Ruleset Update Summary - 2024/05/22 - v10601

Ruleset Updates
1

Summary:

24 new OPEN, 30 new PRO (24 + 6)

There will be no rule release on Monday, May 27th, 2024 on account of it being both a US and UK holiday.

Added rules:

Open:

  • 2052820 - ET EXPLOIT D-Link DIR-X4860 RCE Attempt Inbound (exploit.rules)
  • 2052821 - ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound M2 (scan.rules)
  • 2052822 - ET SCAN OpenVASVT RCE Test String in HTTP Request Inbound M3 (scan.rules)
  • 2052823 - ET EXPLOIT OpenTSDB RCE in HTTP Request M1 (CVE-2023-25826) (exploit.rules)
  • 2052824 - ET EXPLOIT OpenTSDB RCE in HTTP Request M2 (CVE-2023-25826) (exploit.rules)
  • 2052825 - ET EXPLOIT OpenTSDB RCE in HTTP Request M3 (CVE-2023-25826) (exploit.rules)
  • 2052826 - ET EXPLOIT OpenTSDB RCE in HTTP Request M1 (CVE-2023-25827) (exploit.rules)
  • 2052827 - ET EXPLOIT OpenTSDB RCE in HTTP Request M2 (CVE-2023-25827) (exploit.rules)
  • 2052828 - ET MALWARE Observed UTG-Q-010 Malicious SSL Cert (malware.rules)
  • 2052829 - ET MALWARE UTG-Q-010 CnC Domain in DNS Lookup (chemdl .ioskaishi .live) (malware.rules)
  • 2052830 - ET MALWARE Observed UTG-Q-010 Domain (chemdl .ioskaishi .live) in TLS SNI (malware.rules)
  • 2052831 - ET MALWARE UTG-Q-010 CnC Checkin (malware.rules)
  • 2052832 - ET MALWARE UTG-Q-010 Payload Retrieval Attempt (malware.rules)
  • 2052833 - ET MALWARE UTG-Q-010 Go Backdoor CnC Checkin (malware.rules)
  • 2052834 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (load .memoryloader .com) (exploit_kit.rules)
  • 2052835 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (load .memoryloader .com) (exploit_kit.rules)
  • 2052836 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (awakentoyoga .com) (exploit_kit.rules)
  • 2052837 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucabet68 .online) (exploit_kit.rules)
  • 2052838 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (awakentoyoga .com) (exploit_kit.rules)
  • 2052839 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucabet68 .online) (exploit_kit.rules)
  • 2052840 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jurassicworldtheexhibition .com) (exploit_kit.rules)
  • 2052841 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (womendonotdothat .com) (exploit_kit.rules)
  • 2052842 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jurassicworldtheexhibition .com) (exploit_kit.rules)
  • 2052843 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (womendonotdothat .com) (exploit_kit.rules)

Pro:

  • 2857014 - ETPRO MALWARE DNS Query to UNK APT Domain (malware.rules)
  • 2857015 - ETPRO MALWARE DNS Query to UNK APT Domain (malware.rules)
  • 2857016 - ETPRO MALWARE DNS Query to UNK APT Domain (malware.rules)
  • 2857017 - ETPRO MALWARE Observed UNK APT Domain in TLS SNI (malware.rules)
  • 2857018 - ETPRO MALWARE Observed UNK APT Domain in TLS SNI (malware.rules)
  • 2857019 - ETPRO MALWARE Observed UNK APT Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2031449 - ET MALWARE FormBook CnC Checkin (GET) (malware.rules)
  • 2031453 - ET MALWARE FormBook CnC Checkin (GET) (malware.rules)
  • 2853519 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE xbits set, noalert (CVE-2023-21690) (exploit.rules)
  • 2853520 - ETPRO EXPLOIT Microsoft Protected Extensible Authentication Protocol RCE Attempt Inbound (CVE-2023-21690) (exploit.rules)