Summary:
33 new OPEN, 49 new PRO (33 + 16)
Added rules:
Open:
- 2059299 - ET WEB_SPECIFIC_APPS phpGACL acl_admin action Parameter Reflected Cross-Site Scripting (CVE-2020-13562) (web_specific_apps.rules)
- 2059300 - ET WEB_SPECIFIC_APPS phpGACL assign_group group_id Parameter Reflected Cross-Site Scripting (CVE-2020-13563) (web_specific_apps.rules)
- 2059301 - ET WEB_SPECIFIC_APPS phpGACL acl_admin acl_id Parameter Reflected Cross-Site Scripting (CVE-2020-13564) (web_specific_apps.rules)
- 2059302 - ET WEB_SPECIFIC_APPS WordPress Limit Login Attempts Plugin Stored Cross Site Scripting (CVE-2023-1861) (web_specific_apps.rules)
- 2059303 - ET WEB_SPECIFIC_APPS Apache ActiveMQ Web Console message jsp Cross-Site Scripting (CVE-2020-13947) M1 (web_specific_apps.rules)
- 2059304 - ET WEB_SPECIFIC_APPS Apache ActiveMQ Web Console message jsp Cross-Site Scripting (CVE-2020-13947) M2 (web_specific_apps.rules)
- 2059305 - ET WEB_SPECIFIC_APPS Apache Superset Markdown Component Stored Cross-Site Scripting (CVE-2021-27907) M1 (web_specific_apps.rules)
- 2059306 - ET WEB_SPECIFIC_APPS Apache Superset Markdown Component Stored Cross-Site Scripting (CVE-2021-27907) M2 (web_specific_apps.rules)
- 2059307 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (kuishang .top) (exploit_kit.rules)
- 2059308 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nfwatches .top) (exploit_kit.rules)
- 2059309 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (kuishang .top) (exploit_kit.rules)
- 2059310 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nfwatches .top) (exploit_kit.rules)
- 2059311 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bustlingwakef .click) (malware.rules)
- 2059312 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bustlingwakef .click in TLS SNI) (malware.rules)
- 2059313 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (crowsudysto .shop) (malware.rules)
- 2059314 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (crowsudysto .shop in TLS SNI) (malware.rules)
- 2059315 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (feerdaiks .biz) (malware.rules)
- 2059316 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (feerdaiks .biz in TLS SNI) (malware.rules)
- 2059317 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impresnyb .cyou) (malware.rules)
- 2059318 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impresnyb .cyou in TLS SNI) (malware.rules)
- 2059319 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (seekwiggleuz .shop) (malware.rules)
- 2059320 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (seekwiggleuz .shop in TLS SNI) (malware.rules)
- 2059321 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (skatestringje .click) (malware.rules)
- 2059322 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (skatestringje .click in TLS SNI) (malware.rules)
- 2059323 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stewwybravez .click) (malware.rules)
- 2059324 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stewwybravez .click in TLS SNI) (malware.rules)
- 2059325 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (unwrittenuzy .shop) (malware.rules)
- 2059326 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (unwrittenuzy .shop in TLS SNI) (malware.rules)
- 2059327 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (uprootquincju .shop) (malware.rules)
- 2059328 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (uprootquincju .shop in TLS SNI) (malware.rules)
- 2059329 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (welltodobaoz .shop) (malware.rules)
- 2059330 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (welltodobaoz .shop in TLS SNI) (malware.rules)
- 2059331 - ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 (malware.rules)
Pro:
- 2859373 - ETPRO HUNTING HTTP POST Request with Attempted Directory Traversal Inbound (hunting.rules)
- 2859622 - ETPRO EXPLOIT_KIT FoxTDS Initial Check (exploit_kit.rules)
- 2859623 - ETPRO EXPLOIT_KIT FoxTDS Filtered Locked (exploit_kit.rules)
- 2859624 - ETPRO EXPLOIT_KIT FoxTDS Filtered Blacklisted (exploit_kit.rules)
- 2859625 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859626 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
- 2859627 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2859628 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2859629 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2859630 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2859631 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2859632 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2859633 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2859634 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2859635 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2859636 - ETPRO MALWARE Vidar/StealC CnC Exfil via SQL Database (POST) (malware.rules)
Disabled and modified rules:
- 2059291 - ET EXPLOIT_KIT Malicious TDS Domain in DNS Lookup (cdn1 .massearchtraffic .top) (exploit_kit.rules)
- 2059292 - ET EXPLOIT_KIT Malicious TDS Domain in TLS SNI (cdn1 .massearchtraffic .top) (exploit_kit.rules)
Removed rules:
- 2859373 - ETPRO WEB_SPECIFIC_APPS HTTP POST Request with Attempted Directory Traversal Inbound (web_specific_apps.rules)