Summary:
24 new OPEN, 29 new PRO (24 + 5)
Thanks @MalasadaTech
Added rules:
Open:
- 2054218 - ET INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6387) (info.rules)
- 2054219 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (jswebcloud .net) (exploit_kit.rules)
- 2054220 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (jswebcloud .net) (exploit_kit.rules)
- 2054221 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in DNS Lookup (speedchaoptimise .com) (exploit_kit.rules)
- 2054222 - ET EXPLOIT_KIT TA569 Keitaro TDS Domain in TLS SNI (speedchaoptimise .com) (exploit_kit.rules)
- 2054223 - ET MALWARE TA427 Outlook Stealer Loader (malware.rules)
- 2054224 - ET INFO Browser Automation Toolkit in DNS Lookup (bablosoft .com) (info.rules)
- 2054225 - ET INFO Browser Automation Toolkit in TLS SNI (bablosoft .com) (info.rules)
- 2054226 - ET INFO Fingerprinting Service in DNS Lookup (customfingerprints .bablosoft .com) (info.rules)
- 2054227 - ET INFO Fingerprinting Service in TLS SNI (customfingerprints .bablosoft .com) (info.rules)
- 2054228 - ET EXPLOIT_KIT LandUpdate808 Inject Inbound (exploit_kit.rules)
- 2054229 - ET HUNTING CloudFlare Trace Site (hunting.rules)
- 2054230 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (edveha .com) (exploit_kit.rules)
- 2054231 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (uhsee .com) (exploit_kit.rules)
- 2054232 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ashleypuerner .com) (exploit_kit.rules)
- 2054233 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (elamoto .com) (exploit_kit.rules)
- 2054234 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (zoomzle .com) (exploit_kit.rules)
- 2054235 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (kongtuke .com) (exploit_kit.rules)
- 2054236 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (edveha .com) (exploit_kit.rules)
- 2054237 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (uhsee .com) (exploit_kit.rules)
- 2054238 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ashleypuerner .com) (exploit_kit.rules)
- 2054239 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (elamoto .com) (exploit_kit.rules)
- 2054240 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (zoomzle .com) (exploit_kit.rules)
- 2054241 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (kongtuke .com) (exploit_kit.rules)
Pro:
- 2857462 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (exploit_kit.rules)
- 2857463 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to Balada (exploit_kit.rules)
- 2857464 - ETPRO EXPLOIT_KIT Evil Keitaro Set-Cookie Inbound to VexTrio (exploit_kit.rules)
- 2857467 - ETPRO HUNTING VBA BinaryStream in HTTP Response (hunting.rules)
- 2857468 - ETPRO PHISHING Chinese Embassy Credential Phish Landing Page 2024-07-02 (phishing.rules)
Disabled and modified rules:
- 2001569 - ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection (scan.rules)
- 2001579 - ET SCAN Behavioral Unusual Port 139 traffic Potential Scan or Infection (scan.rules)
- 2010938 - ET SCAN Suspicious inbound to mSQL port 4333 (scan.rules)
- 2013028 - ET POLICY curl User-Agent Outbound (policy.rules)
- 2014127 - ET POLICY Splashtop Remote Control Checkin (policy.rules)
- 2014129 - ET POLICY Splashtop Remote Control Session Keepalive (policy.rules)
- 2014701 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set (dns.rules)
- 2014702 - ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set (dns.rules)
- 2018457 - ET MALWARE Possible Upatre Downloader SSL certificate (fake loc) (malware.rules)
- 2023453 - ET MALWARE Ransomware/Cerber Checkin 2 (malware.rules)
- 2023612 - ET MALWARE Ransomware/Cerber Checkin M3 (1) (malware.rules)
- 2023613 - ET MALWARE Ransomware/Cerber Checkin M3 (2) (malware.rules)
- 2023614 - ET MALWARE Ransomware/Cerber Checkin M3 (3) (malware.rules)
- 2023615 - ET MALWARE Ransomware/Cerber Checkin M3 (4) (malware.rules)
- 2023616 - ET MALWARE Ransomware/Cerber Checkin M3 (5) (malware.rules)
- 2023617 - ET MALWARE Ransomware/Cerber Checkin M3 (6) (malware.rules)
- 2023618 - ET MALWARE Ransomware/Cerber Checkin M3 (7) (malware.rules)
- 2023619 - ET MALWARE Ransomware/Cerber Checkin M3 (8) (malware.rules)
- 2023620 - ET MALWARE Ransomware/Cerber Checkin M3 (9) (malware.rules)
- 2023621 - ET MALWARE Ransomware/Cerber Checkin M3 (10) (malware.rules)
- 2023622 - ET MALWARE Ransomware/Cerber Checkin M3 (11) (malware.rules)
- 2023623 - ET MALWARE Ransomware/Cerber Checkin M3 (12) (malware.rules)
- 2023624 - ET MALWARE Ransomware/Cerber Checkin M3 (13) (malware.rules)
- 2023625 - ET MALWARE Ransomware/Cerber Checkin M3 (14) (malware.rules)
- 2023626 - ET MALWARE Ransomware/Cerber Checkin M3 (15) (malware.rules)
- 2023627 - ET MALWARE Ransomware/Cerber Checkin M3 (16) (malware.rules)
- 2053842 - ET MALWARE Generic DDoS Kit Checkin (POST) M1 (malware.rules)
- 2053844 - ET PHISHING Successful Generic Credential Phishing 2024-06-24 (phishing.rules)
- 2803760 - ETPRO MALWARE Worm.Win32.AutoTsifiri.n DNS Tunnel (malware.rules)
- 2806561 - ETPRO POLICY Ultrasurf Proxy Anonymizer TLS ClientHello Attempt (policy.rules)
- 2810018 - ETPRO EXPLOIT NETLOGON Spoofing Vulnerability SMB2 (CVE-2015-0005) (exploit.rules)
- 2816764 - ETPRO MALWARE Ransomware/Cerber Checkin Error ICMP Response (malware.rules)
Removed rules:
- 2857461 - ETPRO INFO Server Responded with Vulnerable OpenSSH Version (CVE-2024-6387) (info.rules)