Ruleset Update Summary - 2025/10/06 - v11033

rulesbot · October 6, 2025, 8:40pm

Summary:

16 new OPEN, 28 new PRO (16 + 12)

Added rules:

Open:

2065049 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genuspt .pics) (malware.rules)
2065050 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genuspt .pics) in TLS SNI (malware.rules)
2065051 - ET WEB_SERVER Cisco ASA/FTD WebVPN Authentication Bypass (CVE-2025-20362) (web_server.rules)
2065052 - ET WEB_SERVER Cisco ASA/FTD Authenticated Buffer Overflow (CVE-2025-20333) (web_server.rules)
2065053 - ET WEB_SERVER SonicWall SMA Authenticated RAC_DOWNLOAD_TAR Arbitrary File Deletion (CVE-2025-32819) (web_server.rules)
2065054 - ET WEB_SPECIFIC_APPS SonicWall SMA Authenticated Arbitrary File Write via NxPostConnectionScriptFileResource (CVE-2025-32820) (web_specific_apps.rules)
2065055 - ET INFO DYNAMIC_DNS Query to a *.caribdeals .com domain (info.rules)
2065056 - ET INFO DYNAMIC_DNS HTTP Request to a *.caribdeals .com domain (info.rules)
2065057 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (viadigm .com) (exploit_kit.rules)
2065058 - ET EXPLOIT_KIT LandUpdate808 Domain (viadigm .com) in TLS SNI (exploit_kit.rules)
2065059 - ET WEB_SPECIFIC_APPS D-Link msp_info.htm Multiple Parameters Command Injection Attempt (CVE-2025-11335, CVE-2025-6899, CVE-2024-44414, CVE-2024-44402) (web_specific_apps.rules)
2065060 - ET WEB_SPECIFIC_APPS D-Link hi_block.asp Multiple Parameters Buffer Overflow Attempt (CVE-2025-11338, CVE-2025-11339) (web_specific_apps.rules)
2065061 - ET WEB_SPECIFIC_APPS Tenda GetRouterStatus newVersion Parameter Buffer Overflow Attempt (CVE-2025-11328) (web_specific_apps.rules)
2065062 - ET WEB_SPECIFIC_APPS Tenda SetUpnpCfg upnpEn Parameter Buffer Overflow Attempt (CVE-2025-11327) (web_specific_apps.rules)
2065063 - ET WEB_SPECIFIC_APPS Tenda WifiMacFilterSet wifi_chkHz Parameter Buffer Overflow Attempt (CVE-2025-11326) (web_specific_apps.rules)
2065064 - ET WEB_SPECIFIC_APPS SonicWall SMA Authenticated Command Injection (CVE-2025-32821) (web_specific_apps.rules)

Pro:

2864756 - ETPRO MALWARE Observed DNS Query to UNK_ArmyDrive Domain (malware.rules)
2864757 - ETPRO MALWARE Observed UNK_ArmyDrive Domain in TLS SNI (malware.rules)
2864758 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2864759 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2864760 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2864761 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2864762 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2864763 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2864764 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2864765 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2864766 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2864767 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

2002848 - ET VOIP SIP UDP Softphone INVITE overflow (voip.rules)
2003211 - ET ADWARE_PUP Best-targeted-traffic.com Spyware Ping (adware_pup.rules)
2003404 - ET ADWARE_PUP WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ) (adware_pup.rules)
2008332 - ET MALWARE Steam Pass Stealer FTP Upload (malware.rules)
2008449 - ET MALWARE Keylogger.ane Checkin (malware.rules)
2009225 - ET WEB_SPECIFIC_APPS ea-gBook index_inc.php inc_ordner parameter remote file inclusion (web_specific_apps.rules)
2009277 - ET SHELLCODE Lichtenfels Shellcode (UDP) (shellcode.rules)
2010579 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) (policy.rules)
2010582 - ET POLICY Possible Reference to Terrorist Literature (Jihad, Martyrdom…) SMTP (policy.rules)
2013384 - ET MALWARE W32/Siscos CnC Checkin (malware.rules)
2013750 - ET ACTIVEX DivX Plus Web Player DivXPlaybackModule File URL Buffer Overflow Attempt (activex.rules)
2014183 - ET ADWARE_PUP Malicious ad_track.php file Reporting (adware_pup.rules)
2015669 - ET WEB_CLIENT Malicious Redirect n.php h=&s= (web_client.rules)
2016817 - ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 2 (exploit_kit.rules)
2017187 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 1 (current_events.rules)
2019108 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2019859 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2019860 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
2020164 - ET MALWARE Linux/DDoS.M SCANNER command (malware.rules)
2020165 - ET MALWARE Linux/DDoS.M KILLATTK command (malware.rules)
2021305 - ET EXPLOIT_KIT CottonCastle/Niteris EK Landing URI Struct June 19 2015 M3 (exploit_kit.rules)
2021375 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
2021967 - ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M1 (web_client.rules)
2021968 - ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M2 (web_client.rules)
2023161 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
2100116 - GPL MALWARE BackOrifice access (malware.rules)
2102032 - GPL RPC yppasswd user update TCP (rpc.rules)
2102485 - GPL ACTIVEX Norton antivirus sysmspam.dll load attempt (activex.rules)
2800344 - ETPRO EXPLOIT Openwsman HTTP Basic Authentication Buffer Overflow (exploit.rules)
2800793 - ETPRO EXPLOIT CA BrightStor ARCserve Backup XDR Parsing Buffer Overflow Attempt (exploit.rules)
2800835 - ETPRO EXPLOIT CA Products UDP Discovery Service Remote Buffer Overflow 1 (exploit.rules)
2800953 - ETPRO MALWARE Download.Win32.Genome.bwmu Fake Adobe Reader Download Request (malware.rules)
2801723 - ETPRO SCADA Modbus TCP Function Code Scan (scada.rules)
2801962 - ETPRO MALWARE Kryptik/CodecPack.amda/TROJ_RENOS.SM3 Checkin (malware.rules)
2804610 - ETPRO MALWARE Trojan.Win32.Chifrax.dgn Checkin (malware.rules)
2804725 - ETPRO ADWARE_PUP Adware.GreenIO Checkin (adware_pup.rules)
2804817 - ETPRO MALWARE Win32/Autoit.NJT Checkin (malware.rules)
2805075 - ETPRO MALWARE W32/VBKrypt.LYKL!tr Checkin (malware.rules)
2806984 - ETPRO DOS Active Directory DOS (CVE-2013-3868) (dos.rules)
2806986 - ETPRO DOS Active Directory DOS (CVE-2013-3868) (dos.rules)
2808381 - ETPRO EXPLOIT_KIT SweetOrange EK Thread 2 Specific Landing URI Struct Jul 16 2014 (exploit_kit.rules)
2808607 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Wirec.a Checkin 2 (mobile_malware.rules)
2809989 - ETPRO MALWARE Cryptolocker .onion Proxy Domain (nne4b5ujqqedvrkh) (malware.rules)
2816738 - ETPRO MALWARE Bladabindi/njRat Variant CnC Checkin (malware.rules)
2819904 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.je Checkin (mobile_malware.rules)
2820538 - ETPRO MALWARE TorrentLocker DNS query to Domain *.gefryhard.org (malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/03/20 - v10887 Ruleset Updates	106	March 20, 2025
Ruleset Update Summary - 2025/03/24 - v10889 Ruleset Updates	129	March 24, 2025
Ruleset Update Summary - 2025/07/25 - v10978 Ruleset Updates	75	July 25, 2025
Ruleset Update Summary - 2025/04/07 - v10899 Ruleset Updates	155	April 7, 2025
Ruleset Update Summary - 2025/03/13 - v10878 Ruleset Updates	135	March 13, 2025

Ruleset Update Summary - 2025/10/06 - v11033

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics