Ruleset Update Summary - 2024/06/12 - v10616

Ruleset Updates
1

Summary:

19 new OPEN, 27 new PRO (19 + 8)

Added rules:

Open:

  • 2053469 - ET PHISHING Generic Survey Credential Phish Landing Page 2024-06-11 (phishing.rules)
  • 2053470 - ET PHISHING Generic Survey Credential Phish Landing Page 2024-06-12 (phishing.rules)
  • 2053471 - ET INFO DYNAMIC_DNS Query to a *.famsenden .com Domain (info.rules)
  • 2053472 - ET INFO DYNAMIC_DNS HTTP Request to a *.famsenden .com Domain (info.rules)
  • 2053473 - ET MALWARE ZPHP CnC Domain in DNS Lookup (r6pedihosi .website) (malware.rules)
  • 2053474 - ET MALWARE ZPHP CnC Domain in TLS SNI (r6pedihosi .website) (malware.rules)
  • 2053475 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (newmarketofficecleaning .com) (exploit_kit.rules)
  • 2053476 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (newmarketofficecleaning .com) (exploit_kit.rules)
  • 2053477 - ET EXPLOIT Dahua DSS Security Management Platform Attempted Privilege Escalation (exploit.rules)
  • 2053478 - ET EXPLOIT Telecommunications Gateway Configuration Management System Unauthenticated File Upload (exploit.rules)
  • 2053479 - ET WEB_SERVER Possible SQL Injection WAITFOR DELAY in HTTP URI (web_server.rules)
  • 2053480 - ET WEB_SERVER Possible SQL injection WAITFOR DELAY in HTTP Request Body (web_server.rules)
  • 2053481 - ET INFO Observed DNS over HTTPS Domain (ad .johnwick .me) (info.rules)
  • 2053482 - ET INFO Observed DNS over HTTPS Domain (adfiltro .fun) (info.rules)
  • 2053483 - ET INFO Observed DNS over HTTPS Domain (ad .johnwick .me in TLS SNI) (info.rules)
  • 2053484 - ET INFO Observed DNS over HTTPS Domain (adfiltro .fun in TLS SNI) (info.rules)
  • 2053485 - ET WEB_SPECIFIC_APPS Apache OFBiz Directory Traversal Remote Code Execution Attempt (CVE-2024-36104) (web_specific_apps.rules)
  • 2053486 - ET PHISHING Generic Phish Redirector Domain in DNS Lookup (datatrail .xyz) (phishing.rules)
  • 2053487 - ET PHISHING Observed Generic Phish Redirector Domain (datatrail .xyz in TLS SNI) (phishing.rules)

Pro:

  • 2857182 - ETPRO MALWARE JS/FakeUpdate Malicious HTTP Cookie Observed (malware.rules)
  • 2857183 - ETPRO MALWARE PS/PoshAdvisor CnC Checkin (malware.rules)
  • 2857184 - ETPRO MALWARE Win32/WARMCOOKIE Initial CnC Checkin (malware.rules)
  • 2857185 - ETPRO MALWARE Win32/WARMCOOKIE Exfiltrating to CnC (malware.rules)
  • 2857186 - ETPRO MALWARE CopyFix Fake Browser Update Page Inbound (malware.rules)
  • 2857187 - ETPRO MALWARE CopyFix CnC Domain in DNS Lookup (malware.rules)
  • 2857188 - ETPRO MALWARE Observed CopyFix Domain in TLS SNI (malware.rules)
  • 2857189 - ETPRO MALWARE CopyFix CnC Activity (GET) (malware.rules)

Disabled and modified rules:

  • 2006445 - ET WEB_SERVER Possible SQL Injection Attempt SELECT FROM in HTTP URI (web_server.rules)
  • 2006447 - ET WEB_SERVER Possible SQL Injection Attempt UPDATE SET in HTTP URI (web_server.rules)
  • 2028367 - ET JA3 Hash - Possible Malware - Eitest Chrome Popup (ja3.rules)
  • 2028394 - ET JA3 Hash - Possible Malware - USPS Malspam (ja3.rules)
  • 2028398 - ET JA3 Hash - Possible Malware - Various Malspam/RigEK/Dreambot (ja3.rules)
  • 2028399 - ET JA3 Hash - Possible Malware - Various RigEK/Cryptowall/Dridex (ja3.rules)
  • 2049108 - ET MALWARE Observed Lazarus Domain (team-meet .online in TLS SNI) (malware.rules)
  • 2049109 - ET MALWARE Observed Lazarus Domain (videomeethub .online in TLS SNI) (malware.rules)
  • 2051442 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns4 .lonet .org in TLS SNI) (info.rules)
  • 2051444 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns1 .lonet .org in TLS SNI) (info.rules)
  • 2051445 - ET INFO Observed DNS Over HTTPS Domain (doh .phdns5 .lonet .org in TLS SNI) (info.rules)
  • 2052425 - ET MALWARE Observed APT42/TA453 Domain (litby .us in TLS SNI) (malware.rules)
  • 2803516 - ETPRO USER_AGENTS Suspicious User-Agent (HTTP_FILEDOWN) (user_agents.rules)
  • 2840852 - ETPRO MALWARE ELF/Mirai User-Agent Observed (Outbound) (malware.rules)
  • 2840853 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  • 2856168 - ETPRO PHISHING Suspected TA453 Domain in TLS SNI (phishing.rules)
  • 2856465 - ETPRO MALWARE Observed Hello2Malware Domain in TLS SNI (malware.rules)
  • 2856959 - ETPRO MALWARE Unknown Malware Domain in TLS SNI (malware.rules)