Ruleset Update Summary - 2025/10/03 - v11031

Ruleset Updates
1

Summary:

11 new OPEN, 21 new PRO (11 + 10)

Thanks @ViriBack

Added rules:

Open:

  • 2065038 - ET INFO Observed DNS Query to Actor Abused File Sharing Platform (krakencloud .net) (info.rules)
  • 2065039 - ET INFO Actor Abused File Sharing Platform in TLS SNI (krakencloud .net) (info.rules)
  • 2065040 - ET WEB_SPECIFIC_APPS EmbedThis GoAhead Embedded Web Server HTML Injection via name Parameter (CVE-2023-53155) (web_specific_apps.rules)
  • 2065041 - ET WEB_SERVER MegaRAC Redfish Authentication Bypass via HTTP Header Spoofing (CVE-2023-34329) (web_server.rules)
  • 2065042 - ET WEB_SPECIFIC_APPS Dell UnityVSA AccessTool.pm getCASURL Function Pre-Auth Command Injection Attempt (CVE-2025-36604) (web_specific_apps.rules)
  • 2065043 - ET WEB_SPECIFIC_APPS Sitecore XP Unauthenticated Remote Code Execution in Report.ashx (CVE-2021-42237) (web_specific_apps.rules)
  • 2065044 - ET MALWARE JS/FatturaPDF CnC Checkin (GET) (malware.rules)
  • 2065045 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tylorperry .com) (exploit_kit.rules)
  • 2065046 - ET EXPLOIT_KIT LandUpdate808 Domain (tylorperry .com) in TLS SNI (exploit_kit.rules)
  • 2065047 - ET MALWARE Oyster Backdoor CnC Checkin M5 (malware.rules)
  • 2065048 - ET MALWARE Oyster Backdoor CnC Checkin M6 (malware.rules)

Pro:

  • 2864746 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2864747 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2864748 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2864749 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2864750 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2864751 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2864752 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2864753 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2864754 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2864755 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2000903 - ET ADWARE_PUP Avres Agent Receiving Instructions (adware_pup.rules)
  • 2000908 - ET ADWARE_PUP WhenUClick.com App and Search Bar Install (1) (adware_pup.rules)
  • 2000909 - ET ADWARE_PUP WhenUClick.com App and Search Bar Install (2) (adware_pup.rules)
  • 2000910 - ET ADWARE_PUP WhenUClick.com Clock Sync App Checkin (adware_pup.rules)
  • 2001507 - ET ADWARE_PUP Medialoads.com Spyware Identifying Country of Origin (adware_pup.rules)
  • 2001509 - ET ADWARE_PUP Medialoads.com Spyware Reporting (register.cgi) (adware_pup.rules)
  • 2001666 - ET ADWARE_PUP Metarewards Spyware Activity (adware_pup.rules)
  • 2002897 - ET WEB_SPECIFIC_APPS Horde README access probe (web_specific_apps.rules)
  • 2003056 - ET WEB_SPECIFIC_APPS EiQNetworks Security Analyzer Buffer Overflow (web_specific_apps.rules)
  • 2003330 - ET POLICY Possible Spambot Host DNS MX Query High Count (policy.rules)
  • 2003648 - ET MALWARE Clicker.BC User Agent Detected (linkrunner) (malware.rules)
  • 2003922 - ET WEB_SPECIFIC_APPS Sendcard XSS Attempt – sendcard.php form (web_specific_apps.rules)
  • 2007613 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 1 (malware.rules)
  • 2007614 - ET MALWARE Possible Infection Report Mail - Indy Mail lib and MAC Message Body - Priority 3 (malware.rules)
  • 2008502 - ET MALWARE Antispywareexpert.com Fake AS Install Checkin (malware.rules)
  • 2009248 - ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (shellcode.rules)
  • 2009283 - ET SHELLCODE Lindau (linkbot) xor Decoder Shellcode (UDP) (shellcode.rules)
  • 2009284 - ET SHELLCODE Rothenburg Shellcode (UDP) (shellcode.rules)
  • 2009400 - ET ACTIVEX Microsoft Communications Control Clsid Access (activex.rules)
  • 2010359 - ET WEB_SPECIFIC_APPS FSphp FSphp.php FSPHP_LIB Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
  • 2010360 - ET WEB_SPECIFIC_APPS FSphp navigation.php FSPHP_LIB Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
  • 2010361 - ET WEB_SPECIFIC_APPS FSphp pathwirte.php FSPHP_LIB Parameter Remote File Inclusion Attempt (web_specific_apps.rules)
  • 2010570 - ET POLICY Possible Reference to Terrorist Literature (Moderate Islam…) (policy.rules)
  • 2010684 - ET MALWARE Likely Fake Antivirus Download Setup_2012.exe (malware.rules)
  • 2011994 - ET FTP ProFTPD Backdoor Inbound Backdoor Open Request (ACIDBITCHEZ) (ftp.rules)
  • 2011995 - ET MALWARE Suspicious invoice.scr Download Request (malware.rules)
  • 2012194 - ET ACTIVEX Real Networks RealPlayer SP RecordClip Method Remote Code Execution Attempt (activex.rules)
  • 2012624 - ET CURRENT_EVENTS Lizamoon Related Compromised site served to local client (current_events.rules)
  • 2012984 - ET SMTP Sophos.com Block Message (smtp.rules)
  • 2013130 - ET ACTIVEX Black Ice Cover Page SDK DownloadImageFileURL Method Exploit (activex.rules)
  • 2013131 - ET ACTIVEX Black Ice Fax Voice SDK GetItemQueue Method Remote Code Execution Exploit (activex.rules)
  • 2013132 - ET ACTIVEX Black Ice Fax Voice SDK GetFirstItem Method Remote Code Execution Exploit (activex.rules)
  • 2014097 - ET EXPLOIT_KIT Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set (exploit_kit.rules)
  • 2015873 - ET EXPLOIT_KIT Cool Exploit Kit Requesting Payload (exploit_kit.rules)
  • 2015874 - ET RETIRED Known Reveton Domain HTTP whatwillber.com (retired.rules)
  • 2016357 - ET EXPLOIT_KIT CritXPack - URI - jpfoff.php (exploit_kit.rules)
  • 2017576 - ET EXPLOIT_KIT Styx EK jply.html (exploit_kit.rules)
  • 2018086 - ET MALWARE Possible malicious zipped-executable (malware.rules)
  • 2018336 - ET MALWARE Asprox Fake Ximian Evolution X-Mailer Header (XimianEvolution1.4.6) (malware.rules)
  • 2019518 - ET MALWARE Win32/Chanitor.A Domain in SNI (malware.rules)
  • 2019519 - ET MALWARE Win32/Chanitor.A DNS Lookup (malware.rules)
  • 2019848 - ET MALWARE Sony Breach Wiper Callout (malware.rules)
  • 2019996 - ET MALWARE US-CERT TA14-353A Listening Implant 2 (malware.rules)
  • 2020297 - ET MALWARE Scieron Retrieving Information Response (malware.rules)
  • 2020302 - ET MALWARE Dridex Post Checkin Activity 2 (malware.rules)
  • 2020505 - ET MALWARE Win32.Sality.3 Checkin (malware.rules)
  • 2020710 - ET WEB_CLIENT Fake Windows Security Warning - Alert (web_client.rules)
  • 2020713 - ET MALWARE 9002 RAT C&C DNS request (malware.rules)
  • 2020802 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2021244 - ET MALWARE Dridex Download June 10 2015 (malware.rules)
  • 2021815 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Spy.Shiz CnC) (malware.rules)
  • 2022365 - ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M2 (web_client.rules)
  • 2022366 - ET WEB_CLIENT Fake Virus Phone Scam Landing Jan 13 M3 (web_client.rules)
  • 2022408 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2022710 - ET MALWARE LuminosityLink - CnC (malware.rules)
  • 2022711 - ET MALWARE TeslaCrypt/AlphaCrypt Variant .onion Payment Domain(xzjvzkgjxebzreap) (malware.rules)
  • 2022799 - ET MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2022943 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023542 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Zeus CnC) (malware.rules)
  • 2036698 - ET INFO Possible JARM Fingerprinting Client Hello via tls1_3_reverse (info.rules)
  • 2100335 - GPL FTP .rhosts (ftp.rules)
  • 2100574 - GPL RPC mountd TCP export request (rpc.rules)
  • 2100679 - GPL EXPLOIT sp_adduser database user creation (exploit.rules)
  • 2101315 - GPL INAPPROPRIATE hot young sex (inappropriate.rules)
  • 2101318 - GPL INAPPROPRIATE hardcore rape (inappropriate.rules)
  • 2101833 - GPL INAPPROPRIATE naked lesbians (inappropriate.rules)
  • 2101917 - GPL MISC UPnP service discover attempt (misc.rules)
  • 2101925 - GPL RPC mountd TCP exportall request (rpc.rules)
  • 2101951 - GPL RPC mountd TCP mount request (rpc.rules)
  • 2102044 - GPL POLICY PPTP Start Control Request attempt (policy.rules)
  • 2103025 - GPL NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt (netbios.rules)
  • 2800073 - ETPRO DOS Linux Kernel NetFilter SCTP Unknown Chunk Types Denial of Service 2 (dos.rules)
  • 2800075 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800076 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800077 - ETPRO ACTIVEX Microsoft Internet Explorer COM Object Instantiation Memory Corruption (activex.rules)
  • 2800328 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Handshake Buffer Overflow 1 (exploit.rules)
  • 2800329 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Handshake Buffer Overflow 2 (exploit.rules)
  • 2800330 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Handshake Buffer Overflow 3 (exploit.rules)
  • 2800331 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Handshake Buffer Overflow 4 (exploit.rules)
  • 2800332 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Handshake Buffer Overflow 5 (exploit.rules)
  • 2800585 - ETPRO EXPLOIT Symantec Alert Management System HNDLRSVC Arbitrary Command Execution (exploit.rules)
  • 2800587 - ETPRO SQL Oracle WebLogic Server Node Manager Command Execution (sql.rules)
  • 2801140 - ETPRO SCADA SCHWEITZER SEL2032-Time Command Detected (scada.rules)
  • 2801142 - ETPRO SCADA SCHWEITZER SEL2032-Unsuccessful attempt to change time (scada.rules)
  • 2801710 - ETPRO SCADA Modbus TCP Force Listen Only Mode (scada.rules)
  • 2801711 - ETPRO SCADA Modbus TCP Restart Communications Option (scada.rules)
  • 2803193 - ETPRO MALWARE Win32.Agent.grdm Checkin 1 (malware.rules)
  • 2803194 - ETPRO MALWARE Win32.Agent.grdm Checkin 2 (malware.rules)
  • 2803680 - ETPRO MALWARE Win32.Zapchast.ffs Checkin (malware.rules)
  • 2803681 - ETPRO MALWARE Trojan.Win32.Syswrt.dvd Checkin 1 (malware.rules)
  • 2803984 - ETPRO ADWARE_PUP Adware.SponsorKeyword Install (adware_pup.rules)
  • 2804450 - ETPRO MALWARE Virus.Win32.Virut.ce Install (malware.rules)
  • 2804601 - ETPRO MALWARE Win32/Klovbot.E Checkin (malware.rules)
  • 2804716 - ETPRO MALWARE Trojan-Downloader.Win32.Dapato.fxd Checkin (malware.rules)
  • 2804717 - ETPRO MALWARE Backdoor.Win32.Koutodoor.aihc Checkin (malware.rules)
  • 2804812 - ETPRO MALWARE Trojan-Banker.BAT.Banker.m Checkin (malware.rules)
  • 2805224 - ETPRO MALWARE Win32/TrojanDownloader.Banload.OKO Checkin (malware.rules)
  • 2805361 - ETPRO MALWARE Win32/Vwealer.BQ Checkin (malware.rules)
  • 2805510 - ETPRO MALWARE Zeus Checkin (malware.rules)
  • 2806829 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Fav.a Checkin (mobile_malware.rules)
  • 2806971 - ETPRO WEB_SERVER Microsoft SharePoint DoS 2 CVE-2013-0081 (web_server.rules)
  • 2806972 - ETPRO WEB_SERVER Microsoft SharePoint XSS attempt (CVE-2013-3180) (web_server.rules)
  • 2807109 - ETPRO MALWARE RemoteAdmin.Win32.Minicom.38 Broadcasting (malware.rules)
  • 2807221 - ETPRO MALWARE Win32/Spy.Bancos.OUF Checkin via SMTP (malware.rules)
  • 2807334 - ETPRO ADWARE_PUP Win32/Adware.VrBrothers.AA Checkin (adware_pup.rules)
  • 2807337 - ETPRO ADWARE_PUP Adware.Agent.NRL Checkin (adware_pup.rules)
  • 2808040 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
  • 2808041 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1815) (web_client.rules)
  • 2808359 - ETPRO ADWARE_PUP Facemoi Adware Installer Download (adware_pup.rules)
  • 2808596 - ETPRO MALWARE Win32/Tiny.o Checkin (malware.rules)
  • 2808598 - ETPRO MALWARE Wetware Bot Checkin (malware.rules)
  • 2808720 - ETPRO MOBILE_MALWARE Android/Univert.B Checkin (mobile_malware.rules)
  • 2808722 - ETPRO MOBILE_MALWARE Android/Tekwon.A Checkin 3 (mobile_malware.rules)
  • 2808872 - ETPRO MALWARE Trojan.StoleCert.SPK CnC (malware.rules)
  • 2808961 - ETPRO MALWARE Mal/Emogen-R Checkin (malware.rules)
  • 2808962 - ETPRO MOBILE_MALWARE Android/Pholoc.C Checkin (mobile_malware.rules)
  • 2808963 - ETPRO MOBILE_MALWARE Android/Pholoc.C Checkin 2 (mobile_malware.rules)
  • 2809074 - ETPRO MALWARE WIN32.AGENT.AGLKL Checkin (malware.rules)
  • 2810302 - ETPRO MALWARE Win32/SkyDll.A Checkin (malware.rules)
  • 2810303 - ETPRO MALWARE Backdoor.Insidious Checkin (malware.rules)
  • 2810848 - ETPRO DOS Possible mDNS Amplification Scan in Progress (dos.rules)
  • 2811971 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.af Checkin via SMTP (mobile_malware.rules)
  • 2811973 - ETPRO MALWARE Win32/Korplug.FO Checkin (malware.rules)
  • 2816120 - ETPRO PHISHING DHL Phish Landing Feb 08 2016 (phishing.rules)
  • 2816121 - ETPRO MALWARE Possible Ransomware Variant .onion Proxy Domain (malware.rules)
  • 2816736 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Paccy.b Checkin (mobile_malware.rules)
  • 2819894 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Tiny.bw Checkin (mobile_malware.rules)
  • 2820962 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Boqx.a Checkin 3 (mobile_malware.rules)
  • 2822172 - ETPRO MOBILE_MALWARE Android/Niynuy.A Checkin 2 (mobile_malware.rules)
  • 2823397 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)

Removed rules:

  • 2863628 - ETPRO MALWARE Formbook CnC Domain in DNS Lookup (malware.rules)
  • 2863629 - ETPRO MALWARE Observed Formbook Domain in TLS SNI (malware.rules)