Ruleset Update Summary - 2024/06/03 - v10608

Summary:

21 new OPEN, 24 new PRO (21 + 3)
Added rules:

Open:

  • 2053209 - ET MALWARE Win32/Imposter 360 Internet Protection Activity (GET) (malware.rules)
  • 2053210 - ET MALWARE Observed DNS Query to Observed DNS Query to Malicious Domain (adblock2024 .shop) Domain (malware.rules)
  • 2053211 - ET MALWARE Observed Malicious Domain (adblock2024 .shop in TLS SNI) (malware.rules)
  • 2053212 - ET INFO Observed DNS Over HTTPS Domain (dns1 .lothuscorp .com .br) in TLS SNI (info.rules)
  • 2053213 - ET INFO Observed DNS Over HTTPS Domain (dns .l337 .site) in TLS SNI (info.rules)
  • 2053214 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .patent .international-med .com) (malware.rules)
  • 2053215 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .patent .international-med .com) (malware.rules)
  • 2053216 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (theonelartist .com) (exploit_kit.rules)
  • 2053217 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (theonelartist .com) (exploit_kit.rules)
  • 2053218 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (webapidevelopment .com) (exploit_kit.rules)
  • 2053219 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (webapidevelopment .com) (exploit_kit.rules)
  • 2053220 - ET INFO DYNAMIC_DNS Query to a *.tsurukawa .org Domain (info.rules)
  • 2053221 - ET INFO DYNAMIC_DNS HTTP Request to a *.tsurukawa .org Domain (info.rules)
  • 2053222 - ET INFO DYNAMIC_DNS Query to a *.danielaabrantes .com Domain (info.rules)
  • 2053223 - ET INFO DYNAMIC_DNS HTTP Request to a *.danielaabrantes .com Domain (info.rules)
  • 2053224 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (rankrandomotherwjsui .shop) (malware.rules)
  • 2053225 - ET MALWARE Observed Lumma Stealer Related Domain (rankrandomotherwjsui .shop in TLS SNI) (malware.rules)
  • 2053226 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (burnfamesoilratewo .shop) (malware.rules)
  • 2053227 - ET MALWARE Observed Lumma Stealer Related Domain (burnfamesoilratewo .shop in TLS SNI) (malware.rules)
  • 2053228 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (grazeinnocenttyyek .shop) (malware.rules)
  • 2053229 - ET MALWARE Observed Lumma Stealer Related Domain (grazeinnocenttyyek .shop in TLS SNI) (malware.rules)

Pro:

  • 2857097 - ETPRO MALWARE BruteRatelc4 CnC Domain in DNS Lookup (malware.rules)
  • 2857098 - ETPRO MALWARE Observed BruteRatelc4 Domain in TLS SNI (malware.rules)
  • 2857099 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2020731 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (URI data) (web_specific_apps.rules)
  • 2020732 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (POST data) (web_specific_apps.rules)
  • 2020733 - ET WEB_SPECIFIC_APPS Possible Netscaler SQLi bypass (cookie) (web_specific_apps.rules)

Removed rules:

  • 2845266 - ETPRO PHISHING Successful PrimaBanka Phish 2020-11-02 (phishing.rules)