Ruleset Update Summary - 2025/04/16 - v10907

Ruleset Updates
1

Summary:

26 new OPEN, 28 new PRO (26 + 2)

Thanks @travisbgreen, @Jane_0sint

Added rules:

Open:

  • 2061585 - ET PHISHING Observed DNS Query to TA450 Domain (phishing.rules)
  • 2061586 - ET PHISHING Observed TA450 Domain in TLS SNI (phishing.rules)
  • 2061587 - ET PHISHING Observed DNS Query to UNK_RemoteRogue Domain (phishing.rules)
  • 2061588 - ET PHISHING Observed DNS Query to UNK_RemoteRogue Domain (phishing.rules)
  • 2061589 - ET PHISHING Observed DNS Query to UNK_RemoteRogue Domain (phishing.rules)
  • 2061590 - ET PHISHING Observed UNK_RemoteRogue Domain in TLS SNI (phishing.rules)
  • 2061591 - ET PHISHING Observed UNK_RemoteRogue Domain in TLS SNI (phishing.rules)
  • 2061592 - ET PHISHING Observed UNK_RemoteRogue Domain in TLS SNI (phishing.rules)
  • 2061619 - ET EXPLOIT [CORELIGHT] CrushFTP Auth Bypass Attempt (CVE-2025-31161) (exploit.rules)
  • 2061620 - ET WEB_SPECIFIC_APPS Totolink A3700R Multiple Authentication Bypass cstecgecgi.cgi Endpoints (CVE-2025-3663 - CVE-2025-3668) (web_specific_apps.rules)
  • 2061621 - ET WEB_SPECIFIC_APPS D-Link DIR-605L/DIR-618 Multiple Authentication Bypass URI Endpoints (CVE-2025-2546 - CVE-2025-2553) (web_specific_apps.rules)
  • 2061622 - ET WEB_SPECIFIC_APPS D-Link DIR-823G Multiple HNAP SOAPAction Endpoints Authentication Bypass (CVE-2025-2359, CVE-2025-2360) (web_specific_apps.rules)
  • 2061623 - ET WEB_SPECIFIC_APPS D-Link DIR-823G Multiple HNAP SOAPAction Endpoints Authentication Bypass (web_specific_apps.rules)
  • 2061624 - ET INFO DYNAMIC_DNS Query to a *.grupoinca .com .pe domain (info.rules)
  • 2061625 - ET INFO DYNAMIC_DNS HTTP Request to a *.grupoinca .com .pe domain (info.rules)
  • 2061626 - ET INFO DYNAMIC_DNS Query to a *.yunjiaoshi .com domain (info.rules)
  • 2061627 - ET INFO DYNAMIC_DNS HTTP Request to a *.yunjiaoshi .com domain (info.rules)
  • 2061628 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shiftvc .digital) (malware.rules)
  • 2061629 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (shiftvc .digital) in TLS SNI (malware.rules)
  • 2061630 - ET WEB_SPECIFIC_APPS Tenda FH1202 default.cfg Authentication Bypass Attempt (CVE-2025-2993) (web_specific_apps.rules)
  • 2061631 - ET WEB_SERVER SonicWall SMA Post-Auth sitecustomization CGI Command Injection (web_server.rules)
  • 2061632 - ET WEB_SERVER SonicWall SMA Post-Auth importlogo CGI File Upload (web_server.rules)
  • 2061635 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (layardrama21 .top) (exploit_kit.rules)
  • 2061636 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (layardrama21 .top) (exploit_kit.rules)
  • 2061637 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (signin .certifiedbk .com) (malware.rules)
  • 2061638 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (signin .certifiedbk .com) (malware.rules)

Pro:

  • 2861178 - ETPRO MALWARE DeerStealer CnC Response (malware.rules)
  • 2861179 - ETPRO MALWARE DeerStealer CnC Checkin (malware.rules)

Removed rules:

  • 2061585 - ET MALWARE Observed DNS Query to TA450 Domain (malware.rules)
  • 2061586 - ET MALWARE Observed TA450 Domain in TLS SNI (malware.rules)
  • 2061587 - ET MALWARE Observed DNS Query to UNK_RemoteRogue Domain (malware.rules)
  • 2061588 - ET MALWARE Observed DNS Query to UNK_RemoteRogue Domain (malware.rules)
  • 2061589 - ET MALWARE Observed DNS Query to UNK_RemoteRogue Domain (malware.rules)
  • 2061590 - ET MALWARE Observed UNK_RemoteRogue Domain in TLS SNI (malware.rules)
  • 2061591 - ET MALWARE Observed UNK_RemoteRogue Domain in TLS SNI (malware.rules)
  • 2061592 - ET MALWARE Observed UNK_RemoteRogue Domain in TLS SNI (malware.rules)