Ruleset Update Summary - 2024/06/24 - v10626

Ruleset Updates
1

Summary:

48 new OPEN, 54 new PRO (48 + 6)

Thanks @Gi7w0rm

Added rules:

Open:

  • 2053801 - ET EXPLOIT Solarwinds Serv-U Directory Traversal Attempt Inbound (CVE-2024-28995) (exploit.rules)
  • 2053802 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (interactiveuidevelopment .com) (exploit_kit.rules)
  • 2053803 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (interactiveuidevelopment .com) (exploit_kit.rules)
  • 2053804 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (onecapitalresidences .com) (exploit_kit.rules)
  • 2053805 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (messageflowpro .com) (exploit_kit.rules)
  • 2053806 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (myoptimasunlab .com) (exploit_kit.rules)
  • 2053807 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (onecapitalresidences .com) (exploit_kit.rules)
  • 2053808 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (messageflowpro .com) (exploit_kit.rules)
  • 2053809 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (myoptimasunlab .com) (exploit_kit.rules)
  • 2053810 - ET MALWARE ZPHP CnC Domain in DNS Lookup (bynx .store) (malware.rules)
  • 2053811 - ET MALWARE ZPHP CnC Domain in TLS SNI (bynx .store) (malware.rules)
  • 2053812 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (backcreammykiel .shop) (malware.rules)
  • 2053813 - ET MALWARE Observed Lumma Stealer Related Domain (backcreammykiel .shop in TLS SNI) (malware.rules)
  • 2053814 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (composepayyersellew .shop) (malware.rules)
  • 2053815 - ET MALWARE Observed Lumma Stealer Related Domain (composepayyersellew .shop in TLS SNI) (malware.rules)
  • 2053816 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (quotakickerrywos .shop) (malware.rules)
  • 2053817 - ET MALWARE Observed Lumma Stealer Related Domain (quotakickerrywos .shop in TLS SNI) (malware.rules)
  • 2053818 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (sailorshelfquids .shop) (malware.rules)
  • 2053819 - ET INFO DNS Query to Remote Monitoring and Management Domain (centrastage .net) (info.rules)
  • 2053820 - ET MALWARE Observed Lumma Stealer Related Domain (sailorshelfquids .shop in TLS SNI) (malware.rules)
  • 2053821 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (ablesulkyfirstyews .shop) (malware.rules)
  • 2053822 - ET MALWARE Observed Lumma Stealer Related Domain (ablesulkyfirstyews .shop in TLS SNI) (malware.rules)
  • 2053823 - ET INFO DYNAMIC_DNS Query to a *.pchelp-24 .com Domain (info.rules)
  • 2053824 - ET INFO DYNAMIC_DNS HTTP Request to a *.pchelp-24 .com Domain (info.rules)
  • 2053825 - ET INFO Observed Remote Monitoring and Management Domain (centrastage .net in TLS SNI) (info.rules)
  • 2053826 - ET INFO DYNAMIC_DNS Query to a *.rasenftinc .com Domain (info.rules)
  • 2053827 - ET INFO DYNAMIC_DNS HTTP Request to a *.rasenftinc .com Domain (info.rules)
  • 2053828 - ET INFO DYNAMIC_DNS Query to a *.melaniebest .com Domain (info.rules)
  • 2053829 - ET INFO DYNAMIC_DNS HTTP Request to a *.melaniebest .com Domain (info.rules)
  • 2053830 - ET MALWARE SocGholish CnC Domain in DNS (* .partners .gloriadeicr .com) (malware.rules)
  • 2053831 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .partners .gloriadeicr .com in TLS SNI) (malware.rules)
  • 2053832 - ET INFO Centrastage RMM Server Response M1 (info.rules)
  • 2053833 - ET INFO Centrastage RMM Agent Checkin (info.rules)
  • 2053834 - ET INFO Centrastage RMM Server Response M2 (info.rules)
  • 2053835 - ET INFO Centrastage RMM Agent Update Request (info.rules)
  • 2053836 - ET MALWARE Mint Stealer CnC Checkin (malware.rules)
  • 2053837 - ET MALWARE Mint Stealer CnC Server Response (malware.rules)
  • 2053838 - ET MALWARE Mint Stealer Data Exfiltration Attempt (malware.rules)
  • 2053839 - ET MALWARE Mint Stealer Data Exfiltration Server Response (malware.rules)
  • 2053840 - ET MALWARE Mint Stealer Injection Request (malware.rules)
  • 2053841 - ET MALWARE Mint Stealer Injection Server Response (malware.rules)
  • 2053842 - ET MALWARE Generic DDoS Kit Checkin (POST) M1 (malware.rules)
  • 2053843 - ET PHISHING MyGovAU Credential Phish Landing Page 2024-06-24 (phishing.rules)
  • 2053844 - ET PHISHING Successful Generic Credential Phishing 2024-06-24 (phishing.rules)
  • 2053845 - ET MALWARE Mint Stealer CnC Domain in DNS Lookup (mint-c2 .top) (malware.rules)
  • 2053846 - ET MALWARE Mint Stealer CnC Domain in DNS Lookup (ashvgcgfxdfcgvcgfdcg .best) (malware.rules)
  • 2053847 - ET MALWARE Observed Mint Stealer Domain (mint-c2 .top) in TLS SNI (malware.rules)
  • 2053848 - ET MALWARE Observed Mint Stealer Domain (ashvgcgfxdfcgvcgfdcg .best) in TLS SNI (malware.rules)

Pro:

  • 2857299 - ETPRO MALWARE TA399 Domain in DNS Lookup (malware.rules)
  • 2857300 - ETPRO MALWARE Observed TA399 Domain in TLS SNI (malware.rules)
  • 2857301 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857302 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2857309 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2857310 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2033451 - ET EXPLOIT Possible Dovecot Memory Corruption Inbound (CVE-2019-11500) (exploit.rules)
  • 2033482 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M1 (exploit.rules)
  • 2033483 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M2 (exploit.rules)
  • 2033484 - ET EXPLOIT ysoserial Payload in HTTP URI (Groovy1) M3 (exploit.rules)
  • 2033524 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M1 (exploit.rules)
  • 2033525 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M2 (exploit.rules)
  • 2033526 - ET EXPLOIT ysoserial Payload in HTTP Header (Groovy1) M3 (exploit.rules)
  • 2033566 - ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M1 (exploit.rules)
  • 2033567 - ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M2 (exploit.rules)
  • 2033568 - ET EXPLOIT HTTP POST Request With ysoserial In Request Body (Groovy1) M3 (exploit.rules)
  • 2033733 - ET EXPLOIT Microsoft Windows VBScript Engine VbsErase Memory Corruption (CVE-2019-0667) (exploit.rules)
  • 2034095 - ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Denial of Service Inbound (CVE-2019-9515) (dos.rules)
  • 2034096 - ET DOS Possible Apache Traffic Server HTTP2 Settings Flood Error Response (CVE-2019-9515) (dos.rules)
  • 2034671 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)
  • 2034672 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)
  • 2034702 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)
  • 2034703 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)
  • 2034804 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034834 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034835 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034836 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2037041 - ET EXPLOIT Apache Tommcat/JBoss RCE Inbound (CVE-2013-4810) (exploit.rules)
  • 2039005 - ET EXPLOIT Possible Zoho ManageEngine RCE Attempt Inbound (CVE-2022-35405) (exploit.rules)
  • 2849429 - ETPRO EXPLOIT Possible dhcpcd IPv6 IA/NA Buffer Overflow [Advertise 0x02] Inbound (CVE-2019-11577) (exploit.rules)
  • 2849512 - ETPRO DOS HPE Intelligent Management Center dbman Opcode 10003 Filename Denial of Service (CVE-2019-5355) (dos.rules)
  • 2849513 - ETPRO EXPLOIT Lighttpd url-path-2f-decode Denial of Service Inbound (CVE-2019-11072) (exploit.rules)
  • 2850028 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M1 flowbit set (CVE-2021-22005) (exploit.rules)
  • 2850029 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M2 flowbit set (CVE-2021-22005) (exploit.rules)
  • 2850030 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M3 flowbit set (CVE-2021-22005) (exploit.rules)
  • 2850055 - ETPRO EXPLOIT VMware vCenter RCE Exploitation Attempt M1 (CVE-2021-22005) (exploit.rules)
  • 2850121 - ETPRO DOS Possible Windows Network File System RPCSEC_GSS Handling Denial of Service (CVE-2020-17047) (dos.rules)
  • 2850122 - ETPRO EXPLOIT Possible OpenSLP Project/VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544) (exploit.rules)
  • 2850307 - ETPRO EXPLOIT Possible FreeBSD NFSv4 Integer Overflow Inbound (CVE-2018-17157) (exploit.rules)