Ruleset Update Summary - 2025/10/20 - v11043

Ruleset Updates
1

Summary:

0 new OPEN, 0 new PRO (0 + 0)

Thanks @Jasonish

This out-of-band release is intended to fix a PCRE compilation error for ETPRO rule 2864929 reported to be causing problems with Suricata 8.0.1 customers.

Modified inactive rules:

  • 2000010 - ET DOS Cisco 514 UDP flood DoS (dos.rules)
  • 2001947 - ET ADWARE_PUP Zenotecnico Adware (adware_pup.rules)
  • 2002089 - ET ADWARE_PUP CWS qck.cc Spyware Installer (in.php) (adware_pup.rules)
  • 2002158 - ET WEB_SERVER XML-RPC for PHP Remote Code Injection (web_server.rules)
  • 2002702 - ET WEB_SPECIFIC_APPS OSTicket Remote Code Execution Attempt (web_specific_apps.rules)
  • 2002934 - ET POLICY libwww-perl User Agent (policy.rules)
  • 2002964 - ET MALWARE Generic Spyware Update Download (malware.rules)
  • 2003196 - ET EXPLOIT FTP .message file write (exploit.rules)
  • 2003197 - ET EXPLOIT ProFTPD .message file overflow attempt (exploit.rules)
  • 2003354 - ET ADWARE_PUP Yourscreen.com Spyware Download (adware_pup.rules)
  • 2003385 - ET USER_AGENTS sgrunt Dialer User Agent (sgrunt) (user_agents.rules)
  • 2003417 - ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity (adware_pup.rules)
  • 2003418 - ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 2 (adware_pup.rules)
  • 2003419 - ET ADWARE_PUP CNSMIN (3721.com) Spyware Activity 3 (adware_pup.rules)
  • 2003549 - ET MALWARE Bandook v1.2 Initial Connection and Report (malware.rules)
  • 2003550 - ET MALWARE Bandook v1.2 Get Processes (malware.rules)
  • 2003678 - ET WEB_SPECIFIC_APPS Tropicalm Remote Inclusion Attempt – dosearch.php RESPATH (web_specific_apps.rules)
  • 2003687 - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt – payflow_pro.php abs_path (web_specific_apps.rules)
  • 2003688 - ET WEB_SPECIFIC_APPS TurnKeyWebTools Remote Inclusion Attempt – global.php abs_path (web_specific_apps.rules)
  • 2003897 - ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whstart.js (web_specific_apps.rules)
  • 2003898 - ET WEB_SPECIFIC_APPS Adobe RoboHelp XSS Attempt whcsh_home.htm (web_specific_apps.rules)
  • 2006386 - ET ADWARE_PUP Deepdo.com Toolbar/Spyware User Agent (DeepdoUpdate) (adware_pup.rules)
  • 2007786 - ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (PCDoc11) (adware_pup.rules)
  • 2007804 - ET ADWARE_PUP PCDoc.co.kr Fake AV User-Agent (mypcdoctor) (adware_pup.rules)
  • 2008457 - ET ADWARE_PUP Deepdo Toolbar User-Agent (FavUpdate) (adware_pup.rules)
  • 2008531 - ET MALWARE Infected System Looking up chr.santa-inbox.com CnC Server (malware.rules)
  • 2010648 - ET MALWARE Lethic Spambot CnC Connect Command (malware.rules)
  • 2010649 - ET MALWARE Lethic Spambot CnC Connect Command (port 25 specifically) (malware.rules)
  • 2010650 - ET MALWARE Lethic Spambot CnC Bot Command Confirmation (malware.rules)
  • 2010651 - ET MALWARE Lethic Spambot CnC Bot Transaction Relay (malware.rules)
  • 2012641 - ET ACTIVEX Sun Java Runtime New Plugin Docbase Buffer Overflow Attempt (activex.rules)
  • 2012780 - ET HUNTING Suspicious IAT SetKeyboardState - Can Be Used for Keylogging (hunting.rules)
  • 2012782 - ET MOBILE_MALWARE SymbOS SuperFairy.D StartUpdata.ini Missing File HTTP Request (mobile_malware.rules)
  • 2012783 - ET MOBILE_MALWARE SymbOS SuperFairy.D BackgroundUpdata.ini Missing File HTTP Request (mobile_malware.rules)
  • 2013024 - ET EXPLOIT_KIT Exploit kit mario.jar (exploit_kit.rules)
  • 2013025 - ET EXPLOIT_KIT Java/PDF Exploit kit from /Home/games/ initial landing (exploit_kit.rules)
  • 2013027 - ET EXPLOIT_KIT Java/PDF Exploit kit initial landing (exploit_kit.rules)
  • 2013165 - ET EXPLOIT 2Wire Password Reset Vulnerability via GET (exploit.rules)
  • 2013166 - ET EXPLOIT 2Wire Password Reset Vulnerability via POST (exploit.rules)
  • 2013493 - ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.be (malware.rules)
  • 2013494 - ET MALWARE DNS query for Morto RDP worm related domain qfsl.co.cc (malware.rules)
  • 2013496 - ET MALWARE DNS query for Morto RDP worm related domain jifr.co.be (malware.rules)
  • 2013775 - ET EXPLOIT_KIT Saturn Exploit Kit binary download request (exploit_kit.rules)
  • 2013776 - ET EXPLOIT_KIT Saturn Exploit Kit probable Java exploit request (exploit_kit.rules)
  • 2014216 - ET RETIRED Delf/Troxen/Zema controller responding to client (retired.rules)
  • 2014307 - ET MALWARE W32/SelfStarterInternet.InfoStealer Checkin (malware.rules)
  • 2014805 - ET MALWARE Unknown java_ara Bin Download (malware.rules)
  • 2015888 - ET EXPLOIT_KIT Magnitude EK (formerly Popads) Java Exploit Kit 32 byte hex with trailing digit java payload request (exploit_kit.rules)
  • 2016393 - ET EXPLOIT_KIT Impact Exploit Kit Landing Page (exploit_kit.rules)
  • 2016450 - ET MALWARE Backdoor.Win32/Likseput.A Checkin (malware.rules)
  • 2016830 - ET WEB_CLIENT Injection - var j=0 (web_client.rules)
  • 2016831 - ET EXPLOIT_KIT CVE-2013-2423 IVKM PoC Seen in Unknown EK (exploit_kit.rules)
  • 2016832 - ET EXPLOIT_KIT HellSpawn EK Requesting Jar (exploit_kit.rules)
  • 2016833 - ET EXPLOIT_KIT IE HTML+TIME ANIMATECOLOR with eval as seen in unknown EK (exploit_kit.rules)
  • 2018235 - ET EXPLOIT CritX/SafePack/FlashPack CVE-2013-2551 (exploit.rules)
  • 2018236 - ET WEB_CLIENT CritX/SafePack/FlashPack SilverLight Secondary Landing (web_client.rules)
  • 2018237 - ET CURRENT_EVENTS CritX/SafePack/FlashPack SilverLight file as eot (current_events.rules)
  • 2018701 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (malware.rules)
  • 2018702 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak MITM) (malware.rules)
  • 2018703 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018704 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018989 - ET EXPLOIT_KIT Unknown Malvertising EK Landing URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2018990 - ET EXPLOIT_KIT Unknown Malvertising EK Payload URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2018991 - ET EXPLOIT_KIT Unknown Malvertising EK Silverlight URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2018992 - ET EXPLOIT_KIT Unknown Malvertising EK Flash URI Sruct Aug 22 2014 (exploit_kit.rules)
  • 2019243 - ET MALWARE Infostealer.Boleteiro checking stolen boleto payment information (malware.rules)
  • 2019398 - ET MALWARE Possible SandWorm INF Download (SMB) (malware.rules)
  • 2019399 - ET MALWARE Possible SandWorm INF Download (SMB UNICODE) (malware.rules)
  • 2019551 - ET MALWARE Sofacy HTTP Request check-fix.com (malware.rules)
  • 2019570 - ET MALWARE Sofacy DNS Lookup hotfix-update.com (malware.rules)
  • 2020885 - ET MALWARE Kriptovor Retrieving RAR Payload (malware.rules)
  • 2020952 - ET MALWARE CryptoLocker .onion Proxy Domain (pf3tlgkpks7pu7yr) (malware.rules)
  • 2020953 - ET MALWARE CryptoLocker .onion Proxy Domain (v7lfogalalzc2c4d) (malware.rules)
  • 2021041 - ET MALWARE Teerac/CryptoFortress .onion Proxy Domain (cld7vqwcvn2bii67) (malware.rules)
  • 2021181 - ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M1 (web_client.rules)
  • 2021182 - ET WEB_CLIENT Fake AV Phone Scam Landing June 4 2015 M2 (web_client.rules)
  • 2021767 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2021769 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2022420 - ET MALWARE Scarlet Mimic DNS Lookup 10 (malware.rules)
  • 2022421 - ET MALWARE Scarlet Mimic DNS Lookup 11 (malware.rules)
  • 2022422 - ET MALWARE Scarlet Mimic DNS Lookup 12 (malware.rules)
  • 2022423 - ET MALWARE Scarlet Mimic DNS Lookup 13 (malware.rules)
  • 2100315 - GPL EXPLOIT x86 Linux mountd overflow (exploit.rules)
  • 2103094 - GPL NETBIOS SMB-DS llsrpc create tree attempt (netbios.rules)
  • 2800374 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Request (netbios.rules)
  • 2800375 - ETPRO NETBIOS Microsoft Windows Internet Printing Service Integer Overflow (netbios.rules)
  • 2800376 - ETPRO NETBIOS Microsoft Windows SMB Search Request Buffer Overflow 1 (netbios.rules)
  • 2800377 - ETPRO NETBIOS Microsoft Windows SMB Search Request Buffer Overflow 2 (netbios.rules)
  • 2800379 - ETPRO EXPLOIT Sun Solstice AdminSuite sadmind service adm_build_path Buffer Overflow high ports (exploit.rules)
  • 2800685 - ETPRO EXPLOIT Sun Directory Server LDAP Denial of Service (exploit.rules)
  • 2800686 - ETPRO EXPLOIT Sun Directory Server LDAP Denial of Service or Known Exploit Trigger (exploit.rules)
  • 2800839 - ETPRO EXPLOIT HP Data Protector Express DtbClsLogin Stack Buffer Overflow (exploit.rules)
  • 2800842 - ETPRO EXPLOIT IBM Rational Quality Manager and Test Lab Manager Policy Bypass (exploit.rules)
  • 2801379 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 1 (exploit.rules)
  • 2801380 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 2 (exploit.rules)
  • 2801381 - ETPRO EXPLOIT Novell ZENworks Configuration Management TFTPD Remote Code Execution 3 (exploit.rules)
  • 2803389 - ETPRO MALWARE Backdoor.Agent.AAXM Checkin (malware.rules)
  • 2803862 - ETPRO MALWARE Win32/Tiptuf.A Checkin (malware.rules)
  • 2803863 - ETPRO MALWARE Win32/Yabinder.2_0 User-Agent (Sekreter) (malware.rules)
  • 2804744 - ETPRO MALWARE Win32/Alureon.V exe download 1 (malware.rules)
  • 2804839 - ETPRO MALWARE Trojan-Dropper.Win32.Injector.dvnk Checkin - SET (malware.rules)
  • 2804964 - ETPRO MALWARE Win32.Nitol.B/Ahea.gen Checkin (malware.rules)
  • 2805388 - ETPRO MALWARE Win32/FakePlus Checkin (malware.rules)
  • 2805541 - ETPRO SQL MSSQL Reporting Services XSS (sql.rules)
  • 2805542 - ETPRO MALWARE W32/Autorun.worm.zf.gen Checkin (malware.rules)
  • 2805543 - ETPRO MALWARE Trojan.KillFiles.9696 Checkin (malware.rules)
  • 2805996 - ETPRO MALWARE Trojan-PWS.Banker6 sending info via SMTP (malware.rules)
  • 2806097 - ETPRO MALWARE Sinowal/Torpig checkin (malware.rules)
  • 2806208 - ETPRO MOBILE_MALWARE Android.Uracto Checkin (mobile_malware.rules)
  • 2807011 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.u Checkin (mobile_malware.rules)
  • 2807647 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 1 (web_client.rules)
  • 2807648 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 2 (web_client.rules)
  • 2807649 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0276) 3 (web_client.rules)
  • 2807650 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0277) 1 (web_client.rules)
  • 2808742 - ETPRO MALWARE Win32.Darpa Checkin (malware.rules)
  • 2809491 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809492 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809493 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809494 - ETPRO DOS MS RADIUS DoS Vulnerability CVE-2015-0015 (dos.rules)
  • 2809604 - ETPRO MOBILE_MALWARE Android/FakeTimer.B Checkin (mobile_malware.rules)
  • 2812519 - ETPRO MALWARE Vaultlock/BitCryptor CnC Status Update (malware.rules)
  • 2814430 - ETPRO MOBILE_MALWARE Android.Trojan.HiddenApp.BY Checkin (mobile_malware.rules)
  • 2814431 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmsThief.ay Checkin (mobile_malware.rules)
  • 2815023 - ETPRO ADWARE_PUP Win32/Adware.RVplatform PUP Checkin (adware_pup.rules)
  • 2815184 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.SmForw.ff Checkin 4 (mobile_malware.rules)
  • 2815385 - ETPRO MALWARE TeslaCrypt/AlphaCrypt Payment DNS Lookup (malware.rules)
  • 2815579 - ETPRO MALWARE Possible NanoLocker Connectivity Check (malware.rules)
  • 2815794 - ETPRO EXPLOIT_KIT Possible EK SSL Redir DNS Lookup (exploit_kit.rules)
  • 2815795 - ETPRO EXPLOIT_KIT Possible EK SSL Redir DNS Lookup (exploit_kit.rules)
  • 2816167 - ETPRO MOBILE_MALWARE Trojan-Downloader.AndroidOS.Kloncer.a Checkin (mobile_malware.rules)
  • 2820789 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif Injects) (malware.rules)
  • 2820790 - ETPRO MALWARE Malicious SSL certificate detected (Gootkit Injects) (malware.rules)