Ruleset Update Summary - 2025/03/12 - v10877

Ruleset Updates
1

Summary:

21 new OPEN, 25 new PRO (21 + 4)

Thanks @monitorsg

Added rules:

Open:

  • 2060800 - ET WEB_SPECIFIC_APPS PHP-CGI OS Command Injection (soft hyphen) (CVE-2024-4577) (web_specific_apps.rules)
  • 2060801 - ET WEB_SPECIFIC_APPS Apache Tomcat Path Equivalence (CVE-2025-24813) (web_specific_apps.rules)
  • 2060802 - ET INFO Observed URL Shortener Service (t2m .io) in DNS Lookup (info.rules)
  • 2060803 - ET MALWARE Observed DNS Query to Rasuq Force Domain (malware.rules)
  • 2060804 - ET MALWARE Observed Rasuq Force Domain in TLS SNI (malware.rules)
  • 2060805 - ET INFO Observed URL Shortener Service Domain (t2m .io) in TLS SNI (info.rules)
  • 2060806 - ET INFO Abused File Hosting Domain (uploadnow .io) in DNS Lookup (info.rules)
  • 2060807 - ET INFO Abused File Sharing Domain (uploadnow .io) in TLS SNI (info.rules)
  • 2060808 - ET INFO Observed URL Shortener Service (tr .ee) in DNS Lookup (info.rules)
  • 2060809 - ET INFO Observed URL Shortener Service Domain (tr .ee) in TLS SNI (info.rules)
  • 2060810 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (webmail .denver-computer .com) (malware.rules)
  • 2060811 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (webmail .denver-computer .com) (malware.rules)
  • 2060812 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (doodstream .shop) (exploit_kit.rules)
  • 2060813 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (doodstream .shop) (exploit_kit.rules)
  • 2060814 - ET WEB_SPECIFIC_APPS GLPI Pre-auth SQL Injection (CVE-2025-24799) (web_specific_apps.rules)
  • 2060815 - ET PHISHING TA453 Google Drive Lookalike (drives .googles. * .site) (phishing.rules)
  • 2060816 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cuddlypifllow .life) (malware.rules)
  • 2060817 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cuddlypifllow .life) in TLS SNI (malware.rules)
  • 2060818 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (infuzoriatufelka .com) (malware.rules)
  • 2060819 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (infuzoriatufelka .com) in TLS SNI (malware.rules)
  • 2060820 - ET PHISHING TA453 Google Drive Lookalike (drives .googles. * .site) (phishing.rules)

Pro:

  • 2860680 - ETPRO MALWARE Rasauq Force Rootkit Checkin via Discord (malware.rules)
  • 2860681 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2860682 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2860683 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)

Disabled and modified rules:

  • 2060762 - ET PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2060776 - ET PHISHING TA453 Domain in TLS SNI (phishing.rules)