Ruleset Update Summary - 2025/11/03 - v11054

Ruleset Updates
1

Summary:

16 new OPEN, 32 new PRO (16 + 16)

Added rules:

Open:

  • 2065621 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (guiasexo .com) (exploit_kit.rules)
  • 2065622 - ET EXPLOIT_KIT LandUpdate808 Domain (guiasexo .com) in TLS SNI (exploit_kit.rules)
  • 2065623 - ET MALWARE Win32/IcedID CnC Domain in DNS Lookup (ewyersbetter .com) (malware.rules)
  • 2065624 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (anunnbj .lat) (malware.rules)
  • 2065625 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (anunnbj .lat) in TLS SNI (malware.rules)
  • 2065626 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dotauan .pro) (exploit_kit.rules)
  • 2065627 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dotauan .pro) (exploit_kit.rules)
  • 2065628 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (graffetti .com) (exploit_kit.rules)
  • 2065629 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (graffetti .com) (exploit_kit.rules)
  • 2065630 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (plesk .breeconsulting .net) (malware.rules)
  • 2065631 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (plesk .breeconsulting .net) (malware.rules)
  • 2065632 - ET WEB_SPECIFIC_APPS Tenda DatabaseiniSet Time Parameter Buffer Overflow Attempt (CVE-2025-12618) (web_specific_apps.rules)
  • 2065633 - ET WEB_SPECIFIC_APPS Tenda openNetworkGateway wpapsk_crypto2_4g Parameter Buffer Overflow Attempt (CVE-2025-12619) (web_specific_apps.rules)
  • 2065634 - ET WEB_SPECIFIC_APPS Tenda SysRunCmd getui Parameter Buffer Overflow Attempt (CVE-2025-12622) (web_specific_apps.rules)
  • 2065635 - ET WEB_SPECIFIC_APPS Wavlink login.cgi pagelogin Parameter Buffer Overflow Attempt (CVE-2025-61128) (web_specific_apps.rules)
  • 2065636 - ET WEB_SPECIFIC_APPS Guetebruck param.cgi group Parameter SQL Injection Attempt (CVE-2025-12463) (web_specific_apps.rules)

Pro:

  • 2865043 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865044 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865045 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865046 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865047 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865048 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865049 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865050 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865051 - ETPRO MALWARE UNK_FreeGems CnC Exfil (POST) (malware.rules)
  • 2865052 - ETPRO MALWARE Observed DNS Query to UNK_FreeGems Compromised Domain (malware.rules)
  • 2865053 - ETPRO MALWARE Observed UNK_FreeGems Compromised Domain in TLS SNI (malware.rules)
  • 2865054 - ETPRO MALWARE TA398 CurlBack_RAT CnC Activity - Register Client (malware.rules)
  • 2865055 - ETPRO MALWARE TA398 CurlBack_RAT CnC Activity - Register Client Response (malware.rules)
  • 2865056 - ETPRO MALWARE TA398 CurlBack_RAT CnC Activity - Fetch Commands (malware.rules)
  • 2865057 - ETPRO MALWARE TA398 CurlBack_RAT CnC Activity - Fetch Commands Reponse (malware.rules)
  • 2865058 - ETPRO MALWARE TA398 CurlBack_RAT CnC Activity - Checkin (malware.rules)

Modified inactive rules:

  • 2000044 - ET POLICY Yahoo Mail Message Send (policy.rules)
  • 2000341 - ET POLICY Yahoo Mail General Page View (policy.rules)
  • 2000601 - ET ADWARE_PUP Salongas Infection (adware_pup.rules)
  • 2001224 - ET ADWARE_PUP Regnow.com Gamehouse.com Access (adware_pup.rules)
  • 2001241 - ET CHAT MSN file transfer request (chat.rules)
  • 2001242 - ET CHAT MSN file transfer accept (chat.rules)
  • 2001243 - ET CHAT MSN file transfer reject (chat.rules)
  • 2002843 - ET DOS Microsoft Streaming Server Malformed Request (dos.rules)
  • 2003358 - ET ADWARE_PUP Catchonlife.com Spyware (adware_pup.rules)
  • 2003451 - ET ADWARE_PUP K8l.info Spyware Activity (adware_pup.rules)
  • 2003475 - ET P2P ABC Torrent User-Agent (ABC/ABC-3.1.0) (p2p.rules)
  • 2003562 - ET MALWARE Bandook v1.35 Get Processes Command Send (malware.rules)
  • 2003563 - ET MALWARE Bandook v1.35 Start Socks5 Proxy Command Send (malware.rules)
  • 2003564 - ET MALWARE Bandook v1.35 Socks5 Proxy Start Command Reply (malware.rules)
  • 2003565 - ET MALWARE Bandook v1.35 Get Processes Command Reply (malware.rules)
  • 2003888 - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt – browseCat.php catFile (web_specific_apps.rules)
  • 2003889 - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt – browseSubCat.php catFile (web_specific_apps.rules)
  • 2003890 - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt – openTutorial.php id (web_specific_apps.rules)
  • 2003891 - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt – topFrame.php id (web_specific_apps.rules)
  • 2007918 - ET MALWARE Dropper-497 (Yumato) System Stats Report (malware.rules)
  • 2007919 - ET MALWARE Dropper-497 Yumato Reply from server (malware.rules)
  • 2008130 - ET MALWARE Win32.Lydra.hj HTTP Checkin (malware.rules)
  • 2008476 - ET EXPLOIT Foofus.net Password dumping dll injection (exploit.rules)
  • 2008660 - ET MALWARE Torpig Infection Reporting (malware.rules)
  • 2008839 - ET ADWARE_PUP AdWare.Win32.MWGuide checkin (adware_pup.rules)
  • 2009467 - ET WEB_SPECIFIC_APPS Recly Competitions Component competitions.php GLOBALS Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009468 - ET WEB_SPECIFIC_APPS Recly Competitions Component settings.php mosConfig_absolute_path Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2010823 - ET MALWARE Torpig Related Fake User-Agent (Apache (compatible…)) (malware.rules)
  • 2012045 - ET EXPLOIT VMware Tools Update OS Command Injection Attempt (exploit.rules)
  • 2012228 - ET ADWARE_PUP Suspicious Russian Content-Language Ru Which May Be Malware Related (adware_pup.rules)
  • 2012388 - ET MALWARE USPS SPAM Inbound possible spyeye trojan (malware.rules)
  • 2012389 - ET EXPLOIT_KIT Java Exploit Kit Success Check-in Executable Download Likely (exploit_kit.rules)
  • 2013901 - ET MALWARE Suspicious User Agent GeneralDownloadApplication (malware.rules)
  • 2013902 - ET MALWARE Win32.BlackControl Retrieving IP Information (malware.rules)
  • 2013903 - ET MALWARE Suspicious User Agent GetFile (malware.rules)
  • 2014810 - ET ADWARE_PUP Malicious pusk.exe download (adware_pup.rules)
  • 2016718 - ET EXPLOIT_KIT BHEK q.php iframe outbound (exploit_kit.rules)
  • 2016719 - ET EXPLOIT_KIT BHEK ff.php iframe outbound (exploit_kit.rules)
  • 2016721 - ET EXPLOIT_KIT Possible Sakura Jar Download (exploit_kit.rules)
  • 2016840 - ET EXPLOIT_KIT FlimKit Landing (exploit_kit.rules)
  • 2017102 - ET EXPLOIT_KIT /Styx EK - /jorg.html (exploit_kit.rules)
  • 2017755 - ET EXPLOIT_KIT Possible Goon EK Java Payload (exploit_kit.rules)
  • 2017882 - ET WEB_SERVER Apache Solr Arbitrary XSLT inclusion attack (CVE-2013-6397) (web_server.rules)
  • 2017996 - ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 2 (exploit_kit.rules)
  • 2017997 - ET EXPLOIT_KIT GoonEK Landing Jan 21 2013 SilverLight 3 (exploit_kit.rules)
  • 2018115 - ET MALWARE FTP File Upload - BlackPOS Naming Scheme (malware.rules)
  • 2018717 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (CryptoWall C2) (malware.rules)
  • 2018719 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018720 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Shylock C2) (malware.rules)
  • 2018876 - ET POLICY DNS Query to .onion proxy Domain (onion.cab) (policy.rules)
  • 2018877 - ET MALWARE Tor based locker knowledgewiki.info in SNI July 31 2014 (malware.rules)
  • 2018878 - ET POLICY tor4u tor2web .onion Proxy domain in SNI (policy.rules)
  • 2018995 - ET EXPLOIT_KIT Archie EK CVE-2014-0515 Aug 24 2014 (exploit_kit.rules)
  • 2018996 - ET EXPLOIT_KIT Archie EK CVE-2014-0497 Aug 24 2014 (exploit_kit.rules)
  • 2018997 - ET EXPLOIT_KIT Archie EK Secondary Landing Aug 24 2014 (exploit_kit.rules)
  • 2019252 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 9 (web_server.rules)
  • 2019253 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 10 (web_server.rules)
  • 2019254 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 11 (web_server.rules)
  • 2019255 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 12 (web_server.rules)
  • 2019400 - ET MALWARE Possible Bedep Connectivity Check (malware.rules)
  • 2019556 - ET MALWARE Sofacy HTTP Request secnetcontrol.com (malware.rules)
  • 2019887 - ET MALWARE Possible Dyre DGA NXDOMAIN Responses (.cn) (malware.rules)
  • 2020050 - ET MALWARE TorrentLocker DNS Lookup (js-static.ru) (malware.rules)
  • 2020051 - ET MALWARE TorrentLocker DNS Lookup (lagosadventures.com) (malware.rules)
  • 2020052 - ET MALWARE TorrentLocker DNS Lookup (lebanonwarrior.ru) (malware.rules)
  • 2020053 - ET MALWARE TorrentLocker DNS Lookup (nigerianbrothers.net) (malware.rules)
  • 2020323 - ET WEB_SERVER Heimdallbot Attack Tool Inbound (web_server.rules)
  • 2021320 - ET EXPLOIT_KIT KaiXin Secondary Landing Page June 22 2015 (exploit_kit.rules)
  • 2022438 - ET MALWARE Scarlet Mimic DNS Lookup 28 (malware.rules)
  • 2022891 - ET MALWARE Unknown Botnet Checkin (malware.rules)
  • 2023503 - ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain (malware.rules)
  • 2023504 - ET MALWARE XRatLocker/AiraCrop Ransomware Payment Domain (malware.rules)
  • 2023550 - ET MALWARE Malicious SSL Certificate Detected (Gootkit CnC) (malware.rules)
  • 2100395 - GPL ICMP_INFO Destination Unreachable Destination Network Unknown (icmp_info.rules)
  • 2100396 - GPL ICMP_INFO Destination Unreachable Fragmentation Needed and DF bit was set (icmp_info.rules)
  • 2100397 - GPL ICMP_INFO Destination Unreachable Host Precedence Violation (icmp_info.rules)
  • 2100398 - GPL ICMP_INFO Destination Unreachable Host Unreachable for Type of Service (icmp_info.rules)
  • 2100488 - GPL MISC Connection Closed MSG from Port 80 (misc.rules)
  • 2100519 - GPL TFTP parent directory (tftp.rules)
  • 2100520 - GPL TFTP root directory (tftp.rules)
  • 2100524 - GPL POLICY tcp port 0 traffic (policy.rules)
  • 2102159 - GPL MISC BGP invalid type 0 (misc.rules)
  • 2102178 - GPL FTP USER format string attempt (ftp.rules)
  • 2102343 - GPL FTP STOR overflow attempt (ftp.rules)
  • 2800135 - ETPRO EXPLOIT Trend Micro ServerProtect SPNT Engine RPC Buffer Overflows 1 (exploit.rules)
  • 2800136 - ETPRO EXPLOIT Trend Micro ServerProtect SPNT Engine RPC Buffer Overflows 2 (exploit.rules)
  • 2800137 - ETPRO EXPLOIT Trend Micro ServerProtect SPNT Engine RPC Buffer Overflows 3 (exploit.rules)
  • 2800138 - ETPRO EXPLOIT Trend Micro ServerProtect SPNT Engine RPC Buffer Overflows 4 (exploit.rules)
  • 2800391 - ETPRO MALWARE SRaT 1.6 Checkin (malware.rules)
  • 2800392 - ETPRO MALWARE SRaT 1.6 Server Response (malware.rules)
  • 2800700 - ETPRO EXPLOIT avast! Antivirus ACE File Handling Buffer Overflow (exploit.rules)
  • 2800701 - ETPRO EXPLOIT Nullsoft Winamp Midi File Header Handling Buffer Overflow (exploit.rules)
  • 2800702 - ETPRO EXPLOIT Nullsoft Winamp Midi File Header Handling Buffer Overflow (Published Exploit) (exploit.rules)
  • 2800854 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow ICC DL (exploit.rules)
  • 2800855 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow ICM DL (exploit.rules)
  • 2800856 - ETPRO EXPLOIT Oracle Java Runtime CMM readMabCurveData Buffer Overflow (exploit.rules)
  • 2800956 - ETPRO EXPLOIT HP Data Protector Manager MMD Service Stack Buffer Overflow (exploit.rules)
  • 2800957 - ETPRO ADWARE_PUP RogueSoftware.Win32.RClean User-Agent (adware_pup.rules)
  • 2801171 - ETPRO SCADA_SPECIAL SCHWEITZER (Event 24) View Device Status (scada_special.rules)
  • 2801291 - ETPRO WORM Worm.Win32.Slenfbot.G Checkin 3 (worm.rules)
  • 2802110 - ETPRO MALWARE Trojan.Win32.Banker.bgcp Checkin (malware.rules)
  • 2802111 - ETPRO MALWARE Trojan.Win32.TAvesto.A Checkin (malware.rules)
  • 2802112 - ETPRO MALWARE Worm.Win32.Autorun.BPT Checkin (malware.rules)
  • 2803245 - ETPRO MALWARE Win32.Geral.rco Checkin (malware.rules)
  • 2803403 - ETPRO WORM Worm.Win32.Autorun.hi Checkin - SET (worm.rules)
  • 2803404 - ETPRO WORM Worm.Win32.Autorun.hi Checkin (worm.rules)
  • 2803554 - ETPRO MALWARE Win32/Fosniw.B Dropper Checkin (malware.rules)
  • 2803555 - ETPRO MALWARE Trojan.Win32.Scar.dhnx Checkin off-ports (malware.rules)
  • 2803556 - ETPRO MALWARE Trojan.Win32.Scar.dhnx Checkin (malware.rules)
  • 2803711 - ETPRO MALWARE Trojan-Downloader.Win32.Diple.A Checkin 3 (malware.rules)
  • 2803712 - ETPRO MALWARE Backdoor.Win32.Qinubot.A Checkin 1 (malware.rules)
  • 2803713 - ETPRO MALWARE Backdoor.Win32.Qinubot.A Checkin 2 (malware.rules)
  • 2803870 - ETPRO ADWARE_PUP Adware/Win32.Gamevance.hfco Install (adware_pup.rules)
  • 2804474 - ETPRO MALWARE Win32/Spy.Banker.XBV Checkin (malware.rules)
  • 2804476 - ETPRO MALWARE Trojan.Win32.Jorik.Agent.ee Checkin (malware.rules)
  • 2804748 - ETPRO MALWARE W32/Banker.JGT Checkin 2 (malware.rules)
  • 2804749 - ETPRO MALWARE Win32/Shodi.G Checkin (malware.rules)
  • 2804750 - ETPRO MALWARE Backdoor.Win32.VB.hes Checkin (malware.rules)
  • 2804847 - ETPRO MALWARE Ransom.EJ/Winlock.5857 Checkin (malware.rules)
  • 2804848 - ETPRO MALWARE Trojan-Downloader.Win32.Adload.cfms Checkin (malware.rules)
  • 2804849 - ETPRO MALWARE Win32/Spy.Bancos.OMJ Checkin (malware.rules)
  • 2805088 - ETPRO MALWARE Trojan-Spy.Win32.Delf.adpb checkin (malware.rules)
  • 2805090 - ETPRO MALWARE Win32/Sality.AT Checkin 3 (malware.rules)
  • 2805261 - ETPRO MALWARE Trojan.Win32.Jorik.Yoddos.no .exe request (malware.rules)
  • 2805262 - ETPRO ADWARE_PUP Win32/Adware-ABW INSTALL (adware_pup.rules)
  • 2805399 - ETPRO MALWARE Win32/Rochap.A Checkin (malware.rules)
  • 2805400 - ETPRO MALWARE W32/Yakes.AP!tr Checkin (malware.rules)
  • 2806006 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0020) (web_client.rules)
  • 2806112 - ETPRO WEB_CLIENT Internet Explorer GetMarkUpPtr Use After free 1 (CVE-2013-0092) (web_client.rules)
  • 2806113 - ETPRO WEB_CLIENT CVE-2013-0092 GetMarkUpPtr Use After free 2 (web_client.rules)
  • 2806870 - ETPRO MALWARE Pift DNS TXT CnC response (malware.rules)
  • 2807133 - ETPRO ADWARE_PUP W32/Toolbar.WIDGI User-Agent(WidgiToolbar-) (adware_pup.rules)
  • 2807661 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 1 (CVE-2014-0290) (web_client.rules)
  • 2807662 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free 2 (CVE-2014-0290) (web_client.rules)
  • 2807935 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1753) (web_client.rules)
  • 2807936 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-1755) (web_client.rules)
  • 2808074 - ETPRO ADWARE_PUP AdWare.Win32.MMag.d Checkin (adware_pup.rules)
  • 2808752 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.MTK.e Checkin (mobile_malware.rules)
  • 2809206 - ETPRO MALWARE FakeMS.abms Checkin (malware.rules)
  • 2809509 - ETPRO MOBILE_MALWARE Android/AdDisplay.Frupi.A Checkin (mobile_malware.rules)
  • 2809870 - ETPRO MALWARE Chanitor .onion Proxy Domain (malware.rules)
  • 2809871 - ETPRO MALWARE Chanitor .onion Proxy Domain (malware.rules)
  • 2810363 - ETPRO EXPLOIT_KIT Malicious Redirect Leading to EK March 30 2015 (exploit_kit.rules)
  • 2811056 - ETPRO MALWARE Win32/Spy.POSCardStealer.N DNS Lookup (mail.rumpleskin.org) (malware.rules)
  • 2812207 - ETPRO MOBILE_MALWARE Android.Trojan.SMSSend.DN Checkin (mobile_malware.rules)
  • 2812373 - ETPRO MALWARE Win32/Injector.CGDU .onion Proxy Domain (malware.rules)
  • 2812377 - ETPRO MALWARE Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2814090 - ETPRO MOBILE_MALWARE Android/Locker.EW Checkin (mobile_malware.rules)
  • 2814668 - ETPRO MALWARE Malicious SSL certificate detected (Meterpreter) (malware.rules)
  • 2815037 - ETPRO MALWARE Ransomware/Poshcoder Onion Domain Lookup (malware.rules)
  • 2815589 - ETPRO MALWARE Sacto DNS Lookup (malware.rules)
  • 2816178 - ETPRO MALWARE Malicious SSL certificate detected (Backdoor.Mizzmo) (malware.rules)
  • 2816179 - ETPRO MALWARE Malicious SSL certificate detected (Backdoor.Mizzmo) (malware.rules)
  • 2816372 - ETPRO MALWARE Cryptolocker Variant .onion Proxy Domain (malware.rules)
  • 2816577 - ETPRO MALWARE Python.Ragua FTP Password 2 (malware.rules)
  • 2819945 - ETPRO MALWARE Win32/Bayrob Flowbit SET 1 (malware.rules)
  • 2819946 - ETPRO MALWARE Win32/Bayrob Flowbit SET 2 (malware.rules)
  • 2819947 - ETPRO MALWARE Win32/Bayrob Checkin (malware.rules)
  • 2820579 - ETPRO MALWARE iSpy Keylogger Exfil via FTP (malware.rules)
  • 2823451 - ETPRO MALWARE Malicious SSL Certificate Detected (Vawtrak CnC) (malware.rules)
  • 2825459 - ETPRO MALWARE ZLoader Malicious SSL Cert Observed (malware.rules)

Disabled and modified rules:

  • 2062502 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (www .alifsemi .com) (malware.rules)
  • 2062503 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (www .alifsemi .com) (malware.rules)