Ruleset Update Summary - 2024/06/11 - v10615

rulesbot · June 11, 2024, 9:03pm

Summary:

32 new OPEN, 33 new PRO (32 + 1)

Added rules:

Open:

2053437 - ET PHISHING Telegram QR Code Login Landing Page 2024-06-10 (phishing.rules)
2053438 - ET PHISHING UEFA EURO 2024 Survey Landing Page 2024-06-11 (phishing.rules)
2053439 - ET MALWARE SocGholish Domain in DNS Lookup (collar .agrcwv .org) (malware.rules)
2053440 - ET MALWARE SocGholish Domain in TLS SNI (collar .agrcwv .org) (malware.rules)
2053441 - ET WEB_SERVER Possible SQL Injection (varchar2) in HTTP Request Body (web_server.rules)
2053442 - ET EXPLOIT UFIDA PLM getWorkGroups Unauthorized Information Access Attempt (exploit.rules)
2053443 - ET WEB_SERVER Possible SQL Injection CHAR() in HTTP Request Body M1 (web_server.rules)
2053444 - ET EXPLOIT Zhibang International ERP System SQL Injection Attempt (exploit.rules)
2053445 - ET EXPLOIT ZhongCheng Kexin Ticket Management System SQLi Attempt (exploit.rules)
2053446 - ET WEB_SERVER Possible SQL Injection CHAR() in HTTP Request Body M2 (web_server.rules)
2053447 - ET EXPLOIT JEPaaS Development Platform File Upload Authentication Bypass (exploit.rules)
2053448 - ET EXPLOIT Possible Telerik Deserialization Attempt - POST to Vulnerable Path with Specific Extension (CVE-2024-1800) (exploit.rules)
2053449 - ET WEB_SERVER Possible SQL Injection CHR() in HTTP Request Body M1 (web_server.rules)
2053450 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mormonindianajones .com) (exploit_kit.rules)
2053451 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (santapubcrawlchattanooga .com) (exploit_kit.rules)
2053452 - ET WEB_SERVER Possible SQL Injection CHR() in HTTP Request Body M2 (web_server.rules)
2053453 - ET EXPLOIT Possible Telerik Auth Bypass Attempt - Account Creation from External Host (CVE-2024-4358) (exploit.rules)
2053454 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mormonindianajones .com) (exploit_kit.rules)
2053455 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (santapubcrawlchattanooga .com) (exploit_kit.rules)
2053456 - ET WEB_SERVER Possible SQL Injection sp_configure in HTTP Request Body (web_server.rules)
2053457 - ET WEB_SERVER Possible SQL Injection DELETE FROM in HTTP Request Body (web_server.rules)
2053458 - ET WEB_SERVER Possible SQL Injection INSERT INTO in HTTP Request Body (web_server.rules)
2053459 - ET WEB_SERVER Possible SQL Injection SELECT FROM in HTTP Request Body (web_server.rules)
2053460 - ET WEB_SERVER Possible SQL Injection (varchar) in HTTP Request Body (web_server.rules)
2053461 - ET WEB_SERVER Possible SQL Injection (exec) in HTTP Request Body (web_server.rules)
2053462 - ET WEB_SERVER Possible SQL Injection (declare) in HTTP Request Body (web_server.rules)
2053463 - ET WEB_SERVER Possible SQL Injection INTO OUTFILE in HTTP Request Body (web_server.rules)
2053464 - ET WEB_SERVER Possible SQL Injection Obfuscated by REVERSE function in HTTP Request Body (web_server.rules)
2053465 - ET WEB_SERVER Possible SQL Injection SELECT CONCAT in HTTP Request Body (web_server.rules)
2053466 - ET WEB_SERVER Possible SQL Injection SELECT CAST in HTTP Request Body (web_server.rules)
2053467 - ET WEB_SERVER Possible SQL Injection SELECT CAST in HTTP URI (web_server.rules)
2053468 - ET WEB_SERVER Possible SQL Injection UNION SELECT in HTTP Request Body (web_server.rules)

Pro:

2857177 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

2008170 - ET WEB_CLIENT Microsoft Internet Explorer ieframe.dll Script Injection Vulnerability (web_client.rules)
2800304 - ETPRO ACTIVEX Microsoft Office Web Components URL Parsing Buffer Overflow (activex.rules)
2800305 - ETPRO ACTIVEX Microsoft Office Web Components URL Parsing Buffer Overflow (activex.rules)

Disabled and modified rules:

2004965 - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt – comments.php id ASCII (web_specific_apps.rules)
2012574 - ET WEB_SPECIFIC_APPS RecordPress header.php rp-menu.php Cross Site Scripting Attempt (web_specific_apps.rules)
2035139 - ET INFO Commonly Abused File Sharing Site Domain Observed (transfer .sh in DNS Lookup) (info.rules)
2035966 - ET INFO DYNAMIC_DNS Query to a *.wikaba .com Domain (info.rules)
2035967 - ET INFO DYNAMIC_DNS HTTP Request to a *.wikaba .com Domain (info.rules)
2036104 - ET INFO DYNAMIC_DNS Query to a *.dsmtp .com Domain (info.rules)
2036105 - ET INFO DYNAMIC_DNS HTTP Request to a *.dsmtp .com Domain (info.rules)
2036400 - ET MALWARE TraderTraitor CnC Domain (dafom .dev) in DNS Lookup (malware.rules)
2042685 - ET INFO DYNAMIC_DNS Query to a *.dyndns-at-home .com Domain (info.rules)
2042731 - ET INFO DYNAMIC_DNS HTTP Request to a *.myvnc .com Domain (info.rules)
2043255 - ET PHISHING Observed Phishing Domain in DNS Lookup (circle-ci .com) (phishing.rules)
2047656 - ET INFO DYNAMIC_DNS Query to a *.appia .com .au Domain (info.rules)
2047657 - ET INFO DYNAMIC_DNS HTTP Request to a *.appia .com .au Domain (info.rules)
2047658 - ET INFO DYNAMIC_DNS Query to a *.joseulloa .cl Domain (info.rules)
2047659 - ET INFO DYNAMIC_DNS HTTP Request to a *.joseulloa .cl Domain (info.rules)
2047766 - ET INFO DNS Query for Webhook/HTTP Request Inspection/Tunneling Service (.free .beeceptor .com) (info.rules)
2049104 - ET MALWARE Lazarus CnC Domain in DNS Lookup (online-meeting .team) (malware.rules)
2049105 - ET MALWARE Lazarus CnC Domain in DNS Lookup (team-meet .online) (malware.rules)
2049106 - ET MALWARE Lazarus CnC Domain in DNS Lookup (safemeeting .online) (malware.rules)
2049107 - ET MALWARE Lazarus CnC Domain in DNS Lookup (videomeethub .online) (malware.rules)
2050125 - ET INFO DNS Query to Online Application Hosting Domain (supabase .co) (info.rules)
2050593 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cakecoldsplurgrewe .pw) (malware.rules)
2051443 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns2 .lonet .org in TLS SNI) (info.rules)
2051846 - ET MALWARE DNS Query to Earth Krahang APT Domain (update .centos-yum .com) (malware.rules)
2051867 - ET MALWARE Dinodas RAT CnC Domain in DNS Lookup (update .centos-yum .com) (malware.rules)
2051960 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .schedule .golfballnutz .com) (malware.rules)
2052257 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns2 .lonet .org in TLS SNI) (info.rules)
2052809 - ET MALWARE Observed Malicious Domain (storagedsolutions .azurefd .net in TLS SNI) (malware.rules)
2052943 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucabet68 .online) (exploit_kit.rules)
2052948 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucabet68 .online) (exploit_kit.rules)
2804337 - ETPRO INFO DYNAMIC_DNS HTTP Request to a *.25u.com Domain (info.rules)
2804357 - ETPRO INFO DYNAMIC_DNS Request to a *.gr8domain.biz Domain (info.rules)
2856462 - ETPRO MALWARE DNS Query to Hello2Malware Domain (malware.rules)
2856958 - ETPRO MALWARE Unknown Malware Domain in DNS Lookup (malware.rules)
2857141 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/06/12 - v10616 Ruleset Updates	400	June 12, 2024
Ruleset Update Summary - 2023/06/20 - v10354 Ruleset Updates	243	June 20, 2023
Ruleset Update Summary - 2024/02/12 - v10530 Ruleset Updates	234	February 12, 2024
Ruleset Update Summary - 2024/08/14 - v10666 Ruleset Updates	58	August 14, 2024
Ruleset Update Summary - 2023/08/31 - v10407 Ruleset Updates	284	August 31, 2023

Ruleset Update Summary - 2024/06/11 - v10615

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related Topics