Ruleset Update Summary - 2025/10/07 - v11034

Summary:

26 new OPEN, 29 new PRO (26 + 3)


Added rules:

Open:

  • 2065065 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (amgi1 .com) (exploit_kit.rules)
  • 2065066 - ET EXPLOIT_KIT LandUpdate808 Domain (amgi1 .com) in TLS SNI (exploit_kit.rules)
  • 2065067 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (visitclouds .com) (malware.rules)
  • 2065068 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (visitclouds .com) (malware.rules)
  • 2065069 - ET INFO Observed RMM Domain in DNS Lookup (n-able .com) (info.rules)
  • 2065070 - ET INFO Observed RMM Domain in DNS Lookup (pubnub .com) (info.rules)
  • 2065071 - ET INFO Observed RMM Domain in DNS Lookup (swi-rc .com) (info.rules)
  • 2065072 - ET INFO Observed RMM Domain in DNS Lookup (swi-tc .com) (info.rules)
  • 2065073 - ET INFO Observed RMM Domain in DNS Lookup (beanywhere .com) (info.rules)
  • 2065074 - ET INFO Observed RMM Domain in DNS Lookup (systemmonitor .us) (info.rules)
  • 2065075 - ET INFO Observed RMM Domain in DNS Lookup (swi-rc .cdn-sw .net) (info.rules)
  • 2065076 - ET INFO Observed RMM Domain in DNS Lookup (remote .management) (info.rules)
  • 2065077 - ET INFO Observed RMM Domain in DNS Lookup (system-monitor .com) (info.rules)
  • 2065078 - ET INFO Observed RMM Domain in DNS Lookup (systemmonitor .co .uk) (info.rules)
  • 2065079 - ET INFO Observed RMM Domain in DNS Lookup (systemmonitor .eu .com) (info.rules)
  • 2065080 - ET INFO Observed RMM Domain in TLS SNI (n-able .com) (info.rules)
  • 2065081 - ET INFO Observed RMM Domain in TLS SNI (pubnub .com) (info.rules)
  • 2065082 - ET INFO Observed RMM Domain in TLS SNI (swi-rc .com) (info.rules)
  • 2065083 - ET INFO Observed RMM Domain in TLS SNI (swi-tc .com) (info.rules)
  • 2065084 - ET INFO Observed RMM Domain in TLS SNI (beanywhere .com) (info.rules)
  • 2065085 - ET INFO Observed RMM Domain in TLS SNI (systemmonitor .us) (info.rules)
  • 2065086 - ET INFO Observed RMM Domain in TLS SNI (swi-rc .cdn-sw .net) (info.rules)
  • 2065087 - ET INFO Observed RMM Domain in TLS SNI (remote .management) (info.rules)
  • 2065088 - ET INFO Observed RMM Domain in TLS SNI (system-monitor .com) (info.rules)
  • 2065089 - ET INFO Observed RMM Domain in TLS SNI (systemmonitor .co .uk) (info.rules)
  • 2065090 - ET INFO Observed RMM Domain in TLS SNI (systemmonitor .eu .com) (info.rules)
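
The eleven RMM domains in 2065069-2065090 are ET INFO rules: they flag traffic to legitimate remote-management infrastructure (N-able/SolarWinds RMM, Take Control, BeAnywhere), which attackers also abuse for hands-on-keyboard access. Before enabling them, it is worth knowing which internal hosts already resolve or connect to these domains so that sanctioned helpdesk systems can be allowlisted and everything else escalated. The script below is an added example, not part of this update and not the ET rule logic; it does suffix matching on label boundaries against the domain list from the rules above, over Suricata EVE JSON `dns` and `tls` records. The EVE field layout (`event_type`, `dns.rrname`, `tls.sni`) and the sample log lines are constructed for the example.

```python
import json
from typing import Iterable, List, Optional, Set, Tuple

# Domains taken from the ET INFO "Observed RMM Domain" rules listed above.
RMM_DOMAINS: Set[str] = {
    "n-able.com", "pubnub.com", "swi-rc.com", "swi-tc.com", "beanywhere.com",
    "systemmonitor.us", "swi-rc.cdn-sw.net", "remote.management",
    "system-monitor.com", "systemmonitor.co.uk", "systemmonitor.eu.com",
}


def _domain_suffix_match(name: str, domains: Set[str]) -> Optional[str]:
    """Return the RMM domain that `name` equals or is a subdomain of.

    Matching is done on label boundaries, so 'notn-able.com' does not match
    'n-able.com'. A trailing dot (FQDN form in DNS logs) is ignored.
    """
    name = name.rstrip(".").lower()
    # Longest domain first so the most specific entry wins if several overlap.
    for dom in sorted(domains, key=len, reverse=True):
        if name == dom or name.endswith("." + dom):
            return dom
    return None


def rmm_hits(eve_lines: Iterable[str],
             allowlist: Set[str] = frozenset()) -> List[Tuple[str, str, str, str]]:
    """Scan EVE JSON lines for DNS queries and TLS SNI to RMM domains.

    `allowlist` holds source IPs (e.g. the helpdesk jump host) whose RMM use is
    sanctioned; their events are dropped. Returns a list of
    (src_ip, event_type, observed_name, matched_domain) tuples.
    """
    hits = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        etype = ev.get("event_type")
        if etype == "dns":
            dns = ev.get("dns", {})
            if dns.get("type") != "query":      # only client lookups, not answers
                continue
            name = dns.get("rrname", "")
        elif etype == "tls":
            name = ev.get("tls", {}).get("sni", "")
        else:
            continue
        if ev.get("src_ip") in allowlist:
            continue
        matched = _domain_suffix_match(name, RMM_DOMAINS)
        if matched:
            hits.append((ev.get("src_ip"), etype, name, matched))
    return hits


# Constructed sample EVE records for the example (not real traffic).
SAMPLE_EVE = """
{"timestamp":"2025-10-07T10:00:01.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1","dns":{"type":"query","id":1,"rrname":"agent-service.systemmonitor.co.uk","rrtype":"A"}}
{"timestamp":"2025-10-07T10:00:02.000000+0000","event_type":"tls","src_ip":"10.0.0.5","dest_ip":"203.0.113.10","tls":{"sni":"upload.n-able.com","version":"TLS 1.3"}}
{"timestamp":"2025-10-07T10:00:03.000000+0000","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.1","dns":{"type":"query","id":2,"rrname":"www.example.com","rrtype":"A"}}
{"timestamp":"2025-10-07T10:00:04.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"10.0.0.1","dns":{"type":"query","id":3,"rrname":"notn-able.com","rrtype":"A"}}
{"timestamp":"2025-10-07T10:00:05.000000+0000","event_type":"tls","src_ip":"10.0.0.20","dest_ip":"203.0.113.20","tls":{"sni":"remote.management","version":"TLS 1.2"}}
"""

if __name__ == "__main__":
    # 10.0.0.20 plays the sanctioned helpdesk host in this constructed sample.
    for hit in rmm_hits(SAMPLE_EVE.splitlines(), allowlist={"10.0.0.20"}):
        print("%s %s %s -> %s" % hit)
```

Run against a real eve.json before deploying the rules, then turn the surviving source IPs into a suppression or threshold entry for the corresponding SIDs. Expect pubnub.com in particular to be noisy: it is a general-purpose real-time messaging service used by software well beyond RMM agents, so a hit there is weaker evidence on its own than a lookup of the N-able or BeAnywhere names.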

Pro:

  • 2864768 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864769 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2864770 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2001055 - ET MISC HP Web JetAdmin ExecuteFile admin access (misc.rules)
  • 2001307 - ET ADWARE_PUP Wild Tangent Agent Installation (adware_pup.rules)
  • 2001309 - ET ADWARE_PUP Wild Tangent Agent Checking In (adware_pup.rules)
  • 2001310 - ET ADWARE_PUP Wild Tangent Agent Traffic (adware_pup.rules)
  • 2001314 - ET ADWARE_PUP Wild Tangent Agent (adware_pup.rules)
  • 2002956 - ET ADWARE_PUP Bestcount.net Spyware Downloading vxgame (adware_pup.rules)
  • 2002957 - ET ADWARE_PUP Bestcount.net Spyware Initial Infection Download (adware_pup.rules)
  • 2003153 - ET ADWARE_PUP Bestcount.net Spyware Exploit Download (adware_pup.rules)
  • 2003221 - ET ADWARE_PUP MySearchNow.com Spyware (adware_pup.rules)
  • 2003237 - ET VOIP MultiTech SIP UDP Overflow (voip.rules)
  • 2003336 - ET ADWARE_PUP AntiVermins.com Fake Antispyware Package User-Agent (AntiVerminser) (adware_pup.rules)
  • 2003538 - ET MALWARE Klom.A Connecting to Controller (malware.rules)
  • 2006411 - ET MALWARE Storm Worm HTTP Request (malware.rules)
  • 2007570 - ET ADWARE_PUP User-Agent (Dummy) (adware_pup.rules)
  • 2007618 - ET MALWARE Storm Worm ICMP DDOS Traffic (malware.rules)
  • 2007772 - ET ADWARE_PUP User-Agent (Internet Explorer (compatible)) (adware_pup.rules)
  • 2007996 - ET ADWARE_PUP Sears.com/Kmart.com My SHC Community spyware download (adware_pup.rules)
  • 2008339 - ET MALWARE Keypack.co.kr Related Trojan User-Agent Detected (malware.rules)
  • 2008575 - ET POLICY ASProtect/ASPack Packed Binary (policy.rules)
  • 2008915 - ET ADWARE_PUP MySideSearch.com Spyware Install (adware_pup.rules)
  • 2009172 - ET MALWARE Psyb0t joining an IRC Channel (malware.rules)
  • 2009255 - ET SHELLCODE Mannheim Shellcode (shellcode.rules)
  • 2009256 - ET SHELLCODE Berlin Shellcode (shellcode.rules)
  • 2009275 - ET SHELLCODE Berlin Shellcode (UDP) (shellcode.rules)
  • 2009276 - ET SHELLCODE Mannheim Shellcode (UDP) (shellcode.rules)
  • 2009411 - ET ACTIVEX McAfee ePolicy Orchestrator naPolicyManager.dll Arbitrary Data Write Attempt (activex.rules)
  • 2010583 - ET POLICY Possible Reference to Terrorist Literature (The Call to Global…) SMTP (policy.rules)
  • 2010584 - ET POLICY Possible Reference to Terrorist Literature (Knights under the…) SMTP (policy.rules)
  • 2010585 - ET POLICY Possible Reference to Terrorist Literature (Jihad against…) SMTP (policy.rules)
  • 2010586 - ET POLICY Possible Reference to Terrorist Literature (Declaration of War against the Americans…) SMTP (policy.rules)
  • 2010914 - ET MALWARE Arucer FIND FILE Command (malware.rules)
  • 2010915 - ET MALWARE Arucer YES Command (malware.rules)
  • 2010916 - ET MALWARE Arucer ADD RUN ONCE Command (malware.rules)
  • 2010917 - ET MALWARE Arucer DEL FILE Command (malware.rules)
  • 2011858 - ET MALWARE Likely Hostile HTTP Header GET structure (malware.rules)
  • 2011999 - ET MALWARE Trojan.Spy.YEK MAC and IP POST (malware.rules)
  • 2012628 - ET EXPLOIT Java Exploit Attempt Request for .id from octal host (exploit.rules)
  • 2012755 - ET SCAN Possible SQLMAP Scan (scan.rules)
  • 2012844 - ET MOBILE_MALWARE SymbOS/Yxes.B/E CnC Checkin Request (mobile_malware.rules)
  • 2012845 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request (mobile_malware.rules)
  • 2012846 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Request 2 (mobile_malware.rules)
  • 2012847 - ET MOBILE_MALWARE SymbOS/Yxes.F CnC Checkin Request 3 (mobile_malware.rules)
  • 2013140 - ET MOBILE_MALWARE SymbOS/Yxes CnC Checkin Message (mobile_malware.rules)
  • 2013141 - ET MOBILE_MALWARE SymbOS/Yxes Plugucsrv.sisx File Download (mobile_malware.rules)
  • 2013142 - ET MOBILE_MALWARE SymbOS/Yxes Jump.jsp CnC Checkin Message (mobile_malware.rules)
  • 2013385 - ET MALWARE Accept-encode HTTP header with UA indicating infected host (malware.rules)
  • 2013751 - ET MALWARE Possible German Governmental Backdoor/R2D2.A 1 (malware.rules)
  • 2013752 - ET MALWARE Possible German Governmental Backdoor/R2D2.A 2 (malware.rules)
  • 2016371 - ET EXPLOIT_KIT Exploit Kit Java jpg download (exploit_kit.rules)
  • 2016818 - ET EXPLOIT_KIT Possible Java Applet JNLP applet_ssv_validated in Base64 3 (exploit_kit.rules)
  • 2016820 - ET MALWARE DEEP PANDA Checkin 2 (malware.rules)
  • 2017188 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 2 (current_events.rules)
  • 2017189 - ET CURRENT_EVENTS c0896 Hacked Site Response (Outbound) 3 (current_events.rules)
  • 2017333 - ET EXPLOIT_KIT Styx EK - /jvvn.html (exploit_kit.rules)
  • 2017861 - ET EXPLOIT_KIT Grandsoft/SofosFO EK Java Payload URI Struct (exploit_kit.rules)
  • 2018477 - ET MALWARE Downloader.Win32.Tesch.A Server CnC Checkin Reply (malware.rules)
  • 2018478 - ET MALWARE Downloader.Win32.Tesch.A Bot Command Checkin 1 (malware.rules)
  • 2018685 - ET MALWARE Win32/Aibatook checkin (malware.rules)
  • 2019107 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019109 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019385 - ET CURRENT_EVENTS Possible TWiki RCE attempt (current_events.rules)
  • 2019386 - ET CURRENT_EVENTS Possible TWiki Apache config file upload attempt (current_events.rules)
  • 2019861 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019862 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019863 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2020009 - ET MALWARE US-CERT TA14-353A Lightweight Backdoor 3 (malware.rules)
  • 2020166 - ET MALWARE Linux/DDoS.M LOLNOGTFO command (malware.rules)
  • 2021115 - ET MALWARE CTB-Locker .onion Proxy Domain (tlunjscxn5n76iyz) (malware.rules)
  • 2021177 - ET WEB_CLIENT Fake AV Phone Scam Landing June 2 2015 (web_client.rules)
  • 2021306 - ET EXPLOIT_KIT Likely CottonCastle/Niteris EK Response June 19 2015 (exploit_kit.rules)
  • 2021307 - ET EXPLOIT_KIT CottonCastle/Niteris EK Exploit URI Struct June 19 2015 (exploit_kit.rules)
  • 2021308 - ET EXPLOIT_KIT CottonCastle/Niteris EK Payload June 19 2015 (exploit_kit.rules)
  • 2021817 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021900 - ET MOBILE_MALWARE YiSpecter Activity M1 (mobile_malware.rules)
  • 2021901 - ET MOBILE_MALWARE YiSpecter Activity M2 (mobile_malware.rules)
  • 2022055 - ET INFO PK/Compressed doc/JAR header (info.rules)
  • 2022206 - ET MALWARE Ponmocup plugin #2600 (SIP scanner) (malware.rules)
  • 2022409 - ET WEB_CLIENT Fake AV Phone Scam Landing Jan 26 2016 (web_client.rules)
  • 2023162 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
  • 2023163 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Vawtrak CnC) (malware.rules)
  • 2023164 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2023165 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2100339 - GPL FTP OpenBSD x86 ftpd (ftp.rules)
  • 2101281 - GPL RPC portmap listing UDP 32771 (rpc.rules)
  • 2101777 - GPL FTP STAT * dos attempt (ftp.rules)
  • 2102026 - GPL RPC yppasswd username overflow attempt TCP (rpc.rules)
  • 2102404 - GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt (netbios.rules)
  • 2800090 - ETPRO EXPLOIT Ingres Database uuid_from_char Stack Buffer Overflow (exploit.rules)
  • 2800091 - ETPRO RPC MIT Kerberos kadmind RPC Library Uninitialized Pointer Code Execution (rpc.rules)
  • 2800092 - ETPRO RPC MIT Kerberos kadmind RPC Library Unix Authentication Buffer Overflow (rpc.rules)
  • 2800345 - ETPRO ADWARE_PUP BugsPrey (Init Connection) (adware_pup.rules)
  • 2800652 - ETPRO EXPLOIT CA ARCserve Backup Discovery Service Denial of Service 1 (exploit.rules)
  • 2800653 - ETPRO EXPLOIT CA ARCserve Backup Discovery Service Denial of Service 2 (exploit.rules)
  • 2800654 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest Denial of Service Attempt Flowbit Set (dos.rules)
  • 2800655 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest Denial of Service Attempt 1 (dos.rules)
  • 2800836 - ETPRO EXPLOIT CA Products UDP Discovery Service Remote Buffer Overflow 2 (exploit.rules)
  • 2801272 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Media Server SUN RPC Service Buffer Overflow (exploit.rules)
  • 2801724 - ETPRO SCADA WonderWare SuiteLink DOS Attempt (scada.rules)
  • 2801725 - ETPRO SCADA RealWin INFOTAG/SET_CONTROL Packet Processing Buffer Overflow (scada.rules)
  • 2801726 - ETPRO SCADA ClearSCADA Heap Overflow Attempt (scada.rules)
  • 2801727 - ETPRO SCADA Wonderware InBatch Buffer Overflow Attempt (scada.rules)
  • 2802978 - ETPRO WEB_SPECIFIC_APPS Cisco Network Registrar Default Credentials Authentication Bypass (web_specific_apps.rules)
  • 2803525 - ETPRO MALWARE Backdoor.Win32.Derusbi.A Checkin (malware.rules)
  • 2803527 - ETPRO MALWARE Backdoor.Win32.Yunsip.A Checkin 1 (malware.rules)
  • 2804283 - ETPRO MALWARE Backdoor.Hupigon Checkin (malware.rules)
  • 2804612 - ETPRO ADWARE_PUP Win32/Adware.WindowsLiveProtect.A Checkin (adware_pup.rules)
  • 2804726 - ETPRO MALWARE Trojan.Win32.Zapchast.ffs exe Download (malware.rules)
  • 2804727 - ETPRO ADWARE_PUP SmartSecure Checkin (adware_pup.rules)
  • 2804818 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QWQ Checkin (malware.rules)
  • 2805234 - ETPRO MALWARE Win32/Banload.AMR Checkin (malware.rules)
  • 2805236 - ETPRO MALWARE DNS Query to FinFisher Spy Kit Domain (tiger .gamma-international .de) (malware.rules)
  • 2805237 - ETPRO MALWARE HTTP Request to FinFisher Spy Kit Domain (ff-demo.blogdns.org) (malware.rules)
  • 2805520 - ETPRO MALWARE Win32/Teazodo.A!dll Checkin (malware.rules)
  • 2805521 - ETPRO MALWARE W32/Gpcode.NAI Checkin (malware.rules)
  • 2805522 - ETPRO MALWARE W32/Gimemo.APVH!tr Checkin (malware.rules)
  • 2805682 - ETPRO NETBIOS Microsoft Windows Explorer Briefcase Database File Integer Underflow (netbios.rules)
  • 2806441 - ETPRO MALWARE Variant.Zusy.43699 Checkin (malware.rules)
  • 2808734 - ETPRO ADWARE_PUP PUA.DNWRandomHack Checkin (adware_pup.rules)
  • 2810162 - ETPRO MALWARE Win32.VB.hlqz Keepalive (malware.rules)
  • 2812170 - ETPRO MALWARE MSIL/Nitwil.A FTP wallet.dat Exfil (malware.rules)
  • 2812171 - ETPRO MALWARE Win32/QQpass.gen!E Activity (malware.rules)
  • 2812336 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.CD Checkin (mobile_malware.rules)
  • 2812965 - ETPRO MALWARE Malicious SSL Certificate detected (Variant.Barys) (malware.rules)
  • 2812966 - ETPRO MALWARE MSIL/Stimilina.F Checkin (malware.rules)
  • 2814060 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmThief.es Checkin (mobile_malware.rules)
  • 2814822 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.fg Checkin (mobile_malware.rules)
  • 2816332 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2816742 - ETPRO MALWARE Rexpot Receiving Payload M2 (malware.rules)
  • 2820974 - ETPRO MOBILE_MALWARE Android Trojan HummingBad Checkin (mobile_malware.rules)
  • 2821197 - ETPRO MALWARE ZeusSSL/Terdot.A/Zloader Malicious SSL Cert Observed (malware.rules)
  • 2821624 - ETPRO MALWARE Observed Malicious SSL Cert (Zeus Panda Injects) (malware.rules)
  • 2822186 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Agent.gz Checkin (mobile_malware.rules)
  • 2824700 - ETPRO MALWARE Satan Ransomware .onion Proxy Domain (malware.rules)
  • 2824701 - ETPRO MALWARE Satan Ransomware .onion Proxy Domain (malware.rules)
  • 2825414 - ETPRO EXPLOIT Uniscribe Remote Code Execution Vulnerability (CVE-2017-0072) (exploit.rules)
  • 2825415 - ETPRO WEB_CLIENT Windows GDI+ Information Disclosure Vulnerability (CVE-2017-0073) (web_client.rules)
  • 2825416 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI EoP Inbound (CVE-2017-0078) (exploit.rules)

Disabled and modified rules:

  • 2064788 - ET EXPLOIT_KIT Observed DNS Query to ClickFix Domain (lehmanpipe .com) (exploit_kit.rules)
  • 2064789 - ET EXPLOIT_KIT Observed ClickFix Domain (lehmanpipe .com in TLS SNI) (exploit_kit.rules)