Ruleset Update Summary - 2025/10/15 - v11040

Ruleset Updates
1

Summary:

22 new OPEN, 22 new PRO (22 + 0)

Thanks @Jane_0sint

Added rules:

Open:

  • 2065194 - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Authentication Bypass (SyncServlet) (CVE-2025-61882) (web_specific_apps.rules)
  • 2065195 - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Template Manager Template Copy (CVE-2025-61882) (web_specific_apps.rules)
  • 2065196 - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Template Manager Template File Add (CVE-2025-61882) (web_specific_apps.rules)
  • 2065197 - ET WEB_SPECIFIC_APPS Oracle E-Business Suite (EBS) Unauthenticated Template Manager Template Preview (CVE-2025-61882) (web_specific_apps.rules)
  • 2065198 - ET HUNTING Windows Shortcut Link Padded Whitespace in Command Line Arguments (ZDI-CAN-25373) (hunting.rules)
  • 2065199 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (signaturepl .com) (exploit_kit.rules)
  • 2065200 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (signaturepl .com) (exploit_kit.rules)
  • 2065201 - ET WEB_SPECIFIC_APPS Tenda WifiExtraSet wpapsk_crypto Parameter Buffer Overflow Attempt (CVE-2025-25663, CVE-2025-10838, CVE-2025-7596, CVE-2025-5799) (web_specific_apps.rules)
  • 2065202 - ET WEB_SPECIFIC_APPS Netgear password.cgi http_passwd Parameter Buffer Overflow Attempt (CVE-2023-38925) (web_specific_apps.rules)
  • 2065203 - ET WEB_SPECIFIC_APPS Netgear password.cgi http_passwd Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2065204 - ET MALWARE iMonitor EAM CnC Agent Request (FILEAGENTD) (malware.rules)
  • 2065205 - ET MALWARE iMonitor EAM CnC Server Response (TRANSFBEGIN) (malware.rules)
  • 2065206 - ET MALWARE iMonitor EAM CnC Agent Request (FILEHEADER) (malware.rules)
  • 2065207 - ET MALWARE iMonitor EAM CnC Server Response (TRANSFDATA) (malware.rules)
  • 2065208 - ET WEB_SPECIFIC_APPS TVT queryDevInfo Information Disclosure (CVE-2024-7339) (web_specific_apps.rules)
  • 2065209 - ET WEB_SPECIFIC_APPS TVT language Command Injection Attempt (CVE-2025-34036) (web_specific_apps.rules)
  • 2065210 - ET MALWARE iMonitor EAM CnC Agent Request (AGENTCONN) (malware.rules)
  • 2065211 - ET WEB_SPECIFIC_APPS LILIN dvr_box Server Parameter Command Injection Attempt (CVE-2025-34132) (web_specific_apps.rules)
  • 2065212 - ET MALWARE iMonitor EAM CnC Server Response (RDPBEEND) (malware.rules)
  • 2065213 - ET MALWARE iMonitor EAM CnC Agent Request (AGENTALARM) (malware.rules)
  • 2065214 - ET MALWARE iMonitor EAM CnC Agent Request (AGENTINFOM) (malware.rules)
  • 2065215 - ET MALWARE iMonitor EAM CnC Server Response (DEVNLOADCLIENT) (malware.rules)

Modified inactive rules:

  • 2001458 - ET ADWARE_PUP Bundleware Spyware cab Download (adware_pup.rules)
  • 2001459 - ET ADWARE_PUP Overpro Spyware Games (adware_pup.rules)
  • 2001491 - ET ADWARE_PUP Xpire.info Spyware Checkin (adware_pup.rules)
  • 2001541 - ET ADWARE_PUP Xpire.info Install Report (adware_pup.rules)
  • 2002017 - ET ADWARE_PUP Overpro Spyware Install Report (adware_pup.rules)
  • 2002066 - ET WEB_SPECIFIC_APPS CSV-DB CSV_DB.CGI Remote Command Execution Attempt (web_specific_apps.rules)
  • 2002100 - ET WEB_SPECIFIC_APPS WPS wps_shop.cgi Remote Command Execution Attempt (web_specific_apps.rules)
  • 2002822 - ET POLICY Wget User Agent (policy.rules)
  • 2002886 - ET EXPLOIT SYS get_domain_index_metadata Privilege Escalation Attempt (exploit.rules)
  • 2003190 - ET MALWARE Win32.Lager Trojan Reporting Spam (malware.rules)
  • 2003296 - ET MALWARE Possible Web-based DDoS-command being issued (malware.rules)
  • 2003402 - ET EXPLOIT US-ASCII Obfuscated VBScript execute command (exploit.rules)
  • 2003403 - ET EXPLOIT US-ASCII Obfuscated VBScript (exploit.rules)
  • 2007979 - ET MALWARE Backdoor.Win32.VB.brg C&C Reporting Version (malware.rules)
  • 2007980 - ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Send (malware.rules)
  • 2008066 - ET ADWARE_PUP Blank User-Agent (descriptor but no string) (adware_pup.rules)
  • 2009101 - ET WEB_SPECIFIC_APPS REALTOR define.php Remote File Inclusion (web_specific_apps.rules)
  • 2009167 - ET WEB_SPECIFIC_APPS AdaptCMS Lite rss_importer_functions.php sitepath Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009333 - ET WEB_SPECIFIC_APPS ODARS resource_categories_view.php CLASSES_ROOT parameter Remote file inclusion (web_specific_apps.rules)
  • 2009927 - ET WEB_SPECIFIC_APPS x10 Automatic MP3 Script layout_lyrics.php web_root Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2010341 - ET WEB_SPECIFIC_APPS OS Commerce 2.2 RC2 Potential Anonymous Remote Code Execution (web_specific_apps.rules)
  • 2012871 - ET MALWARE Gozi posting form data (malware.rules)
  • 2013019 - ET MOBILE_MALWARE Iphone iKee.B Checkin (mobile_malware.rules)
  • 2013489 - ET MALWARE Best Pack Exploit Pack Binary Load Request (malware.rules)
  • 2014113 - ET MALWARE Win32/Injector.MUD Variant Reporting (malware.rules)
  • 2014208 - ET MALWARE TLD4 Purple Haze Variant Initial CnC Request for Ad Servers (malware.rules)
  • 2014933 - ET MALWARE Win32/Bicololo.Dropper ne_unik CnC Server Response (malware.rules)
  • 2015667 - ET MALWARE NeoSploit - Version Enumerated - null (malware.rules)
  • 2015668 - ET WEB_CLIENT FlimKit/Other - Landing Page - 100HexChar value and applet (web_client.rules)
  • 2016708 - ET EXPLOIT_KIT CrimeBoss Recent Jar (3) (exploit_kit.rules)
  • 2017093 - ET EXPLOIT_KIT CritX/SafePack/FlashPack EXE Download Jul 01 2013 (exploit_kit.rules)
  • 2017613 - ET EXPLOIT_KIT Possible Magnitude EK (formerly Popads) IE Exploit with IE UA Oct 16 2013 (exploit_kit.rules)
  • 2018593 - ET EXPLOIT_KIT Safe/CritX/FlashPack EK CVE-2013-3918 (exploit_kit.rules)
  • 2018696 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (malware.rules)
  • 2018697 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018865 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019123 - ET MALWARE Cryptolocker .onion Proxy Domain (erhitnwfvpgajfbu) (malware.rules)
  • 2019124 - ET MALWARE Cryptolocker .onion Proxy Domain in SNI (malware.rules)
  • 2019549 - ET MALWARE Sofacy HTTP Request checkmalware.info (malware.rules)
  • 2020030 - ET MALWARE Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin Response 2 (malware.rules)
  • 2021974 - ET WEB_CLIENT Fake Virus Phone Scam Redirector Oct 19 M3 (web_client.rules)
  • 2022415 - ET MALWARE Scarlet Mimic DNS Lookup 5 (malware.rules)
  • 2022907 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole) (malware.rules)
  • 2022908 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL Certificate Detected (Sinkhole) (malware.rules)
  • 2023267 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023268 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Quakbot CnC) (malware.rules)
  • 2065190 - ET INFO Observed DNS Query to File Sharing Service Domain (app .box .com) (info.rules)
  • 2065191 - ET INFO Observed DNS Query to FIle Sharing Service Domain (acrobat .adobe .com) (info.rules)
  • 2065192 - ET INFO Observed File Sharing Service Domain (app .box .com in TLS SNI) (info.rules)
  • 2100308 - GPL FTP NextFTP client overflow (ftp.rules)
  • 2100503 - GPL MISC Source Port 20 to <1024 (misc.rules)
  • 2102333 - GPL FTP RENAME format string attempt (ftp.rules)
  • 2103137 - GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt (netbios.rules)
  • 2103141 - GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt (netbios.rules)
  • 2103154 - GPL DNS UDP inverse query overflow (dns.rules)
  • 2800004 - ETPRO SMTP Microsoft Outlook Express MHTML URL Processing Vulnerability (smtp.rules)
  • 2800370 - ETPRO EXPLOIT Novell eDirectory SOAP Handling Accept Language Header Heap Overflow 2 (exploit.rules)
  • 2800371 - ETPRO EXPLOIT Multiple Vendors CUPS HPGL Filter Remote Code Execution 1 (exploit.rules)
  • 2800372 - ETPRO EXPLOIT Multiple Vendors CUPS HPGL Filter Remote Code Execution 2 (exploit.rules)
  • 2800678 - ETPRO EXPLOIT HP StorageWorks Storage Mirroring Double Take Service Code Execution 10 (exploit.rules)
  • 2800679 - ETPRO EXPLOIT HP StorageWorks Storage Mirroring Double Take Service Code Execution 11 (exploit.rules)
  • 2803226 - ETPRO CHAT mig33 Server Keep Alive (chat.rules)
  • 2803227 - ETPRO CHAT mig33 Server Login Fail (chat.rules)
  • 2803383 - ETPRO MALWARE Win32/Mocmex.gen!A Checkin (malware.rules)
  • 2803384 - ETPRO EXPLOIT Sybase Open Server Null Byte Stack Memory Corruption - SET (exploit.rules)
  • 2803996 - ETPRO MALWARE Trojan.Win32.Malex!IK Checkin (malware.rules)
  • 2804126 - ETPRO MALWARE TrojanSpy.Win32/Bancos.ADR Checkin (malware.rules)
  • 2804632 - ETPRO MALWARE Proxy.Win32.Agent.bvy Checkin (malware.rules)
  • 2804740 - ETPRO ADWARE_PUP Downloader.Generic10.BZSM Install (adware_pup.rules)
  • 2804741 - ETPRO MALWARE BScope.Trojan.Banker Checkin (malware.rules)
  • 2805387 - ETPRO MALWARE Win32/Banbot.A Checkin (malware.rules)
  • 2805700 - ETPRO MALWARE Trojan.Win32.Agent2.fjpq Checkin (malware.rules)
  • 2805825 - ETPRO MALWARE Backdoor.Win32.Rbot.kkw Checkin (malware.rules)
  • 2806737 - ETPRO MALWARE Trojan-Proxy.Win32.Small.ez Checkin (malware.rules)
  • 2807500 - ETPRO MALWARE Trojan-Downloader.Win32.Agent.aah Checkin (malware.rules)
  • 2807501 - ETPRO MALWARE Win32/Spy.Banker.ZSX Download (malware.rules)
  • 2807641 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0270) (web_client.rules)
  • 2807642 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0271) (web_client.rules)
  • 2808060 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.de Checkin 4 (mobile_malware.rules)
  • 2808623 - ETPRO ADWARE_PUP Adware C2 via Twitter (adware_pup.rules)
  • 2808888 - ETPRO MALWARE Win32/BrowserPassview Checkin via SMTP 2 (malware.rules)
  • 2809280 - ETPRO MALWARE Win32.Infostealer.Compfolder Checkin (malware.rules)
  • 2809486 - ETPRO MALWARE Win32.Sysn Variant Checkin (malware.rules)
  • 2810002 - ETPRO MALWARE Cryptorbit Ransomware .onion Proxy Domain (4sfxctgp53imlvzk) (malware.rules)
  • 2810878 - ETPRO MALWARE Possible Ransomware Variant .onion Proxy Domain (malware.rules)
  • 2811243 - ETPRO EXPLOIT DLink DNS/DNR 320 check_login Authentication Bypass HTTP Request (exploit.rules)
  • 2811608 - ETPRO MALWARE Upatre Common URI Struct Jun 19 2015 (malware.rules)
  • 2812983 - ETPRO MALWARE TrojanDownloader.Banload.VHZ Checkin 3 (malware.rules)
  • 2814651 - ETPRO MOBILE_MALWARE Android/TrojanDropper.Agent.CT Checkin 2 (mobile_malware.rules)
  • 2814847 - ETPRO MOBILE_MALWARE Android/Fobus.X Checkin 2 (mobile_malware.rules)
  • 2815018 - ETPRO MALWARE Redyms CnC DNS Lookup (iqcgqyaeqimiiycs.org) (malware.rules)
  • 2815178 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Pyrof.a Checkin (mobile_malware.rules)
  • 2815574 - ETPRO MALWARE Zbot .onion Proxy Domain (malware.rules)
  • 2816161 - ETPRO MALWARE Possible Ironhalo Receiving Encoded Payload M1 (malware.rules)
  • 2819647 - ETPRO EXPLOIT_KIT Possible SunDown/Xer EK Payload Apr 08 M1 (exploit_kit.rules)
  • 2819927 - ETPRO MALWARE Malicious SSL certificate detected (Backdoor.Mizzmo) (malware.rules)
  • 2820561 - ETPRO MALWARE TorrentLocker DNS query to Domain *.capturen.net (malware.rules)
  • 2825207 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)