Ruleset Update Summary - 2024/04/09 - v10571

Summary:

6 new OPEN, 13 new PRO (6 + 7)

Thanks @sensepost
Added rules:

Open:

  • 2051961 - ET WEB_SPECIFIC_APPS ReCrystallize Server Possible Authentication Bypass Attempt via AdminUsername Cookie (CVE-2024-26331) (web_specific_apps.rules)
  • 2051962 - ET WEB_SPECIFIC_APPS ReCrystallize Server Possible Authentication Bypass Attempt via AdminUsername Cookie (CVE-2024-26331) and Arbitrary File Upload via FileManagement.aspx (CVE-2024-28269) (web_specific_apps.rules)
  • 2051963 - ET WEB_SPECIFIC_APPS ReCrystallize Server DownloadFile.aspx Abuse (web_specific_apps.rules)
  • 2051964 - ET WEB_SPECIFIC_APPS ReCrystallize Server ViewReport.aspx Abuse (web_specific_apps.rules)
  • 2051965 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .loans .fishingreelinvestments .com) (malware.rules)
  • 2051966 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .loans .fishingreelinvestments .com) (malware.rules)

Pro:

  • 2856586 - ETPRO MALWARE RustyGate Bot Activity (POST) M1 (malware.rules)
  • 2856587 - ETPRO MALWARE RustyGate Bot Activity (POST) M2 (malware.rules)
  • 2856588 - ETPRO MALWARE Observed Malicious SSL Cert (RustyGate Bot Related) (malware.rules)
  • 2856589 - ETPRO MALWARE Malicious Payload Delivery Domain in DNS Lookup (malware.rules)
  • 2856590 - ETPRO MALWARE Malicious Payload Delivery Domain in TLS SNI (malware.rules)
  • 2856591 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2856592 - ETPRO MALWARE TA582 Domain in HTTP HOST (malware.rules)

Modified inactive rules:

  • 2011234 - ET MALWARE Cosmu Process Dump Report (malware.rules)
  • 2019009 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019070 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019151 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019153 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019192 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019708 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019721 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019839 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019879 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019962 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2019987 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020079 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020196 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020307 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020567 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020647 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020687 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020688 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020689 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2020697 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020735 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2020745 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020802 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021013 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) (malware.rules)
  • 2021016 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021063 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021106 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021112 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021186 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021315 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Possible Sinkhole) (malware.rules)
  • 2021339 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021340 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021341 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021342 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021343 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021344 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021345 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021346 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021347 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021348 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021349 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021350 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021353 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021355 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021375 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2021393 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021512 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021514 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021519 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021529 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021563 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2021596 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2021622 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022021 - ET MALWARE Malicious SSL certificate detected (Spy.Shiz CnC) (malware.rules)
  • 2808503 - ETPRO MALWARE Possible Win32/Zbot Serial Number in SSL Cert (malware.rules)
  • 2809855 - ETPRO MALWARE Backdoor.Win32.Androm.ghhv Possible SSL Cert (malware.rules)
  • 2809923 - ETPRO MALWARE Win32/Spy.Shiz.NCO SSL Cert (malware.rules)
  • 2811051 - ETPRO MALWARE KINS Possible SSL Cert (malware.rules)
  • 2812255 - ETPRO MALWARE Win32/Frethog.BP Possible SSL Cert (malware.rules)
  • 2812256 - ETPRO MALWARE Win32/Caphaw.D Possible SSL Cert (malware.rules)
  • 2812272 - ETPRO MALWARE KINS Possible SSL Cert (malware.rules)
  • 2814035 - ETPRO MALWARE Shifu SSL Cert (malware.rules)
  • 2815976 - ETPRO MALWARE CnC SSL Cert (malware.rules)
  • 2816053 - ETPRO MALWARE Possible Vawtrak Injects SSL Cert (malware.rules)
  • 2825200 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2825207 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2826050 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2826052 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2827117 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)

Disabled and modified rules:

  • 2011866 - ET HUNTING Suspicious Embedded Shockwave Flash In PDF (hunting.rules)
  • 2012511 - ET WEB_CLIENT Opera Window.Open document.cloneNode Null Pointer Deference Attempt (web_client.rules)
  • 2013473 - ET SCAN Apache mod_deflate DoS via many multiple byte Range values (scan.rules)
  • 2013861 - ET INFO Query for Suspicious .nl.ai Domain (info.rules)
  • 2013862 - ET INFO Query for Suspicious .xe.cx Domain (info.rules)
  • 2015576 - ET POLICY DNS Query to .onion proxy Domain (tor2web) (policy.rules)
  • 2021321 - ET MALWARE Gozi/Ursnif/Papras Grabftp Module Download (malware.rules)
  • 2021513 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)