 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC) (malware.rules)
  • 2020205 - ET MALWARE Possible Mailer Dropped by Dyre SSL Cert (malware.rules)
  • 2020217 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2021980 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2021993 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022004 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022385 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022397 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022489 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022521 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022522 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2800008 - ETPRO WEB_SERVER PHP memory_limit Exploit Attempt (web_server.rules)
  • 2809981 - ETPRO MALWARE FakeAV.ATWK SSL Cert (malware.rules)
  • 2810749 - ETPRO MALWARE Win32/Cromptui.C Possible SSL Cert (malware.rules)
  • 2819852 - ETPRO MALWARE Win32/Etumbot.G CnC SSL Certificate Detected (malware.rules)

Disabled and modified rules:

  • 2023423 - ET MALWARE APT28/Sednit SSL Cert (malware.rules)
  • 2023490 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023496 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
  • 2023572 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023727 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC) (malware.rules)
  • 2023931 - ET MALWARE APT29 Cache_DLL SSL Cert (malware.rules)
  • 2024361 - ET EXPLOIT_KIT SunDown EK RIP Landing M3 B643 (exploit_kit.rules)
  • 2024845 - ET WEB_CLIENT Tech Support Phone Scam Landing M2 Oct 16 2016 (web_client.rules)
  • 2050550 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ripnoticebook .com) (exploit_kit.rules)
  • 2050551 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (andiandnoah .com) (exploit_kit.rules)
  • 2050552 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ghostcitygames .com) (exploit_kit.rules)
  • 2050553 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ripnoticebook .com) (exploit_kit.rules)
  • 2050554 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (andiandnoah .com) (exploit_kit.rules)
  • 2050555 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ghostcitygames .com) (exploit_kit.rules)
  • 2050679 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (cdn3-jquery .info) (exploit_kit.rules)
  • 2050680 - ET EXPLOIT_KIT Fake Browser Update Domain in DNS Lookup (telotrace .com) (exploit_kit.rules)
  • 2050681 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (cdn3-jquery .info) (exploit_kit.rules)
  • 2050682 - ET EXPLOIT_KIT Fake Browser Update Domain in TLS SNI (telotrace .com) (exploit_kit.rules)
  • 2822298 - ETPRO MALWARE iSpy/HawkSpy/HawkEye Keylogger PWS Exfil via HTTP (malware.rules)
  • 2822632 - ETPRO MALWARE Unknown PWS Sending Exfil via FTP (malware.rules)
  • 2823044 - ETPRO MALWARE W32.Dreambot Checkin (malware.rules)
  • 2823232 - ETPRO MALWARE Linux/Mr.Black.DDoS Checkin (malware.rules)
  • 2823233 - ETPRO MALWARE Linux/Mr.Black.DDoS Keep-Alive (malware.rules)
  • 2823811 - ETPRO EXPLOIT_KIT DNSChanger EK DNS Reply Adfraud Server 1 Dec 12 2016 (exploit_kit.rules)
  • 2823812 - ETPRO EXPLOIT_KIT DNSChanger EK DNS Reply Adfraud Server 2 Dec 12 2016 (exploit_kit.rules)
  • 2823895 - ETPRO MALWARE Chthonic TCP Domain Lookup 11 (malware.rules)
  • 2823947 - ETPRO MALWARE Chthonic TCP Domain Lookup 12 (malware.rules)
  • 2824072 - ETPRO MALWARE Chthonic TCP Domain Lookup 03 (malware.rules)
  • 2824077 - ETPRO MALWARE Chthonic TCP Domain Lookup 08 (malware.rules)
  • 2824078 - ETPRO MALWARE Chthonic TCP Domain Lookup 09 (malware.rules)
  • 2824079 - ETPRO MALWARE Chthonic TCP Domain Lookup 10 (malware.rules)
  • 2824449 - ETPRO EXPLOIT_KIT GreenFlash SunDown EK Flash Exploit 2017-01-17 (exploit_kit.rules)
  • 2824625 - ETPRO MALWARE Win32.Androm.mgtq DNS Lookup (malware.rules)
  • 2824729 - ETPRO MALWARE MSIL/Unk.Keylogger Checkin via SMTP (malware.rules)
  • 2825096 - ETPRO MALWARE Bladabindi/njRAT Variant CnC Checkin (Mr.motaz) (malware.rules)
  • 2826639 - ETPRO MALWARE Malicious SSL certificate detected (PupyRat) (malware.rules)
  • 2829586 - ETPRO MALWARE Trensil.B Checkin (malware.rules)
  • 2855480 - ETPRO EXPLOIT_KIT WordPress Malicious Admin Creation Domain in DNS Lookup (exploit_kit.rules)
  • 2855481 - ETPRO EXPLOIT_KIT WordPress Malicious Admin Creation Domain in TLS SNI (exploit_kit.rules)
  • 2856494 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)