Ruleset Update Summary - 2024/07/05 - v10639

rulesbot · July 5, 2024, 9:09pm

Summary:

100 new OPEN, 104 new PRO (100 + 4)

Thanks @reddrip7, @g0njxa

Added rules:

Open:

2054254 - ET MALWARE ZPHP CnC Domain in DNS Lookup (osgnhr9zv .top) (malware.rules)
2054255 - ET MALWARE ZPHP CnC Domain in TLS SNI (osgnhr9zv .top) (malware.rules)
2054256 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tempesolarcompany .com) (exploit_kit.rules)
2054257 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (helloehoes .com) (exploit_kit.rules)
2054258 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tempesolarcompany .com) (exploit_kit.rules)
2054259 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (helloehoes .com) (exploit_kit.rules)
2054260 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
2054261 - ET MALWARE Observed Lumma Stealer Related Domain (malware.rules)
2054262 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bouncedgowp .shop) (malware.rules)
2054263 - ET MALWARE Observed Lumma Stealer Related Domain (bouncedgowp .shop in TLS SNI) (malware.rules)
2054264 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bannngwko .shop) (malware.rules)
2054265 - ET MALWARE Observed Lumma Stealer Related Domain (bannngwko .shop in TLS SNI) (malware.rules)
2054266 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (affecthorsedpo .shop) (malware.rules)
2054267 - ET MALWARE Observed Lumma Stealer Related Domain (affecthorsedpo .shop in TLS SNI) (malware.rules)
2054268 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (publicitttyps .shop) (malware.rules)
2054269 - ET MALWARE Observed Lumma Stealer Related Domain (publicitttyps .shop in TLS SNI) (malware.rules)
2054270 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (answerrsdo .shop) (malware.rules)
2054271 - ET MALWARE Observed Lumma Stealer Related Domain (answerrsdo .shop in TLS SNI) (malware.rules)
2054272 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benchillppwo .shop) (malware.rules)
2054273 - ET MALWARE Observed Lumma Stealer Related Domain (benchillppwo .shop in TLS SNI) (malware.rules)
2054274 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (radiationnopp .shop) (malware.rules)
2054275 - ET MALWARE Observed Lumma Stealer Related Domain (radiationnopp .shop in TLS SNI) (malware.rules)
2054276 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bargainnykwo .shop) (malware.rules)
2054277 - ET MALWARE Observed Lumma Stealer Related Domain (bargainnykwo .shop in TLS SNI) (malware.rules)
2054278 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lyingchemicow .shop) (malware.rules)
2054279 - ET MALWARE Observed Lumma Stealer Related Domain (lyingchemicow .shop in TLS SNI) (malware.rules)
2054280 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unwielldyzpwo .shop) (malware.rules)
2054281 - ET MALWARE Observed Lumma Stealer Related Domain (unwielldyzpwo .shop in TLS SNI) (malware.rules)
2054282 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stationacutwo .shop) (malware.rules)
2054283 - ET MALWARE Observed Lumma Stealer Related Domain (stationacutwo .shop in TLS SNI) (malware.rules)
2054284 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (invisibledovereats .shop) (malware.rules)
2054285 - ET MALWARE Observed Lumma Stealer Related Domain (invisibledovereats .shop in TLS SNI) (malware.rules)
2054286 - ET INFO DYNAMIC_DNS Query to a *.legonas .net Domain (info.rules)
2054287 - ET INFO DYNAMIC_DNS HTTP Request to a *.legonas .net Domain (info.rules)
2054288 - ET INFO DYNAMIC_DNS Query to a *.fullsense .com .br Domain (info.rules)
2054289 - ET INFO DYNAMIC_DNS HTTP Request to a *.fullsense .com .br Domain (info.rules)
2054290 - ET INFO Observed DNS Over HTTPS Domain (dns .gayanalysing .co .uk) in TLS SNI (info.rules)
2054291 - ET INFO Observed DNS Over HTTPS Domain (dns .vault81 .de) in TLS SNI (info.rules)
2054292 - ET INFO Observed DNS Over HTTPS Domain (dns .busold .ws) in TLS SNI (info.rules)
2054293 - ET INFO Observed DNS Over HTTPS Domain (dns .stirringphoto .com) in TLS SNI (info.rules)
2054294 - ET INFO Observed DNS Over HTTPS Domain (doh .linngde .com) in TLS SNI (info.rules)
2054295 - ET INFO Observed DNS Over HTTPS Domain (dns .vojtat .cz) in TLS SNI (info.rules)
2054296 - ET INFO Observed DNS Over HTTPS Domain (dns .kapite .in) in TLS SNI (info.rules)
2054297 - ET INFO Observed DNS Over HTTPS Domain (dns .fizz .studio) in TLS SNI (info.rules)
2054298 - ET INFO Observed DNS Over HTTPS Domain (ahoj .email) in TLS SNI (info.rules)
2054299 - ET INFO Observed DNS Over HTTPS Domain (affsoft .cc) in TLS SNI (info.rules)
2054300 - ET INFO Observed DNS Over HTTPS Domain (dns .brian-wee .com) in TLS SNI (info.rules)
2054301 - ET INFO Observed DNS Over HTTPS Domain (loadlow .me) in TLS SNI (info.rules)
2054302 - ET INFO Observed DNS Over HTTPS Domain (dns .milftech .xyz) in TLS SNI (info.rules)
2054303 - ET INFO Observed DNS Over HTTPS Domain (dns .falkenthal .org) in TLS SNI (info.rules)
2054304 - ET INFO Observed DNS Over HTTPS Domain (maherhost .uk) in TLS SNI (info.rules)
2054305 - ET INFO Observed DNS Over HTTPS Domain (adguard .senthil .us) in TLS SNI (info.rules)
2054306 - ET INFO Observed DNS Over HTTPS Domain (doh .serverhost .no) in TLS SNI (info.rules)
2054307 - ET INFO Observed DNS Over HTTPS Domain (dns .criena .net) in TLS SNI (info.rules)
2054308 - ET INFO Observed DNS Over HTTPS Domain (dns .faked .org) in TLS SNI (info.rules)
2054309 - ET INFO Observed DNS Over HTTPS Domain (dns .mtoo .vip) in TLS SNI (info.rules)
2054310 - ET INFO Observed DNS Over HTTPS Domain (aerodrorne .vip) in TLS SNI (info.rules)
2054311 - ET INFO Observed DNS Over HTTPS Domain (doh .jtcargokebumen .com) in TLS SNI (info.rules)
2054312 - ET INFO Observed DNS Over HTTPS Domain (dns .ourvau .lt) in TLS SNI (info.rules)
2054313 - ET INFO Observed DNS Over HTTPS Domain (dns .numerus .com) in TLS SNI (info.rules)
2054314 - ET INFO Observed DNS Over HTTPS Domain (mnrv .trade) in TLS SNI (info.rules)
2054315 - ET INFO Observed DNS Over HTTPS Domain (affcdn .net) in TLS SNI (info.rules)
2054316 - ET INFO Observed DNS Over HTTPS Domain (doh .angry .im) in TLS SNI (info.rules)
2054317 - ET INFO Observed DNS Over HTTPS Domain (dns .volatile .ovh) in TLS SNI (info.rules)
2054318 - ET INFO Observed DNS Over HTTPS Domain (dns .nako .kr) in TLS SNI (info.rules)
2054319 - ET INFO Observed DNS Over HTTPS Domain (adguard .pggns .de) in TLS SNI (info.rules)
2054320 - ET INFO Observed DNS Over HTTPS Domain (dns .tierradeayala .com) in TLS SNI (info.rules)
2054321 - ET INFO Observed DNS Over HTTPS Domain (dns .beardic .cn) in TLS SNI (info.rules)
2054322 - ET INFO Observed DNS Over HTTPS Domain (dns .jichi .io) in TLS SNI (info.rules)
2054323 - ET INFO Observed DNS Over HTTPS Domain (bth .dance) in TLS SNI (info.rules)
2054324 - ET INFO Observed DNS Over HTTPS Domain (dns .odinpl .com) in TLS SNI (info.rules)
2054325 - ET INFO Observed DNS Over HTTPS Domain (vorlif .org) in TLS SNI (info.rules)
2054326 - ET INFO Observed DNS Over HTTPS Domain (atws2425 .xyz) in TLS SNI (info.rules)
2054327 - ET INFO Observed DNS Over HTTPS Domain (doh .5u3 .org) in TLS SNI (info.rules)
2054328 - ET INFO Observed DNS Over HTTPS Domain (dns .shareworx .net) in TLS SNI (info.rules)
2054329 - ET INFO Observed DNS Over HTTPS Domain (dns .nick-slowinski .de) in TLS SNI (info.rules)
2054330 - ET INFO Observed DNS Over HTTPS Domain (antarlangit .my .id) in TLS SNI (info.rules)
2054331 - ET INFO Observed DNS Over HTTPS Domain (nicsezcheckfbi .gov) in TLS SNI (info.rules)
2054332 - ET INFO Observed DNS Over HTTPS Domain (uni5wap .info) in TLS SNI (info.rules)
2054333 - ET INFO Observed DNS Over HTTPS Domain (aerodrorne .live) in TLS SNI (info.rules)
2054334 - ET INFO Observed DNS Over HTTPS Domain (dns .w3ctag .org) in TLS SNI (info.rules)
2054335 - ET INFO Observed DNS Over HTTPS Domain (4netguides .org) in TLS SNI (info.rules)
2054336 - ET INFO Observed DNS Over HTTPS Domain (nashkan .net) in TLS SNI (info.rules)
2054337 - ET INFO Observed DNS Over HTTPS Domain (rabbitdns .org) in TLS SNI (info.rules)
2054338 - ET MALWARE Possible UTG-Q-010 CnC Activity (GET) (malware.rules)
2054339 - ET MALWARE UTG-Q-010 URI Observed in HTTP Request (malware.rules)
2054340 - ET MALWARE Observed Malicious UTG-Q-010 Related Certificate Observed (O=IGhnPoQvfb) (malware.rules)
2054341 - ET MALWARE UTG-Q-010 CnC Domain in DNS Lookup (conn .phmdbad .live) (malware.rules)
2054342 - ET MALWARE UTG-Q-010 CnC Domain in DNS Lookup (chemdl .gangtao .live) (malware.rules)
2054343 - ET MALWARE Observed UTG-Q-010 Domain (conn .phmdbad .live in TLS SNI) (malware.rules)
2054344 - ET MALWARE Observed UTG-Q-010 Domain (chemdl .gangtao .live in TLS SNI) (malware.rules)
2054345 - ET MALWARE Xworm CnC Domain in DNS Lookup (223 .ip .ply .gg) (malware.rules)
2054346 - ET MALWARE Observed Xworm Domain (223 .ip .ply .gg in TLS SNI) (malware.rules)
2054347 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (analforeverlove .top) (malware.rules)
2054348 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzfift15ht .top) (malware.rules)
2054349 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzeight18pt .top) (malware.rules)
2054350 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 (malware.rules)
2054351 - ET MALWARE Observed Cryptbot Domain (analforeverlove .top in TLS SNI) (malware.rules)
2054352 - ET MALWARE Observed Cryptbot Domain (rzfift15ht .top in TLS SNI) (malware.rules)
2054353 - ET MALWARE Observed Cryptbot Domain (rzeight18pt .top in TLS SNI) (malware.rules)

Pro:

2857513 - ETPRO INFO Inbound Anti-DDoS Challenge Authentication Page (info.rules)
2857514 - ETPRO EXPLOIT Exim Extension Blocklist Bypass (CVE-2024-39929) (exploit.rules)
2857517 - ETPRO PHISHING DNS Query to GoPhish Domain (phishing.rules)
2857518 - ETPRO PHISHING Observed GoPhish Domain in TLS SNI (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/07/19 - v10649 Ruleset Updates	131	July 19, 2024
Ruleset Update Summary - 2024/08/26 - v10674 Ruleset Updates	83	August 26, 2024
Ruleset Update Summary - 2024/02/05 - v10524 Ruleset Updates	427	February 5, 2024
Ruleset Update Summary - 2024/08/22 - v10672 Ruleset Updates	57	August 22, 2024
Ruleset Update Summary - 2024/01/08 - v10501 Ruleset Updates	541	January 8, 2024

Ruleset Update Summary - 2024/07/05 - v10639

Summary:

Added rules:

Open:

Pro:

Related Topics