Ruleset Update Summary - 2025/10/10 - v11037

Summary:

35 new OPEN, 36 new PRO (35 + 1)
Added rules:

Open:

  • 2065123 - ET INFO Observed RMM Domain in DNS Lookup (online .miradore .com) (info.rules)
  • 2065124 - ET INFO Observed RMM Domain in DNS Lookup (gateway .miradore .com) (info.rules)
  • 2065125 - ET INFO Observed RMM Domain in DNS Lookup (ejbca .miradore .com) (info.rules)
  • 2065126 - ET INFO Observed RMM Domain in DNS Lookup (mdmcontent .miradore .com) (info.rules)
  • 2065127 - ET INFO Observed RMM Domain in DNS Lookup (miradore .zendesk .com) (info.rules)
  • 2065128 - ET INFO Observed RMM Domain in DNS Lookup (mdnotificationservice .azurewebsites .net) (info.rules)
  • 2065129 - ET INFO Observed RMM Domain in DNS Lookup (gerwconline .blob .core .windows .net) (info.rules)
  • 2065130 - ET INFO Observed RMM Domain in TLS SNI (online .miradore .com) (info.rules)
  • 2065131 - ET INFO Observed RMM Domain in TLS SNI (gateway .miradore .com) (info.rules)
  • 2065132 - ET INFO Observed RMM Domain in TLS SNI (ejbca .miradore .com) (info.rules)
  • 2065133 - ET INFO Observed RMM Domain in TLS SNI (mdmcontent .miradore .com) (info.rules)
  • 2065134 - ET INFO Observed RMM Domain in TLS SNI (miradore .zendesk .com) (info.rules)
  • 2065135 - ET INFO Observed RMM Domain in TLS SNI (mdnotificationservice .azurewebsites .net) (info.rules)
  • 2065136 - ET INFO Observed RMM Domain in TLS SNI (gerwconline .blob .core .windows .net) (info.rules)
  • 2065137 - ET WEB_SPECIFIC_APPS D-Link form2Dhcpip.cgi nvmacaddr Parameter Buffer Overflow Attempt (CVE-2023-43238) (web_specific_apps.rules)
  • 2065138 - ET WEB_SPECIFIC_APPS D-Link ipportFilter sip_address Parameter Buffer Overflow Attempt (CVE-2023-43240) (web_specific_apps.rules)
  • 2065139 - ET WEB_SPECIFIC_APPS D-Link setMAC macCloneMac Parameter Buffer Overflow Attempt (CVE-2023-43237) (web_specific_apps.rules)
  • 2065140 - ET WEB_SPECIFIC_APPS D-Link showMACfilterMAC flag_5g Parameter Buffer Overflow Attempt (CVE-2023-43239) (web_specific_apps.rules)
  • 2065141 - ET WEB_SPECIFIC_APPS D-Link SetWLanRadioSettings Multiple XML Tags Buffer Overflow Attempt (CVE-2023-44839, CVE-2023-43241) (web_specific_apps.rules)
  • 2065142 - ET WEB_SPECIFIC_APPS D-Link SetWLanRadioSecurity Key Parameter Command Injection Attempt (CVE-2024-48634) (web_specific_apps.rules)
  • 2065143 - ET WEB_SPECIFIC_APPS D-Link SetWLanRadioSecurity Multiple XML Tags Buffer Overflow Attempt (CVE-2023-44839, CVE-2022-46569) (web_specific_apps.rules)
  • 2065144 - ET WEB_SPECIFIC_APPS D-Link myMusic.cgi Multiple Parameters Command Injection Attempt (CVE-2024-7922) (web_specific_apps.rules)
  • 2065145 - ET WEB_SPECIFIC_APPS D-Link SetWifiDownSettings Multiple XML Tags Buffer Overflow Attempt (CVE-2023-43235) (web_specific_apps.rules)
  • 2065146 - ET WEB_SPECIFIC_APPS D-Link dns_more_check.data enable Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065147 - ET WEB_SPECIFIC_APPS D-Link hictlist_show.data enable Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065148 - ET WEB_SPECIFIC_APPS D-Link jingx.data Multiple Parameters Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065149 - ET WEB_SPECIFIC_APPS D-Link thdbase.asp Multiple Parameters Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065150 - ET WEB_SPECIFIC_APPS D-Link wan_ping.data wan_ping Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065151 - ET WEB_SPECIFIC_APPS D-Link web_keyword.data Multiple Parameters Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065152 - ET WEB_SPECIFIC_APPS Tenda SetIpMacBind Multiple Parameters Buffer Overflow Attempt (CVE-2025-9089, CVE-2025-1853, CVE-2024-40417, CVE-2023-41556, CVE-2023-40902, CVE-2023-40896) (web_specific_apps.rules)
  • 2065153 - ET WEB_SPECIFIC_APPS Tenda setAdvPolicyData rebootTime Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2065154 - ET WEB_SPECIFIC_APPS Tenda setVlanInfo Multiple Parameters Buffer Overflow Attempt (CVE-2023-46060, CVE-2023-51093) (web_specific_apps.rules)
  • 2065155 - ET WEB_SPECIFIC_APPS Tenda SetFirewallCfg firewallEn Parameter Buffer Overflow Attempt (CVE-2025-8810, CVE-2025-29358, CVE-2025-1851, CVE-2024-2809) (web_specific_apps.rules)
  • 2065156 - ET WEB_SPECIFIC_APPS Tenda openSchedWifi Multiple Parameters Buffer Overflow Attempt (CVE-2025-46035) (web_specific_apps.rules)
  • 2065157 - ET WEB_SPECIFIC_APPS Tenda SetVirtualServerCfg list Parameter Buffer Overflow Attempt (CVE-2025-29361, CVE-2024-4112, CVE-2024-40416, CVE-2024-10282) (web_specific_apps.rules)

Pro:

  • 2864772 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

  • 2001398 - ET ADWARE_PUP Bfast.com Spyware (adware_pup.rules)
  • 2001538 - ET ADWARE_PUP Oenji.com Install (adware_pup.rules)
  • 2001539 - ET ADWARE_PUP Spyspotter.com Access Likely Spyware (adware_pup.rules)
  • 2001988 - ET EXPLOIT MySQL MaxDB Buffer Overflow (exploit.rules)
  • 2002729 - ET POLICY Outbound Hamachi VPN Connection Attempt (policy.rules)
  • 2003241 - ET ADWARE_PUP New.net Spyware Checkin (adware_pup.rules)
  • 2003435 - ET MALWARE Stormy Variant HTTP Request (malware.rules)
  • 2003455 - ET POLICY Hi5.com Social Site Access (policy.rules)
  • 2003727 - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt – ltdialogo.php pathCGX (web_specific_apps.rules)
  • 2003728 - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt – logingecon.php pathCGX (web_specific_apps.rules)
  • 2003729 - ET WEB_SPECIFIC_APPS CGX Remote Inclusion Attempt – login.php pathCGX (web_specific_apps.rules)
  • 2006408 - ET POLICY HTTP Request on Unusual Port Possibly Hostile (policy.rules)
  • 2007627 - ET POLICY Hyves Login Attempt (policy.rules)
  • 2007955 - ET MALWARE Cygo Checkin (malware.rules)
  • 2008197 - ET ADWARE_PUP Winxdefender.com Fake AV Package Post Install Checkin (adware_pup.rules)
  • 2008368 - ET MALWARE Unknown Keylogger checkin (malware.rules)
  • 2008562 - ET HUNTING Suspicious SMTP handshake outbound (hunting.rules)
  • 2008755 - ET MALWARE Autorun.qvi Related HTTP Get on Off Port (malware.rules)
  • 2009261 - ET SHELLCODE Bonn Shellcode (shellcode.rules)
  • 2009270 - ET SHELLCODE Bonn Shellcode (UDP) (shellcode.rules)
  • 2009271 - ET SHELLCODE Langenfeld Shellcode (UDP) (shellcode.rules)
  • 2009846 - ET WEB_SPECIFIC_APPS WB News global.php config Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2010152 - ET MALWARE Koobface C&C availability check successful (malware.rules)
  • 2010153 - ET MALWARE Koobface fetch C&C command detected (malware.rules)
  • 2010442 - ET MALWARE Possible Storm Variant HTTP Post (U) (malware.rules)
  • 2010695 - ET MALWARE Aurora Backdoor (C&C) client connection to CnC (malware.rules)
  • 2010696 - ET MALWARE Aurora Backdoor (C&C) connection CnC response (malware.rules)
  • 2011871 - ET POLICY SubmitToTDWTF.asmx DailyWTF Potential Source Code Leakage (policy.rules)
  • 2012638 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
  • 2012639 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
  • 2012640 - ET ACTIVEX RealNetworks RealGames StubbyUtil.ShellCtl.1 InstallerDlg.dll Remote Command Execution Attempt (activex.rules)
  • 2012856 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending Call Logs to Remote Server (mobile_malware.rules)
  • 2012857 - ET MOBILE_MALWARE SPR/MobileSpy Mobile Spyware Sending SMS Logs to Remote Server (mobile_malware.rules)
  • 2012858 - ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server (mobile_malware.rules)
  • 2012997 - ET WEB_SERVER PHP Possible http Remote File Inclusion Attempt (web_server.rules)
  • 2013389 - ET ADWARE_PUP Adware/CommonName Reporting (adware_pup.rules)
  • 2013390 - ET MALWARE Suspicious User Agent 3653Client (malware.rules)
  • 2014022 - ET SCAN Gootkit Scanner User-Agent Inbound (scan.rules)
  • 2014197 - ET EXPLOIT_KIT Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected (exploit_kit.rules)
  • 2015782 - ET EXPLOIT_KIT Magnitude EK (formerly Popads) Other Java Exploit Kit 32-32 byte hex hostile jar (exploit_kit.rules)
  • 2016204 - ET WEB_SERVER Possible CVE-2013-0156 Ruby On Rails XML YAML tag with !ruby (web_server.rules)
  • 2016822 - ET WEB_CLIENT Possible Internet Explorer Use After Free Inbound (CVE-2013-1347) (web_client.rules)
  • 2017192 - ET CURRENT_EVENTS c0896 Hacked Site Response Octal (Outbound) (current_events.rules)
  • 2017862 - ET EXPLOIT_KIT CrimePack PDF Exploit (exploit_kit.rules)
  • 2017863 - ET EXPLOIT_KIT CrimePack Java Exploit (exploit_kit.rules)
  • 2018351 - ET MALWARE Upatre SSL Compromised site kionic (malware.rules)
  • 2018352 - ET MALWARE Possible FakeAV binary download (setup) (malware.rules)
  • 2018353 - ET CURRENT_EVENTS Win32.RBrute Scan (Outgoing) (current_events.rules)
  • 2018354 - ET CURRENT_EVENTS Win32.RBrute Scan (incoming) (current_events.rules)
  • 2018483 - ET MALWARE Possible Zendran ELF IRCBot Joining Channel 2 (malware.rules)
  • 2018686 - ET WEB_CLIENT Possible Malvertising Redirect URI Struct Jul 16 2014 (web_client.rules)
  • 2020020 - ET MALWARE US-CERT TA14-353A WIPER4 (malware.rules)
  • 2020021 - ET MALWARE Possible Operation Poisoned Helmand jar download (malware.rules)
  • 2020650 - ET MALWARE Banker Boleto Fraud JS_BROBAN.SM Known Domain (bagacaoutra.ru) (malware.rules)
  • 2021031 - ET MALWARE Malicious SSL Cert (KINS C2) (malware.rules)
  • 2021032 - ET MALWARE Malicious SSL Cert (KINS C2) (malware.rules)
  • 2022324 - ET MALWARE Malicious SSL certificate detected (Possible Sinkhole) (malware.rules)
  • 2023010 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2023011 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Downloader.Pony CnC) (malware.rules)
  • 2023012 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi CnC) (malware.rules)
  • 2023174 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023175 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023176 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (RockLoader CnC) (malware.rules)
  • 2023543 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gootkit CnC) (malware.rules)
  • 2100345 - GPL FTP wu-ftpd 2.6.0 site exec format string overflow generic (ftp.rules)
  • 2100348 - GPL FTP wu-ftpd 2.6.0 (ftp.rules)
  • 2100628 - GPL SCAN nmap TCP (scan.rules)
  • 2100989 - GPL SCAN sensepost.exe command shell attempt (scan.rules)
  • 2101228 - GPL SCAN nmap XMAS (scan.rules)
  • 2102377 - GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt (exploit.rules)
  • 2102379 - GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt (exploit.rules)
  • 2102414 - GPL EXPLOIT ISAKMP initial contact notification without SPI attempt (exploit.rules)
  • 2800103 - ETPRO EXPLOIT Borland Interbase Database Service Create-Request Buffer Overflow (exploit.rules)
  • 2800104 - ETPRO IMAP Ipswitch IMail Server IMAP SEARCH Command Date String Stack Overflow (imap.rules)
  • 2800357 - ETPRO EXPLOIT IBM DB2 Universal Database XML Query Buffer Overflow (exploit.rules)
  • 2800656 - ETPRO DOS Microsoft Windows Active Directory LDAP SearchRequest Denial of Service Attempt 2 (dos.rules)
  • 2800665 - ETPRO EXPLOIT CA BrightStor ARCserve Backup caloggerd Opcode 79 Stack Buffer Overflow (exploit.rules)
  • 2800666 - ETPRO EXPLOIT Borland Software InterBase ibserver.exe Service Attach Request Buffer Overflow (exploit.rules)
  • 2801094 - ETPRO SCADA_SPECIAL PROSOFT (Event 20) Function Not Available Error (scada_special.rules)
  • 2801095 - ETPRO SCADA_SPECIAL PROSOFT (Event 21) Point Not Available (scada_special.rules)
  • 2801512 - ETPRO NETBIOS Multiple Load Library Vulns dwmapi.dll - SMB ASCII (netbios.rules)
  • 2803214 - ETPRO MALWARE Win32.Poshtroper.A Checkin (malware.rules)
  • 2803537 - ETPRO MALWARE Backdoor.DsBot.dov/Win32.Morto.A Checkin (malware.rules)
  • 2803538 - ETPRO MALWARE Generic.4803182 Checkin (malware.rules)
  • 2803845 - ETPRO DOS Microsoft Forefront Unified Access Gateway DoS Attempt 1 (dos.rules)
  • 2803988 - ETPRO MALWARE Win32/Toshinc.A Checkin (malware.rules)
  • 2804287 - ETPRO MALWARE Trojan.MulDrop3.23293 Checkin (malware.rules)
  • 2804289 - ETPRO MALWARE Trojan-Downloader.Win32.FraudLoad.zpaf Checkin (malware.rules)
  • 2804621 - ETPRO MALWARE Worm.Win32/VB.BN Checkin 2 (malware.rules)
  • 2804831 - ETPRO MALWARE Win32.Injecter.fvp Checkin (malware.rules)
  • 2804952 - ETPRO MALWARE Win32/Ofreayo.A Checkin (malware.rules)
  • 2804953 - ETPRO MALWARE Hupigon.68562 Checkin (malware.rules)
  • 2804954 - ETPRO MALWARE Trojan.Fadedoor.10B-1 Checkin (malware.rules)
  • 2805245 - ETPRO MALWARE MAC OSX Trojan Campaign .jar file request 1 (malware.rules)
  • 2805246 - ETPRO MALWARE MAC OSX Trojan Campaign .jar file request 2 (malware.rules)
  • 2805381 - ETPRO WEB_CLIENT Rebot JavaScript Injected Site inbound (web_client.rules)
  • 2805386 - ETPRO WEB_CLIENT Possible Client requesting Rebot JavaScript Redirect (web_client.rules)
  • 2805530 - ETPRO MALWARE Win32/Busky.gen Checkin (malware.rules)
  • 2805695 - ETPRO MALWARE W32/Delfloader.B.gen!Eldorado Checkin 2 (malware.rules)
  • 2805811 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 2 (mobile_malware.rules)
  • 2805813 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.GingerMaster.a Checkin 4 (mobile_malware.rules)
  • 2806330 - ETPRO MOBILE_MALWARE Spy.AndroidOS.Zitmo.a Checkin (mobile_malware.rules)
  • 2806991 - ETPRO DOS Active Directory DOS (CVE-2013-3868) (dos.rules)
  • 2807120 - ETPRO MALWARE Downloader/Win32.Zlob Checkin Response (malware.rules)
  • 2807122 - ETPRO MALWARE Win32/Spy.Delf.PHC Checkin (malware.rules)
  • 2808882 - ETPRO MOBILE_MALWARE Android.Trojan.AutoSMS.BF Checkin (mobile_malware.rules)
  • 2809176 - ETPRO EXPLOIT DTLS Pre 1.0 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
  • 2809177 - ETPRO EXPLOIT DTLS 1.0 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
  • 2809178 - ETPRO EXPLOIT DTLS 1.2 HelloVerifyRequest CookieSize Heap Overflow CVE-2014-6321 (exploit.rules)
  • 2809585 - ETPRO MOBILE_MALWARE Android.Riskware.SMSReg.EI Checkin (mobile_malware.rules)
  • 2809761 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
  • 2810169 - ETPRO MALWARE Win32/TrojanDownloader.Blocrypt Conn Check (malware.rules)
  • 2810700 - ETPRO MOBILE_MALWARE AdWare.AndroidOS.Xynyin.a Checkin (mobile_malware.rules)
  • 2811225 - ETPRO MALWARE Win32/TrojanDownloader.Banload.VOG Retrieving compressed PE set (ZIP) (malware.rules)
  • 2812769 - ETPRO MOBILE_MALWARE Monitor.AndroidOS.SpyBubble.a Checkin (mobile_malware.rules)
  • 2814065 - ETPRO MALWARE Possible EncryptorRaas Variant .onion Proxy Domain (malware.rules)
  • 2814423 - ETPRO MALWARE JS/RecJS DNS Lookup (cuninn.servebbs.com) (malware.rules)
  • 2814424 - ETPRO MALWARE JS/RecJS DNS Lookup (grihostad.servebbs.com) (malware.rules)
  • 2814425 - ETPRO MALWARE JS/RecJS DNS Lookup (askpotubeda.isteingeek.de) (malware.rules)
  • 2816148 - ETPRO MALWARE Malicious SSL certificate detected (Backdoor.Mizzmo) (malware.rules)
  • 2819914 - ETPRO MALWARE Jupiter Banker Injects Domain in SSL Client Hello (malware.rules)
  • 2820344 - ETPRO MALWARE PowerShell/Agent.B Checkin to Tor Domain (malware.rules)
  • 2821209 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2821210 - ETPRO MALWARE Malicious SSL certificate detected (Malware C2) (malware.rules)
  • 2823422 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.lr Checkin (mobile_malware.rules)
  • 2824273 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
  • 2825425 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0089) (exploit.rules)
  • 2825426 - ETPRO EXPLOIT Windows Uniscribe Remote Code Execution Vulnerability (CVE-2017-0090) (exploit.rules)
  • 2825620 - ETPRO MALWARE PyCL/Fatboy Python Ransomware CnC Activity (malware.rules)