Ruleset Update Summary - 2025/10/02 - v11030

Ruleset Updates
1

Summary:

6 new OPEN, 22 new PRO (6 + 16)

Thanks @haxrob

Added rules:

Open:

  • 2065032 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (content-website-analytics .comm) (exploit_kit.rules)
  • 2065033 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (content-website-analytics .comm) (exploit_kit.rules)
  • 2065034 - ET WEB_SPECIFIC_APPS ABB Cylon Aspect 3.07.00 Remote Code Execution (web_specific_apps.rules)
  • 2065035 - ET ATTACK_RESPONSE Braodo Loader Inbound (attack_response.rules)
  • 2065036 - ET USER_AGENTS TruffleHog Repo Scanner User-Agent (TruffleHog3) (user_agents.rules)
  • 2065037 - ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Directory Traversal in Session Cookie (CVE-2024-3400) (web_specific_apps.rules)

Pro:

  • 2864730 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864731 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864732 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864733 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864734 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864735 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864736 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864737 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864738 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864739 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864740 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864741 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864742 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864743 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864744 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864745 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

  • 2001066 - ET MALWARE IE Ilookup Trojan (malware.rules)
  • 2001481 - ET ADWARE_PUP MediaTickets Spyware Install (adware_pup.rules)
  • 2001503 - ET ADWARE_PUP Medialoads.com Spyware Config (adware_pup.rules)
  • 2001517 - ET ADWARE_PUP Websearch.com Outbound Dialer Retrieval (adware_pup.rules)
  • 2001530 - ET ADWARE_PUP ak-networks.com Spyware Code Download (adware_pup.rules)
  • 2002036 - ET ADWARE_PUP Weird on the Web /180 Solutions Checkin (adware_pup.rules)
  • 2002838 - ET POLICY Google Search Appliance browsing the Internet (policy.rules)
  • 2002867 - ET WEB_SPECIFIC_APPS Horde 3.0.9-3.1.0 Help Viewer Remote PHP Exploit (web_specific_apps.rules)
  • 2002868 - ET WEB_SPECIFIC_APPS Horde Web Mail Help Access (web_specific_apps.rules)
  • 2003219 - ET ADWARE_PUP Alexa Spyware Reporting (adware_pup.rules)
  • 2003585 - ET ADWARE_PUP Trojan User-Agent (Windows Updates Manager) (adware_pup.rules)
  • 2003606 - ET ADWARE_PUP Alexa Spyware Reporting URL Visited (adware_pup.rules)
  • 2003619 - ET ADWARE_PUP Alexa Spyware Redirecting User (adware_pup.rules)
  • 2003641 - ET MALWARE Downloader.Small User Agent Detected (NetScafe) (malware.rules)
  • 2006398 - ET MALWARE Socks666 Checkin Packet (malware.rules)
  • 2006399 - ET MALWARE Socks666 Checkin Success Packet (malware.rules)
  • 2007595 - ET MALWARE Downloader.Dluca HTTP Checkin (malware.rules)
  • 2007898 - ET MALWARE Sohanad Checkin via HTTP (malware.rules)
  • 2008236 - ET MALWARE Fake.Googlebar or Softcash.org Related Post-Infection Checkin (malware.rules)
  • 2008652 - ET WEB_SPECIFIC_APPS ScriptsEz Easy Image Downloader id File Disclosure (web_specific_apps.rules)
  • 2009077 - ET MALWARE TROJ_INJECT.NI Update Request (malware.rules)
  • 2009244 - ET ATTACK_RESPONSE Cisco TclShell TFTP Read Request (attack_response.rules)
  • 2009246 - ET SHELLCODE Bindshell2 Decoder Shellcode (shellcode.rules)
  • 2009398 - ET WEB_SPECIFIC_APPS HoMaP plugin_admin.php _settings Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009435 - ET WEB_SPECIFIC_APPS e107 123 FlashChat Module 123flashchat.php e107path Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009504 - ET WEB_SPECIFIC_APPS Quantum Game Library smarty.inc.php CONFIG Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009723 - ET WEB_SPECIFIC_APPS QuickTeam qte_web.php qte_web_path Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009812 - ET MALWARE AVKiller with Backdoor checkin (malware.rules)
  • 2009884 - ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan (scan.rules)
  • 2009885 - ET SCAN Unusually Fast 404 Error Messages (Page Not Found), Possible Web Application Scan/Directory Guessing Attack (scan.rules)
  • 2010329 - ET ACTIVEX COM Object MS06-042 CLSID 38 Access Attempt (activex.rules)
  • 2010330 - ET ACTIVEX COM Object MS06-042 CLSID 39 Access Attempt (activex.rules)
  • 2010331 - ET ACTIVEX COM Object MS06-042 CLSID 40 Access Attempt (activex.rules)
  • 2010332 - ET ACTIVEX COM Object MS06-042 CLSID 41 Access Attempt (activex.rules)
  • 2010452 - ET MALWARE Potential Fake AV GET installer.1.exe (malware.rules)
  • 2010453 - ET MALWARE Potential Fake AV GET installer_1.exe (malware.rules)
  • 2010465 - ET MALWARE Potential Fake AV Download (download/install.php) (malware.rules)
  • 2011988 - ET EXPLOIT_KIT Phoenix-style Exploit Kit Java Request with semicolon in URI (exploit_kit.rules)
  • 2011989 - ET MALWARE Suspicious executable download adobe-flash.v (malware.rules)
  • 2011991 - ET MALWARE FAKEAV Gemini systempack exe download (malware.rules)
  • 2012192 - ET ACTIVEX NewV SmartClient NewvCommon.ocx DelFile Method Arbitrary File Deletion Attempt (activex.rules)
  • 2012621 - ET EXPLOIT Adobe Flash SWF File Embedded in XLS FILE Caution - Could be Exploit (exploit.rules)
  • 2012622 - ET CURRENT_EVENTS Adobe Flash Unicode SWF File Embedded in Office File Caution - Could be Hostile (current_events.rules)
  • 2012839 - ET MALWARE Trojan-Downloader.Win32.Small Checkin (malware.rules)
  • 2013285 - ET MALWARE DarkComet-RAT Client Keepalive (malware.rules)
  • 2013999 - ET ADWARE_PUP W32/Adware.Ibryte User-Agent (ic Windows NT 5.1 MSIE 6.0 Firefox/ Def) (adware_pup.rules)
  • 2014437 - ET MALWARE FakeAV Landing Page - Initializing Protection System (malware.rules)
  • 2014605 - ET ADWARE_PUP W32/GameVance Adware Server Reponse To Client Checkin (adware_pup.rules)
  • 2014606 - ET ADWARE_PUP W32/GameVance User-Agent (aw v3) (adware_pup.rules)
  • 2017176 - ET WEB_SERVER Possible Apache Struts OGNL Command Execution CVE-2013-2251 action (web_server.rules)
  • 2018208 - ET DOS Inbound GoldenEye DoS attack (dos.rules)
  • 2018209 - ET EXPLOIT_KIT Rawin EK Java fakav.jar (exploit_kit.rules)
  • 2018466 - ET MALWARE Possible Backdoor.Unrecom Download (malware.rules)
  • 2018568 - ET CURRENT_EVENTS Possible Inbound SNMP Router DoS (TTL 1) (current_events.rules)
  • 2018573 - ET EXPLOIT_KIT Safe/CritX/FlashPack EK Secondary Landing (exploit_kit.rules)
  • 2019516 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Backoff CnC) (malware.rules)
  • 2019517 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020296 - ET MALWARE Scieron Retrieving Information (malware.rules)
  • 2020864 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021112 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex CnC) (malware.rules)
  • 2021113 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dyre CnC) (malware.rules)
  • 2022252 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022364 - ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M1 (web_client.rules)
  • 2022707 - ET MALWARE LuminosityLink - Data Channel Client Request 2 (malware.rules)
  • 2022709 - ET MALWARE LuminosityLink - CnC Password Exfil (malware.rules)
  • 2023157 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
  • 2023538 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Tuhkit C2) (malware.rules)
  • 2023539 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2023540 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
  • 2023541 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TrickBot CnC) (malware.rules)
  • 2024205 - ET MALWARE Win32/Cradle Ransomware Onion Domain (malware.rules)
  • 2027697 - ET MALWARE VBA/TrojanDownloader.Agent.PAC Retreiving Malicious VBScript (malware.rules)
  • 2100292 - GPL NETBIOS x86 Linux samba overflow (netbios.rules)
  • 2100517 - GPL MISC xdmcp query (misc.rules)
  • 2100567 - GPL SMTP SMTP relaying denied (smtp.rules)
  • 2101311 - GPL INAPPROPRIATE hardcore anal (inappropriate.rules)
  • 2101419 - GPL SNMP trap udp (snmp.rules)
  • 2102018 - GPL RPC mountd TCP dump request (rpc.rules)
  • 2103033 - GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt (netbios.rules)
  • 2103049 - GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt (netbios.rules)
  • 2103057 - GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt (netbios.rules)
  • 2103195 - GPL NETBIOS name query overflow attempt TCP (netbios.rules)
  • 2800070 - ETPRO EXPLOIT CA Multiple Products Console Server Login Credentials Handling Buffer Overflow 4 (exploit.rules)
  • 2800071 - ETPRO EXPLOIT Symantec Discovery XFERWAN Service Buffer Overflow (exploit.rules)
  • 2800072 - ETPRO DOS Linux Kernel NetFilter SCTP Unknown Chunk Types Denial of Service 1 (dos.rules)
  • 2800322 - ETPRO VOIP Asterisk Invalid RTP Payload Type Number Memory Corruption 2 (voip.rules)
  • 2800325 - ETPRO EXPLOIT GNOME Project libxslt Library RC4 Key String Buffer Overflow 1 (exploit.rules)
  • 2800326 - ETPRO EXPLOIT GNOME Project libxslt Library RC4 Key String Buffer Overflow 2 (exploit.rules)
  • 2800327 - ETPRO EXPLOIT GNOME Project libxslt Library RC4 Key String Buffer Overflow 3 (exploit.rules)
  • 2800581 - ETPRO EXPLOIT HP OpenView Network Node Manager webappmon.exe execvp_nc Buffer Overflow (exploit.rules)
  • 2800582 - ETPRO WEB_SERVER Novell Teaming ajaxUploadImageFile Remote Code Execution (web_server.rules)
  • 2801138 - ETPRO SCADA SCHWEITZER SEL2032-Access Level 1/2 Password Changed (scada.rules)
  • 2801139 - ETPRO SCADA SCHWEITZER SEL2032-Access Level 1 or 2 Password Disabled (scada.rules)
  • 2801141 - ETPRO SCADA SCHWEITZER SEL2032-Time Change was Successful (scada.rules)
  • 2801378 - ETPRO NETBIOS Microsoft Windows Active Directory BROWSER ELECTION Buffer Overflow Internal CIFS (CVE-2011-0654) (netbios.rules)
  • 2801948 - ETPRO MALWARE PC Total Defender or related Fake AV Checkin (malware.rules)
  • 2802094 - ETPRO MALWARE Trojan.Win32.TMaquina.A Checkin (malware.rules)
  • 2802585 - ETPRO MALWARE Backdoor.Win32.Kadrbot.A Checkin (malware.rules)
  • 2802862 - ETPRO EXPLOIT HP Intelligent Management Center imcsyslogdm Use After Free (exploit.rules)
  • 2802970 - ETPRO ACTIVEX Tom Sawyer GET Extension Factory COM Object Instantiation Memory Corruption 3 (activex.rules)
  • 2802971 - ETPRO MALWARE Killproc.5707/Generic Checkin Request 1 (malware.rules)
  • 2803192 - ETPRO EXPLOIT HP OpenView Storage Data Protector Stack Overflow (Published Expoit) (exploit.rules)
  • 2803358 - ETPRO EXPLOIT Sybase Open Server Function Pointer Array Code Execution 2 (exploit.rules)
  • 2803359 - ETPRO EXPLOIT Sybase Open Server Function Pointer Array Code Execution 3 (exploit.rules)
  • 2803677 - ETPRO MALWARE Trojan.Win32.Mybios.A Checkin (malware.rules)
  • 2803983 - ETPRO ACTIVEX Oracle Hyperion Strategic Finance 12.x Tidestone Formula One WorkBook OLE Control TTF16.ocx Remote Heap Overflow (activex.rules)
  • 2804273 - ETPRO MALWARE Win32/Bancos.ACM Checkin (malware.rules)
  • 2804446 - ETPRO MALWARE Win32/Votead Checkin (malware.rules)
  • 2804448 - ETPRO MALWARE Trojan.Zlob Install (malware.rules)
  • 2804596 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.anwx Checkin (malware.rules)
  • 2804598 - ETPRO ADWARE_PUP Win32.Adware-gen Install (adware_pup.rules)
  • 2804599 - ETPRO ADWARE_PUP Win32/Adware.Kraddare.DB Install (adware_pup.rules)
  • 2804811 - ETPRO MALWARE P2P-Worm.Win32.Palevo.boxg Checkin (malware.rules)
  • 2805172 - ETPRO MALWARE W32/Downloader.BEMB.dropper Checkin (malware.rules)
  • 2805173 - ETPRO MALWARE Trojan-PSW.Win32.Agent.ozr Checkin (malware.rules)
  • 2805174 - ETPRO MALWARE W32/Banbra.ASYO!tr Checkin (malware.rules)
  • 2805223 - ETPRO MALWARE W32/Scar.GKKK!tr Checkin (malware.rules)
  • 2805355 - ETPRO MALWARE POST to a gif file (malware.rules)
  • 2805356 - ETPRO MALWARE POST to a bmp file (malware.rules)
  • 2805504 - ETPRO MALWARE W32/Banload.RCI!tr.dldr Checkin (malware.rules)
  • 2805668 - ETPRO ADWARE_PUP Generic PUP.x!vi!1B41AF78BF55 Checkin (adware_pup.rules)
  • 2805669 - ETPRO MALWARE TROJ_DLOADER.ANP Checkin (malware.rules)
  • 2805671 - ETPRO MALWARE Variant.Barys.1820 Checkin (malware.rules)
  • 2805836 - ETPRO MALWARE ponmocup Checkin 1 (malware.rules)
  • 2805837 - ETPRO MALWARE ponmocup Checkin 2 (malware.rules)
  • 2805879 - ETPRO MALWARE W32/Koobface.hcy CnC response (malware.rules)
  • 2806312 - ETPRO MALWARE Win32/Spy.Bancos.OUH Checkin (malware.rules)
  • 2806822 - ETPRO WEB_SERVER ADFS Service Account Leak CVE-2013-3185 (web_server.rules)
  • 2806823 - ETPRO DOS ICMP with truncated IPv6 header CVE-2013-3182 (dos.rules)
  • 2806824 - ETPRO DOS ICMP with truncated IPv6 header CVE-2013-3182 (dos.rules)
  • 2806970 - ETPRO WEB_SERVER Microsoft SharePoint DoS 1 CVE-2013-0081 (web_server.rules)
  • 2807108 - ETPRO MALWARE Trojan-Banker.Win32.Banbra.aztd Response (malware.rules)
  • 2807476 - ETPRO MALWARE Win32/TrojanDownloader.Onkods.V Download (malware.rules)
  • 2807477 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.bofr Checkin (malware.rules)
  • 2807621 - ETPRO MALWARE Zegost.Gen CnC (OUTBOUND) (malware.rules)
  • 2808038 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0310) (web_client.rules)
  • 2808357 - ETPRO MOBILE_MALWARE Android/TelMan.A Checkin (mobile_malware.rules)
  • 2809072 - ETPRO MALWARE Win32.RShot Checkin (malware.rules)
  • 2809268 - ETPRO MALWARE W32/PVZ-In Checkin (Operation Cleaver) (malware.rules)
  • 2809463 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Svpeng.c Checkin (mobile_malware.rules)
  • 2810150 - ETPRO MALWARE Exaction Cryptolocker .onion Proxy Domain (iupfnqg2uaigwoei) (malware.rules)
  • 2810151 - ETPRO MALWARE Trojan-Spy.Win32.Zbot.urtu .onion Proxy Domain (4tsur32luets6fhe) (malware.rules)
  • 2810846 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin 8 (mobile_malware.rules)
  • 2811579 - ETPRO MALWARE Malicious SSL certificate detected (Meterpreter) (malware.rules)
  • 2812156 - ETPRO MALWARE MSIL/Mictanort.A Checkin (malware.rules)
  • 2816316 - ETPRO MALWARE Win32/Agent.XRA (Robo) DNS Lookup (malware.rules)
  • 2816318 - ETPRO MALWARE Win32/Agent.XRA (Robo) DNS Lookup (malware.rules)
  • 2820961 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Boqx.a Checkin 2 (mobile_malware.rules)
  • 2821411 - ETPRO MOBILE_MALWARE Android/SLocker.AC Checkin (mobile_malware.rules)
  • 2825391 - ETPRO EXPLOIT Possible Scripting Engine Information Disclosure Vulnerability (CVE-2017-0049) (exploit.rules)
  • 2825762 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 19 (mobile_malware.rules)

Disabled and modified rules:

  • 2065028 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (aeropeics .com) (exploit_kit.rules)
  • 2065029 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (aeropeics .com) (exploit_kit.rules)