Ruleset Update Summary - 2024/12/06 - v10792

Summary:

16 new OPEN, 19 new PRO (16 + 3)

Thanks @JAMESWT_MHT
Added rules:

Open:

  • 2058114 - ET MALWARE Iris Stealer CnC Domain in DNS Lookup (irisstealer .xyz) (malware.rules)
  • 2058115 - ET MALWARE Observed Iris Stealer Domain (irisstealer .xyz) in TLS SNI (malware.rules)
  • 2058116 - ET ATTACK_RESPONSE RuPSRAT Command Inbound (Download/Execute GoBayden) (attack_response.rules)
  • 2058117 - ET WEB_SPECIFIC_APPS Riello Netman 204 UPS SQL Injection Attempt (CVE-2024-8877) (web_specific_apps.rules)
  • 2058118 - ET INFO DYNAMIC_DNS Query to a *.pscenergy .com domain (info.rules)
  • 2058119 - ET INFO DYNAMIC_DNS HTTP Request to a *.pscenergy .com domain (info.rules)
  • 2058120 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (best-net .biz) (exploit_kit.rules)
  • 2058121 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (tasteofgoodness .info) (exploit_kit.rules)
  • 2058122 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (casibom .cyou) (exploit_kit.rules)
  • 2058123 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dcaa .info) (exploit_kit.rules)
  • 2058124 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (best-net .biz) (exploit_kit.rules)
  • 2058125 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (tasteofgoodness .info) (exploit_kit.rules)
  • 2058126 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (casibom .cyou) (exploit_kit.rules)
  • 2058127 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dcaa .info) (exploit_kit.rules)
  • 2058128 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (coeshor .com) (exploit_kit.rules)
  • 2058129 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (coeshor .com) (exploit_kit.rules)

Pro:

  • 2859269 - ETPRO MALWARE BaydenRAT CnC Activity M1 (malware.rules)
  • 2859270 - ETPRO MALWARE BaydenRAT CnC Activity M2 (malware.rules)
  • 2859271 - ETPRO MALWARE BaydenRAT CnC Activity M3 (malware.rules)

Modified inactive rules:

  • 2025388 - ET MALWARE SteamStealer Malicious SSL Certificate Detected (malware.rules)
  • 2025409 - ET CURRENT_EVENTS CERTEGO Possible JScript Coming Over SMB v2 (current_events.rules)
  • 2025781 - ET EXPLOIT Possible ModSecurity 3.0.0 Cross-Site Scripting (exploit.rules)
  • 2025985 - ET INFO Adobe PDX in HTTP Flowbit Set (info.rules)
  • 2026097 - ET MALWARE Suspected Monero Miner CnC Channel TXT Lookup (malware.rules)
  • 2026466 - ET PHISHING Successful Generic Phish (set) 2018-10-10 (phishing.rules)
  • 2026680 - ET MALWARE DNS Query for DNSpionage CnC Domain (malware.rules)
  • 2027259 - ET INFO Dotted Quad Host PS1 Request (info.rules)
  • 2027268 - ET ATTACK_RESPONSE Possible Remote System32 DLL Hijack Command Inbound via HTTP (T1038, T1105) (attack_response.rules)
  • 2027535 - ET PHISHING Cloned Cox Page - Possible Phishing Landing M2 (phishing.rules)
  • 2027561 - ET PHISHING Generic Miarroba Phishing Landing (phishing.rules)
  • 2027602 - ET MALWARE Gift Cardshark CnC Domain in DNS Lookup (malware.rules)
  • 2027603 - ET MALWARE Gift Cardshark CnC Domain in DNS Lookup (malware.rules)
  • 2027604 - ET MALWARE Gift Cardshark CnC Domain in DNS Lookup (malware.rules)
  • 2027759 - ET DNS Query for .co TLD (dns.rules)
  • 2027872 - ET INFO HTTP Request to Suspicious *.biz Domain (info.rules)
  • 2027874 - ET INFO HTTP Request to Suspicious *.cloud Domain (info.rules)
  • 2028972 - ET EXPLOIT_KIT Possible PurpleFox/RIG EK Flash Request M1 (exploit_kit.rules)
  • 2831006 - ETPRO MALWARE LokiBot CnC DNS Lookup (lokipanel) (malware.rules)
  • 2832311 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 3 (asdkaaskdlaksdjjkjsdnddasakkkaksjdjndkjansdkswda) (malware.rules)
  • 2833888 - ETPRO MALWARE FIN7 GRIFFON CnC Domain in DNS Lookup (malware.rules)
  • 2833891 - ETPRO MALWARE SocketPlayer Netflix Killswitch DNS Lookup 5 (opkqpowekdasdoaijsdoiiowqewqewowekkjndkjansdka) (malware.rules)
  • 2835354 - ETPRO EXPLOIT Possible CVE-2019-0703 Request SMBv1 (exploit.rules)
  • 2835355 - ETPRO EXPLOIT Possible CVE-2019-0703 Response SMBv1 (exploit.rules)
  • 2835356 - ETPRO EXPLOIT Possible CVE-2019-0703 Request SMBv2 (exploit.rules)
  • 2835357 - ETPRO EXPLOIT Possible CVE-2019-0703 Response SMBv2 (exploit.rules)
  • 2835635 - ETPRO MALWARE Possible Kimsuky Phishing or Malware DNS Lookup (malware.rules)
  • 2835773 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2019-04-07 (phishing.rules)
  • 2835792 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2019-04-09 (phishing.rules)
  • 2836138 - ETPRO HUNTING Suspicious POST with 0 Len and Minimal Headers (hunting.rules)
  • 2836750 - ETPRO PHISHING Successful Generic Credit Card Information Phish 2019-06-10 (phishing.rules)
  • 2836902 - ETPRO MALWARE Suspected APT33 Spearphishing Related DNS Lookup (malware.rules)
  • 2839262 - ETPRO EXPLOIT_KIT Possible GreenFlash Sundown EK Flash Artifact (exploit_kit.rules)
  • 2840168 - ETPRO HUNTING Observed Powershell Keylogging Code Inbound (hunting.rules)

Disabled and modified rules:

  • 2002911 - ET SCAN Potential VNC Scan 5900-5920 (scan.rules)