Ruleset Update Summary - 2025/09/25 - v11024

Ruleset Updates
1

Summary:

17 new OPEN, 23 new PRO (17 + 6)

Added rules:

Open:

  • 2064917 - ET HUNTING Request for Webshell in .well-known directory (hunting.rules)
  • 2064918 - ET WEB_SPECIFIC_APPS H3C aspForm param Parameter Buffer Overflow Attempt (CVE-2025-10942) (web_specific_apps.rules)
  • 2064919 - ET WEB_SPECIFIC_APPS Mikrotik libjson Multiple Parameters Buffer Overflow Attempt (CVE-2025-10948) (web_specific_apps.rules)
  • 2064920 - ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Authentication Bypass via License Servlet (CVE-2025-10035) (web_specific_apps.rules)
  • 2064921 - ET WEB_SPECIFIC_APPS Fortra GoAnywhere MFT Response Valid License Request Token Disclosure (web_specific_apps.rules)
  • 2064922 - ET HUNTING Fortra GoAnywhere MFT Insecure Deserialization via License Servlet (CVE-2025-10035) (hunting.rules)
  • 2064923 - ET WEB_SPECIFIC_APPS ASUS RT-AC3200 Buffer Overflow in appGet.cgi (CVE-2018-14712) (web_specific_apps.rules)
  • 2064924 - ET WEB_SPECIFIC_APPS ASUS GT-AC2900 Authentication Bypass via Null Character in asus_token HTTP Cookie (CVE-2021-32030) (web_specific_apps.rules)
  • 2064925 - ET WEB_SPECIFIC_APPS ASUS RT-AC3200 Reflected Cross-Site Scripting in appGet.cgi (CVE-2018-14710) (web_specific_apps.rules)
  • 2064926 - ET INFO DYNAMIC_DNS Query to a *.reisezeiter .ch domain (info.rules)
  • 2064927 - ET INFO DYNAMIC_DNS HTTP Request to a *.reisezeiter .ch domain (info.rules)
  • 2064928 - ET WEB_SPECIFIC_APPS ASUS RT-AC3200 Uncontrolled Format String via nvram_match Hook Family in appGet.cgi (CVE-2018-14713) (web_specific_apps.rules)
  • 2064929 - ET WEB_SPECIFIC_APPS ASUS RT-AC3200 Command Injection via load_script Hook in appGet.cgi (CVE-2018-14714) (web_specific_apps.rules)
  • 2064930 - ET WEB_SPECIFIC_APPS UTT formApMail senderEmail Parameter Buffer Overflow Attempt (CVE-2025-10953) (web_specific_apps.rules)
  • 2064931 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (projects .alternativesynergies .com) (malware.rules)
  • 2064932 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (projects .alternativesynergies .com) (malware.rules)
  • 2064933 - ET WEB_SPECIFIC_APPS Fortinet FortiWeb Out of Bounds Access via HTTP Cookie (CVE-2025-52970) (web_specific_apps.rules)

Pro:

  • 2864692 - ETPRO ATTACK_RESPONSE ReverseLoader Decimal Obfuscated MZ Inbound M1 (attack_response.rules)
  • 2864693 - ETPRO ATTACK_RESPONSE ReverseLoader Decimal Obfuscated MZ Inbound M2 (attack_response.rules)
  • 2864694 - ETPRO MALWARE Observed DNS Query to ReverseLoader Domain (malware.rules)
  • 2864695 - ETPRO MALWARE Observed DNS Query to ReverseLoader Domain (malware.rules)
  • 2864696 - ETPRO MALWARE Observed ReverseLoader Domain in TLS SNI (malware.rules)
  • 2864697 - ETPRO MALWARE Observed ReverseLoader Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2026471 - ET MALWARE Kraken Ransomware Start Activity 1 (malware.rules)
  • 2026472 - ET MALWARE [PTsecurity] Kraken Ransomware Start Activity 2 (malware.rules)
  • 2026644 - ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain) (malware.rules)
  • 2026659 - ET MALWARE Observed Malicious SSL Cert (BrushaLoader Domain) (malware.rules)
  • 2026687 - ET MALWARE [PTsecurity] WeChat (Ransomware/Stealer) Config (malware.rules)
  • 2026726 - ET MALWARE ELF/Win32 Lucky Ransomware Encryption Process Started (malware.rules)
  • 2026727 - ET MALWARE Lucky Ransomware Reporting Successful File Encryption (malware.rules)
  • 2026774 - ET INFO DNS Over TLS Request Outbound (info.rules)
  • 2026899 - ET MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) (malware.rules)
  • 2027168 - ET POLICY Powershell Activity Over SMB - Likely Lateral Movement (policy.rules)
  • 2833190 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL 2018-10-18 2) (malware.rules)
  • 2833520 - ETPRO MALWARE Observed Malicious SSL Cert (SocGholish Redirect) (malware.rules)
  • 2833853 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 453 (mobile_malware.rules)
  • 2833861 - ETPRO MALWARE Observed Malicious SSL Cert (APT 34 CnC Domain) (malware.rules)
  • 2833864 - ETPRO MALWARE Observed Malicious SSL Cert (BrushaLoader CnC) (malware.rules)
  • 2833977 - ETPRO MALWARE Observed Malicious SSL Cert (Ursnif CnC) (malware.rules)
  • 2834172 - ETPRO MALWARE Observed Malicious SSL Cert (MalDoc DL 2019-01-02) (malware.rules)
  • 2834218 - ETPRO MALWARE SSL/TLS Certificate Observed (DarkHydrus) (malware.rules)
  • 2834273 - ETPRO MALWARE UnHuman Bot CnC Activity (malware.rules)
  • 2834921 - ETPRO MALWARE Brushaloader Domain in TLS SNI (malware.rules)