Ruleset Update Summary - 2025/01/22 - v10843

rulesbot · January 22, 2025, 9:31pm

Summary:

75 new OPEN, 94 new PRO (75 + 19)

Added rules:

Open:

2059376 - ET DOS Possible Brute Force Attack Using FastHTTP (dos.rules)
2059391 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (notifyfrogger .top) (malware.rules)
2059392 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (notifyfrogger .top in TLS SNI) (malware.rules)
2059393 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (conquemappe .bond) (malware.rules)
2059394 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (conquemappe .bond in TLS SNI) (malware.rules)
2059395 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (learnyprocce .bond) (malware.rules)
2059396 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (learnyprocce .bond in TLS SNI) (malware.rules)
2059397 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cowertbabei .bond) (malware.rules)
2059398 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cowertbabei .bond in TLS SNI) (malware.rules)
2059399 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (elfinyamen .bond) (malware.rules)
2059400 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (elfinyamen .bond in TLS SNI) (malware.rules)
2059401 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ceaselessarogg .shop) (malware.rules)
2059402 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ceaselessarogg .shop in TLS SNI) (malware.rules)
2059403 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yuriy-gagarin .com) (malware.rules)
2059404 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yuriy-gagarin .com in TLS SNI) (malware.rules)
2059405 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vladimir-ulyanov .com) (malware.rules)
2059406 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vladimir-ulyanov .com in TLS SNI) (malware.rules)
2059407 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (nikolay-romanov .su) (malware.rules)
2059408 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (nikolay-romanov .su in TLS SNI) (malware.rules)
2059409 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carfeuspitt .bond) (malware.rules)
2059410 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (carfeuspitt .bond in TLS SNI) (malware.rules)
2059411 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (noxiuos-utopi .bond) (malware.rules)
2059412 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (noxiuos-utopi .bond in TLS SNI) (malware.rules)
2059413 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (moonehobno .bond) (malware.rules)
2059414 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (moonehobno .bond in TLS SNI) (malware.rules)
2059415 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rainy-lamep .bond) (malware.rules)
2059416 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rainy-lamep .bond in TLS SNI) (malware.rules)
2059417 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (idioticgoodev .top) (malware.rules)
2059418 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (idioticgoodev .top in TLS SNI) (malware.rules)
2059419 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immolatechallen .bond) (malware.rules)
2059420 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (immolatechallen .bond in TLS SNI) (malware.rules)
2059421 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (impolitewearr .biz) (malware.rules)
2059422 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (impolitewearr .biz in TLS SNI) (malware.rules)
2059423 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) (malware.rules)
2059424 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) (malware.rules)
2059425 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lightdeerysua .biz) (malware.rules)
2059426 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lightdeerysua .biz in TLS SNI) (malware.rules)
2059427 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (suggestyuoz .biz) (malware.rules)
2059428 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (suggestyuoz .biz in TLS SNI) (malware.rules)
2059429 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hoursuhouy .biz) (malware.rules)
2059430 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hoursuhouy .biz in TLS SNI) (malware.rules)
2059431 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mixedrecipew .biz) (malware.rules)
2059432 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mixedrecipew .biz in TLS SNI) (malware.rules)
2059433 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (pleasedcfrown .biz) (malware.rules)
2059434 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (pleasedcfrown .biz in TLS SNI) (malware.rules)
2059435 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (affordtempyo .biz) (malware.rules)
2059436 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (affordtempyo .biz in TLS SNI) (malware.rules)
2059437 - ET WEB_SPECIFIC_APPS Progress WhatsUp Gold SnmpExtendedActiveMonitor Path Traversal Vulnerability (CVE-2024-12105) (web_specific_apps.rules)
2059438 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (liveskortv .icu) (exploit_kit.rules)
2059439 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (viagrapillerpris .top) (exploit_kit.rules)
2059440 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (liveskortv .icu) (exploit_kit.rules)
2059441 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (viagrapillerpris .top) (exploit_kit.rules)
2059442 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vglweb .com) (exploit_kit.rules)
2059443 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vglweb .com) (exploit_kit.rules)
2059444 - ET WEB_SPECIFIC_APPS Nuuo NVRmini/NVRsolo handle_import_user.php Unauthenticated Remote Code Execution Attempt (CVE-2022-23227) (web_specific_apps.rules)
2059445 - ET MALWARE Win32/SocGholish CnC Domain in DNS Lookup (* .app .andredenault .com) (malware.rules)
2059446 - ET MALWARE Win32/SocGholish CnC Domain in TLS SNI (* .app .andredenault .com) (malware.rules)
2059447 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (abaft-taboo .bond) (malware.rules)
2059448 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (abaft-taboo .bond in TLS SNI) (malware.rules)
2059449 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (avoidspaderik .shop) (malware.rules)
2059450 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (avoidspaderik .shop in TLS SNI) (malware.rules)
2059451 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (boilyroose .shop) (malware.rules)
2059452 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (boilyroose .shop in TLS SNI) (malware.rules)
2059453 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (comptetscant .shop) (malware.rules)
2059454 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (comptetscant .shop in TLS SNI) (malware.rules)
2059455 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (yndo-pepper .bond) (malware.rules)
2059456 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (yndo-pepper .bond in TLS SNI) (malware.rules)
2059457 - ET INFO DYNAMIC_DNS Query to a * .fortiddns .com Domain (info.rules)
2059458 - ET INFO DYNAMIC_DNS HTTP Request to a * .fortiddns .com Domain (info.rules)
2059459 - ET INFO DYNAMIC_DNS Query to a * .float-zone .com Domain (info.rules)
2059460 - ET INFO DYNAMIC_DNS HTTP Request to a * .float-zone .com Domain (info.rules)
2059461 - ET INFO DYNAMIC_DNS Query to a * .fortidyndns .com Domain (info.rules)
2059462 - ET INFO DYNAMIC_DNS HTTP Request to a * .fortidyndns .com Domain (info.rules)
2059463 - ET WEB_SPECIFIC_APPS Axis Communications Security Camera Command Injection Attempt (CVE-2018-10660) M1 (web_specific_apps.rules)
2059464 - ET WEB_SPECIFIC_APPS Axis Communications Security Camera Command Injection Attempt (CVE-2018-10660, CVE-2018-10661, CVE-2018-10662) M2 (web_specific_apps.rules)

Pro:

2859756 - ETPRO HUNTING Windows OLE Remote Code Execution (CVE-2025-21298) (hunting.rules)
2859757 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859758 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859759 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859760 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859761 - ETPRO MALWARE SmartLoader CnC Activity (PUT) (malware.rules)
2859762 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2859763 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859764 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2859765 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2859766 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2859767 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2859768 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2859769 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2859770 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2859771 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2859772 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2859773 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2859774 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Disabled and modified rules:

2057676 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (eliztalks .com) (exploit_kit.rules)
2057677 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (eliztalks .com) (exploit_kit.rules)
2057678 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (franklinida .com) (exploit_kit.rules)
2057679 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (franklinida .com) (exploit_kit.rules)
2057688 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (petshopsg .com) (exploit_kit.rules)
2057689 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (petshopsg .com) (exploit_kit.rules)
2057712 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (inayatullah .com) (exploit_kit.rules)
2057713 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (viralnavigator .com) (exploit_kit.rules)
2057714 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eegqzvxd .shop) (exploit_kit.rules)
2057715 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (inayatullah .com) (exploit_kit.rules)
2057716 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (viralnavigator .com) (exploit_kit.rules)
2057717 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eegqzvxd .shop) (exploit_kit.rules)
2057718 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (genhil .com) (exploit_kit.rules)
2057719 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (genhil .com) (exploit_kit.rules)
2057724 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tickerwell .com) (exploit_kit.rules)
2057725 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (tickerwell .com) (exploit_kit.rules)
2057732 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (segurofinalizar .shop) (exploit_kit.rules)
2057733 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (segurofinalizar .shop) (exploit_kit.rules)
2057734 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nyciot .com) (exploit_kit.rules)
2057735 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nyciot .com) (exploit_kit.rules)
2057739 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (safigdata .com) (exploit_kit.rules)
2057740 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (safigdata .com) (exploit_kit.rules)
2057772 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (swaceapp .com) (exploit_kit.rules)
2057773 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (swaceapp .com) (exploit_kit.rules)
2057774 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (elizgallery .com) (exploit_kit.rules)
2057775 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (elizgallery .com) (exploit_kit.rules)
2057776 - ET MALWARE SocGholish CnC Domain in DNS Lookup (* .cases .pcohenlaw .com) (malware.rules)
2057780 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (16october-etmdeposit329 .top) (exploit_kit.rules)
2057781 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (jaipurraj .com) (exploit_kit.rules)
2057782 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (16october-etmdeposit329 .top) (exploit_kit.rules)
2057783 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (jaipurraj .com) (exploit_kit.rules)
2859496 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859506 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859507 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859508 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859509 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859522 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859523 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859541 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859542 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859543 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
2859544 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Removed rules:

2059376 - ET MALWARE Possible Brute Force Attack Using FastHTTP (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2024/12/26 - v10817 Ruleset Updates	79	December 26, 2024
Ruleset Update Summary - 2024/11/15 - v10743 Ruleset Updates	126	November 15, 2024
Ruleset Update Summary - 2024/11/12 - v10740 Ruleset Updates	120	November 12, 2024
Ruleset Update Summary - 2024/11/14 - v10742 Ruleset Updates	79	November 14, 2024
Ruleset Update Summary - 2024/03/11 - v10549 Ruleset Updates	943	March 11, 2024

Ruleset Update Summary - 2025/01/22 - v10843

Summary:

Added rules:

Open:

Pro:

Disabled and modified rules:

Removed rules:

Related topics