Ruleset Update Summary - 2025/10/01 - v11028

Ruleset Updates
1

Summary:

30 new OPEN, 33 new PRO (30 + 3)

Added rules:

Open:

  • 2063969 - ET HUNTING Valve Steam Store Domain in TLS SNI (store .steampowered .com) (hunting.rules)
  • 2065003 - ET MALWARE BPFDoor UDP Magic Packet (Inbound) M1 (malware.rules)
  • 2065004 - ET MALWARE BPFDoor UDP Magic Packet (Inbound) M2 (malware.rules)
  • 2065005 - ET MALWARE BPFDoor UDP Magic Packet (Inbound) M3 (malware.rules)
  • 2065006 - ET MALWARE BPFDoor ICMP Magic Packet (Inbound) M1 (malware.rules)
  • 2065007 - ET MALWARE BPFDoor ICMP Magic Packet (Inbound) M2 (malware.rules)
  • 2065008 - ET MALWARE BPFDoor ICMP Magic Packet (Inbound) M3 (malware.rules)
  • 2065009 - ET MALWARE BPFDoor TCP Magic Packet (Inbound) M1 (malware.rules)
  • 2065010 - ET MALWARE BPFDoor TCP Magic Packet (Inbound) M2 (malware.rules)
  • 2065011 - ET MALWARE BPFDoor TCP Magic Packet (Inbound) M3 (malware.rules)
  • 2065012 - ET MALWARE BPFDoor TCP Magic Packet (Inbound) M4 (malware.rules)
  • 2065013 - ET MALWARE BPFDoor TCP Magic Packet (Inbound) M5 (malware.rules)
  • 2065014 - ET MALWARE BPFDoor TCP Magic Packet (Inbound) M6 (malware.rules)
  • 2065015 - ET MALWARE BPFDoor Direct Connection Client Response (Outbound) (malware.rules)
  • 2065016 - ET MALWARE BPFDoor Heartbeat (Outbound) (malware.rules)
  • 2065017 - ET INFO DYNAMIC_DNS Query to a *.maderasrm .cl domain (info.rules)
  • 2065018 - ET INFO DYNAMIC_DNS HTTP Request to a *.maderasrm .cl domain (info.rules)
  • 2065019 - ET INFO DYNAMIC_DNS Query to a *.giripawan .com .np domain (info.rules)
  • 2065020 - ET INFO DYNAMIC_DNS HTTP Request to a *.giripawan .com .np domain (info.rules)
  • 2065021 - ET INFO DYNAMIC_DNS Query to a *.mukeshbasnet .com .np domain (info.rules)
  • 2065022 - ET INFO DYNAMIC_DNS HTTP Request to a *.mukeshbasnet .com .np domain (info.rules)
  • 2065023 - ET INFO DYNAMIC_DNS Query to a *.einfach-du .ch domain (info.rules)
  • 2065024 - ET INFO DYNAMIC_DNS HTTP Request to a *.einfach-du .ch domain (info.rules)
  • 2065025 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (aeropeics .com) (exploit_kit.rules)
  • 2065026 - ET EXPLOIT_KIT LandUpdate808 Domain (aeropeics .com) in TLS SNI (exploit_kit.rules)
  • 2065027 - ET WEB_SPECIFIC_APPS Totolink setWifiAclRules desc Parameter Command Injection Attempt (CVE-2025-11005) (web_specific_apps.rules)
  • 2065028 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (aeropeics .com) (exploit_kit.rules)
  • 2065029 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (aeropeics .com) (exploit_kit.rules)
  • 2065030 - ET INFO Observed DNS Query to Dynamic DNS Domain (dedyn .io) (info.rules)
  • 2065031 - ET INFO Observed Dynamic DNS Domain (dedyn .io in TLS SNI) (info.rules)

Pro:

  • 2864727 - ETPRO MALWARE PureCrypter Stager CnC Activity M1 (malware.rules)
  • 2864728 - ETPRO MALWARE PureCrypter Stager CnC Activity M2 (malware.rules)
  • 2864729 - ETPRO MALWARE PureCrypter Stager CnC Response (malware.rules)

Modified inactive rules:

  • 2001218 - ET WEB_SPECIFIC_APPS PHPNuke general XSS attempt (web_specific_apps.rules)
  • 2001588 - ET ADWARE_PUP MarketScore.com Spyware Activity (1) (adware_pup.rules)
  • 2001589 - ET ADWARE_PUP MarketScore.com Spyware Activity (2) (adware_pup.rules)
  • 2001678 - ET ADWARE_PUP Webhancer Agent Activity (adware_pup.rules)
  • 2001737 - ET ADWARE_PUP ak-networks.com Spyware Code Install (adware_pup.rules)
  • 2002349 - ET ADWARE_PUP Alexa Spyware Reporting URL (adware_pup.rules)
  • 2003121 - ET POLICY docs.google.com Activity (policy.rules)
  • 2003442 - ET ADWARE_PUP Webbuying.net Spyware Installing (adware_pup.rules)
  • 2003513 - ET HUNTING Suspicious Mozilla User-Agent typo (MOzilla/4.0) (hunting.rules)
  • 2003530 - ET HUNTING Suspicious Mozilla User-Agent Separator - likely Fake (Mozilla/4.0+(compatible +MSIE+) (hunting.rules)
  • 2003588 - ET ADWARE_PUP Worm.Pyks HTTP C&C Traffic User-Agent (skw00001) (adware_pup.rules)
  • 2003597 - ET POLICY Google Calendar in Use (policy.rules)
  • 2003694 - ET WEB_SPECIFIC_APPS NoAH Remote Inclusion Attempt – mfa_theme.php tpls (web_specific_apps.rules)
  • 2003894 - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt – dev_logon.asp username (web_specific_apps.rules)
  • 2003895 - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt – registerAccount.asp (web_specific_apps.rules)
  • 2003896 - ET WEB_SPECIFIC_APPS Nokia Intellisync Mobile Suite XSS Attempt – create_account.asp (web_specific_apps.rules)
  • 2007914 - ET WORM SDBot HTTP Checkin (worm.rules)
  • 2008031 - ET MALWARE Dorf/Win32.Inject.adt C&C Communication Outbound (malware.rules)
  • 2008032 - ET MALWARE Dorf/Win32.Inject.adt C&C Communication Inbound (malware.rules)
  • 2009146 - ET ATTACK_RESPONSE Possible ASPXSpy Request (attack_response.rules)
  • 2009147 - ET ATTACK_RESPONSE Possible ASPXSpy Related Activity (attack_response.rules)
  • 2009149 - ET ATTACK_RESPONSE Possible ASPXSpy Upload Attempt (attack_response.rules)
  • 2009295 - ET HUNTING Suspicious Mozilla User-Agent Likely Fake (Mozilla/5.0) (hunting.rules)
  • 2009345 - ET ATTACK_RESPONSE HTTP 401 Unauthorized (attack_response.rules)
  • 2009346 - ET ATTACK_RESPONSE Frequent HTTP 401 Unauthorized - Possible Brute Force Attack (attack_response.rules)
  • 2009487 - ET MALWARE Downloader Possible AV KILLER (malware.rules)
  • 2009502 - ET WEB_SPECIFIC_APPS Quantum Game Library server_request.php CONFIG Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2010223 - ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt (web_specific_apps.rules)
  • 2010325 - ET ACTIVEX COM Object MS06-042 CLSID 34 Access Attempt (activex.rules)
  • 2010326 - ET ACTIVEX COM Object MS06-042 CLSID 35 Access Attempt (activex.rules)
  • 2010327 - ET ACTIVEX COM Object MS06-042 CLSID 36 Access Attempt (activex.rules)
  • 2010328 - ET ACTIVEX COM Object MS06-042 CLSID 37 Access Attempt (activex.rules)
  • 2010908 - ET HUNTING Mozilla User-Agent (Mozilla/5.0) Inbound Likely Fake (hunting.rules)
  • 2011015 - ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Remote File Disclosure Attempt (web_server.rules)
  • 2011016 - ET WEB_SERVER Possible Sun Microsystems Sun Java System Web Server Long OPTIONS URI Overflow Attmept (web_server.rules)
  • 2011199 - ET MALWARE Outbound AVISOSVB MSSQL Request (malware.rules)
  • 2011759 - ET WEB_SERVER TIEHTTP User-Agent (web_server.rules)
  • 2012617 - ET MALWARE Unknown Malware PatchPathNewS3.dat Request (malware.rules)
  • 2013122 - ET MALWARE Vilsel.ayjv Checkin (aid) (malware.rules)
  • 2013377 - ET MALWARE W32/Alunik User Agent Detected (malware.rules)
  • 2013861 - ET INFO Query for Suspicious .nl.ai Domain (info.rules)
  • 2013862 - ET INFO Query for Suspicious .xe.cx Domain (info.rules)
  • 2013996 - ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1 (current_events.rules)
  • 2013997 - ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 2 (current_events.rules)
  • 2013998 - ET MALWARE W32/Jorik DDOS Instructions From CnC Server (malware.rules)
  • 2014435 - ET MALWARE Infostealer.Banprox Proxy.pac Download (malware.rules)
  • 2014599 - ET MALWARE Mac Flashback Checkin 3 (malware.rules)
  • 2014755 - ET MALWARE W32/HupigonUser.Backdoor Rabclib UA Checkin (malware.rules)
  • 2014760 - ET MALWARE W32/Votwup.Backdoor Checkin (malware.rules)
  • 2015517 - ET MALWARE .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious) (malware.rules)
  • 2015753 - ET MALWARE Pincav.cjvb Checkin (malware.rules)
  • 2016180 - ET SNMP missing community string attempt 3 (snmp.rules)
  • 2016353 - ET EXPLOIT_KIT Styx Exploit Kit Landing Applet With Getmyfile.exe Payload (exploit_kit.rules)
  • 2016460 - ET MALWARE WEBC2-CSON Checkin - APT1 Related (malware.rules)
  • 2016807 - ET EXPLOIT_KIT Eval With Base64.decode seen in DOL Watering Hole Attack 05/01/13 (exploit_kit.rules)
  • 2017075 - ET EXPLOIT_KIT Sweet Orange applet structure June 27 2013 (exploit_kit.rules)
  • 2017174 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirect (web_server.rules)
  • 2017175 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 redirectAction (web_server.rules)
  • 2018206 - ET EXPLOIT_KIT Hello/LightsOut EK Secondary Landing (exploit_kit.rules)
  • 2018207 - ET EXPLOIT_KIT LightsOut EK Exploit/Payload Request (exploit_kit.rules)
  • 2018464 - ET MALWARE OneLouder EXE download possibly installing Zeus P2P (malware.rules)
  • 2018465 - ET MALWARE Possible Backdoor.Adwind Download 2 (malware.rules)
  • 2018569 - ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (Disable Forwarding) (current_events.rules)
  • 2019100 - ET EXPLOIT_KIT FlashPack EK Redirect Sept 01 2014 (exploit_kit.rules)
  • 2019203 - ET MALWARE Backdoor.Win32.PcClient.bal CnC (OUTBOUND) 3 (malware.rules)
  • 2019375 - ET WEB_CLIENT Possible Sweet Orange redirection Oct 8 2014 (web_client.rules)
  • 2019843 - ET MALWARE Vawtrak/NeverQuest Posting Data (malware.rules)
  • 2019987 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020292 - ET MALWARE Generic DNS Query for Suspicious CryptoWall (crpt) Domains (malware.rules)
  • 2020633 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  • 2020634 - ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204) (policy.rules)
  • 2020635 - ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204) (policy.rules)
  • 2020636 - ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204) (policy.rules)
  • 2020637 - ET POLICY FREAK Weak Export Suite From Client (CVE-2015-0204) (policy.rules)
  • 2021109 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021598 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021599 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021897 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021898 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021899 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021959 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021961 - ET MALWARE PlugX or EvilGrab DNS Lookup (appeur.gnway.cc) (malware.rules)
  • 2022248 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022249 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022250 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022251 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2022320 - ET WEB_CLIENT Tech Support Phone Scam Landing Dec 30 M2 (web_client.rules)
  • 2022798 - ET MALWARE SHUJIN .onion Payment Page (malware.rules)
  • 2022942 - ET MALWARE Possible Malicous Macro DL EXE Jul 01 2016 (exe generic custom headers) (malware.rules)
  • 2023537 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2024423 - ET MALWARE x0Proto File Contents Exfil Request (malware.rules)
  • 2100600 - GPL EXPLOIT EXPLOIT statdx (exploit.rules)
  • 2101317 - GPL INAPPROPRIATE anal sex (inappropriate.rules)
  • 2101409 - GPL SNMP SNMP community string buffer overflow attempt (snmp.rules)
  • 2101417 - GPL SNMP request udp (snmp.rules)
  • 2101418 - GPL SNMP request tcp (snmp.rules)
  • 2101420 - GPL SNMP trap tcp (snmp.rules)
  • 2101422 - GPL SNMP community string buffer overflow attempt with evasion (snmp.rules)
  • 2101837 - GPL INAPPROPRIATE alt.binaries.pictures.tinygirls (inappropriate.rules)
  • 2102095 - GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt (rpc.rules)
  • 2102608 - GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt (sql.rules)
  • 2102679 - GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt (sql.rules)
  • 2102684 - GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt (sql.rules)
  • 2103041 - GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt (netbios.rules)
  • 2800067 - ETPRO EXPLOIT CA Multiple Products Console Server Login Credentials Handling Buffer Overflow 1 (exploit.rules)
  • 2800068 - ETPRO EXPLOIT CA Multiple Products Console Server Login Credentials Handling Buffer Overflow 2 (exploit.rules)
  • 2800069 - ETPRO EXPLOIT CA Multiple Products Console Server Login Credentials Handling Buffer Overflow 3 (exploit.rules)
  • 2800321 - ETPRO VOIP Asterisk Invalid RTP Payload Type Number Memory Corruption 1 (voip.rules)
  • 2800323 - ETPRO RPC Sun Solaris rpc.ypupdated Command Injection Vulnerability (rpc.rules)
  • 2800324 - ETPRO RPC Sun Solaris rpc.ypupdated Command Injection Vulnerability (rpc.rules)
  • 2800577 - ETPRO WEB_SERVER Apache Struts2 ParametersInterceptor Remote Command Execution 2 (web_server.rules)
  • 2800578 - ETPRO SMTP Ipswitch IMail Server List Mailer Reply-To Address Buffer Overflow (smtp.rules)
  • 2800579 - ETPRO SMTP Ipswitch IMail Server Mailing List Message Subject Buffer Overflow (smtp.rules)
  • 2800580 - ETPRO IMAP Novell GroupWise Internet Agent IMAP Service Stack Buffer Overflow (imap.rules)
  • 2800941 - ETPRO ACTIVEX Novell iPrint Client GetDriverSettings Stack Buffer Overflow 2 (activex.rules)
  • 2800942 - ETPRO EXPLOIT Microsoft Forefront Unified Access Gateway Signurl.asp Cross-Site Scripting (exploit.rules)
  • 2800943 - ETPRO MALWARE Trojan.Win32.Konad.A Activity (malware.rules)
  • 2800944 - ETPRO MALWARE Trojan.Win32.Konad.A Receiving Config (malware.rules)
  • 2801134 - ETPRO SCADA SCHWEITZER SEL2032-Modem Status Change Attempt (scada.rules)
  • 2801135 - ETPRO SCADA SCHWEITZER SEL2032-Modem Status Changed (scada.rules)
  • 2801136 - ETPRO SCADA SCHWEITZER SEL2032-Password function detected (scada.rules)
  • 2801137 - ETPRO SCADA SCHWEITZER SEL2032-Passwords were viewed (scada.rules)
  • 2801373 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow CIFS (CVE-2011-0654) (netbios.rules)
  • 2801374 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal Netbios 138 1 (netbios.rules)
  • 2801375 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal Netbios 138 2 (netbios.rules)
  • 2801376 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal Netbios 139 (netbios.rules)
  • 2801377 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal SMB (netbios.rules)
  • 2802089 - ETPRO EXPLOIT IBM Tivoli Directory Server ibmslapd.exe Integer Overflow (exploit.rules)
  • 2802583 - ETPRO MALWARE Backdoor.Win32.Qakbot.E (Backdoor Communication) (malware.rules)
  • 2802966 - ETPRO MALWARE Win32.Banker.IC Checkin (malware.rules)
  • 2802967 - ETPRO MALWARE Backdoor.Win32.Hassar.A Checkin (malware.rules)
  • 2802968 - ETPRO ACTIVEX Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption 1 (activex.rules)
  • 2802969 - ETPRO ACTIVEX Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption 2 (activex.rules)
  • 2803357 - ETPRO EXPLOIT Sybase Open Server Function Pointer Array Code Execution 1 (exploit.rules)
  • 2803513 - ETPRO MALWARE Win32/VB.AED Checkin off-ports (malware.rules)
  • 2803834 - ETPRO MALWARE Win32/Isnup.B Checkin (malware.rules)
  • 2803835 - ETPRO MALWARE Generic.Banker.OT.89A60848 Checkin (malware.rules)
  • 2803837 - ETPRO MALWARE Win32.Cycbot-MM Checkin 2 (malware.rules)
  • 2803981 - ETPRO MALWARE Win32/Banload.ACI Checkin (malware.rules)
  • 2803982 - ETPRO MALWARE Win32/Scar.G Checkin (malware.rules)
  • 2804102 - ETPRO ACTIVEX HP Protect Tools Device Access Manager for Windows arbitrary code execution (activex.rules)
  • 2804266 - ETPRO MALWARE Trojan.Win32.Scar.fsah Checkin (malware.rules)
  • 2804267 - ETPRO MALWARE TR/Crypt.XPACK.Gen Checkin (malware.rules)
  • 2804269 - ETPRO ADWARE_PUP RogueAntiSpyware Install (adware_pup.rules)
  • 2804270 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.gyda Checkin (malware.rules)
  • 2804442 - ETPRO MALWARE TrojanDropper.Win32/Umrena.F Checkin (malware.rules)
  • 2804443 - ETPRO MALWARE Win32/Banload.gen!B Checkin (malware.rules)
  • 2804595 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.xdfp Checkin (malware.rules)
  • 2804711 - ETPRO MALWARE Trojan-Banker.Win32.Banz.jpb Checkin 2 (malware.rules)
  • 2804714 - ETPRO MALWARE Backdoor.Win32.Bredolab.ugk Checkin (malware.rules)
  • 2805171 - ETPRO MALWARE Trojan-Spy.Win32.Zbot.ecnq Checkin (malware.rules)
  • 2805220 - ETPRO ADWARE_PUP Win-Adware/KorAd.138208 Checkin (adware_pup.rules)
  • 2805221 - ETPRO MALWARE Trojan.Generic.KDV.671881 TLSv1 Client Hello (malware.rules)
  • 2805222 - ETPRO MALWARE Trojan.Generic.KDV.671881 TLSv1 Server Hello Certificate (malware.rules)
  • 2805350 - ETPRO MALWARE Variant.Graftor.17107 Checkin (malware.rules)
  • 2805352 - ETPRO MALWARE POST to a mp3 file (malware.rules)
  • 2805353 - ETPRO MALWARE POST to a rar file (malware.rules)
  • 2805503 - ETPRO MALWARE Win32/Wemosis.C CnC Response (malware.rules)
  • 2805666 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.zdmn Redirection (malware.rules)
  • 2805780 - ETPRO ADWARE_PUP AdWare.Win32.KSG.vl Checkin (adware_pup.rules)
  • 2805875 - ETPRO RETIRED Win32/Reveton.N Checkin (retired.rules)
  • 2806566 - ETPRO MALWARE Win32/C2Lop.B Download (malware.rules)
  • 2806819 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 1 (web_client.rules)
  • 2806820 - ETPRO WEB_CLIENT Potential Internet Explorer Use After Free CVE-2013-3188 2 (web_client.rules)
  • 2807105 - ETPRO DOS Possible MS13-082 JSON Parsing Vulnerability CVE-2013-3861 Attempt 1 (dos.rules)
  • 2807106 - ETPRO DOS Possible MS13-082 JSON Parsing Vulnerability CVE-2013-3861 Attempt 2 (dos.rules)
  • 2807107 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt (CVE-2013-3895) (web_server.rules)
  • 2807474 - ETPRO MALWARE Miniduke Checkin 2 (malware.rules)
  • 2807618 - ETPRO MALWARE Win32/TrojanDownloader.Banload.ROP Response (malware.rules)
  • 2807762 - ETPRO MALWARE Win32/Killav.CM Checkin (malware.rules)
  • 2807763 - ETPRO MALWARE Win32/Hider.G GET .ini Request (malware.rules)
  • 2807905 - ETPRO MALWARE Trojan.Win32.Ircbot IRC LOGIN (malware.rules)
  • 2808353 - ETPRO MOBILE_MALWARE Android.Trojan.FakeBank.I Checkin (mobile_malware.rules)
  • 2808591 - ETPRO ADWARE_PUP PUP.Optional.OneMoreGame.A checkin (adware_pup.rules)
  • 2808958 - ETPRO MALWARE Backdoor.Cakwerd Dropping Files (malware.rules)
  • 2809376 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.lt Checkin (mobile_malware.rules)
  • 2809571 - ETPRO MALWARE Waterbug PluginDetect URI Structure (malware.rules)
  • 2809572 - ETPRO MALWARE Trojan.Win32.VinSelf.p Malformed Checkin (malware.rules)
  • 2810145 - ETPRO MALWARE Win32/Vobfus.EK C&C DNS request (malware.rules)
  • 2814205 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ej Checkin 2 (mobile_malware.rules)
  • 2814609 - ETPRO MALWARE Malicious .doc Encrypted Payload Oct 27 (1) (malware.rules)
  • 2814979 - ETPRO EXPLOIT SSL Certificate With Directory Traversal (exploit.rules)
  • 2816731 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.hu Checkin (mobile_malware.rules)
  • 2816732 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.hu Checkin 2 (mobile_malware.rules)
  • 2819888 - ETPRO MALWARE Andr/InfoStl-AU .onion Proxy Domain (malware.rules)
  • 2820093 - ETPRO EXPLOIT_KIT Sundown/Xer EK Landing May 05 2016 M2 (b641) (exploit_kit.rules)
  • 2820094 - ETPRO EXPLOIT_KIT Sundown/Xer EK Landing May 05 2016 M2 (b642) (exploit_kit.rules)
  • 2820739 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820957 - ETPRO MALWARE Possible Ransomware Variant .onion Proxy Domain (malware.rules)
  • 2821180 - ETPRO MALWARE Malicious SSL Certificate Detected (Zloader CnC) (malware.rules)
  • 2821602 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2822166 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2822167 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2822168 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2822355 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.jp Checkin (mobile_malware.rules)
  • 2822585 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda) (malware.rules)
  • 2824681 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2824682 - ETPRO MALWARE ZLoader Malicious SSL Cert Observed (malware.rules)
  • 2825589 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2825590 - ETPRO MALWARE Samsam Ransomware Domain in SSL Client Hello (malware.rules)
  • 2826337 - ETPRO EXPLOIT Windows Kernel Information Disclosure Vulnerability (CVE-2017-0259) (exploit.rules)
  • 2826338 - ETPRO EXPLOIT Win32k Elevation of Privilege Vulnerability (CVE-2017-0263) (exploit.rules)

Disabled and modified rules:

  • 2027697 - ET MALWARE VBA/TrojanDownloader.Agent.PAC Retreiving Malicious VBScript (malware.rules)

Removed rules:

  • 2063969 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (store .steampowered .com) (malware.rules)