Ruleset Update Summary - 2025/01/09 - v10834

Ruleset Updates
1

Summary:

38 new OPEN, 40 new PRO (38 + 2)

Added rules:

Open:

  • 2059079 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (bingazo .digital) (exploit_kit.rules)
  • 2059080 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (mffaccessories .com) (exploit_kit.rules)
  • 2059081 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (bingazo .digital) (exploit_kit.rules)
  • 2059082 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (mffaccessories .com) (exploit_kit.rules)
  • 2059083 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (exodvs .com) (exploit_kit.rules)
  • 2059084 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (exodvs .com) (exploit_kit.rules)
  • 2059085 - ET MALWARE Konni APT CnC Checkin (GET) (malware.rules)
  • 2059086 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .static .buyweatherstriponline .com) (malware.rules)
  • 2059087 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .static .buyweatherstriponline .com) (malware.rules)
  • 2059088 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skidjazzyric .click) (malware.rules)
  • 2059089 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (skidjazzyric .click in TLS SNI) (malware.rules)
  • 2059090 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stomachyumem .cyou) (malware.rules)
  • 2059091 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stomachyumem .cyou in TLS SNI) (malware.rules)
  • 2059092 - ET EXPLOIT_KIT CC Skimmer Domain in DNS Lookup (chartzend .com) (exploit_kit.rules)
  • 2059093 - ET EXPLOIT_KIT CC Skimmer Domain in TLS Lookup (chartzend .com) (exploit_kit.rules)
  • 2059094 - ET WEB_SPECIFIC_APPS [Perch Security] Nagios XI Web SSH Terminal sshterm Cross-Site Scripting (CVE-2021-25299) (web_specific_apps.rules)
  • 2059095 - ET WEB_SPECIFIC_APPS Ivanti Connect Secure Host Checker Recon (CVE-2025-0282) (web_specific_apps.rules)
  • 2059096 - ET MALWARE PHASEJAM Web Shell Activity Observed M1 (malware.rules)
  • 2059097 - ET MALWARE PHASEJAM Web Shell Activity Observed M2 (malware.rules)
  • 2059098 - ET INFO SMBv2 Protocol Negotiation Observed (info.rules)
  • 2059099 - ET INFO SMBv2 Protocol Session Setup Observed (info.rules)
  • 2059100 - ET INFO SMBv2 Protocol Session Logoff Observed (info.rules)
  • 2059101 - ET INFO SMBv2 Protocol Tree Connect Observed (info.rules)
  • 2059102 - ET INFO SMBv2 Protocol Tree Disconnect Observed (info.rules)
  • 2059103 - ET INFO SMBv2 Protocol Create Operation Observed (info.rules)
  • 2059104 - ET INFO SMBv2 Protocol Close Operation Observed (info.rules)
  • 2059105 - ET INFO SMBv2 Protocol Flush Operation Observed (info.rules)
  • 2059106 - ET INFO SMBv2 Protocol Read Operation Observed (info.rules)
  • 2059107 - ET INFO SMBv2 Protocol Write Operation Observed (info.rules)
  • 2059108 - ET INFO SMBv2 Protocol Lock Operation Observed (info.rules)
  • 2059109 - ET INFO SMBv2 Protocol Ioctl Operation Observed (info.rules)
  • 2059110 - ET INFO SMBv2 Protocol Cancel Operation Observed (info.rules)
  • 2059111 - ET INFO SMBv2 Protocol KeepAlive Operation Observed (info.rules)
  • 2059112 - ET INFO SMBv2 Protocol Find Operation Observed (info.rules)
  • 2059113 - ET INFO SMBv2 Protocol Notify Operation Observed (info.rules)
  • 2059114 - ET INFO SMBv2 Protocol GetInfo Operation Observed (info.rules)
  • 2059115 - ET INFO SMBv2 Protocol SetInfo Operation Observed (info.rules)
  • 2059116 - ET INFO SMBv2 Protocol Break Operation Observed (info.rules)

Pro:

  • 2859558 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859559 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)