Ruleset Update Summary - 2024/08/30 - v10678

Ruleset Updates
1

Summary:

39 new OPEN, 39 new PRO (39 + 0)

Thanks @Unit42_Intel, @Jane_0sint, @g0njxa

Added rules:

Open:

  • 2055642 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (approoverowps .shop) (malware.rules)
  • 2055643 - ET MALWARE Observed Lumma Stealer Related Domain (approoverowps .shop in TLS SNI) (malware.rules)
  • 2055645 - ET HUNTING Byte-order mark UTF-16LE (little endian) (hunting.rules)
  • 2055646 - ET HUNTING Byte-order mark UTF-16BE (big endian) (hunting.rules)
  • 2055647 - ET HUNTING Byte-order mark UTF-32LE (little endian) (hunting.rules)
  • 2055648 - ET HUNTING Byte-order mark UTF-32BE (big endian) (hunting.rules)
  • 2055649 - ET HUNTING Byte-order mark UTF-7 (hunting.rules)
  • 2055650 - ET HUNTING Byte-order mark UTF-1 (hunting.rules)
  • 2055651 - ET HUNTING Byte-order mark UTF-EBCDIC (hunting.rules)
  • 2055652 - ET MALWARE Godzilla Webshell Interaction Attempt (malware.rules)
  • 2055653 - ET MALWARE Lumma Stealer Related Fake Captcha URI Structure M1 (malware.rules)
  • 2055654 - ET MALWARE Lumma Stealer Related Fake Captcha URI Structure M2 (malware.rules)
  • 2055655 - ET MALWARE Lumma Stealer Related Fake Captcha URI Structure M3 (malware.rules)
  • 2055656 - ET MALWARE Lumma Stealer Related Fake Captcha URI Structure M4 (malware.rules)
  • 2055657 - ET MALWARE [ANY.RUN] Diamotrix Clipper Wallet Request (User-Agent) (malware.rules)
  • 2055658 - ET MALWARE [ANY.RUN] Diamotrix Clipper Wallet Request URI Observed (POST) (malware.rules)
  • 2055659 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (load .webdatahoster .com) (exploit_kit.rules)
  • 2055660 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (load .webdatahoster .com) (exploit_kit.rules)
  • 2055661 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (sofinefitness .com) (exploit_kit.rules)
  • 2055662 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (genifyart .com) (exploit_kit.rules)
  • 2055663 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (sofinefitness .com) (exploit_kit.rules)
  • 2055664 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (genifyart .com) (exploit_kit.rules)
  • 2055665 - ET EXPLOIT OSX/AppleJeus CitrineSleet Domain in DNS Lookup (exploit.rules)
  • 2055666 - ET EXPLOIT OSX/AppleJeus CitrineSleet Domain in DNS Lookup (exploit.rules)
  • 2055667 - ET EXPLOIT OSX/AppleJeus CitrineSleet Domain in TLS SNI (exploit.rules)
  • 2055668 - ET EXPLOIT OSX/AppleJeus CitrineSleet Domain in TLS SNI (exploit.rules)
  • 2055669 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (pixelia .shop) (exploit_kit.rules)
  • 2055670 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (secunnet .shop) (exploit_kit.rules)
  • 2055671 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (creatls .com) (exploit_kit.rules)
  • 2055672 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (getstylify .com) (exploit_kit.rules)
  • 2055673 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (graphiqsw .com) (exploit_kit.rules)
  • 2055674 - ET EXPLOIT_KIT Credit Card Skimmer Domain in DNS Lookup (metricelevate .com) (exploit_kit.rules)
  • 2055675 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (pixelia .shop) (exploit_kit.rules)
  • 2055676 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (secunnet .shop) (exploit_kit.rules)
  • 2055677 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (creatls .com) (exploit_kit.rules)
  • 2055678 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (getstylify .com) (exploit_kit.rules)
  • 2055679 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (graphiqsw .com) (exploit_kit.rules)
  • 2055680 - ET EXPLOIT_KIT Credit Card Skimmer Domain in TLS SNI (metricelevate .com) (exploit_kit.rules)
  • 2055681 - ET WEB_SPECIFIC_APPS Aruba 501 Authenticated RCE via Ping Command (web_specific_apps.rules)

Disabled and modified rules:

  • 2004961 - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt – comments.php id SELECT (web_specific_apps.rules)
  • 2004963 - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt – comments.php id INSERT (web_specific_apps.rules)
  • 2004964 - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt – comments.php id DELETE (web_specific_apps.rules)
  • 2004966 - ET WEB_SPECIFIC_APPS LushiNews SQL Injection Attempt – comments.php id UPDATE (web_specific_apps.rules)
  • 2005373 - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt – down_indir.asp id UNION SELECT (web_specific_apps.rules)
  • 2005374 - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt – down_indir.asp id INSERT (web_specific_apps.rules)
  • 2005375 - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt – down_indir.asp id DELETE (web_specific_apps.rules)
  • 2005376 - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt – down_indir.asp id ASCII (web_specific_apps.rules)
  • 2005377 - ET WEB_SPECIFIC_APPS Fullaspsite GeometriX Download Portal SQL Injection Attempt – down_indir.asp id UPDATE (web_specific_apps.rules)
  • 2005823 - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt – user.php id SELECT (web_specific_apps.rules)
  • 2005824 - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt – user.php id UNION SELECT (web_specific_apps.rules)
  • 2005825 - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt – user.php id INSERT (web_specific_apps.rules)
  • 2005826 - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt – user.php id DELETE (web_specific_apps.rules)
  • 2005827 - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt – user.php id ASCII (web_specific_apps.rules)
  • 2005828 - ET WEB_SPECIFIC_APPS iGeneric iG Calendar SQL Injection Attempt – user.php id UPDATE (web_specific_apps.rules)
  • 2005979 - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt – faqDsp.asp catcode SELECT (web_specific_apps.rules)
  • 2005980 - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt – faqDsp.asp catcode UNION SELECT (web_specific_apps.rules)
  • 2005981 - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt – faqDsp.asp catcode INSERT (web_specific_apps.rules)
  • 2005982 - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt – faqDsp.asp catcode DELETE (web_specific_apps.rules)
  • 2005983 - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt – faqDsp.asp catcode ASCII (web_specific_apps.rules)
  • 2005984 - ET WEB_SPECIFIC_APPS aFAQ SQL Injection Attempt – faqDsp.asp catcode UPDATE (web_specific_apps.rules)
  • 2006273 - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt – down.asp id SELECT (web_specific_apps.rules)
  • 2006274 - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt – down.asp id UNION SELECT (web_specific_apps.rules)
  • 2006275 - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt – down.asp id INSERT (web_specific_apps.rules)
  • 2006276 - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt – down.asp id DELETE (web_specific_apps.rules)
  • 2006277 - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt – down.asp id ASCII (web_specific_apps.rules)
  • 2006278 - ET WEB_SPECIFIC_APPS Burak Yylmaz Download Portal SQL Injection Attempt – down.asp id UPDATE (web_specific_apps.rules)
  • 2006351 - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt – lire-avis.php aa SELECT (web_specific_apps.rules)
  • 2006352 - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt – lire-avis.php aa UNION SELECT (web_specific_apps.rules)
  • 2006353 - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt – lire-avis.php aa INSERT (web_specific_apps.rules)
  • 2006354 - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt – lire-avis.php aa DELETE (web_specific_apps.rules)
  • 2006355 - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt – lire-avis.php aa ASCII (web_specific_apps.rules)
  • 2006356 - ET WEB_SPECIFIC_APPS ProNews SQL Injection Attempt – lire-avis.php aa UPDATE (web_specific_apps.rules)
  • 2006560 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – email.php id SELECT (web_specific_apps.rules)
  • 2006561 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – email.php id UNION SELECT (web_specific_apps.rules)
  • 2006562 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – email.php id INSERT (web_specific_apps.rules)
  • 2006564 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – email.php id DELETE (web_specific_apps.rules)
  • 2006565 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – email.php id ASCII (web_specific_apps.rules)
  • 2006566 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – email.php id UPDATE (web_specific_apps.rules)
  • 2006754 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – polls.php id SELECT (web_specific_apps.rules)
  • 2006755 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – polls.php id UNION SELECT (web_specific_apps.rules)
  • 2006756 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – polls.php id INSERT (web_specific_apps.rules)
  • 2006757 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – polls.php id DELETE (web_specific_apps.rules)
  • 2006758 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – polls.php id ASCII (web_specific_apps.rules)
  • 2006759 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – polls.php id UPDATE (web_specific_apps.rules)
  • 2007076 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dircat.asp cid SELECT (web_specific_apps.rules)
  • 2007077 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dircat.asp cid UNION SELECT (web_specific_apps.rules)
  • 2007078 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dircat.asp cid INSERT (web_specific_apps.rules)
  • 2007079 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dircat.asp cid DELETE (web_specific_apps.rules)
  • 2007080 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dircat.asp cid ASCII (web_specific_apps.rules)
  • 2007081 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dircat.asp cid UPDATE (web_specific_apps.rules)
  • 2007082 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dirSub.asp sid SELECT (web_specific_apps.rules)
  • 2007083 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dirSub.asp sid UNION SELECT (web_specific_apps.rules)
  • 2007084 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dirSub.asp sid INSERT (web_specific_apps.rules)
  • 2007085 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dirSub.asp sid DELETE (web_specific_apps.rules)
  • 2007086 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dirSub.asp sid ASCII (web_specific_apps.rules)
  • 2007087 - ET WEB_SPECIFIC_APPS Enthrallweb eHomes SQL Injection Attempt – dirSub.asp sid UPDATE (web_specific_apps.rules)
  • 2007288 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – users.php id SELECT (web_specific_apps.rules)
  • 2007289 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – users.php id UNION SELECT (web_specific_apps.rules)
  • 2007290 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – users.php id INSERT (web_specific_apps.rules)
  • 2007291 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – users.php id DELETE (web_specific_apps.rules)
  • 2007292 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – users.php id ASCII (web_specific_apps.rules)
  • 2007293 - ET WEB_SPECIFIC_APPS Neocrome Seditio SQL Injection Attempt – users.php id UPDATE (web_specific_apps.rules)
  • 2007482 - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt – default.asp page SELECT (web_specific_apps.rules)
  • 2007483 - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt – default.asp page UNION SELECT (web_specific_apps.rules)
  • 2007484 - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt – default.asp page DELETE (web_specific_apps.rules)
  • 2007485 - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt – default.asp page ASCII (web_specific_apps.rules)
  • 2007486 - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt – default.asp page UPDATE (web_specific_apps.rules)
  • 2007564 - ET WEB_SPECIFIC_APPS ActiveNews Manager SQL Injection Attempt – default.asp page INSERT (web_specific_apps.rules)
  • 2008865 - ET WEB_SPECIFIC_APPS PozScripts Business Directory Script cid parameter SQL Injection (web_specific_apps.rules)