Ruleset Update Summary - 2025/01/30 - v10849

Ruleset Updates
1

Summary:

8 new OPEN, 13 new PRO (8 + 5)

Added rules:

Open:

  • 2059785 - ET WEB_SPECIFIC_APPS Mitel 6800 802.1x Support Command Injection (CVE-2024-41710) (web_specific_apps.rules)
  • 2059786 - ET WEB_SPECIFIC_APPS SonicOS SSLVPN Authentication Bypass (CVE-2024-53704) (web_specific_apps.rules)
  • 2059787 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ppdpharmaco .com) (exploit_kit.rules)
  • 2059788 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (ppdpharmaco .com) (exploit_kit.rules)
  • 2059789 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (portable2016 .top) (exploit_kit.rules)
  • 2059790 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eoogg .top) (exploit_kit.rules)
  • 2059791 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (portable2016 .top) (exploit_kit.rules)
  • 2059792 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eoogg .top) (exploit_kit.rules)

Pro:

  • 2859846 - ETPRO MALWARE Observed SmokeLoader CnC Activity M3 (malware.rules)
  • 2859847 - ETPRO MALWARE SmokeLoader GET Request to Decoy PDF (malware.rules)
  • 2859848 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2859849 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)
  • 2859850 - ETPRO MALWARE TA582 Domain in DNS Lookup (malware.rules)

Modified inactive rules:

  • 2009709 - ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (phpinfo) (web_specific_apps.rules)
  • 2009710 - ET WEB_SPECIFIC_APPS phpMyAdmin Setup Code Injection (system) (web_specific_apps.rules)
  • 2013250 - ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt (CVE-2010-3333) (web_client.rules)
  • 2013280 - ET WEB_CLIENT Microsoft Word RTF pFragments Stack Overflow Attempt (CVE-2010-3333) (web_client.rules)
  • 2014335 - ET WEB_CLIENT Adobe Flash Player Malformed MP4 Remote Code Execution Attempt (CVE-2012-0754) (web_client.rules)
  • 2014461 - ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific (CVE-2012-0507) (exploit.rules)
  • 2014865 - ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit (CVE-2012-0754) (web_client.rules)
  • 2014938 - ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption (CVE-2012-1889) (web_client.rules)
  • 2015554 - ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt (CVE-2012-1889) (web_client.rules)
  • 2015555 - ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption (CVE-2012-1889) (web_client.rules)
  • 2015712 - ET WEB_CLIENT Internet Explorer execCommand function Use after free Vulnerability (CVE-2012-4969) (web_client.rules)
  • 2015849 - ET EXPLOIT_KIT Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12 (exploit_kit.rules)
  • 2016133 - ET EXPLOIT Escaped Unicode Char in Location CVE-2012-4792 EIP (Exploit Specific replace) (exploit.rules)
  • 2016136 - ET EXPLOIT Metasploit CVE-2012-4792 EIP in URI IE 8 (exploit.rules)
  • 2016137 - ET EXPLOIT EIP in URI M1 (CVE-2012-4792) (exploit.rules)
  • 2016138 - ET EXPLOIT Possible Internet Explorer Use-After-Free Inbound (CVE-2012-4792) (exploit.rules)
  • 2016822 - ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347) (web_client.rules)
  • 2016831 - ET EXPLOIT_KIT CVE-2013-2423 IVKM PoC Seen in Unknown EK (exploit_kit.rules)
  • 2017129 - ET WEB_CLIENT Potential Internet Explorer Use After Free (CVE-2013-3163) (web_client.rules)
  • 2017130 - ET WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3163 2 (web_client.rules)
  • 2017131 - ET EXPLOIT Potential Internet Explorer Use After Free CVE-2013-3163 Exploit URI Struct 1 (exploit.rules)
  • 2017133 - ET WEB_CLIENT Microsoft Internet Explorer Use-After-Free (CVE-2013-3163) (web_client.rules)
  • 2017155 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect (web_server.rules)
  • 2017156 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction (web_server.rules)
  • 2017157 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action (web_server.rules)
  • 2017174 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect (web_server.rules)
  • 2017175 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction (web_server.rules)
  • 2017176 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action (web_server.rules)
  • 2017366 - ET WEB_SERVER Coldfusion 9 Auth Bypass CVE-2013-0632 (web_server.rules)
  • 2017409 - ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 1 (exploit.rules)
  • 2017410 - ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 2 (exploit.rules)
  • 2017411 - ET EXPLOIT Possible MHTML CVE-2012-0158 Vulnerable CLSID+b64 Office Doc Magic 3 (exploit.rules)
  • 2017568 - ET EXPLOIT Possible Metasploit Java CVE-2013-2465 Class Name Sub Algo (exploit.rules)
  • 2017572 - ET WEB_CLIENT Possible Microsoft Internet Explorer Use-After-Free (CVE-2013-3897) (web_client.rules)
  • 2017601 - ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 IE Exploit URI Struct (exploit_kit.rules)
  • 2017671 - ET EXPLOIT Possible CVE-2013-3906 CnC Checkin (exploit.rules)
  • 2017693 - ET EXPLOIT_KIT Styx iframe with obfuscated CVE-2013-2551 (exploit_kit.rules)
  • 2017774 - ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (exploit_kit.rules)
  • 2017785 - ET EXPLOIT_KIT Nuclear EK IE Exploit CVE-2013-2551 (exploit_kit.rules)
  • 2017849 - ET EXPLOIT_KIT Possible CVE-2013-2551 As seen in SPL2 EK (exploit_kit.rules)
  • 2017907 - ET EXPLOIT_KIT GoonEK Landing with CVE-2013-2551 Dec 29 2013 (exploit_kit.rules)
  • 2018147 - ET WEB_CLIENT Possible IE10 Use After Free CVE-2014-0322 (web_client.rules)
  • 2018235 - ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551 (exploit.rules)
  • 2018259 - ET EXPLOIT_KIT DRIVEBY Nuclear EK CVE-2013-2551 URI Struct Nov 26 2013 (exploit_kit.rules)
  • 2018308 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 2 (exploit.rules)
  • 2018309 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 3 (exploit.rules)
  • 2018310 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 4 (exploit.rules)
  • 2018311 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 5 (exploit.rules)
  • 2018312 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 6 (exploit.rules)
  • 2018313 - ET WEB_CLIENT Possible Word RTF Memory Corruption Payload Inbound (CVE-2014-1761) (web_client.rules)
  • 2018314 - ET EXPLOIT Possible CVE-2014-1761 Inbound SMTP 1 (exploit.rules)
  • 2018931 - ET EXPLOIT_KIT DRIVEBY Archie.EK CVE-2013-2551 URI Struct (exploit_kit.rules)
  • 2018996 - ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014 (exploit_kit.rules)
  • 2019188 - ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 Sept 17 2014 (exploit_kit.rules)
  • 2019189 - ET EXPLOIT_KIT Nuclear EK CVE-2013-2551 URI Struct Sept 17 2014 (exploit_kit.rules)
  • 2019242 - ET MALWARE Linux/DDoS.M distributed via CVE-2014-6271 Checkin (malware.rules)
  • 2019244 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 1 (web_server.rules)
  • 2019245 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 2 (web_server.rules)
  • 2019246 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 3 (web_server.rules)
  • 2019247 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 4 (web_server.rules)
  • 2019248 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 5 (web_server.rules)
  • 2019249 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 6 (web_server.rules)
  • 2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7 (web_server.rules)
  • 2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8 (web_server.rules)
  • 2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9 (web_server.rules)
  • 2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10 (web_server.rules)
  • 2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11 (web_server.rules)
  • 2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12 (web_server.rules)
  • 2019256 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 13 (web_server.rules)
  • 2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 (web_server.rules)
  • 2019258 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 15 (web_server.rules)
  • 2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 (web_server.rules)
  • 2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 (web_server.rules)
  • 2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 (web_server.rules)
  • 2019262 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 19 (web_server.rules)
  • 2019263 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 20 (web_server.rules)
  • 2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 (web_server.rules)
  • 2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 (web_server.rules)
  • 2019266 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 23 (web_server.rules)
  • 2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 (web_server.rules)
  • 2019268 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 25 (web_server.rules)
  • 2019269 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 26 (web_server.rules)
  • 2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 (web_server.rules)
  • 2019271 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 28 (web_server.rules)
  • 2019272 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 29 (web_server.rules)
  • 2019273 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 30 (web_server.rules)
  • 2019420 - ET WEB_CLIENT Possible CVE-2014-4113 Exploit Download (web_client.rules)
  • 2019732 - ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode (web_client.rules)
  • 2019752 - ET EXPLOIT Possible Sweet Orange CVE-2014-6332 Payload Request (exploit.rules)
  • 2019775 - ET EXPLOIT_KIT Possible Internet Explorer CVE-2014-6332 Common Construct b64 3 (Observed in Archie EK) (exploit_kit.rules)
  • 2020067 - ET EXPLOIT Possible CVE-2014-6332 Arrays with Offset Dec 23 (exploit.rules)
  • 2020498 - ET EXPLOIT_KIT DRIVEBY Possible Unknown EK HFS CVE-2014-6332 (exploit_kit.rules)
  • 2021364 - ET EXPLOIT_KIT Magnitude CVE-2015-3113 Jun 29 2015 M1 (exploit_kit.rules)
  • 2023151 - ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M1 (exploit_kit.rules)
  • 2023152 - ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M2 (exploit_kit.rules)
  • 2023153 - ET EXPLOIT_KIT Encoded CVE-2014-6332 (As Observed in SunDown EK) M3 (exploit_kit.rules)
  • 2023277 - ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b641) (exploit_kit.rules)
  • 2023278 - ET EXPLOIT_KIT SunDown EK CVE-2015-0016 Sep 22 2016 (b642) (exploit_kit.rules)
  • 2023280 - ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b641) (exploit_kit.rules)
  • 2023281 - ET EXPLOIT_KIT SunDown EK CVE-2016-0189 Sep 22 2016 (b642) (exploit_kit.rules)
  • 2023283 - ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b641) (exploit_kit.rules)
  • 2023284 - ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b642) (exploit_kit.rules)
  • 2023285 - ET EXPLOIT_KIT SunDown EK CVE-2013-2551 Sep 22 2016 (b643) (exploit_kit.rules)
  • 2023288 - ET MALWARE BleedingLife EK CVE-2014-6332 Exploit (malware.rules)
  • 2023289 - ET MALWARE BleedingLife EK CVE-2016-0189 Exploit (malware.rules)
  • 2024706 - ET EXPLOIT Possible CVE-2017-8759 Soap File DL (exploit.rules)
  • 2030387 - ET EXPLOIT Possible CVE-2020-11899 Multicast out-of-bound read (exploit.rules)
  • 2030889 - ET EXPLOIT [401TRG] Possible Zerologon (CVE-2020-1472) M2 (exploit.rules)
  • 2033781 - ET EXPLOIT Use-After-Free in QuickTimePluginReplacement (CVE-2021-1879) (exploit.rules)
  • 2034199 - ET EXPLOIT Oracle BI Publisher Authentication Bypass (CVE-2019-2616) (exploit.rules)
  • 2034626 - ET EXPLOIT Exiftool RCE Inbound (CVE-2021-22204) (exploit.rules)
  • 2034670 - ET ATTACK_RESPONSE DNS Query for Observed CVE-2021-44228 Callback Domain (bingsearchlib .com) (attack_response.rules)
  • 2034671 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)
  • 2034672 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)
  • 2034702 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (CVE-2021-44228) (exploit.rules)
  • 2034703 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (CVE-2021-44228) (exploit.rules)
  • 2034757 - ET EXPLOIT Apache log4j RCE Attempt (http ldap) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034804 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034834 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (udp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034835 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/12 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034836 - ET EXPLOIT Apache log4j RCE Attempt - 2021/12/13 Obfuscation Observed (tcp) (Outbound) (CVE-2021-44228) (exploit.rules)
  • 2034970 - ET EXPLOIT Sonicwall Unauthenticated Stack-Based Buffer Overflow (CVE-2021-20038) (exploit.rules)
  • 2036378 - ET EXPLOIT WSO2 Server RCE (CVE-2022-29464) (exploit.rules)
  • 2037041 - ET EXPLOIT Apache Tommcat/JBoss RCE Inbound (CVE-2013-4810) (exploit.rules)
  • 2037083 - ET EXPLOIT Possible Microsoft Support Diagnostic Tool Exploitation Inbound (CVE-2022-30190) (exploit.rules)
  • 2038672 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M1 (exploit.rules)
  • 2038673 - ET EXPLOIT Jira Server/Data Center 8.4.0 Remote File Read Attempt (CVE-2021-26086) M2 (exploit.rules)
  • 2038781 - ET EXPLOIT D-Link Remote Code Execution Attempt (CVE-2022-26258) (exploit.rules)
  • 2039005 - ET EXPLOIT Possible Zoho ManageEngine RCE Attempt Inbound (CVE-2022-35405) (exploit.rules)
  • 2048469 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity (current_events.rules)
  • 2048470 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity (current_events.rules)
  • 2048581 - ET CURRENT_EVENTS Possible Atlassian Confluence CVE-2023-22515 Scan Activity - Clone (current_events.rules)
  • 2048737 - ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-20198) (Outbound) M2 (exploit.rules)
  • 2048738 - ET EXPLOIT Cisco IOS XE Web Server Auth Bypass (CVE-2023-20198) (Inbound) M2 (exploit.rules)
  • 2048739 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M1 (exploit.rules)
  • 2048740 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M1 (exploit.rules)
  • 2048741 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Outbound) M2 (exploit.rules)
  • 2048742 - ET EXPLOIT Possible Cisco IOS XE Web Server Implant 404 Response (CVE-2023-20198) (Inbound) M2 (exploit.rules)
  • 2800385 - ETPRO WEB_CLIENT Adobe Reader and Acrobat util.printf Stack Buffer Overflow 1 (web_client.rules)
  • 2800386 - ETPRO WEB_CLIENT Adobe Reader and Acrobat util.printf Stack Buffer Overflow 2 (web_client.rules)
  • 2800977 - ETPRO SMTP Exim string_format Remote Code Execution Attempt (smtp.rules)
  • 2800979 - ETPRO SMTP Exim string_format Remote Code Execution (smtp.rules)
  • 2803254 - ETPRO NETBIOS Microsoft Windows LNK File Code Execution SMB-DS (netbios.rules)
  • 2803255 - ETPRO NETBIOS Microsoft Windows LNK File Code Execution SMB (netbios.rules)
  • 2804857 - ETPRO WEB_CLIENT Microsoft DOC File download - ListView Overflow 2 -SET (CVE-2012-0158) (web_client.rules)
  • 2804858 - ETPRO WEB_CLIENT Microsoft DOC File download - ListView Overflow (CVE-2012-0158) (web_client.rules)
  • 2804859 - ETPRO WEB_CLIENT Microsoft DOC File download - TreeView Overflow 1 -SET (CVE-2012-0158) (web_client.rules)
  • 2804860 - ETPRO WEB_CLIENT Microsoft DOC File download - TreeView Overflow 2 -SET (CVE-2012-0158) (web_client.rules)
  • 2804861 - ETPRO WEB_CLIENT Microsoft DOC File download - TreeView Overflow (CVE-2012-0158) (web_client.rules)
  • 2806358 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 2 (CVE-2013-2551) (web_client.rules)
  • 2806359 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer VML Use After Free 1 (CVE-2013-2551) (web_client.rules)
  • 2806634 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 1 (CVE-2013-1347) (web_client.rules)
  • 2806635 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use-After-Free 2 (CVE-2013-1347) (web_client.rules)
  • 2807511 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 1 (web_client.rules)
  • 2807512 - ETPRO WEB_CLIENT PDF use after free (CVE-2014-0496) 2 (web_client.rules)
  • 2807985 - ETPRO WEB_CLIENT Possible Internet Explorer RCE CVE-2014-1776 (web_client.rules)
  • 2808996 - ETPRO WEB_CLIENT Internet Explorer 11 Sandbox Escapes vulnerable ActiveX control in executable (CVE-2014-4123) (web_client.rules)
  • 2809380 - ETPRO EXPLOIT Possible CVE-2014-6324 Priv escalation attempt (exploit.rules)
  • 2811959 - ETPRO WEB_CLIENT JScript9 Memory Corruption Vulnerability (CVE-2015-2419) (web_client.rules)
  • 2820084 - ETPRO EXPLOIT_KIT CVE-2013-2551 M1 (b642) Observed in Sundown/Xer EK (exploit_kit.rules)
  • 2820554 - ETPRO EXPLOIT_KIT CVE-2015-0016 As Observed in Magnitude EK Jun 09 2016 (exploit_kit.rules)
  • 2820898 - ETPRO EXPLOIT_KIT CVE-2014-6332 as Observed in Sednit EK M1 (exploit_kit.rules)
  • 2820899 - ETPRO EXPLOIT_KIT CVE-2014-6332 as Observed in Sednit EK M2 (exploit_kit.rules)
  • 2821359 - ETPRO EXPLOIT_KIT CVE-2015-0016 As Observed in Magnitude EK Jul 26 2016 (exploit_kit.rules)
  • 2821576 - ETPRO EXPLOIT Microsoft Windows Possible gdi32 Out Of Bound Memory Access Executable Inbound (CVE-2016-3309) (exploit.rules)
  • 2825378 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer Information Disclosure (CVE-2017-0022) (web_client.rules)
  • 2825385 - ETPRO WEB_CLIENT Internet Explorer Type Confusion (CVE-2017-0037) (web_client.rules)
  • 2825406 - ETPRO WEB_CLIENT Internet Explorer Information Disclosure Vulnerability (CVE-2017-0059) (web_client.rules)
  • 2825858 - ETPRO WEB_CLIENT Internet Explorer EOP Vulnerability (CVE-2017-0210) (web_client.rules)
  • 2826338 - ETPRO EXPLOIT Win32k Elevation of Privilege Vulnerability (CVE-2017-0263) (exploit.rules)
  • 2835354 - ETPRO EXPLOIT Possible CVE-2019-0703 Request SMBv1 (exploit.rules)
  • 2835355 - ETPRO EXPLOIT Possible CVE-2019-0703 Response SMBv1 (exploit.rules)
  • 2835356 - ETPRO EXPLOIT Possible CVE-2019-0703 Request SMBv2 (exploit.rules)
  • 2835357 - ETPRO EXPLOIT Possible CVE-2019-0703 Response SMBv2 (exploit.rules)
  • 2840459 - ETPRO EXPLOIT Possible Spoofed TLS Certificate Inbound (CVE-2020-0601) (exploit.rules)
  • 2849479 - ETPRO EXPLOIT Microsoft Windows SMBv3 Compression Remote Code Execution Inbound (CVE-2020-0796) (exploit.rules)
  • 2850028 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M1 flowbit set (CVE-2021-22005) (exploit.rules)
  • 2850029 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M2 flowbit set (CVE-2021-22005) (exploit.rules)
  • 2850030 - ETPRO EXPLOIT VMware vCenter Vulnerable Path M3 flowbit set (CVE-2021-22005) (exploit.rules)
  • 2850031 - ETPRO EXPLOIT VMWare vCenter - Server Responded to Request For Path Vulnerable to RCE (CVE-2021-22005) (exploit.rules)
  • 2850055 - ETPRO EXPLOIT VMware vCenter RCE Exploitation Attempt M1 (CVE-2021-22005) (exploit.rules)
  • 2850122 - ETPRO EXPLOIT Possible OpenSLP Project/VMWare OpenSLP Heap Buffer Overflow (CVE-2019-5544) (exploit.rules)
  • 2851768 - ETPRO WEB_CLIENT Microsoft DOC File download - ListView Overflow 1 -SET (CVE-2012-0158) (web_client.rules)
  • 2857471 - ETPRO INFO Server Responding to Microsoft Office HTTP Request for .html - Possible Windows MSHTML Platform Security Feature Bypass (CVE-2024-30040) (info.rules)

Disabled and modified rules:

  • 2059767 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (innerkomen .com) (malware.rules)
  • 2059768 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (innerkomen .com in TLS SNI) (malware.rules)
  • 2059769 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (guardeduppe .com) (malware.rules)
  • 2059770 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (guardeduppe .com in TLS SNI) (malware.rules)
  • 2059771 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (toppyneedus .biz) (malware.rules)
  • 2059772 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (toppyneedus .biz in TLS SNI) (malware.rules)
  • 2059773 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (flockefaccek .org) (malware.rules)
  • 2059774 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (flockefaccek .org in TLS SNI) (malware.rules)
  • 2059775 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (babberstalek .org) (malware.rules)
  • 2059776 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (babberstalek .org in TLS SNI) (malware.rules)
  • 2059777 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (classyhelped .net) (malware.rules)
  • 2059778 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (classyhelped .net in TLS SNI) (malware.rules)
  • 2059779 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (carrystuppeder .net) (malware.rules)
  • 2059780 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (carrystuppeder .net in TLS SNI) (malware.rules)
  • 2059781 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rebuildhurrte .com) (malware.rules)
  • 2059782 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rebuildhurrte .com in TLS SNI) (malware.rules)
  • 2059783 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (climepunneddus .com) (malware.rules)
  • 2059784 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (climepunneddus .com in TLS SNI) (malware.rules)