Summary:
11 new OPEN, 14 new PRO (11 + 3)
Added rules:
Open:
- 2063949 - ET WEB_SPECIFIC_APPS ABB Cylon Flxeon siteGuide.js filename/originalname Parameter Command Injection Attempt (web_specific_apps.rules)
- 2063950 - ET WEB_SPECIFIC_APPS ABB Cylon Flxeon users.js oldPassword/newPassword Parameter Command Injection Attempt (web_specific_apps.rules)
- 2063951 - ET WEB_SPECIFIC_APPS ABB Cylon Flxeon cert.js Multiple Parameters Command Injection Attempt (web_specific_apps.rules)
- 2063952 - ET WEB_SPECIFIC_APPS ABB Cylon Flxeon timeConfig.js Multiple Parameters Command Injection Attempt (web_specific_apps.rules)
- 2063953 - ET WEB_SPECIFIC_APPS ABB Cylon Flxeon upload.js Multiple Parameters Command Injection Attempt (web_specific_apps.rules)
- 2063954 - ET INFO DYNAMIC_DNS Query to a *.unowel .com domain (info.rules)
- 2063955 - ET INFO DYNAMIC_DNS HTTP Request to a *.unowel .com domain (info.rules)
- 2063956 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (feedback .fortunetaxs .com) (malware.rules)
- 2063957 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (feedback .fortunetaxs .com) (malware.rules)
- 2063958 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (www .keynotecapitals .com) (malware.rules)
- 2063959 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (www .keynotecapitals .com) (malware.rules)
Pro:
- 2864117 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2864118 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2864119 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
Disabled and modified rules:
- 2063380 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (accsrf .top) (malware.rules)
- 2063381 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (accsrf .top in TLS SNI) (malware.rules)