Ruleset Update Summary - 2024/12/23 - v10813

Ruleset Updates
1

Summary:

67 new OPEN, 100 new PRO (67 + 33)

Added rules:

Open:

  • 2058449 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (magicaltaster .click) (malware.rules)
  • 2058450 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (magicaltaster .click in TLS SNI) (malware.rules)
  • 2058451 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brammdysocitrey .shop) (malware.rules)
  • 2058452 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (brammdysocitrey .shop in TLS SNI) (malware.rules)
  • 2058453 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (inventionspo .click) (malware.rules)
  • 2058454 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (inventionspo .click in TLS SNI) (malware.rules)
  • 2058455 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kitteprincv .click) (malware.rules)
  • 2058456 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (kitteprincv .click in TLS SNI) (malware.rules)
  • 2058457 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stem-mellows .cyou) (malware.rules)
  • 2058458 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stem-mellows .cyou in TLS SNI) (malware.rules)
  • 2058459 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thesishsej .click) (malware.rules)
  • 2058460 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thesishsej .click in TLS SNI) (malware.rules)
  • 2058461 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (qamar-alsharqia .com) (exploit_kit.rules)
  • 2058462 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dcfei .xyz) (exploit_kit.rules)
  • 2058463 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (qamar-alsharqia .com) (exploit_kit.rules)
  • 2058464 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dcfei .xyz) (exploit_kit.rules)
  • 2058465 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (sokrpro .com) (exploit_kit.rules)
  • 2058466 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (satpr .com) (exploit_kit.rules)
  • 2058467 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (sokrpro .com) (exploit_kit.rules)
  • 2058468 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (satpr .com) (exploit_kit.rules)
  • 2058469 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .office .enewlaw .com) (malware.rules)
  • 2058470 - ET MALWARE SocGholish CnC Domain in TLS SNI (* .office .enewlaw .com) (malware.rules)
  • 2058471 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (boneyn .com) (exploit_kit.rules)
  • 2058472 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (boneyn .com) (exploit_kit.rules)
  • 2058473 - ET MALWARE Observed ClickFix Powershell Delivery Page Inbound (malware.rules)
  • 2058474 - ET INFO DYNAMIC_DNS Query to a *.polytama .co .id domain (info.rules)
  • 2058475 - ET INFO DYNAMIC_DNS HTTP Request to a *.polytama .co .id domain (info.rules)
  • 2058476 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (analysiserjzy .click) (malware.rules)
  • 2058477 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (analysiserjzy .click in TLS SNI) (malware.rules)
  • 2058478 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bakedgooak .site) (malware.rules)
  • 2058479 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bakedgooak .site in TLS SNI) (malware.rules)
  • 2058480 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) (malware.rules)
  • 2058481 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bashfulacid .lat in TLS SNI) (malware.rules)
  • 2058482 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cuddlyready .xyz) (malware.rules)
  • 2058483 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cuddlyready .xyz in TLS SNI) (malware.rules)
  • 2058484 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) (malware.rules)
  • 2058485 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (curverpluch .lat in TLS SNI) (malware.rules)
  • 2058486 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (driblbemris .lat) (malware.rules)
  • 2058487 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (driblbemris .lat in TLS SNI) (malware.rules)
  • 2058488 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (greywe-snotty .cyou) (malware.rules)
  • 2058489 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (greywe-snotty .cyou in TLS SNI) (malware.rules)
  • 2058490 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hosue-billowy .cyou) (malware.rules)
  • 2058491 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hosue-billowy .cyou in TLS SNI) (malware.rules)
  • 2058492 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) (malware.rules)
  • 2058493 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (manyrestro .lat in TLS SNI) (malware.rules)
  • 2058494 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pollution-raker .cyou) (malware.rules)
  • 2058495 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pollution-raker .cyou in TLS SNI) (malware.rules)
  • 2058496 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ripe-blade .cyou) (malware.rules)
  • 2058497 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ripe-blade .cyou in TLS SNI) (malware.rules)
  • 2058498 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sendypaster .xyz) (malware.rules)
  • 2058499 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sendypaster .xyz in TLS SNI) (malware.rules)
  • 2058500 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) (malware.rules)
  • 2058501 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shapestickyr .lat in TLS SNI) (malware.rules)
  • 2058502 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) (malware.rules)
  • 2058503 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (slipperyloo .lat in TLS SNI) (malware.rules)
  • 2058504 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (smash-boiling .cyou) (malware.rules)
  • 2058505 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (smash-boiling .cyou in TLS SNI) (malware.rules)
  • 2058506 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (steppriflej .xyz) (malware.rules)
  • 2058507 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (steppriflej .xyz in TLS SNI) (malware.rules)
  • 2058508 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (supporse-comment .cyou) (malware.rules)
  • 2058509 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (supporse-comment .cyou in TLS SNI) (malware.rules)
  • 2058510 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) (malware.rules)
  • 2058511 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (talkynicer .lat in TLS SNI) (malware.rules)
  • 2058512 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) (malware.rules)
  • 2058513 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (tentabatte .lat in TLS SNI) (malware.rules)
  • 2058514 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) (malware.rules)
  • 2058515 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (wordyfindy .lat in TLS SNI) (malware.rules)

Pro:

  • 2859395 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859396 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859397 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859398 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859399 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859400 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859401 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859402 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859403 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859404 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859405 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859406 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859407 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859408 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859409 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859410 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2859411 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859412 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2859413 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2859414 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2859415 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2859416 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2859417 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2859418 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2859419 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2859420 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2859421 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2859422 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2859423 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2859424 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859425 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2859426 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2859427 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)

Modified inactive rules:

  • 2001181 - ET ACTIVEX Internet Explorer Plugin.ocx Heap Overflow (activex.rules)
  • 2001342 - ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization (web_server.rules)
  • 2001343 - ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization % 5 C (web_server.rules)
  • 2001346 - ET INAPPROPRIATE Kiddy Porn preteen (inappropriate.rules)
  • 2001347 - ET INAPPROPRIATE Kiddy Porn pre-teen (inappropriate.rules)
  • 2001348 - ET INAPPROPRIATE Kiddy Porn early teen (inappropriate.rules)
  • 2001349 - ET INAPPROPRIATE free XXX (inappropriate.rules)
  • 2001350 - ET INAPPROPRIATE hardcore anal (inappropriate.rules)
  • 2001351 - ET INAPPROPRIATE masturbation (inappropriate.rules)
  • 2001352 - ET INAPPROPRIATE ejaculation (inappropriate.rules)
  • 2001353 - ET INAPPROPRIATE BDSM (inappropriate.rules)
  • 2001365 - ET WEB_SERVER Alternate Data Stream source view attempt (web_server.rules)
  • 2001386 - ET INAPPROPRIATE Kiddy Porn pthc (inappropriate.rules)
  • 2001387 - ET INAPPROPRIATE Kiddy Porn zeps (inappropriate.rules)
  • 2001388 - ET INAPPROPRIATE Kiddy Porn r@ygold (inappropriate.rules)
  • 2001389 - ET INAPPROPRIATE Kiddy Porn childlover (inappropriate.rules)
  • 2001392 - ET INAPPROPRIATE Sextracker Tracking Code Detected (1) (inappropriate.rules)
  • 2001393 - ET INAPPROPRIATE Sextracker Tracking Code Detected (2) (inappropriate.rules)
  • 2002131 - ET WEB_SERVER Oracle Reports XML Information Disclosure (web_server.rules)
  • 2002132 - ET WEB_SERVER Oracle Reports DESFORMAT Information Disclosure (web_server.rules)
  • 2002199 - ET NETBIOS SMB-DS DCERPC PnP HOD bind attempt (netbios.rules)
  • 2002200 - ET NETBIOS SMB-DS DCERPC PnP bind attempt (netbios.rules)
  • 2002201 - ET NETBIOS SMB-DS DCERPC PnP QueryResConfList exploit attempt (netbios.rules)
  • 2002202 - ET NETBIOS SMB DCERPC PnP bind attempt (netbios.rules)
  • 2002203 - ET NETBIOS SMB DCERPC PnP QueryResConfList exploit attempt (netbios.rules)
  • 2002667 - ET WEB_SERVER sumthin scan (web_server.rules)
  • 2002721 - ET WEB_SERVER Cisco IOS HTTP set enable password attack (web_server.rules)
  • 2002844 - ET WEB_SERVER WebDAV search overflow (web_server.rules)
  • 2002864 - ET WEB_SERVER osCommerce extras/update.php disclosure (web_server.rules)
  • 2002900 - ET WEB_SERVER CGI AWstats Migrate Command Attempt (web_server.rules)
  • 2002925 - ET INAPPROPRIATE Google Image Search, Safe Mode Off (inappropriate.rules)
  • 2002971 - ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 1 Access Attempt (activex.rules)
  • 2003099 - ET WEB_SERVER Poison Null Byte (web_server.rules)
  • 2003158 - ET ACTIVEX Microsoft WMIScriptUtils.WMIObjectBroker object call CSLID (activex.rules)
  • 2003159 - ET ACTIVEX Microsoft VsmIDE.DTE object call CSLID (activex.rules)
  • 2003160 - ET ACTIVEX Microsoft DExplore.AppObj.8.0 object call CSLID (activex.rules)
  • 2003161 - ET ACTIVEX Microsoft VisualStudio.DTE.8.0 object call CSLID (activex.rules)
  • 2003162 - ET ACTIVEX Microsoft Microsoft.DbgClr.DTE.8.0 object call CSLID (activex.rules)
  • 2003163 - ET ACTIVEX Microsoft VsaIDE.DTE object call CSLID (activex.rules)
  • 2003164 - ET ACTIVEX Microsoft Business Object Factory object call CSLID (activex.rules)
  • 2003165 - ET ACTIVEX Microsoft Outlook Data Object object call CSLID (activex.rules)
  • 2003166 - ET ACTIVEX Microsoft Outlook.Application object call CSLID (activex.rules)
  • 2003329 - ET VOIP Centrality IP Phone (PA-168 Chipset) Session Hijacking (voip.rules)
  • 2003530 - ET HUNTING Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) (hunting.rules)
  • 2003536 - ET ATTACK_RESPONSE r57 phpshell source being uploaded (attack_response.rules)
  • 2007571 - ET POLICY Remote Desktop Connection via non RDP Port (policy.rules)
  • 2007653 - ET ATTACK_RESPONSE RFI Scanner detected (attack_response.rules)
  • 2007654 - ET ATTACK_RESPONSE C99 Modified phpshell detected (attack_response.rules)
  • 2007655 - ET ATTACK_RESPONSE lila.jpg phpshell detected (attack_response.rules)
  • 2007656 - ET ATTACK_RESPONSE ALBANIA id.php detected (attack_response.rules)
  • 2007657 - ET ATTACK_RESPONSE Mic22 id.php detected (attack_response.rules)
  • 2007715 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - user (attack_response.rules)
  • 2007717 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - pass (attack_response.rules)
  • 2007723 - ET ATTACK_RESPONSE Off-Port FTP Without Banners - retr (attack_response.rules)
  • 2007932 - ET ACTIVEX Symantec BackupExec Calendar Control (PVCalendar.ocx) BoF Vulnerability (activex.rules)
  • 2008062 - ET ACTIVEX Universal HTTP File Upload Remote File Deletetion (activex.rules)
  • 2008129 - ET ACTIVEX LEADTOOLS Multimedia Toolkit 15 Arbitrary Files Overwrite (activex.rules)
  • 2008207 - ET WEB_SERVER Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD) (web_server.rules)
  • 2008887 - ET ACTIVEX Microsoft XML Core Services DTD Cross Domain Information Disclosure clsid (activex.rules)
  • 2009033 - ET HUNTING Suspicious Executable (Win exe under 128) (hunting.rules)
  • 2009034 - ET HUNTING Suspicious Executable (PE offset 160) (hunting.rules)
  • 2009035 - ET HUNTING Suspicious Executable (PE offset 512) (hunting.rules)
  • 2009146 - ET ATTACK_RESPONSE Possible ASPXSpy Request (attack_response.rules)
  • 2009147 - ET ATTACK_RESPONSE Possible ASPXSpy Related Activity (attack_response.rules)
  • 2009295 - ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0) (hunting.rules)
  • 2009345 - ET ATTACK_RESPONSE HTTP 401 Unauthorized (attack_response.rules)
  • 2009346 - ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack (attack_response.rules)
  • 2009400 - ET ACTIVEX Microsoft Communications Control Clsid Access (activex.rules)
  • 2009401 - ET ACTIVEX Microgaming FlashXControl Control Clsid Access (activex.rules)
  • 2009402 - ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (1) (activex.rules)
  • 2009403 - ET ACTIVEX eBay Enhanced Picture Services Control Clsid Access (2) (activex.rules)
  • 2009404 - ET ACTIVEX HP Virtual Rooms Control Clsid Access (activex.rules)
  • 2009411 - ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt (activex.rules)
  • 2009484 - ET WEB_SERVER Cpanel lastvisit.html Arbitary file disclosure (web_server.rules)
  • 2009675 - ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response (attack_response.rules)
  • 2009799 - ET WEB_SERVER PHP Attack Tool Morfeus F Scanner - M (web_server.rules)
  • 2009868 - ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt (activex.rules)
  • 2010263 - ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 2 Access Attempt (activex.rules)
  • 2010264 - ET ACTIVEX Wmm2fxa.dll COM Object Instantiation Memory Corruption CLSID 3 Access Attempt (activex.rules)
  • 2010379 - ET WEB_SERVER JBOSS/JMX REMOTE WAR deployment attempt (POST) (web_server.rules)
  • 2010721 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Outbound (hunting.rules)
  • 2011015 - ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt (web_server.rules)
  • 2011223 - ET WEB_CLIENT Malvertising drive by kit encountered - Loading… (web_client.rules)
  • 2011291 - ET WEB_SERVER Asprox Spambot SQL-Injection Atempt (web_server.rules)
  • 2011759 - ET WEB_SERVER TIEHTTP User-Agent (web_server.rules)
  • 2011970 - ET CURRENT_EVENTS SWF served from /tmp/ (current_events.rules)
  • 2011978 - ET WEB_CLIENT MALVERTISING Alureon JavaScript IFRAME Redirect (web_client.rules)
  • 2012192 - ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt (activex.rules)
  • 2012231 - ET ACTIVEX Oracle Document Capture Insecure Read Method File Access Attempt (activex.rules)
  • 2012233 - ET ACTIVEX Oracle Document Capture File Overwrite Attempt (activex.rules)
  • 2012327 - ET HUNTING All Numerical .cn Domain Likely Malware Related (hunting.rules)
  • 2012525 - ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website (current_events.rules)
  • 2012526 - ET CURRENT_EVENTS Download of Microsoft Office File From Chinese Content-Language Website (current_events.rules)
  • 2012527 - ET CURRENT_EVENTS Download of PDF File From Russian Content-Language Website (current_events.rules)
  • 2012528 - ET CURRENT_EVENTS Download of PDF File From Chinese Content-Language Website (current_events.rules)
  • 2012529 - ET CURRENT_EVENTS WindowsLive Imposter Site WindowsLive.png (current_events.rules)
  • 2012530 - ET WEB_CLIENT WindowsLive Imposter Site Landing Page (web_client.rules)
  • 2012531 - ET CURRENT_EVENTS WindowsLive Imposter Site blt .png (current_events.rules)
  • 2012532 - ET CURRENT_EVENTS WindowsLive Imposter Site Payload Download (current_events.rules)
  • 2012614 - ET WEB_SERVER Internal WebServer Compromised By Lizamoon Mass SQL-Injection Attacks (web_server.rules)
  • 2012622 - ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile (current_events.rules)
  • 2012624 - ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client (current_events.rules)
  • 2012625 - ET CURRENT_EVENTS Potential Lizamoon Client Request /ur.php (current_events.rules)
  • 2012731 - ET WEB_CLIENT Likely Redirector to Exploit Page /in/rdrct/rckt/? (web_client.rules)
  • 2012767 - ET HUNTING Suspicious IAT HttpAddRequestHeader - Can Be Used For HTTP CnC (hunting.rules)
  • 2012768 - ET HUNTING Suspicious IAT ZwProtectVirtualMemory - Undocumented API Which Can be Used for Rootkit Functionality (hunting.rules)
  • 2012777 - ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP (hunting.rules)
  • 2012780 - ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging (hunting.rules)
  • 2012929 - ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt (activex.rules)
  • 2012997 - ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt (web_server.rules)
  • 2013010 - ET WEB_CLIENT Request to malicious info.php drive-by landing (web_client.rules)
  • 2013011 - ET WEB_CLIENT Malicious PHP 302 redirect response with avtor URI and cookie (web_client.rules)
  • 2013048 - ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable (current_events.rules)
  • 2013061 - ET WEB_CLIENT Sidename.js Injected Script Served by Local WebServer (web_client.rules)
  • 2013093 - ET CURRENT_EVENTS Clickfraud Framework Request (current_events.rules)
  • 2013094 - ET CURRENT_EVENTS Phoenix/Fiesta URI Requested Contains /? and hex (current_events.rules)
  • 2013130 - ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit (activex.rules)
  • 2013192 - ET WEB_CLIENT cssminibar.js Injected Script Served by Local WebServer (web_client.rules)
  • 2013244 - ET WEB_CLIENT Known Injected Credit Card Fraud Malvertisement Script (web_client.rules)
  • 2013328 - ET CURRENT_EVENTS DNS Query for Known Hostile Domain (gooqlepics .com) (current_events.rules)
  • 2013486 - ET WEB_CLIENT Phoenix landing page JAVASMB (web_client.rules)
  • 2013565 - ET ACTIVEX Tom Sawyer Software Possible Memory Corruption Attempt (activex.rules)
  • 2013978 - ET WEB_CLIENT Lilupophilupop Injected Script Being Served to Client (web_client.rules)
  • 2013979 - ET WEB_CLIENT Lilupophilupop Injected Script Being Served from Local Server (web_client.rules)
  • 2013996 - ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1 (current_events.rules)
  • 2013997 - ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2 (current_events.rules)
  • 2014038 - ET WEB_CLIENT MALVERTISING OpenX BrowserDetect.init Download (web_client.rules)
  • 2014039 - ET WEB_CLIENT MALVERTISING Alureon Malicious IFRAME (web_client.rules)
  • 2025469 - ET MALWARE Win32/DanijBot User-Agent (malware.rules)
  • 2026100 - ET MALWARE Aura Ransomware User-Agent (malware.rules)
  • 2034671 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)
  • 2034672 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)
  • 2034702 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)
  • 2034703 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)
  • 2034757 - ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034804 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034834 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034835 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034836 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2100308 - GPL FTP NextFTP client overflow (ftp.rules)
  • 2100339 - GPL FTP OpenBSD x86 ftpd (ftp.rules)
  • 2100340 - GPL FTP PWD overflow (ftp.rules)
  • 2100341 - GPL FTP XXXXX overflow (ftp.rules)
  • 2100360 - GPL FTP serv-u directory transversal (ftp.rules)
  • 2100489 - GPL FTP FTP no password (ftp.rules)
  • 2100491 - GPL FTP FTP Bad login (ftp.rules)
  • 2100543 - GPL FTP FTP ‘STOR 1MB’ possible warez site (ftp.rules)
  • 2100544 - GPL FTP FTP ‘RETR 1MB’ possible warez site (ftp.rules)
  • 2100545 - GPL FTP FTP 'CWD / ’ possible warez site (ftp.rules)
  • 2100546 - GPL FTP FTP 'CWD ’ possible warez site (ftp.rules)
  • 2100547 - GPL FTP MKD space space possible warez site (ftp.rules)
  • 2100548 - GPL FTP FTP ‘MKD .’ possible warez site (ftp.rules)
  • 2100553 - GPL FTP FTP anonymous login attempt (ftp.rules)
  • 2100554 - GPL FTP MKD / possible warez site (ftp.rules)
  • 2100556 - GPL P2P Outbound GNUTella client request (p2p.rules)
  • 2100567 - GPL SMTP SMTP relaying denied (smtp.rules)
  • 2100631 - GPL SMTP ehlo cybercop attempt (smtp.rules)
  • 2100632 - GPL SMTP expn cybercop attempt (smtp.rules)
  • 2100716 - GPL TELNET TELNET access (telnet.rules)
  • 2100721 - GPL SMTP OUTBOUND bad file attachment (smtp.rules)
  • 2100909 - GPL WEB_SERVER datasource username attempt (web_server.rules)
  • 2100919 - GPL WEB_SERVER datasource password attempt (web_server.rules)
  • 2100920 - GPL WEB_SERVER datasource attempt (web_server.rules)
  • 2100923 - GPL WEB_SERVER getodbcin attempt (web_server.rules)
  • 2100937 - GPL WEB_SERVER _vti_rpc access (web_server.rules)
  • 2100971 - GPL WEB_SERVER ISAPI .printer access (web_server.rules)
  • 2100988 - GPL WEB_SERVER SAM Attempt (web_server.rules)
  • 2101023 - GPL WEB_SERVER msadcs.dll access (web_server.rules)
  • 2101056 - GPL WEB_SERVER Tomcat view source attempt (web_server.rules)
  • 2101110 - GPL WEB_SERVER apache source.asp file access (web_server.rules)
  • 2101118 - GPL WEB_SERVER ls%20-l (web_server.rules)
  • 2101122 - GPL WEB_SERVER /etc/passwd (web_server.rules)
  • 2101156 - GPL WEB_SERVER apache directory disclosure attempt (web_server.rules)
  • 2101236 - GPL WEB_SERVER Tomcat sourcecode view attempt 3 (web_server.rules)
  • 2101237 - GPL WEB_SERVER Tomcat sourcecode view attempt 2 (web_server.rules)
  • 2101238 - GPL WEB_SERVER Tomcat sourcecode view attempt 1 (web_server.rules)
  • 2101285 - GPL WEB_SERVER msdac access (web_server.rules)
  • 2101288 - GPL WEB_SERVER /_vti_bin/ access (web_server.rules)
  • 2101311 - GPL INAPPROPRIATE hardcore anal (inappropriate.rules)
  • 2101313 - GPL INAPPROPRIATE up skirt (inappropriate.rules)
  • 2101315 - GPL INAPPROPRIATE hot young sex (inappropriate.rules)
  • 2101316 - GPL INAPPROPRIATE fuck fuck fuck (inappropriate.rules)
  • 2101317 - GPL INAPPROPRIATE anal sex (inappropriate.rules)
  • 2101318 - GPL INAPPROPRIATE hardcore rape (inappropriate.rules)
  • 2101320 - GPL INAPPROPRIATE fuck movies (inappropriate.rules)
  • 2101328 - GPL WEB_SERVER /bin/ps command attempt (web_server.rules)
  • 2101332 - GPL WEB_SERVER /usr/bin/id command attempt (web_server.rules)
  • 2101349 - GPL WEB_SERVER bin/python access attempt (web_server.rules)
  • 2101355 - GPL WEB_SERVER /usr/bin/perl execution attempt (web_server.rules)
  • 2101368 - GPL WEB_SERVER /bin/ls| command attempt (web_server.rules)
  • 2101369 - GPL WEB_SERVER /bin/ls command attempt (web_server.rules)
  • 2101370 - GPL WEB_SERVER /etc/inetd.conf access (web_server.rules)
  • 2101371 - GPL WEB_SERVER /etc/motd access (web_server.rules)
  • 2101445 - GPL FTP FTP file_id.diz access possible warez site (ftp.rules)
  • 2101449 - GPL FTP FTP anonymous ftp login attempt (ftp.rules)
  • 2101450 - GPL SMTP expn *@ (smtp.rules)
  • 2101489 - GPL WEB_SERVER /~nobody access (web_server.rules)
  • 2101530 - GPL FTP format string attempt (ftp.rules)
  • 2101625 - GPL FTP large SYST command (ftp.rules)
  • 2101662 - GPL WEB_SERVER /~ftp access (web_server.rules)
  • 2101699 - GPL P2P Fastrack kazaa/morpheus traffic (p2p.rules)
  • 2101738 - GPL WEB_SERVER global.inc access (web_server.rules)
  • 2101777 - GPL FTP STAT * dos attempt (ftp.rules)
  • 2101778 - GPL FTP STAT ? dos attempt (ftp.rules)
  • 2101809 - GPL WEB_SERVER Apache Chunked-Encoding worm attempt (web_server.rules)
  • 2101817 - GPL WEB_SERVER MS Site Server default login attempt (web_server.rules)
  • 2101818 - GPL WEB_SERVER MS Site Server admin attempt (web_server.rules)
  • 2101833 - GPL INAPPROPRIATE naked lesbians (inappropriate.rules)
  • 2101837 - GPL INAPPROPRIATE alt.binaries.pictures.tinygirls (inappropriate.rules)
  • 2101847 - GPL WEB_SERVER webalizer access (web_server.rules)
  • 2101852 - GPL WEB_SERVER robots.txt access (web_server.rules)
  • 2101857 - GPL WEB_SERVER robot.txt access (web_server.rules)
  • 2101971 - GPL FTP SITE EXEC format string attempt (ftp.rules)
  • 2102056 - GPL WEB_SERVER TRACE attempt (web_server.rules)
  • 2102091 - GPL WEB_SERVER WEBDAV nessus safe scan attempt (web_server.rules)
  • 2102121 - GPL POP3 DELE negative argument attempt (pop3.rules)
  • 2102122 - GPL POP3 UIDL negative argument attempt (pop3.rules)
  • 2102131 - GPL WEB_SERVER IISProtect access (web_server.rules)
  • 2102178 - GPL FTP USER format string attempt (ftp.rules)
  • 2102179 - GPL FTP PASS format string attempt (ftp.rules)
  • 2102250 - GPL POP3 USER format string attempt (pop3.rules)
  • 2102332 - GPL FTP MKDIR format string attempt (ftp.rules)
  • 2102333 - GPL FTP RENAME format string attempt (ftp.rules)
  • 2102417 - GPL FTP format string attempt (ftp.rules)
  • 2102485 - GPL ACTIVEX Norton antivirus sysmspam.dll load attempt (activex.rules)
  • 2102574 - GPL FTP RETR format string attempt (ftp.rules)
  • 2102666 - GPL POP3 PASS format string attempt (pop3.rules)
  • 2103062 - GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access (web_specific_apps.rules)
  • 2103148 - GPL ACTIVEX winhelp clsid attempt (activex.rules)
  • 2103272 - GPL WORM mydoom.a backdoor upload/execute attempt (worm.rules)
  • 2103460 - GPL FTP REST with numeric argument (ftp.rules)
  • 2800004 - ETPRO SMTP Microsoft Outlook Express MHTML URL Processing Vulnerability (smtp.rules)
  • 2800008 - ETPRO WEB_SERVER PHP memory_limit Exploit Attempt (web_server.rules)
  • 2800058 - ETPRO TELNET Microsoft Telnet Client Information Disclosure (telnet.rules)
  • 2800062 - ETPRO SMTP Microsoft Exchange Server iCal Properties Handling Denial of Service (smtp.rules)
  • 2800075 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800076 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800077 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800078 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800079 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800080 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800081 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800082 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800083 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800084 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800085 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800086 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800087 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800088 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800152 - ETPRO ACTIVEX Microsoft Windows MFC Library FileFind Class Heap Overflow (activex.rules)
  • 2800244 - ETPRO NETBIOS Microsoft Windows Message Queuing Service RPC Bind Little (netbios.rules)
  • 2800249 - ETPRO NETBIOS Microsoft Windows Message Queuing Service RPC Bind Big (netbios.rules)
  • 2800254 - ETPRO WEB_SERVER Apache mod_imap and mod_imagemap Module Cross-Site Scripting (web_server.rules)
  • 2800262 - ETPRO ACTIVEX Macrovision InstallShield Update Service (activex.rules)
  • 2800264 - ETPRO ACTIVEX Macrovision InstallShield Update Service isusweb.dll (SDWUSWebAgent) (activex.rules)
  • 2800270 - ETPRO SQL SAP MaxDB Remote Arbitrary Commands Execution (sql.rules)
  • 2800273 - ETPRO ACTIVEX Microsoft Rich Textbox Control SaveFile Insecure Method Arbitrary File Overwrite (activex.rules)
  • 2800274 - ETPRO ACTIVEX Microsoft Rich Textbox Control SaveFile Insecure Method Arbitrary File Overwrite (activex.rules)
  • 2800275 - ETPRO ACTIVEX Microsoft Rich Textbox Control SaveFile Insecure Method Arbitrary File Overwrite (activex.rules)
  • 2800276 - ETPRO ACTIVEX Microsoft Rich Textbox Control SaveFile Insecure Method Arbitrary File Overwrite (activex.rules)
  • 2800373 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Bind (netbios.rules)
  • 2800374 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Request (netbios.rules)
  • 2800375 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Integer Overflow (netbios.rules)
  • 2800401 - ETPRO NETBIOS Samba Root File System Access Security Bypass 1 (netbios.rules)
  • 2800402 - ETPRO NETBIOS Samba Root File System Access Security Bypass 2 (netbios.rules)
  • 2800430 - ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service (sql.rules)
  • 2800431 - ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service (sql.rules)
  • 2800518 - ETPRO NETBIOS Microsoft Windows SMBv2 Infinite Loop Denial of Service (netbios.rules)
  • 2800519 - ETPRO NETBIOS Microsoft Windows SMBv2 Infinite Loop Denial of Service (netbios.rules)
  • 2800540 - ETPRO SQL Oracle TimesTen In-Memory Database HTTP Request Denial of Service (sql.rules)
  • 2800568 - ETPRO WEB_SERVER HP Performance Manager Apache Tomcat Policy Bypass (web_server.rules)
  • 2800569 - ETPRO WEB_SERVER Microsoft SharePoint Server Help.aspx Denial of Service 1 (web_server.rules)
  • 2800570 - ETPRO WEB_SERVER Microsoft SharePoint Server Help.aspx Denial of Service 2 (web_server.rules)
  • 2800573 - ETPRO WEB_SERVER Microsoft IIS Directory Authentication Security Bypass (web_server.rules)
  • 2800624 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800625 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption Imjpcksid.dll (activex.rules)
  • 2800626 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption Imjpskdic.dll (activex.rules)
  • 2800743 - ETPRO ACTIVEX Microsoft Internet Explorer daxctle.ocx KeyFrame Method Memory Corruption (activex.rules)
  • 2800756 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 1 (activex.rules)
  • 2800757 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 2 (activex.rules)
  • 2800758 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 3 (activex.rules)
  • 2800759 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 4 (activex.rules)
  • 2800760 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 5 (activex.rules)
  • 2800761 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 6 (activex.rules)
  • 2800762 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 7 (activex.rules)
  • 2800763 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 8 (activex.rules)
  • 2800764 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 9 (activex.rules)
  • 2800765 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption - 10 (activex.rules)
  • 2800769 - ETPRO ACTIVEX Misc Microsoft Internet Explorer COM Object Instantiation Memory Corruption 13 (activex.rules)
  • 2800770 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption 14 (activex.rules)
  • 2800771 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption 15 (activex.rules)
  • 2800772 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption 16 (activex.rules)
  • 2800773 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption 17 (activex.rules)
  • 2800780 - ETPRO ACTIVEX Microsoft Design Tools msdds.dll Memory Corruption (activex.rules)
  • 2800798 - ETPRO WEB_SERVER Microsoft IIS Repeated Parameter Request Denial Of Service (web_server.rules)
  • 2801015 - ETPRO SCADA CONTROL MICROSYSTEMS (Event 20) Function Not Available Error (scada.rules)
  • 2801042 - ETPRO SCADA GE Event Log Display Detected (scada.rules)
  • 2801043 - ETPRO SCADA GE (Event 51)Clear Audit Log Attempt (scada.rules)
  • 2801056 - ETPRO SCADA DIRECTLOGIC (Event 47)Device Poll All (scada.rules)
  • 2801057 - ETPRO SCADA DIRECTLOGIC (Event 15) Station Number Error (scada.rules)
  • 2801058 - ETPRO SCADA DIRECTLOGIC (Event 20) Function Not Available (scada.rules)
  • 2801059 - ETPRO SCADA DIRECTLOGIC (Event 21) Point Not Available (scada.rules)
  • 2801078 - ETPRO SCADA DIRECTLOGIC (Event 11) Unlock PLC Attempt (scada.rules)
  • 2801105 - ETPRO SCADA PROSOFT (Event 15) Station Number Error (scada.rules)
  • 2801106 - ETPRO SCADA PROSOFT (Event 21) Point Not Available (scada.rules)
  • 2801128 - ETPRO SCADA SCHWEITZER SEL2032-Date Command Detected (scada.rules)
  • 2801131 - ETPRO SCADA SCHWEITZER SEL2032-Potential Login Attempt (scada.rules)
  • 2801132 - ETPRO SCADA SCHWEITZER SEL2032-Level 1 Successful Login (scada.rules)
  • 2801133 - ETPRO SCADA SCHWEITZER SEL2032-Level 2 Successful Login (scada.rules)
  • 2801179 - ETPRO ACTIVEX Microsoft Internet Explorer HTML Object Memory Corruption (activex.rules)
  • 2801304 - ETPRO POP3 Inetserv 3.23 POP3 DoS (pop3.rules)
  • 2801305 - ETPRO POP3 Inetserv 3.23 POP3 DoS (RETR) (pop3.rules)
  • 2801306 - ETPRO POP3 Inetserv 3.23 POP3 DoS (DELE) (pop3.rules)
  • 2801504 - ETPRO NETBIOS Multiple Load Library Vulns wintab32.dll - SMB-DS ASCII (netbios.rules)
  • 2801505 - ETPRO NETBIOS Multiple Load Library Vulns wintab32.dll - SMB-DS Unicode (netbios.rules)
  • 2801506 - ETPRO NETBIOS Multiple Load Library Vulns wintab32.dll - SMB ASCII (netbios.rules)
  • 2801507 - ETPRO NETBIOS Multiple Load Library Vulns wintab32.dll - SMB Unicode (netbios.rules)
  • 2801552 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB-DS Unicode (netbios.rules)
  • 2801553 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB-DS ASCII (netbios.rules)
  • 2801554 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB Unicode (netbios.rules)
  • 2801555 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB ASCII (netbios.rules)
  • 2801680 - ETPRO SCADA DNP3 Disable Unsolicited Responses (scada.rules)
  • 2801683 - ETPRO SCADA DNP3 Cold Restart From Authorized Client (scada.rules)
  • 2801684 - ETPRO SCADA DNP3 Cold Restart From Unauthorized Client (scada.rules)
  • 2801685 - ETPRO SCADA DNP3 Unauthorized Read Request to a PLC (scada.rules)
  • 2801686 - ETPRO SCADA DNP3 Unauthorized Write Request to a PLC (scada.rules)
  • 2801687 - ETPRO SCADA DNP3 Unauthorized Miscellaneous Request to a PLC (scada.rules)
  • 2801688 - ETPRO SCADA DNP3 Stop Application (scada.rules)
  • 2801689 - ETPRO SCADA DNP3 Warm Restart (scada.rules)
  • 2801690 - ETPRO SCADA DNP3 Broadcast Request from Authorized Client (scada.rules)
  • 2801691 - ETPRO SCADA DNP3 Broadcast Request from Unauthorized Client (scada.rules)
  • 2801700 - ETPRO SCADA_SPECIAL DNP3 Unauthorized Write Request to a PLC (scada_special.rules)
  • 2801701 - ETPRO SCADA_SPECIAL DNP3 Unauthorized Miscellaneous Request to a PLC (scada_special.rules)
  • 2801704 - ETPRO SCADA_SPECIAL DNP3 Broadcast Request from Authorized Client (scada_special.rules)
  • 2801705 - ETPRO SCADA_SPECIAL DNP3 Broadcast Request from Unauthorized Client (scada_special.rules)
  • 2801710 - ETPRO SCADA Modbus TCP Force Listen Only Mode (scada.rules)
  • 2801711 - ETPRO SCADA Modbus TCP Restart Communications Option (scada.rules)
  • 2801712 - ETPRO SCADA Modbus TCP Clear Counters and Diagnostic Registers (scada.rules)
  • 2801713 - ETPRO SCADA Modbus TCP Read Device Identification (scada.rules)
  • 2801714 - ETPRO SCADA Modbus TCP Report Server Information (scada.rules)
  • 2801715 - ETPRO SCADA Modbus TCP Unauthorized Read Request to a PLC (scada.rules)
  • 2801716 - ETPRO SCADA Modbus TCP Unauthorized Write Request to a PLC (scada.rules)
  • 2802023 - ETPRO ACTIVEX Vulnerable IE8 Developer Toolkit COM Object Use (activex.rules)
  • 2802024 - ETPRO ACTIVEX Vulnerable WBEM.SingleView.1 Object clsid Access (activex.rules)
  • 2802030 - ETPRO ACTIVEX Vulnerable Windows Messenger Service clsid Access (activex.rules)
  • 2802176 - ETPRO NETBIOS WINS Replication 4 byte Read Prior to Buffer Exploit Attempt (netbios.rules)
  • 2802834 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 1 (smtp.rules)
  • 2802835 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 2 (smtp.rules)
  • 2802836 - ETPRO SMTP Postfix SASL AUTH Handle Reuse Memory Corruption(Published Exploit) 3 (smtp.rules)
  • 2802968 - ETPRO ACTIVEX Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption 1 (activex.rules)
  • 2802969 - ETPRO ACTIVEX Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption 2 (activex.rules)
  • 2802970 - ETPRO ACTIVEX Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption 3 (activex.rules)
  • 2802988 - ETPRO NETBIOS Malformed Distributed File System (DFS) Response Attack (netbios.rules)
  • 2802997 - ETPRO NETBIOS Client GET_DFS_REFERRAL Request Flowbit Set (netbios.rules)
  • 2802998 - ETPRO NETBIOS Microsoft DFS Server Hostname Length Absent in DFS Referral Response - Likely Attack (netbios.rules)
  • 2803001 - ETPRO NETBIOS Microsoft SMBv2 0-Length Write Request Parsing Vulnerability Attack (netbios.rules)
  • 2803002 - ETPRO NETBIOS Microsoft SMBv2-DS 0-Length Write Request Parsing Vulnerability Attack (netbios.rules)
  • 2803003 - ETPRO NETBIOS Microsoft SMBv2 Negative EOF Create Response Parsing Vulnerability Attack (netbios.rules)
  • 2803004 - ETPRO NETBIOS Microsoft SMBv2-DS Negative EOF Create Response Parsing Vulnerability Attack (netbios.rules)
  • 2803073 - ETPRO WEB_SERVER Oracle Web Server Expect Header Cross-Site Scripting (web_server.rules)
  • 2803106 - ETPRO DNS ISC BIND RRSIG RRsets Denial of Service TCP 1 (dns.rules)
  • 2803281 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspot_compiler) - SMB-DS ASCII (netbios.rules)
  • 2803282 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspot_compiler) - SMB-DS Unicode (netbios.rules)
  • 2803283 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspot_compiler) - SMB ASCII (netbios.rules)
  • 2803284 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspot_compiler) - SMB Unicode (netbios.rules)
  • 2803285 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspotrc) - SMB-DS ASCII (netbios.rules)
  • 2803286 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspotrc) - SMB-DS Unicode (netbios.rules)
  • 2803287 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspotrc) - SMB Unicode (netbios.rules)
  • 2803288 - ETPRO NETBIOS Oracle Java Runtime Environment Insecure File Loading (hotspotrc) - SMB ASCII (netbios.rules)
  • 2803376 - ETPRO WEB_SERVER Microsoft .NET Framework ChartControl Information Disclosure Attempt (web_server.rules)
  • 2803377 - ETPRO WEB_SERVER Microsoft Report Viewer control Cross-Site Scripting (web_server.rules)
  • 2803407 - ETPRO NETBIOS Microsoft Internet Explorer url.dll Telnet Handler Insecure Exe Loading - SMB ASCII (netbios.rules)
  • 2803408 - ETPRO NETBIOS Microsoft Internet Explorer url.dll Telnet Handler Insecure Exe Loading - SMB-DS ASCII (netbios.rules)
  • 2803409 - ETPRO NETBIOS Microsoft Internet Explorer url.dll Telnet Handler Insecure Exe Loading - SMB Unicode (netbios.rules)
  • 2803410 - ETPRO NETBIOS Microsoft Internet Explorer url.dll Telnet Handler Insecure Exe Loading - SMB-DS Unicode (netbios.rules)
  • 2803645 - ETPRO WEB_SERVER Microsoft SharePoint Remote File Disclosure Upload Inbound (web_server.rules)
  • 2803646 - ETPRO WEB_SERVER Microsoft SharePoint Remote File Disclosure Access (web_server.rules)
  • 2803730 - ETPRO WEB_SERVER Microsoft SharePoint XML Handling Remote File Disclosure (Published Exploit) (web_server.rules)
  • 2803964 - ETPRO SCADA IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS - SET (scada.rules)
  • 2803983 - ETPRO ACTIVEX Oracle Hyperion Strategic Finance 12.x Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow (activex.rules)
  • 2804075 - ETPRO SCADA Siemens Automation License Manager Service Exception attempt 1 (scada.rules)
  • 2804077 - ETPRO SCADA Siemens Automation License Manager Service Exception attempt 2 (scada.rules)
  • 2833765 - ETPRO MALWARE OilRig BONDUPDATER C2 via DNS (malware.rules)
  • 2835138 - ETPRO MALWARE FinderBot User-Agent (nnn/) (malware.rules)
  • 2837411 - ETPRO ATTACK_RESPONSE Metasploit Meterpreter Reverse HTTPS Certificate Observed M58 (attack_response.rules)
  • 2839439 - ETPRO MALWARE Observed Mirai Variant UA (system_file/2.0) (malware.rules)