Ruleset Update Summary - 2025/10/29 - v11051

Ruleset Updates
1

Summary:

8 new OPEN, 9 new PRO (8 + 1)

Friday (10/31) is a team holiday and there will not be a release

Added rules:

Open:

  • 2065561 - ET INFO DYNAMIC_DNS Query to a *.3trust .com domain (info.rules)
  • 2065562 - ET INFO DYNAMIC_DNS HTTP Request to a *.3trust .com domain (info.rules)
  • 2065563 - ET MALWARE Amadey PowerShell Loader Inbound (malware.rules)
  • 2065564 - ET MALWARE SearchLoader CnC Beacon (malware.rules)
  • 2065565 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (polimakels .com) (exploit_kit.rules)
  • 2065566 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (polimakels .com) (exploit_kit.rules)
  • 2065567 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (varorg .com) (exploit_kit.rules)
  • 2065568 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (varorg .com) (exploit_kit.rules)

Pro:

  • 2865018 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2007644 - ET MALWARE Win32.Agent.cah Checkin Request (malware.rules)
  • 2013028 - ET POLICY curl User-Agent Outbound (policy.rules)
  • 2013781 - ET MALWARE Win32.Scar.dvov Searchstar.co.kr related Checkin (malware.rules)
  • 2014120 - ET ADWARE_PUP Win32/Eorezo-B Adware Checkin (adware_pup.rules)
  • 2014632 - ET MALWARE FireEye.STX RAT Checkin (malware.rules)
  • 2015547 - ET MALWARE Pakes2 - EXE Download Request (malware.rules)
  • 2016716 - ET EXPLOIT_KIT BHEK q.php iframe inbound (exploit_kit.rules)
  • 2016837 - ET MALWARE Alina Checkin (malware.rules)
  • 2017100 - ET EXPLOIT_KIT /Styx EK - /jlnp.html (exploit_kit.rules)
  • 2018873 - ET MALWARE Tor based locker Ransom Page (malware.rules)
  • 2019250 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 7 (web_server.rules)
  • 2021696 - ET EXPLOIT_KIT Possible TDS Redirecting to EK Aug 19 2015 (exploit_kit.rules)
  • 2100392 - GPL ICMP Datagram Conversion Error (icmp.rules)
  • 2101444 - GPL TFTP Get (tftp.rules)
  • 2800133 - ETPRO EXPLOIT Trend Micro ServerProtect RPC RPCFN_CMON_SetSvcImpersonateUser Buffer Overflow (exploit.rules)
  • 2800697 - ETPRO EXPLOIT Microsoft Word mso.dll LsCreateLine Memory Corruption (Published Exploit) (exploit.rules)
  • 2801289 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 1 (worm.rules)
  • 2801987 - ETPRO EXPLOIT_KIT Stage 3 Indicator Black Hole Exploit Kit dropper (exploit_kit.rules)
  • 2805397 - ETPRO MALWARE PWS.Win32/OnLineGames.KQ Checkin (malware.rules)
  • 2805551 - ETPRO MALWARE hanbi121b Checkin (malware.rules)
  • 2805716 - ETPRO MALWARE Win32.Doldow Trojan Checkin (malware.rules)
  • 2807372 - ETPRO MALWARE Win32/Dapato.L Requesting Data via MSSQL Off-Port (malware.rules)
  • 2807660 - ETPRO WEB_CLIENT Possible Microsoft Internet Explorer Use After free (CVE-2014-0289) (web_client.rules)
  • 2807933 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1751) (web_client.rules)
  • 2809868 - ETPRO MOBILE_MALWARE RiskTool.AndroidOS.SMSreg.gc Checkin (mobile_malware.rules)
  • 2816177 - ETPRO MALWARE W32/Nymaim Checkin 4 (malware.rules)