Ruleset Update Summary - 2024/12/19 - v10811

Summary:

28 new OPEN, 31 new PRO (28 + 3)

Thanks @dimitribest


Added rules:

Open:

  • 2058405 - ET WEB_SPECIFIC_APPS Fortinet FortiWLM Unauthenticated Command Injection (CVE-2023-34993) (web_specific_apps.rules)
  • 2058406 - ET WEB_SPECIFIC_APPS Fortinet FortiWLM Unauthenticated Limited Arbitrary File Read (web_specific_apps.rules)
  • 2058407 - ET WEB_SPECIFIC_APPS Fortinet FortiWLM Authenticated Command Injection (CVE-2023-48782) (web_specific_apps.rules)
  • 2058408 - ET WEB_SPECIFIC_APPS Fortinet FortiWLM Unauthenticated Arbitrary File Read (CVE-2023-48783) (web_specific_apps.rules)
  • 2058409 - ET HUNTING Fortinet FortiWLM Unauthenticated SQL Injection (CVE-2023-34991) (hunting.rules)
  • 2058410 - ET MALWARE Xenorat Default C2 Server Response Inbound (malware.rules)
  • 2058411 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (esondent .com) (exploit_kit.rules)
  • 2058412 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (incms .biz) (exploit_kit.rules)
  • 2058413 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (esondent .com) (exploit_kit.rules)
  • 2058414 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (incms .biz) (exploit_kit.rules)
  • 2058415 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (gwcomics .com) (exploit_kit.rules)
  • 2058416 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (gwcomics .com) (exploit_kit.rules)
  • 2058417 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .demo .ezra-ai .com) (malware.rules)
  • 2058418 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .demo .ezra-ai .com) (malware.rules)
  • 2058419 - ET MALWARE Xenorat Default Handshake Inbound (malware.rules)
  • 2058420 - ET INFO DYNAMIC_DNS Query to a *.freedns .rocks domain (info.rules)
  • 2058421 - ET INFO DYNAMIC_DNS HTTP Request to a *.freedns .rocks domain (info.rules)
  • 2058422 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (berrylinyj .cyou) (malware.rules)
  • 2058423 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (berrylinyj .cyou in TLS SNI) (malware.rules)
  • 2058424 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lossekniyyt .click) (malware.rules)
  • 2058425 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lossekniyyt .click in TLS SNI) (malware.rules)
  • 2058426 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (scrambledmy .cfd) (malware.rules)
  • 2058427 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (scrambledmy .cfd in TLS SNI) (malware.rules)
  • 2058428 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (simplerapplau .click) (malware.rules)
  • 2058429 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (simplerapplau .click in TLS SNI) (malware.rules)
  • 2058430 - ET MALWARE Observed DNS Query to Lazarus Domain (atokyonews .com) (malware.rules)
  • 2058431 - ET MALWARE Observed Lazarus Domain (atokyonews .com in TLS SNI) (malware.rules)
  • 2058432 - ET EXPLOIT Fortinet FortiClient EMS SQL Injection (CVE-2023-48788) (exploit.rules)

Pro:

  • 2859390 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859391 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859392 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2029306 - ET MALWARE Observed Thanatos Ransomware Variant Pico User-Agent (malware.rules)
  • 2030377 - ET MALWARE Operation Interception Payload CnC Checkin (malware.rules)
  • 2840852 - ETPRO MALWARE ELF/Mirai User-Agent Observed (Outbound) (malware.rules)
  • 2840853 - ETPRO SCAN ELF/Mirai User-Agent Observed (Inbound) (scan.rules)
  • 2850032 - ETPRO MALWARE MSIL/TrojanDownloader.Agent.IUJ User-Agent (malware.rules)
  • 2850613 - ETPRO MALWARE Win32/Lmbmiad CnC User-Agent (ve3xtest) (malware.rules)
  • 2850616 - ETPRO MALWARE Win32/Lmbmiad CnC User-Agent (noandk) (malware.rules)