Ruleset Update Summary - 2024/12/18 - v10810

Ruleset Updates
1

Summary:

22 new OPEN, 24 new PRO (22 + 2)

Added rules:

Open:

  • 2058383 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (egaolife .info) (exploit_kit.rules)
  • 2058384 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bladyburger .online) (exploit_kit.rules)
  • 2058385 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (buylevlen .xyz) (exploit_kit.rules)
  • 2058386 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (egaolife .info) (exploit_kit.rules)
  • 2058387 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bladyburger .online) (exploit_kit.rules)
  • 2058388 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (buylevlen .xyz) (exploit_kit.rules)
  • 2058389 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (dsassoc .com) (exploit_kit.rules)
  • 2058390 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (calbbs .com) (exploit_kit.rules)
  • 2058391 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (dsassoc .com) (exploit_kit.rules)
  • 2058392 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (calbbs .com) (exploit_kit.rules)
  • 2058393 - ET WEB_SPECIFIC_APPS NUUO NVRmini upgrade_handle.php uploaddir Command Injection Attempt (CVE-2018-14933) (web_specific_apps.rules)
  • 2058394 - ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi doCfgExport option Arbitrary File Read Attempt (CVE-2023-1009) (web_specific_apps.rules)
  • 2058395 - ET MALWARE UNK_FlappyBird Domain in DNS Lookup (onnetmais .org) (malware.rules)
  • 2058396 - ET MALWARE UNK_FlappyBird Domain in TLS SNI (onnetmais .org) (malware.rules)
  • 2058397 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pancakedipyps .click) (malware.rules)
  • 2058398 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pancakedipyps .click in TLS SNI) (malware.rules)
  • 2058399 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (receptivesfii .click) (malware.rules)
  • 2058400 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (receptivesfii .click in TLS SNI) (malware.rules)
  • 2058401 - ET MALWARE StealC/Vidar CnC Domain in DNS Lookup (hulkpara .xyz) (malware.rules)
  • 2058402 - ET MALWARE Observed StealC/Vidar Stealer Domain (hulkpara .xyz in TLS SNI) (malware.rules)
  • 2058403 - ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi getSyslogFile option Arbitrary File Read Attempt (CVE-2023-1163) (web_specific_apps.rules)
  • 2058404 - ET WEB_SPECIFIC_APPS Draytek mainfunction.cgi dumpSyslog option Arbitrary File Deletion Attempt (CVE-2023-6265) (web_specific_apps.rules)

Pro:

  • 2859378 - ETPRO MALWARE Win32/Stealc/Vidar Stealer Host Details Exfil (POST) M2 (malware.rules)
  • 2859379 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Enabled and modified rules:

  • 2050453 - ET EXPLOIT_KIT Parrot TDS Domain in DNS Lookup (sync .webappclick .net) (exploit_kit.rules)
  • 2050462 - ET EXPLOIT_KIT Parrot TDS Domain in TLS SNI (sync .webappclick .net) (exploit_kit.rules)

Modified inactive rules:

  • 2000032 - ET NETBIOS LSA exploit (netbios.rules)
  • 2000033 - ET NETBIOS MS04011 Lsasrv.dll RPC exploit (WinXP) (netbios.rules)
  • 2000046 - ET NETBIOS MS04011 Lsasrv.dll RPC exploit (Win2k) (netbios.rules)
  • 2000559 - ET WEB_SERVER THCIISLame IIS SSL Exploit Attempt (web_server.rules)
  • 2000562 - ET HUNTING OUTBOUND Suspicious Email Attachment (hunting.rules)
  • 2001055 - ET MISC HP Web JetAdmin ExecuteFile admin access (misc.rules)
  • 2001608 - ET INAPPROPRIATE Likely Porn (inappropriate.rules)
  • 2001628 - ET ATTACK_RESPONSE Outbound PHP Connection (attack_response.rules)
  • 2010722 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound (hunting.rules)
  • 2010814 - ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt (activex.rules)
  • 2011016 - ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept (web_server.rules)
  • 2011050 - ET ACTIVEX Liquid XML Studio 2010 OpenFile Method Remote Heap Overflow Attempt (activex.rules)
  • 2012543 - ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt (activex.rules)
  • 2012984 - ET SMTP Sophos.com Block Message (smtp.rules)
  • 2053328 - ET HUNTING Generic POST with Common Control/Escape Character in Filename Parameter - Possible Command Injection Attempt (hunting.rules)
  • 2100139 - GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP (web_server.rules)
  • 2100144 - GPL FTP ADMw0rm ftp login attempt (ftp.rules)
  • 2100286 - GPL POP3 x86 BSD overflow (pop3.rules)
  • 2100287 - GPL POP3 x86 BSD overflow 2 (pop3.rules)
  • 2100335 - GPL FTP .rhosts (ftp.rules)
  • 2100337 - GPL FTP CEL overflow attempt (ftp.rules)
  • 2100338 - GPL FTP SITE EXEC format string (ftp.rules)
  • 2100342 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 (ftp.rules)
  • 2100343 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow FreeBSD (ftp.rules)
  • 2100344 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow Linux (ftp.rules)
  • 2100345 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow generic (ftp.rules)
  • 2100346 - GPL FTP wu-ftpd 2.6.0 site exec format string check (ftp.rules)
  • 2100348 - GPL FTP wu-ftpd 2.6.0 (ftp.rules)
  • 2101748 - GPL FTP command overflow attempt (ftp.rules)
  • 2101866 - GPL POP3 USER overflow attempt (pop3.rules)
  • 2102108 - GPL POP3 CAPA overflow attempt (pop3.rules)
  • 2102109 - GPL POP3 TOP overflow attempt (pop3.rules)
  • 2102111 - GPL POP3 DELE overflow attempt (pop3.rules)
  • 2102112 - GPL POP3 RSET overflow attempt (pop3.rules)
  • 2102272 - GPL FTP LIST integer overflow attempt (ftp.rules)
  • 2102340 - GPL FTP SITE CHMOD overflow attempt (ftp.rules)
  • 2102343 - GPL FTP STOR overflow attempt (ftp.rules)
  • 2102344 - GPL FTP XCWD overflow attempt (ftp.rules)
  • 2102590 - GPL SMTP MAIL FROM overflow attempt (smtp.rules)
  • 2800471 - ETPRO RPC Sun Solaris sadmind RPC Request Integer Overflow 1 (rpc.rules)
  • 2800883 - ETPRO POP3 -ERR overflow attempt (pop3.rules)
  • 2800884 - ETPRO POP3 Pegasus Mail error overflow attempt (pop3.rules)