Ruleset Update Summary - 2025/06/17 - v10952

Ruleset Updates
1

Summary:

19 new OPEN, 19 new PRO (19 + 0)

Thanks @TLP_R3D

Added rules:

Open:

  • 2048947 - ET INFO Observed DNS Query to PC Optimizer Software Domain (fortect .com) (info.rules)
  • 2048948 - ET INFO Observed PC Optimizer Software Domain (fortect .com in TLS SNI) (info.rules)
  • 2063023 - ET WEB_SPECIFIC_APPS Grafana Account Takeover via Path Traversal & Open Redirect (CVE-2025-4123) (web_specific_apps.rules)
  • 2063024 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (starpopz .live) (malware.rules)
  • 2063025 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (starpopz .live) in TLS SNI (malware.rules)
  • 2063026 - ET WEB_SPECIFIC_APPS ZendTo Dropoff Path Traversal (CVE-2025-34508) (web_specific_apps.rules)
  • 2063027 - ET WEB_SPECIFIC_APPS Totolink A3002R formSysLog submit-url Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063028 - ET WEB_SPECIFIC_APPS Tenda DhcpListClient list Parameter Buffer Overflow Attempt (CVE-2024-32293) (web_specific_apps.rules)
  • 2063029 - ET WEB_SPECIFIC_APPS Tenda SetSpeedWan speed_dir Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063030 - ET WEB_SPECIFIC_APPS Tenda addressNat mitInterface Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063031 - ET WEB_SPECIFIC_APPS Tenda WifiWpsOOB index Parameter Buffer Overflow Attempt (CVE-2025-29032) (web_specific_apps.rules)
  • 2063032 - ET WEB_SPECIFIC_APPS TP-Link WanSlaacCfgRpm.htm dnsserver1 Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2063033 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lqsword .top) (exploit_kit.rules)
  • 2063034 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lqsword .top) (exploit_kit.rules)
  • 2063035 - ET MALWARE Observed TA4557 More_eggs Fake Resume Page (malware.rules)
  • 2063036 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .realizr .today) (malware.rules)
  • 2063037 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (specification .saferunion .com) (malware.rules)
  • 2063038 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .realizr .today) (malware.rules)
  • 2063039 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (specification .saferunion .com) (malware.rules)

Removed rules:

  • 2048947 - ET ADWARE_PUP Observed DNS Query to PC Optimizer Software Domain (fortect .com) (adware_pup.rules)
  • 2048948 - ET ADWARE_PUP Observed PC Optimizer Software Domain (fortect .com in TLS SNI) (adware_pup.rules)