Ruleset Update Summary - 2025/10/16 - v11041

rulesbot · October 16, 2025, 8:15pm

Summary:

18 new OPEN, 18 new PRO (18 + 0)

Added rules:

Open:

2065216 - ET WEB_SPECIFIC_APPS OptiLink/GPON admin/formTracert target_addr Parameter Command Injection Attempt (CVE-2025-34049) (web_specific_apps.rules)
2065217 - ET WEB_SPECIFIC_APPS Syrotec/GPON shellCMDExec command Parameter Command Injection Attempt (CVE-2024-46658) (web_specific_apps.rules)
2065218 - ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Command Injection Attempt (CVE-2025-54405, CVE-2025-54406) (web_specific_apps.rules)
2065219 - ET WEB_SPECIFIC_APPS Planet formPingCmd Multiple Parameters Buffer Overflow Attempt (CVE-2025-54399, CVE-2025-54400, CVE-2025-54401, CVE-2025-54402) (web_specific_apps.rules)
2065220 - ET WEB_SPECIFIC_APPS ByteValue webRead/open path Parameter Command Injection Attempt (CVE-2023-7011) (web_specific_apps.rules)
2065221 - ET WEB_SPECIFIC_APPS ASMAX CGI script system Parameter Command Injection Attempt (CVE-2009-5156) (web_specific_apps.rules)
2065222 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (manage .veranoresorts .com) (malware.rules)
2065223 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (manage .veranoresorts .com) (malware.rules)
2065224 - ET MALWARE Observed DNS Query to Cobalt Strike Domain (cloudflarecache .cfd) (malware.rules)
2065225 - ET MALWARE Observed DNS Query to Cobalt Strike Domain (bootcdncache .com) (malware.rules)
2065226 - ET MALWARE Observed Cobalt Strike Domain (cloudflarecache .cfd in TLS SNI) (malware.rules)
2065227 - ET MALWARE Observed Cobalt Strike Domain (bootcdncache .com in TLS SNI) (malware.rules)
2065228 - ET WEB_SPECIFIC_APPS Brickcom configfile.dump action Parameter Information Disclosure Attempt (CVE-2017-9238) (web_specific_apps.rules)
2065229 - ET MALWARE Cobalt Strike Get Mission Request (POST) (malware.rules)
2065230 - ET MALWARE Cobalt Strike CnC Checkin (Submit Result) (malware.rules)
2065231 - ET MALWARE Cobalt Strike ScreenShot Exfil (POST) (malware.rules)
2065232 - ET WEB_SPECIFIC_APPS Brickcom syslog.dump action Parameter Information Disclosure Attempt (CVE-2017-9238) (web_specific_apps.rules)
2065233 - ET WEB_SPECIFIC_APPS Brickcom camerainfo.cgi a Parameter Information Disclosure Attempt (CVE-2017-9238) (web_specific_apps.rules)

Modified inactive rules:

2002088 - ET ADWARE_PUP C4tdownload.com Spyware Activity (adware_pup.rules)
2002129 - ET WEB_SPECIFIC_APPS Cacti Input Validation Attack (web_specific_apps.rules)
2002824 - ET POLICY CURL User Agent (policy.rules)
2002887 - ET EXPLOIT SYS get_domain_index_tables Access (exploit.rules)
2007878 - ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow (activex.rules)
2007981 - ET MALWARE Backdoor.Win32.VB.brg C&C Kill Command Acknowledge (malware.rules)
2008456 - ET ADWARE_PUP EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin (adware_pup.rules)
2010510 - ET WEB_SPECIFIC_APPS Possible OSSIM uniqueid Parameter Remote Command Execution Attempt (web_specific_apps.rules)
2011334 - ET ADWARE_PUP User-Agent (C\WINDOWS\system32\NetLogom.exe) (adware_pup.rules)
2012777 - ET HUNTING Suspicious IAT EnableExecuteProtectionSupport - Undocumented API to Modify DEP (hunting.rules)
2013020 - ET MOBILE_MALWARE DroidKungFu Checkin (mobile_malware.rules)
2013490 - ET POLICY NetBIOS nbtstat Type Query Outbound (policy.rules)
2014458 - ET CURRENT_EVENTS Italian Spam Campaign (current_events.rules)
2016709 - ET EXPLOIT_KIT CrimeBoss Recent Jar (4) (exploit_kit.rules)
2016828 - ET EXPLOIT_KIT Unknown EK Requsting Payload (exploit_kit.rules)
2017743 - ET CURRENT_EVENTS Possible WhiteLotus IE Payload (current_events.rules)
2017744 - ET EXPLOIT_KIT StyX EK Payload Cookie (exploit_kit.rules)
2018698 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2018866 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2018987 - ET EXPLOIT_KIT Sweet Orange EK Thread Specific Java Exploit (exploit_kit.rules)
2019395 - ET MALWARE Possible SandWorm INF Download (malware.rules)
2019550 - ET MALWARE Sofacy HTTP Request checkwinframe.com (malware.rules)
2021258 - ET WEB_CLIENT Fake AV Phone Scam Landing June 11 2015 M3 (web_client.rules)
2021975 - ET WEB_CLIENT Fake Virus Phone Scam Landing Oct 19 M5 (web_client.rules)
2022417 - ET MALWARE Scarlet Mimic DNS Lookup 7 (malware.rules)
2023269 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Qadars MITM) (malware.rules)
2100197 - GPL ICMP undefined code (icmp.rules)
2101838 - GPL EXPLOIT SSH server banner overflow (exploit.rules)
2800846 - ETPRO MALWARE Worm.Win32.Faketube Activity (update request) (malware.rules)
2801276 - ETPRO EXPLOIT HP OpenView Network Node Manager nnmRptConfig.exe nameParams text1 Buffer Overflow (exploit.rules)
2801281 - ETPRO EXPLOIT NetSupport Manager Client Buffer Overflow Relative (exploit.rules)
2803228 - ETPRO CHAT mig33 Server Registered OK (chat.rules)
2803385 - ETPRO EXPLOIT Sybase Open Server Null Byte Stack Memory Corruption (exploit.rules)
2804127 - ETPRO MALWARE Trojan.Autoit.F Checkin (malware.rules)
2804301 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QOM Checkin (malware.rules)
2804961 - ETPRO MALWARE W32/Karagany.TK Checkin (malware.rules)
2805382 - ETPRO MALWARE Trojan-Dropper.Win32.Daws.atjm Checkin (malware.rules)
2805701 - ETPRO MALWARE Win32/Phintok.A Checkin 1 (malware.rules)
2807643 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0273) (web_client.rules)
2807644 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0274) (web_client.rules)
2808889 - ETPRO MOBILE_MALWARE Backdoor.AndroidOS.Masnu.a Checkin (mobile_malware.rules)
2808890 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.CH Checkin (mobile_malware.rules)
2809488 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
2809489 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
2814652 - ETPRO EXPLOIT_KIT Magnitude EK Landing Oct 27 2015 (exploit_kit.rules)
2814848 - ETPRO EXPLOIT_KIT Magnitude EK Landing Nov 10 2015 M1 (exploit_kit.rules)
2816162 - ETPRO MALWARE Possible Ironhalo Receiving Encoded Payload M2 (malware.rules)
2816758 - ETPRO MALWARE Ursnif Injects Domain in SSL Client Hello (malware.rules)
2819648 - ETPRO EXPLOIT_KIT SunDown/Xer Payload (URL Primer) (exploit_kit.rules)
2819928 - ETPRO MOBILE_MALWARE Android.Trojan.InfoStealer.CH Checkin (mobile_malware.rules)
2820563 - ETPRO EXPLOIT_KIT Magnitude EK Landing Jun 10 2016 (exploit_kit.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/05/13 - v10926 Ruleset Updates	175	May 13, 2025
Ruleset Update Summary - 2025/03/20 - v10887 Ruleset Updates	105	March 20, 2025
Ruleset Update Summary - 2025/03/11 - v10876 Ruleset Updates	140	March 11, 2025
Ruleset Update Summary - 2025/10/15 - v11040 Ruleset Updates	67	October 15, 2025
Ruleset Update Summary - 2025/09/25 - v11024 Ruleset Updates	90	September 25, 2025

Ruleset Update Summary - 2025/10/16 - v11041

Summary:

Added rules:

Open:

Modified inactive rules:

Related topics