Ruleset Update Summary - 2025/10/09 - v11036

Ruleset Updates
1

Summary:

12 new OPEN, 12 new PRO (12 + 0)

Added rules:

Open:

  • 2065111 - ET WEB_SPECIFIC_APPS D-Link hd_config.cgi Multiple Parameters Command Injection Attempt (CVE-2024-8214, CVE-2024-8213, CVE-2024-8212, CVE-2024-8211, CVE-2024-8210, CVE-2024-8134, CVE-2024-8133) (web_specific_apps.rules)
  • 2065112 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (mlampell .com) (exploit_kit.rules)
  • 2065113 - ET EXPLOIT_KIT LandUpdate808 Domain (mlampell .com) in TLS SNI (exploit_kit.rules)
  • 2065114 - ET WEB_SPECIFIC_APPS D-Link webdav_mgr.cgi f_path Parameter Command Injection Attempt (CVE-2024-8132) (web_specific_apps.rules)
  • 2065115 - ET WEB_SPECIFIC_APPS D-Link apkg_mgr.cgi f_module_name Parameter Command Injection Attempt (CVE-2024-8131) (web_specific_apps.rules)
  • 2065116 - ET WEB_SPECIFIC_APPS D-Link s3.cgi Multiple Parameters Command Injection Attempt (CVE-2024-8129, CVE-2024-8130) (web_specific_apps.rules)
  • 2065117 - ET WEB_SPECIFIC_APPS D-Link webfile_mgr.cgi path Parameter Command Injection Attempt (CVE-2024-8127, CVE-2024-8128) (web_specific_apps.rules)
  • 2065118 - ET WEB_SPECIFIC_APPS D-Link photocenter_mgr.cgi Multiple Parameters Buffer Overflow Attempt (CVE-2024-7828, CVE-2024-7829, CVE-2024-7830, CVE-2024-7831 CVE-2024-7832, CVE-2024-7849) (web_specific_apps.rules)
  • 2065119 - ET WEB_SPECIFIC_APPS D-Link photocenter_mgr.cgi filter Parameter Command Injection Attempt (CVE-2024-7715) (web_specific_apps.rules)
  • 2065120 - ET WEB_SPECIFIC_APPS Tenda wifiScheduledSet Parameter Null Pointer Dereference (CVE-2025-11550) (web_specific_apps.rules)
  • 2065121 - ET WEB_SPECIFIC_APPS Tenda wifiMacFilterSet mac Parameter Buffer Overflow Attempt (CVE-2025-11549) (web_specific_apps.rules)
  • 2065122 - ET WEB_SPECIFIC_APPS D-Link dir_setWanWifi statuscheckpppoeuser Parameter Buffer Overflow Attempt (CVE-2025-61577) (web_specific_apps.rules)

Modified inactive rules:

  • 2000593 - ET ADWARE_PUP Binet Ad Retrieval (adware_pup.rules)
  • 2001198 - ET ADWARE_PUP Twaintec Download Attempt (adware_pup.rules)
  • 2001199 - ET ADWARE_PUP Twaintec Ad Retrieval (adware_pup.rules)
  • 2001216 - ET ADWARE_PUP Twaintec Reporting Data (adware_pup.rules)
  • 2002877 - ET MALWARE TROJAN BankSnif/Nethelper User-Agent (nethelper) (malware.rules)
  • 2003222 - ET ADWARE_PUP MyWebSearch Toolbar Receiving Config 2 (adware_pup.rules)
  • 2003240 - ET ADWARE_PUP New.net Spyware updating (adware_pup.rules)
  • 2003353 - ET ADWARE_PUP Winferno Registry Fix Spyware Download (adware_pup.rules)
  • 2003543 - ET ADWARE_PUP Winfixmaster.com Fake Anti-Spyware Install (adware_pup.rules)
  • 2003604 - ET POLICY Baidu.com Agent User-Agent (Desktop Web System) Outbound (policy.rules)
  • 2003608 - ET POLICY Baidu.com Related Agent User-Agent (iexp) Outbound (policy.rules)
  • 2003617 - ET ADWARE_PUP MyWebSearch Toolbar Posting Activity Report (adware_pup.rules)
  • 2003726 - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt – mtdialogo.php pathCGX (web_specific_apps.rules)
  • 2003746 - ET WEB_SPECIFIC_APPS Simple PHP Script Gallery Remote Inclusion index.php gallery (web_specific_apps.rules)
  • 2003913 - ET WEB_SPECIFIC_APPS Kayako eSupport XSS Attempt – index.php _m (web_specific_apps.rules)
  • 2006409 - ET POLICY HTTP POST on unusual Port Possibly Hostile (policy.rules)
  • 2007899 - ET ADWARE_PUP User-Agent (HTTP_CONNECT) (adware_pup.rules)
  • 2007952 - ET MALWARE Downloader.49651 Checkin (malware.rules)
  • 2007953 - ET MALWARE Downloader.49651 Install Report (malware.rules)
  • 2007954 - ET MALWARE Downloader.49651 Online Report (malware.rules)
  • 2008675 - ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Start (malware.rules)
  • 2008676 - ET MALWARE Backdoor.Win32.Assasin.20.C Control Session Server Reply (malware.rules)
  • 2008677 - ET MALWARE Backdoor.Win32.Assasin.20.C Control Channel Client Reply (malware.rules)
  • 2008842 - ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (policy.rules)
  • 2008843 - ET POLICY Possible HTTP-TUNNEL to External Proxy for Anonymous Access (server download) (policy.rules)
  • 2008996 - ET WEB_SPECIFIC_APPS Simple Text-File Login script slogin_path parameter remote file inclusion (web_specific_apps.rules)
  • 2009259 - ET SHELLCODE Furth Shellcode (shellcode.rules)
  • 2009260 - ET SHELLCODE Langenfeld Shellcode (shellcode.rules)
  • 2009272 - ET SHELLCODE Furth Shellcode (UDP) (shellcode.rules)
  • 2009407 - ET MALWARE Koobface BLACKLABEL (malware.rules)
  • 2009868 - ET ACTIVEX Possible Acer LunchApp Arbitrary Code Exucution Attempt (activex.rules)
  • 2010441 - ET MALWARE Possible Storm Variant HTTP Post (S) (malware.rules)
  • 2010591 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme (Al-Wala’ Wal Bara) SMTP (policy.rules)
  • 2010722 - ET HUNTING Suspicious Non-Escaping backslash in User-Agent Inbound (hunting.rules)
  • 2010814 - ET ACTIVEX Possible AOL 9.5 BindToFile Heap Overflow Attempt (activex.rules)
  • 2011291 - ET WEB_SERVER Asprox Spambot SQL-Injection Atempt (web_server.rules)
  • 2011293 - ET USER_AGENTS Suspicious User Agent (GabPath) (user_agents.rules)
  • 2011294 - ET MALWARE Trojan.Win32.FraudPack.aweo (malware.rules)
  • 2012208 - ET MALWARE FAKEAV CryptMEN pack.exe Payload Download (malware.rules)
  • 2012636 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
  • 2012637 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ProcessMgr.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
  • 2012852 - ET MOBILE_MALWARE SymbOS/Yxes.I TipFile.jsp CnC Server Communication (mobile_malware.rules)
  • 2012853 - ET MOBILE_MALWARE SymbOS/Yxes.I NumberFile.jsp CnC Server Communication (mobile_malware.rules)
  • 2012854 - ET MOBILE_MALWARE SymbOS/Merogo User Agent (mobile_malware.rules)
  • 2012855 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Geographic Location Logs To Remote Server (mobile_malware.rules)
  • 2013148 - ET SHELLCODE JavaScript Redefinition of a HeapLib Object - Likely Malicious Heap Spray Attempt (shellcode.rules)
  • 2013660 - ET EXPLOIT_KIT Unknown Exploit Kit Landing Response Malicious JavaScript (exploit_kit.rules)
  • 2013661 - ET EXPLOIT_KIT Exploit kit worms.jar (exploit_kit.rules)
  • 2014107 - ET MALWARE Zeus POST Request to CnC - cookie variation (malware.rules)
  • 2016380 - ET EXPLOIT_KIT Sakura Exploit Kit Encrypted Binary (1) (exploit_kit.rules)
  • 2017079 - ET EXPLOIT_KIT Sibhost Status Check GET Jul 01 2013 (exploit_kit.rules)
  • 2017450 - ET CURRENT_EVENTS Sakura Sep 10 2013 (current_events.rules)
  • 2018350 - ET MALWARE Upatre SSL Compromised site potpourriflowers (malware.rules)
  • 2019538 - ET MALWARE Ransom.Win32.Blocker.fwlm Checkin (malware.rules)
  • 2019869 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019870 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2019871 - ET MALWARE DNS Query for Operation Cleaver Domain (malware.rules)
  • 2020647 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2021417 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
  • 2022212 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC) (malware.rules)
  • 2022267 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022322 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022602 - ET WEB_CLIENT Microsoft Fake Support Phone Scam Mar 7 (web_client.rules)
  • 2023006 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023007 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2023008 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2023009 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023170 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023171 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023172 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023173 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2100341 - GPL FTP XXXXX overflow (ftp.rules)
  • 2100342 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8 (ftp.rules)
  • 2100343 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow FreeBSD (ftp.rules)
  • 2100344 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow Linux (ftp.rules)
  • 2100346 - GPL FTP wu-ftpd 2.6.0 site exec format string check (ftp.rules)
  • 2100627 - GPL SCAN cybercop os SFU12 probe (scan.rules)
  • 2100629 - GPL SCAN nmap fingerprint attempt (scan.rules)
  • 2102376 - GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt (exploit.rules)
  • 2102380 - GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt (exploit.rules)
  • 2102413 - GPL EXPLOIT ISAKMP delete hash with empty hash attempt (exploit.rules)
  • 2102486 - GPL EXPLOIT ISAKMP invalid identification payload attempt (exploit.rules)
  • 2103138 - GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt (netbios.rules)
  • 2103142 - GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt (netbios.rules)
  • 2103192 - GPL WEB_CLIENT Windows Media Player directory traversal via Content-Disposition attempt (web_client.rules)
  • 2800099 - ETPRO IMAP Ipswitch IMail Server IMAP SEARCH Command Buffer Overflow (imap.rules)
  • 2800356 - ETPRO EXPLOIT Trend Micro OfficeScan Server cgiRecvFile Buffer Overflow (exploit.rules)
  • 2800659 - ETPRO DOS OpenLDAP ber_get_next BER Decoding Denial of Service Attempt (dos.rules)
  • 2800660 - ETPRO EXPLOIT Novell eDirectory LDAP NULL Search Parameter Buffer Overflow 1 (exploit.rules)
  • 2800661 - ETPRO EXPLOIT Novell eDirectory LDAP NULL Search Parameter Buffer Overflow 2 (exploit.rules)
  • 2800662 - ETPRO EXPLOIT Novell eDirectory LDAP NULL Search Parameter Buffer Overflow 3 (exploit.rules)
  • 2801506 - ETPRO NETBIOS Multiple Load Library Vulns wintab32.dll - SMB ASCII (netbios.rules)
  • 2801507 - ETPRO NETBIOS Multiple Load Library Vulns wintab32.dll - SMB Unicode (netbios.rules)
  • 2801732 - ETPRO SCADA RealWin HMI Service Buffer Overflow Attempt 3 (scada.rules)
  • 2801733 - ETPRO SCADA NetBiter Config HICP Hostname Buffer Overflow (scada.rules)
  • 2801734 - ETPRO SCADA WellinTech KingView Remote Heap Overflow Attempt (scada.rules)
  • 2802100 - ETPRO ADWARE_PUP Zango Toolbar User-Agent (BAR) (adware_pup.rules)
  • 2802101 - ETPRO MALWARE Backdoor.Win32.Bewymbot.A Checkin (malware.rules)
  • 2802979 - ETPRO EXPLOIT HP OpenView NNM nnmRptconfig.exe schdParams and nameParams Buffer Overflow (exploit.rules)
  • 2803209 - ETPRO MALWARE Trojan.Win32.Orsam Checkin Flowbit Set (malware.rules)
  • 2803210 - ETPRO MALWARE Trojan.Win32.Orsam Receiving CnC Config (malware.rules)
  • 2803211 - ETPRO ADWARE_PUP AdWare.Win32.AdMedia Checkin (adware_pup.rules)
  • 2803986 - ETPRO MALWARE Win32/Agent.CS Checkin (malware.rules)
  • 2804826 - ETPRO MALWARE Win32/Locotout.gen!A CnC Traffic (malware.rules)
  • 2804828 - ETPRO MALWARE Trojan/Buzus.hgv Checkin (malware.rules)
  • 2805528 - ETPRO MALWARE Backdoor.Win32.PcClient Tunnel 1 (malware.rules)
  • 2805529 - ETPRO MALWARE Backdoor.Win32.PcClient Tunnel 2 (malware.rules)
  • 2805810 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 1 (mobile_malware.rules)
  • 2806996 - ETPRO MALWARE Win32/Agent.PVY Checkin (malware.rules)
  • 2807119 - ETPRO MALWARE Downloader/Win32.Zlob Checkin (malware.rules)
  • 2807494 - ETPRO MALWARE Trojan-Dropper.Win32.Sysn.aajj Checkin 2 (malware.rules)
  • 2808052 - ETPRO MOBILE_MALWARE Android.Riskware.SmsPay.C Checkin (mobile_malware.rules)
  • 2808212 - ETPRO EXPLOIT_KIT Safe/Critx/FlashPack URI Struct June 19 2014 1 (exploit_kit.rules)
  • 2808213 - ETPRO EXPLOIT_KIT Safe/Critx/FlashPack URI Struct June 19 2014 2 (exploit_kit.rules)
  • 2808376 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.RZ Checkin 2 (mobile_malware.rules)
  • 2808377 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.IA Checkin (mobile_malware.rules)
  • 2808973 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.bo Checkin (mobile_malware.rules)
  • 2808974 - ETPRO MALWARE Jaik Variant Checkin (malware.rules)
  • 2809477 - ETPRO MALWARE Backdoor.Win32.DarkKomet.emda .onion Proxy Domain (malware.rules)
  • 2809583 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.m Checkin 3 (mobile_malware.rules)
  • 2810168 - ETPRO MOBILE_MALWARE Android/Rlove.A Checkin 2 (mobile_malware.rules)
  • 2811786 - ETPRO ADWARE_PUP ADWARE/MultiPlug.Gen4 Checkin (adware_pup.rules)
  • 2812179 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmThief.eq Checkin (mobile_malware.rules)
  • 2812501 - ETPRO MALWARE Agent.BLVS Initial Host Data POST M1 (malware.rules)
  • 2814061 - ETPRO ADWARE_PUP Adware.Cntads Variant Activity (adware_pup.rules)
  • 2814062 - ETPRO MALWARE Win32/Kortor.A External IP Check (malware.rules)
  • 2814231 - ETPRO MOBILE_MALWARE Android/Uten.A Checkin 2 (mobile_malware.rules)
  • 2814420 - ETPRO MALWARE JS/RecJS DNS Lookup (askleonri.isteingeek.de) (malware.rules)
  • 2814421 - ETPRO MALWARE JS/RecJS DNS Lookup (edrimake.endofinternet.net) (malware.rules)
  • 2814422 - ETPRO MALWARE JS/RecJS DNS Lookup (qkmakein.endofinternet.net) (malware.rules)
  • 2814636 - ETPRO MOBILE_MALWARE Android.Adware.Mulad.AD Checkin (mobile_malware.rules)
  • 2814830 - ETPRO WEB_CLIENT IE Use After Free CEditEventSink (CVE-2015-6071) (web_client.rules)
  • 2815364 - ETPRO MALWARE Win32/Qbot/Quakbot Checkin via HTTP GET (malware.rules)
  • 2815563 - ETPRO PHISHING Base64 Javascript URL Refresh - Common Phish Landing Obfuscation Dec 31 (phishing.rules)
  • 2816935 - ETPRO MOBILE_MALWARE Android/TrojanSMS.FakeInst.GY Checkin (mobile_malware.rules)
  • 2819913 - ETPRO MALWARE Jupiter Banker Injects DNS Lookup (malware.rules)
  • 2820342 - ETPRO MALWARE Win32/Banker Checkin 1 (malware.rules)
  • 2820547 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820548 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820981 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2822618 - ETPRO MOBILE_MALWARE Trojan-Ransom.AndroidOS.Sugs.a Checkin (mobile_malware.rules)
  • 2822989 - ETPRO MALWARE Malicious SSL Certificate Detected (Qadars CnC) (malware.rules)
  • 2824848 - ETPRO MALWARE Odinaff Malicious SSL Certificate Detected (malware.rules)
  • 2824849 - ETPRO MALWARE Serpent Ransomware Onion Domain (malware.rules)
  • 2825419 - ETPRO EXPLOIT Possible EXE Exploiting Win32k DDI Vulnerablity Inbound (CVE-2017-0081) (exploit.rules)
  • 2825421 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0083) (exploit.rules)
  • 2825422 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0086) (exploit.rules)
  • 2825423 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0087) (exploit.rules)
  • 2825424 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0088) (exploit.rules)