Summary:
21 new OPEN, 25 new PRO (21 + 4)
Thanks @monitorsg
Added rules:
Open:
- 2060800 - ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyphen) (CVE-2024-4577) (web_specific_apps.rules)
- 2060801 - ET WEB_SPECIFIC_APPS Apache Tomcat Path Equivalence (CVE-2025-24813) (web_specific_apps.rules)
- 2060802 - ET INFO Observed URL Shortener Service (t2m .io) in DNS Lookup (info.rules)
- 2060803 - ET MALWARE Observed DNS Query to Rasuq Force Domain (malware.rules)
- 2060804 - ET MALWARE Observed Rasuq Force Domain in TLS SNI (malware.rules)
- 2060805 - ET INFO Observed URL Shortener Service Domain (t2m .io) in TLS SNI (info.rules)
- 2060806 - ET INFO Abused File Hosting Domain (uploadnow .io) in DNS Lookup (info.rules)
- 2060807 - ET INFO Abused File Sharing Domain (uploadnow .io) in TLS SNI (info.rules)
- 2060808 - ET INFO Observed URL Shortener Service (tr .ee) in DNS Lookup (info.rules)
- 2060809 - ET INFO Observed URL Shortener Service Domain (tr .ee) in TLS SNI (info.rules)
- 2060810 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (webmail .denver-computer .com) (malware.rules)
- 2060811 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (webmail .denver-computer .com) (malware.rules)
- 2060812 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (doodstream .shop) (exploit_kit.rules)
- 2060813 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (doodstream .shop) (exploit_kit.rules)
- 2060814 - ET WEB_SPECIFIC_APPS GLPI Pre-auth SQL Injection (CVE-2025-24799) (web_specific_apps.rules)
- 2060815 - ET PHISHING TA453 Google Drive Lookalike (drives .googles. * .site) (phishing.rules)
- 2060816 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cuddlypifllow .life) (malware.rules)
- 2060817 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cuddlypifllow .life) in TLS SNI (malware.rules)
- 2060818 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (infuzoriatufelka .com) (malware.rules)
- 2060819 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (infuzoriatufelka .com) in TLS SNI (malware.rules)
- 2060820 - ET PHISHING TA453 Google Drive Lookalike (drives .googles. * .site) (phishing.rules)
Pro:
- 2860680 - ETPRO MALWARE Rasauq Force Rootkit Checkin via Discord (malware.rules)
- 2860681 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860682 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860683 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
Disabled and modified rules:
- 2060762 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
- 2060776 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)