Ruleset Update Summary - 2025/10/30 - v11052

rulesbot · October 30, 2025, 8:48pm

Summary:

44 new OPEN, 68 new PRO (44 + 24)

Please be aware that Friday, 31 October is a Proofpoint company holiday. As such, there will be no daily ruleset update tomorrow. The next daily ruleset update will be on Monday, 3 November.

Added rules:

Open:

2065569 - ET WEB_SPECIFIC_APPS Atlassian Confluence Server-Side Request Forgery (CVE-2021-26072) (web_specific_apps.rules)
2065570 - ET WEB_SPECIFIC_APPS IPFire fwhosts.cgi COUNTRY_CODE Parameter Cross Site Scripting Attempt (CVE-2025-34301) (web_specific_apps.rules)
2065571 - ET WEB_SPECIFIC_APPS IPFire fwhosts.cgi PROT Parameter Cross Site Scripting Attempt (CVE-2025-34302) (web_specific_apps.rules)
2065572 - ET WEB_SPECIFIC_APPS IPFire ids.cgi IGNORE_ENTRY_REMARK Parameter Cross Site Scripting Attempt (CVE-2025-34303) (web_specific_apps.rules)
2065573 - ET WEB_SPECIFIC_APPS IPFire ovpnclients.dat CONNECTION_NAME Parameter SQL Injection Attempt (CVE-2025-34304) (web_specific_apps.rules)
2065574 - ET WEB_SPECIFIC_APPS IPFire weakeonlan.cgi CLIENT_COMMENT Parameter Cross Site Scripting Attempt (CVE-2025-34305) (web_specific_apps.rules)
2065575 - ET WEB_SPECIFIC_APPS IPFire dhcp.cgi Multiple Parameters Cross Site Scripting Attempt (CVE-2025-34305) (web_specific_apps.rules)
2065576 - ET WEB_SPECIFIC_APPS IPFire connscheduler.cgi ACTION_COMMENT Parameter Cross Site Scripting Attempt (CVE-2025-34305) (web_specific_apps.rules)
2065577 - ET WEB_SPECIFIC_APPS IPFire dnsforward.cgi REMARK Parameter Cross Site Scripting Attempt (CVE-2025-34305) (web_specific_apps.rules)
2065578 - ET WEB_SPECIFIC_APPS IPFire vpnmain.cgi REMARK Parameter Cross Site Scripting Attempt (CVE-2025-34305) (web_specific_apps.rules)
2065579 - ET WEB_SPECIFIC_APPS IPFire dns.cgi REMARK Parameter Cross Site Scripting Attempt (CVE-2025-34305) (web_specific_apps.rules)
2065580 - ET WEB_SPECIFIC_APPS IPFire firewalllogip.dat pienumber Parameter Cross Site Scripting Attempt (CVE-2025-34306) (web_specific_apps.rules)
2065581 - ET INFO DYNAMIC_DNS Query to a *.itafricagroup .com domain (info.rules)
2065582 - ET INFO DYNAMIC_DNS HTTP Request to a *.itafricagroup .com domain (info.rules)
2065583 - ET WEB_SPECIFIC_APPS IPFire firewalllogip.dat pienumber Parameter Cross Site Scripting Attempt (CVE-2025-34307) (web_specific_apps.rules)
2065584 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (caddov .mom) (malware.rules)
2065585 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (caddov .mom) in TLS SNI (malware.rules)
2065586 - ET WEB_SPECIFIC_APPS IPFire time.cgi UPDATE_VALUE Parameter Cross Site Scripting Attempt (CVE-2025-34308) (web_specific_apps.rules)
2065587 - ET WEB_SPECIFIC_APPS IPFire ddns.cgi Multiple Parameters Cross Site Scripting Attempt (CVE-2025-34309) (web_specific_apps.rules)
2065588 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (fellsminjs .com) (exploit_kit.rules)
2065589 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (fellsminjs .com) (exploit_kit.rules)
2065590 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (bedenefuneralhome .com) (malware.rules)
2065591 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (bedenefuneralhome .com) (malware.rules)
2065592 - ET WEB_SPECIFIC_APPS IPFire qos.cgi Multiple Parameters Cross Site Scripting Attempt (CVE-2025-34310) (web_specific_apps.rules)
2065593 - ET HUNTING WASM RWX Page Memory Allocation - Common Shellcode Precursor (hunting.rules)
2065594 - ET WEB_SPECIFIC_APPS IPFire calamaris.dat Multiple Parameters Command Injection Attempt (CVE-2025-34311) (web_specific_apps.rules)
2065595 - ET EXPLOIT Chrome V8 Shellcode Inject Attempt (exploit.rules)
2065596 - ET WEB_SPECIFIC_APPS IPFire urlfilter.cgi BE_NAME Parameter Command Injection Attempt (CVE-2025-34312) (web_specific_apps.rules)
2065597 - ET MALWARE Observed DNS Query to Malicious Domain (redirect-workspace .com) (malware.rules)
2065598 - ET MALWARE Observed DNS Query to Malicious Domain (docs-workspace .live) (malware.rules)
2065599 - ET MALWARE Observed DNS Query to Malicious Domain (linkeedservice .com) (malware.rules)
2065600 - ET MALWARE Observed DNS Query to Malicious Domain (form-space .org) (malware.rules)
2065601 - ET MALWARE Observed Malicious Domain (redirect-workspace .com in TLS SNI) (malware.rules)
2065602 - ET WEB_SPECIFIC_APPS IPFire urlfilter.cgi QUOTA_USERS Parameter Cross Site Scripting Attempt (CVE-2025-34313) (web_specific_apps.rules)
2065603 - ET MALWARE Observed Malicious Domain (docs-workspace .live in TLS SNI) (malware.rules)
2065604 - ET MALWARE Observed Malicious Domain (linkeedservice .com in TLS SNI) (malware.rules)
2065605 - ET MALWARE Observed Malicious Domain (form-space .org in TLS SNI) (malware.rules)
2065606 - ET WEB_SPECIFIC_APPS IPFire urlfilter.cgi Multiple Parameters Cross Site Scripting Attempt (CVE-2025-34314) (web_specific_apps.rules)
2065607 - ET WEB_SPECIFIC_APPS IPFire config.dat REMOTELOG_ADDR Parameter Cross Site Scripting Attempt (CVE-2025-34315) (web_specific_apps.rules)
2065608 - ET WEB_SPECIFIC_APPS IPFire mail.cgi Multiple Parameters Cross Site Scripting Attempt (CVE-2025-34316) (web_specific_apps.rules)
2065609 - ET WEB_SPECIFIC_APPS IPFire dns.cgi TLS_HOSTNAME Parameter Cross Site Scripting Attempt (CVE-2025-34317) (web_specific_apps.rules)
2065610 - ET MALWARE TA398 Domain in DNS Lookup (intelupates .com) (malware.rules)
2065611 - ET MALWARE TA398 Domain in TLS SNI (intelupates .com) (malware.rules)
2065612 - ET WEB_SPECIFIC_APPS IPFire proxy.cgi Multiple Parameters Cross Site Scripting Attempt (CVE-2025-34318) (web_specific_apps.rules)

Pro:

2865019 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2865020 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865021 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865022 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2865023 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
2865024 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2865025 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
2865026 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2865027 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
2865028 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2865029 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2865030 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
2865031 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2865032 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2865033 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865034 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2865035 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2865036 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2865037 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2865038 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2865039 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
2865040 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
2865041 - ETPRO MALWARE TA398 Domain in DNS Lookup (malware.rules)
2865042 - ETPRO MALWARE TA398 Domain in TLS SNI (malware.rules)

Modified inactive rules:

2001033 - ET ADWARE_PUP Casino on Net Data Download (adware_pup.rules)
2002853 - ET DOS FreeBSD NFS RPC Kernel Panic (dos.rules)
2003561 - ET MALWARE Bandook v1.35 Window List Reply (malware.rules)
2003747 - ET WEB_SPECIFIC_APPS gnuedu Remote Inclusion Attempt – lom.php ETCDIR (web_specific_apps.rules)
2007917 - ET MALWARE Dropper-497 (Yumato) Initial Checkin (malware.rules)
2008608 - ET USER_AGENTS WinFixer Trojan Related User-Agent (ElectroSun) (user_agents.rules)
2008681 - ET ADWARE_PUP iframebiz - /qwertyuiyw12ertyuytre/adv***.php (adware_pup.rules)
2009466 - ET WEB_SPECIFIC_APPS Recly Competitions Component add.php GLOBALS Parameter Remote File Inclusion (web_specific_apps.rules)
2010267 - ET MALWARE Sinowal/Torpig Checkin (malware.rules)
2012646 - ET MALWARE Malicious JAR olig (malware.rules)
2013900 - ET MALWARE W32/Yaq Checkin (malware.rules)
2014633 - ET WEB_SPECIFIC_APPS phpMyAdmin setup.php Remote File inclusion Attempt (CVE-2010-3055) (web_specific_apps.rules)
2014950 - ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt (web_specific_apps.rules)
2016717 - ET EXPLOIT_KIT BHEK ff.php iframe inbound (exploit_kit.rules)
2017101 - ET EXPLOIT_KIT /Styx EK - /jovf.html (exploit_kit.rules)
2017995 - ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 1 (exploit_kit.rules)
2018242 - ET MALWARE Possible Zeus GameOver Connectivity Check (malware.rules)
2018874 - ET MALWARE Tor based locker .onion Proxy DNS lookup July 31 2014 (malware.rules)
2019251 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 8 (web_server.rules)
2019555 - ET MALWARE Sofacy HTTP Request scanmalware.info (malware.rules)
2019711 - ET MALWARE W32Autorun.worm.aaeh Checkin (malware.rules)
2019712 - ET MALWARE W32/Keylogger.CI Checkin (malware.rules)
2020049 - ET MALWARE TorrentLocker DNS Lookup (it-newsblog.ru) (malware.rules)
2020735 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Ransomware CnC) (malware.rules)
2100394 - GPL ICMP_INFO Destination Unreachable Destination Host Unknown (icmp_info.rules)
2102336 - GPL TFTP NULL command attempt (tftp.rules)
2800134 - ETPRO EXPLOIT Trend Micro ServerProtect RPC RPCFN_CMON_SetSvcImpersonateUser Buffer Overflow 2 (exploit.rules)
2801169 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 33) Date Change Attempt (scada_special.rules)
2801290 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 2 (worm.rules)
2802109 - ETPRO EXPLOIT CA Total Defense Suite UNCWS getDBConfigSettings Credential Information Disclosure (exploit.rules)
2803238 - ETPRO MALWARE Trojan.Win32.Agent.dhy Checkin (malware.rules)
2803710 - ETPRO MALWARE Trojan-Downloader.Win32.Diple.A Checkin 2 (malware.rules)
2804472 - ETPRO MALWARE Trojan.Crypt.Delf.AH Checkin (malware.rules)
2804637 - ETPRO INFO DNS Query to a *.coom .in Abused DNS Domain (info.rules)
2805259 - ETPRO MALWARE Win32/Zegost.AD CnC Traffic 2 (malware.rules)
2805398 - ETPRO MALWARE Trojan.Heur.hm0@fjz6PkS Checkin (malware.rules)
2805717 - ETPRO WEB_CLIENT Microsoft Internet Explorer CTreeNode Use After Free (web_client.rules)
2806001 - ETPRO MALWARE Win32/Tepv.A CnC Credentials Returned (malware.rules)
2807934 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1752) (web_client.rules)
2809869 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.ep Checkin (mobile_malware.rules)
2820577 - ETPRO MALWARE TorrentLocker DNS query to Domain *.mybariton.com (malware.rules)
2823450 - ETPRO MALWARE Malicious SSL Certificate Detected (Vawtrak CnC) (malware.rules)
2825820 - ETPRO MOBILE_MALWARE Trojan-Banker.AndroidOS.Asacub.a Checkin 33 (mobile_malware.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/11/24 - v11069 Ruleset Updates	79	November 24, 2025
Ruleset Update Summary - 2025/10/21 - v11045 Ruleset Updates	100	October 21, 2025
Ruleset Update Summary - 2025/05/13 - v10926 Ruleset Updates	179	May 13, 2025
Ruleset Update Summary - 2024/12/17 - v10809 Ruleset Updates	106	December 17, 2024
Ruleset Update Summary - 2025/11/10 - v11059 Ruleset Updates	70	November 10, 2025