Summary:
39 new OPEN, 65 new PRO (39 + 26)
Thanks @karol_paciorek
Added rules:
Open:
- 2052720 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (evokeoutlooklits .shop) (malware.rules)
- 2052721 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (rejectbettysmartws .shop) (malware.rules)
- 2052722 - ET MALWARE Observed Lumma Stealer Related Domain (evokeoutlooklits .shop in TLS SNI) (malware.rules)
- 2052723 - ET MALWARE Observed Lumma Stealer Related Domain (rejectbettysmartws .shop in TLS SNI) (malware.rules)
- 2052724 - ET MALWARE DNS Query to Async RAT Related Domain (loaded-swift-degrees-packages .trycloudflare .com) (malware.rules)
- 2052725 - ET MALWARE DNS Query to Async RAT Related Domain (undjsj .duckdns .org) (malware.rules)
- 2052726 - ET MALWARE DNS Query to Async RAT Related Domain (maintenance-princess-musical-vocational .trycloudflare .com) (malware.rules)
- 2052727 - ET MALWARE DNS Query to Async RAT Related Domain (invoice .trycloudflare .com) (malware.rules)
- 2052728 - ET MALWARE DNS Query to Async RAT Related Domain (tired-shareholders-reservoir-talked .trycloudflare .com) (malware.rules)
- 2052729 - ET MALWARE DNS Query to Async RAT Related Domain (nail-lists-compact-project .trycloudflare .com) (malware.rules)
- 2052730 - ET MALWARE DNS Query to Async RAT Related Domain (snap-guide-leeds-des .trycloudflare .com) (malware.rules)
- 2052731 - ET MALWARE DNS Query to Async RAT Related Domain (boy-such-icon-positive .trycloudflare .com) (malware.rules)
- 2052732 - ET MALWARE DNS Query to Async RAT Related Domain (oral-career-renewable-bacterial .trycloudflare .com) (malware.rules)
- 2052733 - ET MALWARE DNS Query to Async RAT Related Domain (invoicetrycloudflare .com) (malware.rules)
- 2052734 - ET MALWARE DNS Query to Async RAT Related Domain (bangkok-generally-ensemble-nfl .trycloudflare .com) (malware.rules)
- 2052735 - ET MALWARE Observed Async RAT Related Domain (nail-lists-compact-project .trycloudflare .com in TLS SNI) (malware.rules)
- 2052736 - ET MALWARE Observed Async RAT Related Domain (invoice .trycloudflare .com in TLS SNI) (malware.rules)
- 2052737 - ET MALWARE Observed Async RAT Related Domain (boy-such-icon-positive .trycloudflare .com in TLS SNI) (malware.rules)
- 2052738 - ET MALWARE Observed Async RAT Related Domain (snap-guide-leeds-des .trycloudflare .com in TLS SNI) (malware.rules)
- 2052739 - ET MALWARE Observed Async RAT Related Domain (invoicetrycloudflare .com in TLS SNI) (malware.rules)
- 2052740 - ET MALWARE Observed Async RAT Related Domain (oral-career-renewable-bacterial .trycloudflare .com in TLS SNI) (malware.rules)
- 2052741 - ET MALWARE Observed Async RAT Related Domain (loaded-swift-degrees-packages .trycloudflare .com in TLS SNI) (malware.rules)
- 2052742 - ET MALWARE Observed Async RAT Related Domain (maintenance-princess-musical-vocational .trycloudflare .com in TLS SNI) (malware.rules)
- 2052743 - ET MALWARE Observed Async RAT Related Domain (tired-shareholders-reservoir-talked .trycloudflare .com in TLS SNI) (malware.rules)
- 2052744 - ET MALWARE Observed Async RAT Related Domain (bangkok-generally-ensemble-nfl .trycloudflare .com in TLS SNI) (malware.rules)
- 2052745 - ET MALWARE Observed Async RAT Related Domain (undjsj .duckdns .org in TLS SNI) (malware.rules)
- 2052746 - ET MALWARE Observed DNS Query to Unknown Malware Domain (qpps .site) (malware.rules)
- 2052747 - ET MALWARE Observed Unknown Malware Domain (qpps .site) in TLS SNI (malware.rules)
- 2052748 - ET INFO Observed DNS over HTTPS Domain (dns .editechstudio .com) in TLS SNI (info.rules)
- 2052749 - ET INFO Observed DNS over HTTPS Domain (dns .mateo .ovh) in TLS SNI (info.rules)
- 2052750 - ET INFO Observed DNS over HTTPS Domain (dns .eliv .co .kr) in TLS SNI (info.rules)
- 2052751 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (asyncprogramminghub .com) (exploit_kit.rules)
- 2052752 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (asyncprogramminghub .com) (exploit_kit.rules)
- 2052753 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (public .clickstat360 .com) (exploit_kit.rules)
- 2052754 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (public .clickstat360 .com) (exploit_kit.rules)
- 2052755 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (chezfur .com) (exploit_kit.rules)
- 2052756 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (osiria-agency .com) (exploit_kit.rules)
- 2052757 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (chezfur .com) (exploit_kit.rules)
- 2052758 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (osiria-agency .com) (exploit_kit.rules)
Pro:
- 2856962 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2856963 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2856964 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2856965 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2856966 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2856967 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2856968 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2856969 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2856970 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2856971 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2856972 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2856973 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2856974 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2856975 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2856976 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2856977 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2856978 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2856979 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2856980 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2856981 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2856982 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2856983 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2856984 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2856985 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2856986 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2856987 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
Disabled and modified rules:
- 2051096 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .collection .aixpirts .com) (malware.rules)
- 2051097 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .collection .aixpirts .com) (malware.rules)
- 2051098 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aljannatquranteach .com) (exploit_kit.rules)
- 2051099 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bbsupplyandsalon .com) (exploit_kit.rules)
- 2051100 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (betsmovepiyango47 .com) (exploit_kit.rules)
- 2051101 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bigcuda .com) (exploit_kit.rules)
- 2051102 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eduvationgroup .com) (exploit_kit.rules)
- 2051103 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eoskinec .com) (exploit_kit.rules)
- 2051104 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezwhatsappp .com) (exploit_kit.rules)
- 2051105 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (growcalm .com) (exploit_kit.rules)
- 2051106 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (grupodistribuidora .com) (exploit_kit.rules)
- 2051107 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aljannatquranteach .com) (exploit_kit.rules)
- 2051108 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bbsupplyandsalon .com) (exploit_kit.rules)
- 2051109 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (betsmovepiyango47 .com) (exploit_kit.rules)
- 2051110 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bigcuda .com) (exploit_kit.rules)
- 2051111 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eduvationgroup .com) (exploit_kit.rules)
- 2051112 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eoskinec .com) (exploit_kit.rules)
- 2051113 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezwhatsappp .com) (exploit_kit.rules)
- 2051114 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (growcalm .com) (exploit_kit.rules)
- 2051115 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (grupodistribuidora .com) (exploit_kit.rules)
- 2051434 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (africanbeatmaker .com) (exploit_kit.rules)
- 2051435 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (aiifolrida .com) (exploit_kit.rules)
- 2051436 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (amarod .com) (exploit_kit.rules)
- 2051437 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (auburnartwalk .com) (exploit_kit.rules)
- 2051438 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (africanbeatmaker .com) (exploit_kit.rules)
- 2051439 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (aiifolrida .com) (exploit_kit.rules)
- 2051440 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (amarod .com) (exploit_kit.rules)
- 2051441 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (auburnartwalk .com) (exploit_kit.rules)
- 2051464 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .aus .mimico-cooperative .org) (malware.rules)
- 2051465 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .aus .mimico-cooperative .org) (malware.rules)
- 2051466 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (briefscala .com) (exploit_kit.rules)
- 2051467 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (briefscala .com) (exploit_kit.rules)
- 2051495 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .distributors .commdistinc .com) (malware.rules)
- 2051496 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .distributors .commdistinc .com) (malware.rules)
- 2051576 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (advanceddataenterprise .com) (exploit_kit.rules)
- 2051577 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (advanceddataenterprise .com) (exploit_kit.rules)
- 2051608 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .round .fishingreelinvestment .com) (malware.rules)
- 2051609 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .round .fishingreelinvestment .com) (malware.rules)
- 2051610 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ausgov .pro) (exploit_kit.rules)
- 2051611 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (digestlivepro .com) (exploit_kit.rules)
- 2051612 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ausgov .pro) (exploit_kit.rules)
- 2051613 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (digestlivepro .com) (exploit_kit.rules)
- 2051614 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bestopgoespink .com) (exploit_kit.rules)
- 2051615 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bestopgoespink .com) (exploit_kit.rules)
- 2051682 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .policy .donnafrey .com) (malware.rules)
- 2051683 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .policy .donnafrey .com) (malware.rules)
- 2051686 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (worldofmantas .com) (exploit_kit.rules)
- 2051687 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ausgov .pro) (exploit_kit.rules)
- 2051688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (edulokam .com) (exploit_kit.rules)
- 2051689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (worldofmantas .com) (exploit_kit.rules)
- 2051690 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ausgov .pro) (exploit_kit.rules)
- 2051691 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (edulokam .com) (exploit_kit.rules)
- 2051692 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (7commbeta .com) (exploit_kit.rules)
- 2051693 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (7commbeta .com) (exploit_kit.rules)
- 2051694 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (ezshipsy .com) (exploit_kit.rules)
- 2051695 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (ezshipsy .com) (exploit_kit.rules)
- 2052639 - ET MALWARE DNS Query to Darkgate Domain (savoystocks .com) (malware.rules)