Ruleset Update Summary - 2024/05/07 - v10591

Summary:

49 new OPEN, 49 new PRO (49 + 0)

Thanks @naumovax, @500mk500

Added rules:

Open:

  • 2052455 - ET ADWARE_PUP Win32/Generic Loader Activity (GET) (adware_pup.rules)
  • 2052456 - ET INFO Observed DNS Over HTTPS Domain (dns .cr4zzy .xyz in TLS SNI) (info.rules)
  • 2052457 - ET MALWARE GhostRat CnC Checkin (malware.rules)
  • 2052458 - ET MALWARE DNS Query to Magecart Domain (vidkimob .quest) (malware.rules)
  • 2052459 - ET MALWARE DNS Query to Magecart Domain (znanielec .online) (malware.rules)
  • 2052460 - ET MALWARE DNS Query to Magecart Domain (setmic .shop) (malware.rules)
  • 2052461 - ET MALWARE DNS Query to Magecart Domain (intrgqc .site) (malware.rules)
  • 2052462 - ET MALWARE DNS Query to Magecart Domain (stabit .click) (malware.rules)
  • 2052463 - ET MALWARE DNS Query to Magecart Domain (beztech .site) (malware.rules)
  • 2052464 - ET MALWARE DNS Query to Magecart Domain (yanaloop .shop) (malware.rules)
  • 2052465 - ET MALWARE DNS Query to Magecart Domain (oitool .shop) (malware.rules)
  • 2052466 - ET MALWARE DNS Query to Magecart Domain (teloom .site) (malware.rules)
  • 2052467 - ET MALWARE DNS Query to Magecart Domain (nuinetec .store) (malware.rules)
  • 2052468 - ET MALWARE DNS Query to Magecart Domain (feitec .online) (malware.rules)
  • 2052469 - ET MALWARE DNS Query to Magecart Domain (grutic .store) (malware.rules)
  • 2052470 - ET MALWARE DNS Query to Magecart Domain (avitech .site) (malware.rules)
  • 2052471 - ET MALWARE DNS Query to Magecart Domain (defcleth .click) (malware.rules)
  • 2052472 - ET MALWARE DNS Query to Magecart Domain (sewloot .click) (malware.rules)
  • 2052473 - ET MALWARE DNS Query to Magecart Domain (reftop .click) (malware.rules)
  • 2052474 - ET MALWARE DNS Query to Magecart Domain (clifolink .online) (malware.rules)
  • 2052475 - ET MALWARE DNS Query to Magecart Domain (jeitoon .quest) (malware.rules)
  • 2052476 - ET MALWARE DNS Query to Magecart Domain (feigoton .store) (malware.rules)
  • 2052477 - ET MALWARE Observed Magecart Domain (vidkimob .quest in TLS SNI) (malware.rules)
  • 2052478 - ET MALWARE Observed Magecart Domain (znanielec .online in TLS SNI) (malware.rules)
  • 2052479 - ET MALWARE Observed Magecart Domain (setmic .shop in TLS SNI) (malware.rules)
  • 2052480 - ET MALWARE Observed Magecart Domain (intrgqc .site in TLS SNI) (malware.rules)
  • 2052481 - ET MALWARE Observed Magecart Domain (stabit .click in TLS SNI) (malware.rules)
  • 2052482 - ET MALWARE Observed Magecart Domain (beztech .site in TLS SNI) (malware.rules)
  • 2052483 - ET MALWARE Observed Magecart Domain (yanaloop .shop in TLS SNI) (malware.rules)
  • 2052484 - ET MALWARE Observed Magecart Domain (oitool .shop in TLS SNI) (malware.rules)
  • 2052485 - ET MALWARE Observed Magecart Domain (teloom .site in TLS SNI) (malware.rules)
  • 2052486 - ET MALWARE Observed Magecart Domain (nuinetec .store in TLS SNI) (malware.rules)
  • 2052487 - ET MALWARE Observed Magecart Domain (feitec .online in TLS SNI) (malware.rules)
  • 2052488 - ET MALWARE Observed Magecart Domain (grutic .store in TLS SNI) (malware.rules)
  • 2052489 - ET MALWARE Observed Magecart Domain (avitech .site in TLS SNI) (malware.rules)
  • 2052490 - ET MALWARE Observed Magecart Domain (defcleth .click in TLS SNI) (malware.rules)
  • 2052491 - ET MALWARE Observed Magecart Domain (sewloot .click in TLS SNI) (malware.rules)
  • 2052492 - ET MALWARE Observed Magecart Domain (reftop .click in TLS SNI) (malware.rules)
  • 2052493 - ET MALWARE Observed Magecart Domain (clifolink .online in TLS SNI) (malware.rules)
  • 2052494 - ET MALWARE Observed Magecart Domain (jeitoon .quest in TLS SNI) (malware.rules)
  • 2052495 - ET MALWARE Observed Magecart Domain (feigoton .store in TLS SNI) (malware.rules)
  • 2052496 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (bandarsport .net) (exploit_kit.rules)
  • 2052497 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (itemsdostawa .com) (exploit_kit.rules)
  • 2052498 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (bandarsport .net) (exploit_kit.rules)
  • 2052499 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (itemsdostawa .com) (exploit_kit.rules)
  • 2052500 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (libidotechnexus .com) (exploit_kit.rules)
  • 2052501 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (libidotechnexus .com) (exploit_kit.rules)
  • 2052502 - ET EXPLOIT_KIT ClearFake Domain in DNS Lookup (valentinedaycard .com) (exploit_kit.rules)
  • 2052503 - ET EXPLOIT_KIT ClearFake Domain in TLS SNI (valentinedaycard .com) (exploit_kit.rules)

Disabled and modified rules:

  • 2012189 - ET WEB_SPECIFIC_APPS phpscripte24 Vor und Ruckwarts Auktions System Blind SQL Injection Attempt (web_specific_apps.rules)
  • 2012834 - ET WEB_SPECIFIC_APPS ChillyCMS mod Parameter Blind SQL Injection Attempt (web_specific_apps.rules)
  • 2036512 - ET MALWARE PoshC2 - Observed Default URI Structure M3 (malware.rules)
  • 2036513 - ET MALWARE PoshC2 - Observed Default URI Structure M4 (malware.rules)
  • 2037083 - ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) (exploit.rules)
  • 2037863 - ET MALWARE Trojan.Dropper.HTML.Agent Payload (malware.rules)
  • 2801474 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
  • 2801475 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB-DS ASCII (netbios.rules)
  • 2801476 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB Unicode (netbios.rules)
  • 2801477 - ETPRO NETBIOS Microsoft Address Book msoeres32.dll Insecure Library Loading - SMB ASCII (netbios.rules)
  • 2801478 - ETPRO WEB_CLIENT Microsoft Address Book Insecure msoeres32.dll Library Loading (web_client.rules)
  • 2801484 - ETPRO WEB_CLIENT Microsoft Address Book wab32res.dll Insecure Library Loading (web_client.rules)
  • 2801486 - ETPRO NETBIOS Microsoft Windows Backup Manager fveapi.dll Insecure Library Loading - SMB-DS Unicode (netbios.rules)
  • 2801888 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 1 (web_client.rules)
  • 2801889 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 2 (web_client.rules)
  • 2801890 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 3 (web_client.rules)
  • 2801891 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 4 (web_client.rules)
  • 2801892 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 5 (web_client.rules)
  • 2801893 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 6 (web_client.rules)
  • 2801894 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 7 (web_client.rules)
  • 2801895 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 8 (web_client.rules)
  • 2801896 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 9 (web_client.rules)
  • 2801897 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 10 (web_client.rules)
  • 2801898 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 11 (web_client.rules)
  • 2801899 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 12 (web_client.rules)
  • 2801900 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 13 (web_client.rules)
  • 2801901 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 14 (web_client.rules)
  • 2801902 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 15 (web_client.rules)
  • 2801903 - ETPRO WEB_CLIENT Microsoft Windows OpenType Font Validation Integer Overflow 16 (web_client.rules)
  • 2803131 - ETPRO MALWARE Dropper.Haed.co Checkin (malware.rules)
  • 2803219 - ETPRO CHAT mig33 Client Login (chat.rules)
  • 2803220 - ETPRO CHAT mig33 Client Login Challenge Response (chat.rules)
  • 2803224 - ETPRO CHAT mig33 Client Keep Alive (chat.rules)
  • 2803225 - ETPRO CHAT mig33 Server Login Challenge (chat.rules)
  • 2803226 - ETPRO CHAT mig33 Server Keep Alive (chat.rules)
  • 2803251 - ETPRO ADWARE_PUP Ticno Multibar Checkin (adware_pup.rules)
  • 2803277 - ETPRO MALWARE Generic.KD.70372 Checkin (malware.rules)
  • 2856316 - ETPRO MALWARE Observed DNS Query to Sliver Related Domain (malware.rules)
  • 2856317 - ETPRO MALWARE Observed Sliver Related Domain in TLS SNI (malware.rules)