Summary:
38 new OPEN, 77 new PRO (38 + 39)
Thanks @Jane_0sint
Added rules:
Open:
- 2060968 - ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316) (web_specific_apps.rules)
- 2060969 - ET MALWARE Amadey CnC Response (malware.rules)
- 2060970 - ET INFO DYNAMIC_DNS Query to a *.schrottspiele .de domain (info.rules)
- 2060971 - ET INFO DYNAMIC_DNS HTTP Request to a *.schrottspiele .de domain (info.rules)
- 2060972 - ET INFO DYNAMIC_DNS Query to a *.or-g .net domain (info.rules)
- 2060973 - ET INFO DYNAMIC_DNS HTTP Request to a *.or-g .net domain (info.rules)
- 2060974 - ET INFO DYNAMIC_DNS Query to a *.silvaharo .com domain (info.rules)
- 2060975 - ET INFO DYNAMIC_DNS HTTP Request to a *.silvaharo .com domain (info.rules)
- 2060976 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cityesca .top) (malware.rules)
- 2060977 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (cityesca .top) in TLS SNI (malware.rules)
- 2060978 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gunrightsp .run) (malware.rules)
- 2060979 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gunrightsp .run) in TLS SNI (malware.rules)
- 2060980 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (partparcadi .shop) (malware.rules)
- 2060981 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (partparcadi .shop) in TLS SNI (malware.rules)
- 2060982 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rugbybrign .life) (malware.rules)
- 2060983 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (rugbybrign .life) in TLS SNI (malware.rules)
- 2060984 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (advennture .top) (malware.rules)
- 2060985 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (advennture .top in TLS SNI) (malware.rules)
- 2060986 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (esccapewz .run) (malware.rules)
- 2060987 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (esccapewz .run in TLS SNI) (malware.rules)
- 2060988 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (travewlio .shop) (malware.rules)
- 2060989 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (travewlio .shop in TLS SNI) (malware.rules)
- 2060990 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (touvrlane .bet) (malware.rules)
- 2060991 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (touvrlane .bet in TLS SNI) (malware.rules)
- 2060992 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sighbtseeing .shop) (malware.rules)
- 2060993 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sighbtseeing .shop in TLS SNI) (malware.rules)
- 2060994 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (holidamyup .today) (malware.rules)
- 2060995 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (holidamyup .today in TLS SNI) (malware.rules)
- 2060996 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (triplooqp .world) (malware.rules)
- 2060997 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (triplooqp .world in TLS SNI) (malware.rules)
- 2060998 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (computertecs .com) (exploit_kit.rules)
- 2060999 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (vfclan .com) (exploit_kit.rules)
- 2061000 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (janhugo .com) (exploit_kit.rules)
- 2061001 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (computertecs .com) (exploit_kit.rules)
- 2061002 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (vfclan .co) (exploit_kit.rules)
- 2061003 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (janhugo .com) (exploit_kit.rules)
- 2061004 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (mail .pacifictaxcounsel .com) (malware.rules)
- 2061005 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (mail .pacifictaxcounsel .com) (malware.rules)
Pro:
- 2860817 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860818 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860819 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2860820 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2860821 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860822 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860823 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860824 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2860825 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2860826 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2860827 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2860828 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2860829 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2860830 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2860831 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860832 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2860833 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2860834 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2860835 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2860836 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2860837 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2860838 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860839 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860840 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860841 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2860842 - ETPRO MALWARE Win32/XWorm CnC Command - INFO Outbound (malware.rules)
- 2860843 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
- 2860844 - ETPRO MALWARE Win32/XWorm CnC Command - RD+ Inbound (malware.rules)
- 2860845 - ETPRO MALWARE Win32/XWorm CnC Command - RD- Outbound (malware.rules)
- 2860846 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2860847 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
- 2860848 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2860849 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
- 2860850 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2860851 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2860852 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
- 2860853 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2860854 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
- 2860855 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
Disabled and modified rules:
- 2060874 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (support .traininghub .world) (malware.rules)
- 2060875 - ET MALWARE Win32/TA569 Gholoader Domain in TLS SNI (support .traininghub .world) (malware.rules)
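Release notes in this layout are easy to consume by hand but awkward to feed into a blocklist or a change-tracking pipeline. The parser below is an added example, not part of the ET release note or of any ET tooling. It assumes only what is visible on this page: a `Summary:` count line of the form `N new OPEN, M new PRO (N + K)` (PRO subscribers receive both sets, so M = N + K), an `Added rules:` block split into `Open:` and `Pro:`, a `Disabled and modified rules:` block, rule lines of the form `- SID - ET|ETPRO CATEGORY message (file.rules)`, and indicators defanged with a space before each dot (`cityesca .top`). The embedded input is a constructed excerpt in that layout, not the full list above.

```python
"""Parse an Emerging Threats daily update note into structured records.

Added example (not ET's own tooling). It cross-checks the Summary counts
against the listed rules and refangs the defanged indicator domains.
"""
import re

# Constructed excerpt in the same layout as the note above (not the full list).
SAMPLE = """\
Summary:
4 new OPEN, 6 new PRO (4 + 2)
Added rules:
Open:
- 2060968 - ET WEB_SPECIFIC_APPS Edimax IC-7100 Command Injection Attempt (CVE-2025-1316) (web_specific_apps.rules)
- 2060970 - ET INFO DYNAMIC_DNS Query to a *.schrottspiele .de domain (info.rules)
- 2060976 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (cityesca .top) (malware.rules)
- 2060985 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (advennture .top in TLS SNI) (malware.rules)
Pro:
- 2860817 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2860854 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
Disabled and modified rules:
- 2060874 - ET MALWARE Win32/TA569 Gholoader Domain in DNS Lookup (support .traininghub .world) (malware.rules)
"""

RULE_RE = re.compile(r"^- (\d+) - (ET|ETPRO) (\S+) (.*) \((\S+\.rules)\)$")
SUMMARY_RE = re.compile(r"^(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)$")
# Indicators in ET rule names are defanged as "label .label .tld": two or more
# labels joined by a space-dot. Nothing else in the rule names uses that form.
DEFANGED_RE = re.compile(r"[A-Za-z0-9-]+(?: \.[A-Za-z0-9-]+)+")


def parse_rule_line(line):
    """Return a dict for a '- SID - PREFIX CATEGORY msg (file.rules)' line, else None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid, prefix, category, message, rules_file = m.groups()
    return {"sid": int(sid), "prefix": prefix, "category": category,
            "msg": message, "file": rules_file}


def parse_update(text):
    """Split the note into the Summary counts and the per-section rule lists."""
    out = {"summary": None, "open": [], "pro": [], "modified": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Open:":
            section = "open"
        elif line == "Pro:":
            section = "pro"
        elif line == "Disabled and modified rules:":
            section = "modified"
        elif (m := SUMMARY_RE.match(line)):
            out["summary"] = tuple(int(x) for x in m.groups())
        elif (rule := parse_rule_line(line)) and section:
            out[section].append(rule)
    return out


def check_counts(parsed):
    """Verify the Summary line against what is actually listed.

    The line reads '<open> new OPEN, <pro_total> new PRO (<open> + <pro_only>)';
    PRO subscribers get both sets, so pro_total must equal open + pro_only.
    Open rules carry the 'ET' prefix and Pro rules 'ETPRO', as on this page.
    Returns a list of problems; an empty list means the note is consistent.
    """
    if parsed["summary"] is None:
        return ["no Summary count line found"]
    n_open, n_pro_total, n_open2, n_pro_only = parsed["summary"]
    actual_open, actual_pro = len(parsed["open"]), len(parsed["pro"])
    problems = []
    if n_open != actual_open or n_open2 != actual_open:
        problems.append(f"open: summary says {n_open}, listed {actual_open}")
    if n_pro_only != actual_pro:
        problems.append(f"pro-only: summary says {n_pro_only}, listed {actual_pro}")
    if n_pro_total != n_open2 + n_pro_only:
        problems.append(f"pro total {n_pro_total} != {n_open2} + {n_pro_only}")
    for r in parsed["open"]:
        if r["prefix"] != "ET":
            problems.append(f"SID {r['sid']} listed under Open but prefixed {r['prefix']}")
    for r in parsed["pro"]:
        if r["prefix"] != "ETPRO":
            problems.append(f"SID {r['sid']} listed under Pro but prefixed {r['prefix']}")
    return problems


def indicators(rules):
    """Refang the defanged domains in rule names ('cityesca .top' -> 'cityesca.top').

    Returns unique (sid, domain) pairs in the order listed; a leading '*.'
    wildcard (DYNAMIC_DNS rules) is not part of the match and is dropped.
    """
    found = []
    for r in rules:
        for m in DEFANGED_RE.findall(r["msg"]):
            pair = (r["sid"], m.replace(" .", ".").lower())
            if pair not in found:
                found.append(pair)
    return found


if __name__ == "__main__":
    parsed = parse_update(SAMPLE)
    print("summary problems:", check_counts(parsed) or "none")
    for sid, domain in indicators(parsed["open"] + parsed["modified"]):
        print(sid, domain)
```

Run against the full note above, `check_counts` confirms that the `38 new OPEN, 77 new PRO (38 + 39)` line matches the 38 Open and 39 Pro entries listed, and `indicators` yields the DNS/SNI domains (Lumma, LandUpdate808, Gholoader, and the DYNAMIC_DNS zones) ready for a blocklist or for a cross-check against passive DNS. Entries under `Disabled and modified rules:` are deliberately kept separate from the added rules so a disabled signature's domain is not re-added as a fresh indicator without review.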