Ruleset Update Summary - 2024/04/08 - v10570

Summary:

11 new OPEN, 19 new PRO (11 + 8)

Thanks @DeepInstinctSec
Added rules:

Open:

  • 2051950 - ET INFO Anonymous File Sharing Service Domain in DNS Lookup (info.rules)
  • 2051951 - ET INFO Observed Anonymous File Sharing Service Domain in TLS SNI (info.rules)
  • 2051952 - ET MALWARE MuddyWater APT Related CnC Domain in DNS Lookup (googleonlinee .com) (malware.rules)
  • 2051953 - ET MALWARE Observed MuddyWater APT Related Domain (googleonlinee .com in TLS SNI) (malware.rules)
  • 2051954 - ET INFO Observed DNS Over HTTPS Domain (voyage-s01 .cloudku .technology in TLS SNI) (info.rules)
  • 2051955 - ET WEB_SPECIFIC_APPS D-Link NAS devices Backdoor Account Access and Command Injection Attempt (CVE-2024-3273) (web_specific_apps.rules)
  • 2051956 - ET WEB_SPECIFIC_APPS Gambio E-Commerce Suite Deserialization of Untrusted Data (CVE-2024-23759) (web_specific_apps.rules)
  • 2051957 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fairfurryfriends .com) (exploit_kit.rules)
  • 2051958 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fairfurryfriends .com) (exploit_kit.rules)
  • 2051959 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .pool .hjdeboer .com) (malware.rules)
  • 2051960 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .schedule .golfballnutz .com) (malware.rules)

Pro:

  • 2856578 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856579 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)
  • 2856580 - ETPRO MALWARE CleanupLoader CnC Domain in DNS Lookup (malware.rules)
  • 2856581 - ETPRO MALWARE CleanupLoader CnC Domain in DNS Lookup (malware.rules)
  • 2856582 - ETPRO MALWARE CleanupLoader CnC Domain in DNS Lookup (malware.rules)
  • 2856583 - ETPRO MALWARE CleanupLoader CnC Domain in DNS Lookup (malware.rules)
  • 2856584 - ETPRO MALWARE CleanupLoader CnC Domain in DNS Lookup (malware.rules)
  • 2856585 - ETPRO MALWARE CleanupLoader CnC Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2014759 - ET MALWARE Trojan.BAT.Qhost Response from Controller (malware.rules)
  • 2015653 - ET MALWARE Rogue.Win32/Winwebsec Install (malware.rules)
  • 2018973 - ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D1 (malware.rules)
  • 2018974 - ET MALWARE Possible Dyre SSL Cert Aug 20 2014 D2 (malware.rules)
  • 2019069 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019104 - ET MALWARE Possible Dyre SSL Cert Sept 3 2014 (malware.rules)
  • 2019108 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019109 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019120 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019121 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Upatre C2) (malware.rules)
  • 2019122 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019135 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019147 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019148 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019150 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019152 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019173 - ET MALWARE Possible Dyre SSL Cert Sept 15 2014 (malware.rules)
  • 2019178 - ET MALWARE Possible Dyre SSL Cert Sept 16 2014 (malware.rules)
  • 2019200 - ET MALWARE Possible Dyre SSL Cert Sept 19 2014 (malware.rules)
  • 2019205 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019213 - ET MALWARE Possible Dyre SSL Cert Sept 22 2014 (malware.rules)
  • 2019225 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (malware.rules)
  • 2019275 - ET MALWARE Possible Dyre SSL Cert Sept 26 2014 (malware.rules)
  • 2019276 - ET MALWARE Possible Dyre SSL Cert Sept 26 2014 (malware.rules)
  • 2019305 - ET MALWARE Dyre SSL Cert 1 (malware.rules)
  • 2019306 - ET MALWARE Dyre SSL Cert 2 (malware.rules)
  • 2019307 - ET MALWARE Dyre SSL Cert 3 (malware.rules)
  • 2019317 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (malware.rules)
  • 2019319 - ET MALWARE Possible Dyre SSL Cert Sept 30 2014 (malware.rules)
  • 2019320 - ET MALWARE Possible Dyre SSL Cert Sept 30 2014 (malware.rules)
  • 2019328 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019329 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019330 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (UPATRE CnC) (malware.rules)
  • 2019342 - ET MALWARE Possible Dyre SSL Cert Oct 3 2014 (malware.rules)
  • 2019360 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019361 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019413 - ET MALWARE Possible Dyre SSL Cert Oct 15 2014 (malware.rules)
  • 2019419 - ET MALWARE Possible Dyre SSL Cert Oct 15 2014 (malware.rules)
  • 2019477 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019493 - ET MALWARE Possible Dyre SSL Cert Oct 22 2014 (malware.rules)
  • 2019494 - ET MALWARE Possible Dyre SSL Cert Oct 22 2014 (malware.rules)
  • 2019495 - ET MALWARE Possible Dyre SSL Cert Oct 22 2014 (malware.rules)
  • 2019520 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019521 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019522 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019523 - ET MALWARE Possible Dyre SSL Cert Oct 27 2014 (malware.rules)
  • 2019603 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019604 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019648 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019649 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019651 - ET MALWARE Possible Dyre SSL Cert Nov 05 2014 (malware.rules)
  • 2019670 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019671 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019691 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2019699 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019700 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019701 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019702 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019703 - ET MALWARE Possible Dyre SSL Cert Nov 11 2014 (malware.rules)
  • 2019705 - ET MALWARE Possible Dyre SSL Cert Nov 12 2014 (malware.rules)
  • 2019719 - ET MALWARE Possible Dyre SSL Cert Nov 17 2014 (malware.rules)
  • 2019813 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Hesperbot CnC) (malware.rules)
  • 2019814 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019815 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020149 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020187 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020218 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2020219 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020220 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020242 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2020313 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020314 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020322 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020331 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020625 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2020843 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020961 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021014 - ET MALWARE TorrentLocker SSL Cert (malware.rules)
  • 2021087 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021109 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021121 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021411 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC) (malware.rules)
  • 2021546 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2021636 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021688 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021704 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021717 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021722 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021731 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021732 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021750 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021751 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021771 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021784 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC) (malware.rules)
  • 2021802 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021803 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021804 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021816 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC) (malware.rules)
  • 2021819 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021824 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021895 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2021903 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2022058 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Shifu) (malware.rules)
  • 2022065 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu) (malware.rules)
  • 2022212 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC) (malware.rules)
  • 2022231 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022249 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022275 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC) (malware.rules)
  • 2022514 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022553 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC) (malware.rules)
  • 2022624 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Kasidet CnC) (malware.rules)
  • 2022713 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (malware.rules)
  • 2022880 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2808823 - ETPRO MALWARE Gozi/Ursnif/Papras SSL Cert (malware.rules)
  • 2808899 - ETPRO MALWARE Win32/Spy.Zbot.ACB SSL Cert (malware.rules)
  • 2811046 - ETPRO MALWARE TorrentLocker SSL Cert (malware.rules)
  • 2813092 - ETPRO MALWARE TorrentLocker SSL Cert (malware.rules)
  • 2814015 - ETPRO MALWARE TorrentLocker SSL Cert (malware.rules)
  • 2814027 - ETPRO MALWARE TorrentLocker SSL Cert (malware.rules)

Disabled and modified rules:

  • 2016567 - ET MALWARE Win32/Urausy.C Checkin 2 (malware.rules)
  • 2018094 - ET MALWARE DirtJumper Activity (malware.rules)
  • 2018208 - ET DOS Inbound GoldenEye DoS attack (dos.rules)
  • 2018242 - ET MALWARE Possible Zeus GameOver Connectivity Check (malware.rules)
  • 2018452 - ET MALWARE CryptoWall Check-in (malware.rules)
  • 2019344 - ET MALWARE FAKEIE Minimal Headers (flowbit set) (malware.rules)
  • 2019345 - ET MALWARE Possible CryptoLocker TorComponent DL (malware.rules)
  • 2019500 - ET MALWARE Vawtrak/NeverQuest Posting Data (malware.rules)
  • 2019501 - ET MALWARE Vawtrak/NeverQuest Posting Data (malware.rules)
  • 2020027 - ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1 (malware.rules)
  • 2022707 - ET MALWARE LuminosityLink - Data Channel Client Request 2 (malware.rules)
  • 2022709 - ET MALWARE LuminosityLink - CnC Password Exfil (malware.rules)
  • 2022710 - ET MALWARE LuminosityLink - CnC (malware.rules)
  • 2022907 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole) (malware.rules)
  • 2022908 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole) (malware.rules)
  • 2022948 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Malware C2) (malware.rules)
  • 2022953 - ET MALWARE Malicious SSL certificate detected (OSX/Keydnap CnC) (malware.rules)
  • 2022983 - ET MALWARE Possible Maldoc Downloading EXE Jul 26 2016 (malware.rules)
  • 2026002 - ET MALWARE [PTsecurity] Tinba (Banking Trojan) Check-in (malware.rules)
  • 2029176 - ET MALWARE Observed Buran Ransomware UA (malware.rules)
  • 2048357 - ET MALWARE AtlasAgent Activity (POST) (malware.rules)
  • 2051543 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (fieldtrollyeowskwe .shop) (malware.rules)
  • 2051544 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .fune) (malware.rules)
  • 2051545 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .fune) (malware.rules)
  • 2051546 - ET MALWARE Observed Lumma Stealer Related Domain (fieldtrollyeowskwe .shop in TLS SNI) (malware.rules)
  • 2051547 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .fune in TLS SNI) (malware.rules)
  • 2051548 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .fune in TLS SNI) (malware.rules)
  • 2051549 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lighterepisodeheighte .funs) (malware.rules)
  • 2051550 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (superemeboxlogosites .pro) (malware.rules)
  • 2051551 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (edurestunningcrackyow .funs) (malware.rules)
  • 2051552 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (pooreveningfuseor .pww) (malware.rules)
  • 2051553 - ET MALWARE Observed Lumma Stealer Related Domain (lighterepisodeheighte .funs in TLS SNI) (malware.rules)
  • 2051554 - ET MALWARE Observed Lumma Stealer Related Domain (superemeboxlogosites .pro in TLS SNI) (malware.rules)
  • 2051555 - ET MALWARE Observed Lumma Stealer Related Domain (edurestunningcrackyow .funs in TLS SNI) (malware.rules)
  • 2051556 - ET MALWARE Observed Lumma Stealer Related Domain (pooreveningfuseor .pww in TLS SNI) (malware.rules)
  • 2814961 - ETPRO MALWARE Possible Dyre SSL Cert Nov 17 2015 (malware.rules)
  • 2819813 - ETPRO MALWARE TorrentLocker DNS query to Domain *.dirtyslim.org (malware.rules)
  • 2820485 - ETPRO MALWARE TorrentLocker DNS query to Domain *.billmassanger.com (malware.rules)
  • 2820486 - ETPRO MALWARE DNS query to Win32/Kitkiot.A Domain (malware.rules)
  • 2820520 - ETPRO MALWARE TorrentLocker DNS query to Domain *.manybigtoys.com (malware.rules)
  • 2820538 - ETPRO MALWARE TorrentLocker DNS query to Domain *.gefryhard.org (malware.rules)
  • 2820560 - ETPRO MALWARE TorrentLocker DNS query to Domain *.pinterpoint.biz (malware.rules)
  • 2820575 - ETPRO MALWARE TorrentLocker DNS query to Domain *.businesnews.net (malware.rules)
  • 2820579 - ETPRO MALWARE iSpy Keylogger Exfil via FTP (malware.rules)
  • 2820583 - ETPRO MALWARE TorrentLocker DNS query to Domain pahrently.biz (malware.rules)
  • 2820585 - ETPRO MALWARE Ursnif DNS Query (malware.rules)
  • 2821144 - ETPRO MALWARE Backdoor.WaterTiger Checkin M1 (malware.rules)
  • 2821208 - ETPRO MALWARE HackTool Win32/ChromePass sending stolen data via SMTP 3 (malware.rules)
  • 2827512 - ETPRO MALWARE Win32/Unk.CoinMiner Activity (malware.rules)
  • 2827930 - ETPRO COINMINER CoinMiner Config Inbound (coinminer.rules)
  • 2828546 - ETPRO MALWARE Observed Malicious Coinminer Downloader Domain in SNI (malware.rules)
  • 2829925 - ETPRO MALWARE MSIL/MinerG8 CoinMiner CnC Response (malware.rules)