Ruleset Update Summary - 2024/07/05 - v10639

Summary:

100 new OPEN, 104 new PRO (100 + 4)

Thanks @reddrip7, @g0njxa


Added rules:

Open:

  • 2054254 - ET MALWARE ZPHP CnC Domain in DNS Lookup (osgnhr9zv .top) (malware.rules)
  • 2054255 - ET MALWARE ZPHP CnC Domain in TLS SNI (osgnhr9zv .top) (malware.rules)
  • 2054256 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tempesolarcompany .com) (exploit_kit.rules)
  • 2054257 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (helloehoes .com) (exploit_kit.rules)
  • 2054258 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tempesolarcompany .com) (exploit_kit.rules)
  • 2054259 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (helloehoes .com) (exploit_kit.rules)
  • 2054260 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (malware.rules)
  • 2054261 - ET MALWARE Observed Lumma Stealer Related Domain (malware.rules)
  • 2054262 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bouncedgowp .shop) (malware.rules)
  • 2054263 - ET MALWARE Observed Lumma Stealer Related Domain (bouncedgowp .shop in TLS SNI) (malware.rules)
  • 2054264 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bannngwko .shop) (malware.rules)
  • 2054265 - ET MALWARE Observed Lumma Stealer Related Domain (bannngwko .shop in TLS SNI) (malware.rules)
  • 2054266 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (affecthorsedpo .shop) (malware.rules)
  • 2054267 - ET MALWARE Observed Lumma Stealer Related Domain (affecthorsedpo .shop in TLS SNI) (malware.rules)
  • 2054268 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (publicitttyps .shop) (malware.rules)
  • 2054269 - ET MALWARE Observed Lumma Stealer Related Domain (publicitttyps .shop in TLS SNI) (malware.rules)
  • 2054270 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (answerrsdo .shop) (malware.rules)
  • 2054271 - ET MALWARE Observed Lumma Stealer Related Domain (answerrsdo .shop in TLS SNI) (malware.rules)
  • 2054272 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (benchillppwo .shop) (malware.rules)
  • 2054273 - ET MALWARE Observed Lumma Stealer Related Domain (benchillppwo .shop in TLS SNI) (malware.rules)
  • 2054274 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (radiationnopp .shop) (malware.rules)
  • 2054275 - ET MALWARE Observed Lumma Stealer Related Domain (radiationnopp .shop in TLS SNI) (malware.rules)
  • 2054276 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (bargainnykwo .shop) (malware.rules)
  • 2054277 - ET MALWARE Observed Lumma Stealer Related Domain (bargainnykwo .shop in TLS SNI) (malware.rules)
  • 2054278 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (lyingchemicow .shop) (malware.rules)
  • 2054279 - ET MALWARE Observed Lumma Stealer Related Domain (lyingchemicow .shop in TLS SNI) (malware.rules)
  • 2054280 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (unwielldyzpwo .shop) (malware.rules)
  • 2054281 - ET MALWARE Observed Lumma Stealer Related Domain (unwielldyzpwo .shop in TLS SNI) (malware.rules)
  • 2054282 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (stationacutwo .shop) (malware.rules)
  • 2054283 - ET MALWARE Observed Lumma Stealer Related Domain (stationacutwo .shop in TLS SNI) (malware.rules)
  • 2054284 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (invisibledovereats .shop) (malware.rules)
  • 2054285 - ET MALWARE Observed Lumma Stealer Related Domain (invisibledovereats .shop in TLS SNI) (malware.rules)
  • 2054286 - ET INFO DYNAMIC_DNS Query to a *.legonas .net Domain (info.rules)
  • 2054287 - ET INFO DYNAMIC_DNS HTTP Request to a *.legonas .net Domain (info.rules)
  • 2054288 - ET INFO DYNAMIC_DNS Query to a *.fullsense .com .br Domain (info.rules)
  • 2054289 - ET INFO DYNAMIC_DNS HTTP Request to a *.fullsense .com .br Domain (info.rules)
  • 2054290 - ET INFO Observed DNS Over HTTPS Domain (dns .gayanalysing .co .uk) in TLS SNI (info.rules)
  • 2054291 - ET INFO Observed DNS Over HTTPS Domain (dns .vault81 .de) in TLS SNI (info.rules)
  • 2054292 - ET INFO Observed DNS Over HTTPS Domain (dns .busold .ws) in TLS SNI (info.rules)
  • 2054293 - ET INFO Observed DNS Over HTTPS Domain (dns .stirringphoto .com) in TLS SNI (info.rules)
  • 2054294 - ET INFO Observed DNS Over HTTPS Domain (doh .linngde .com) in TLS SNI (info.rules)
  • 2054295 - ET INFO Observed DNS Over HTTPS Domain (dns .vojtat .cz) in TLS SNI (info.rules)
  • 2054296 - ET INFO Observed DNS Over HTTPS Domain (dns .kapite .in) in TLS SNI (info.rules)
  • 2054297 - ET INFO Observed DNS Over HTTPS Domain (dns .fizz .studio) in TLS SNI (info.rules)
  • 2054298 - ET INFO Observed DNS Over HTTPS Domain (ahoj .email) in TLS SNI (info.rules)
  • 2054299 - ET INFO Observed DNS Over HTTPS Domain (affsoft .cc) in TLS SNI (info.rules)
  • 2054300 - ET INFO Observed DNS Over HTTPS Domain (dns .brian-wee .com) in TLS SNI (info.rules)
  • 2054301 - ET INFO Observed DNS Over HTTPS Domain (loadlow .me) in TLS SNI (info.rules)
  • 2054302 - ET INFO Observed DNS Over HTTPS Domain (dns .milftech .xyz) in TLS SNI (info.rules)
  • 2054303 - ET INFO Observed DNS Over HTTPS Domain (dns .falkenthal .org) in TLS SNI (info.rules)
  • 2054304 - ET INFO Observed DNS Over HTTPS Domain (maherhost .uk) in TLS SNI (info.rules)
  • 2054305 - ET INFO Observed DNS Over HTTPS Domain (adguard .senthil .us) in TLS SNI (info.rules)
  • 2054306 - ET INFO Observed DNS Over HTTPS Domain (doh .serverhost .no) in TLS SNI (info.rules)
  • 2054307 - ET INFO Observed DNS Over HTTPS Domain (dns .criena .net) in TLS SNI (info.rules)
  • 2054308 - ET INFO Observed DNS Over HTTPS Domain (dns .faked .org) in TLS SNI (info.rules)
  • 2054309 - ET INFO Observed DNS Over HTTPS Domain (dns .mtoo .vip) in TLS SNI (info.rules)
  • 2054310 - ET INFO Observed DNS Over HTTPS Domain (aerodrorne .vip) in TLS SNI (info.rules)
  • 2054311 - ET INFO Observed DNS Over HTTPS Domain (doh .jtcargokebumen .com) in TLS SNI (info.rules)
  • 2054312 - ET INFO Observed DNS Over HTTPS Domain (dns .ourvau .lt) in TLS SNI (info.rules)
  • 2054313 - ET INFO Observed DNS Over HTTPS Domain (dns .numerus .com) in TLS SNI (info.rules)
  • 2054314 - ET INFO Observed DNS Over HTTPS Domain (mnrv .trade) in TLS SNI (info.rules)
  • 2054315 - ET INFO Observed DNS Over HTTPS Domain (affcdn .net) in TLS SNI (info.rules)
  • 2054316 - ET INFO Observed DNS Over HTTPS Domain (doh .angry .im) in TLS SNI (info.rules)
  • 2054317 - ET INFO Observed DNS Over HTTPS Domain (dns .volatile .ovh) in TLS SNI (info.rules)
  • 2054318 - ET INFO Observed DNS Over HTTPS Domain (dns .nako .kr) in TLS SNI (info.rules)
  • 2054319 - ET INFO Observed DNS Over HTTPS Domain (adguard .pggns .de) in TLS SNI (info.rules)
  • 2054320 - ET INFO Observed DNS Over HTTPS Domain (dns .tierradeayala .com) in TLS SNI (info.rules)
  • 2054321 - ET INFO Observed DNS Over HTTPS Domain (dns .beardic .cn) in TLS SNI (info.rules)
  • 2054322 - ET INFO Observed DNS Over HTTPS Domain (dns .jichi .io) in TLS SNI (info.rules)
  • 2054323 - ET INFO Observed DNS Over HTTPS Domain (bth .dance) in TLS SNI (info.rules)
  • 2054324 - ET INFO Observed DNS Over HTTPS Domain (dns .odinpl .com) in TLS SNI (info.rules)
  • 2054325 - ET INFO Observed DNS Over HTTPS Domain (vorlif .org) in TLS SNI (info.rules)
  • 2054326 - ET INFO Observed DNS Over HTTPS Domain (atws2425 .xyz) in TLS SNI (info.rules)
  • 2054327 - ET INFO Observed DNS Over HTTPS Domain (doh .5u3 .org) in TLS SNI (info.rules)
  • 2054328 - ET INFO Observed DNS Over HTTPS Domain (dns .shareworx .net) in TLS SNI (info.rules)
  • 2054329 - ET INFO Observed DNS Over HTTPS Domain (dns .nick-slowinski .de) in TLS SNI (info.rules)
  • 2054330 - ET INFO Observed DNS Over HTTPS Domain (antarlangit .my .id) in TLS SNI (info.rules)
  • 2054331 - ET INFO Observed DNS Over HTTPS Domain (nicsezcheckfbi .gov) in TLS SNI (info.rules)
  • 2054332 - ET INFO Observed DNS Over HTTPS Domain (uni5wap .info) in TLS SNI (info.rules)
  • 2054333 - ET INFO Observed DNS Over HTTPS Domain (aerodrorne .live) in TLS SNI (info.rules)
  • 2054334 - ET INFO Observed DNS Over HTTPS Domain (dns .w3ctag .org) in TLS SNI (info.rules)
  • 2054335 - ET INFO Observed DNS Over HTTPS Domain (4netguides .org) in TLS SNI (info.rules)
  • 2054336 - ET INFO Observed DNS Over HTTPS Domain (nashkan .net) in TLS SNI (info.rules)
  • 2054337 - ET INFO Observed DNS Over HTTPS Domain (rabbitdns .org) in TLS SNI (info.rules)
  • 2054338 - ET MALWARE Possible UTG-Q-010 CnC Activity (GET) (malware.rules)
  • 2054339 - ET MALWARE UTG-Q-010 URI Observed in HTTP Request (malware.rules)
  • 2054340 - ET MALWARE Observed Malicious UTG-Q-010 Related Certificate Observed (O=IGhnPoQvfb) (malware.rules)
  • 2054341 - ET MALWARE UTG-Q-010 CnC Domain in DNS Lookup (conn .phmdbad .live) (malware.rules)
  • 2054342 - ET MALWARE UTG-Q-010 CnC Domain in DNS Lookup (chemdl .gangtao .live) (malware.rules)
  • 2054343 - ET MALWARE Observed UTG-Q-010 Domain (conn .phmdbad .live in TLS SNI) (malware.rules)
  • 2054344 - ET MALWARE Observed UTG-Q-010 Domain (chemdl .gangtao .live in TLS SNI) (malware.rules)
  • 2054345 - ET MALWARE Xworm CnC Domain in DNS Lookup (223 .ip .ply .gg) (malware.rules)
  • 2054346 - ET MALWARE Observed Xworm Domain (223 .ip .ply .gg in TLS SNI) (malware.rules)
  • 2054347 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (analforeverlove .top) (malware.rules)
  • 2054348 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzfift15ht .top) (malware.rules)
  • 2054349 - ET MALWARE Cryptbot CnC Domain in DNS Lookup (rzeight18pt .top) (malware.rules)
  • 2054350 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 (malware.rules)
  • 2054351 - ET MALWARE Observed Cryptbot Domain (analforeverlove .top in TLS SNI) (malware.rules)
  • 2054352 - ET MALWARE Observed Cryptbot Domain (rzfift15ht .top in TLS SNI) (malware.rules)
  • 2054353 - ET MALWARE Observed Cryptbot Domain (rzeight18pt .top in TLS SNI) (malware.rules)

Pro:

  • 2857513 - ETPRO INFO Inbound Anti-DDoS Challenge Authentication Page (info.rules)
  • 2857514 - ETPRO EXPLOIT Exim Extension Blocklist Bypass (CVE-2024-39929) (exploit.rules)
  • 2857517 - ETPRO PHISHING DNS Query to GoPhish Domain (phishing.rules)
  • 2857518 - ETPRO PHISHING Observed GoPhish Domain in TLS SNI (phishing.rules)