Ruleset Update Summary - 2025/11/05 - v11056

Ruleset Updates
1

Summary:

29 new OPEN, 29 new PRO (29 + 0)

Added rules:

Open:

  • 2065649 - ET MALWARE TA398 CurlBack_RAT CnC Activity - Fetch Commands M2 (malware.rules)
  • 2065650 - ET MALWARE TA398 CurlBack_RAT CnC Activity - Upload Results (malware.rules)
  • 2065651 - ET INFO Observed RMM Domain in DNS Lookup (meshcentral .com) (info.rules)
  • 2065652 - ET INFO Observed RMM Domain (meshcentral .com in TLS SNI) (info.rules)
  • 2065653 - ET WEB_SPECIFIC_APPS Cacti links.php Multiple Parameters Cross Site Scripting Attempt (CVE-2024-43362, CVE-2024-43364) (web_specific_apps.rules)
  • 2065654 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (forrbes .com) (exploit_kit.rules)
  • 2065655 - ET EXPLOIT_KIT LandUpdate808 Domain (forrbes .com) in TLS SNI (exploit_kit.rules)
  • 2065656 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (imf1 .com) (exploit_kit.rules)
  • 2065657 - ET EXPLOIT_KIT LandUpdate808 Domain (imf1 .com) in TLS SNI (exploit_kit.rules)
  • 2065658 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sanguen .courses) (malware.rules)
  • 2065659 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sanguen .courses) in TLS SNI (malware.rules)
  • 2065660 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (cronapiworkersvc .com) (malware.rules)
  • 2065661 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (taskrunnersrvmod .com) (malware.rules)
  • 2065662 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (buildtoolsrvcore .com) (malware.rules)
  • 2065663 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (parserapiprocess .com) (malware.rules)
  • 2065664 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (sessionstorexint .com) (malware.rules)
  • 2065665 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (cronapiworkersvc .com) (malware.rules)
  • 2065666 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (taskrunnersrvmod .com) (malware.rules)
  • 2065667 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (buildtoolsrvcore .com) (malware.rules)
  • 2065668 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (parserapiprocess .com) (malware.rules)
  • 2065669 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (sessionstorexint .com) (malware.rules)
  • 2065670 - ET PHISHING Tycoon 2FA Document Delivery Webpage (phishing.rules)
  • 2065671 - ET PHISHING Tycoon 2FA Fake Captcha Check (phishing.rules)
  • 2065672 - ET PHISHING GoPhish Credential Theft Landing Page (phishing.rules)
  • 2065673 - ET PHISHING Observed Tycoon 2FA Analysis Evasion (phishing.rules)
  • 2065674 - ET PHISHING Observed DNS Query to Phishing Domain (sdk .heawoofroo .digital) (phishing.rules)
  • 2065675 - ET PHISHING Observed DNS Query to Phishing Domain (serviciomarconi .cl) (phishing.rules)
  • 2065676 - ET PHISHING Observed Phishing Domain (sdk .heawoofroo .digital in TLS SNI) (phishing.rules)
  • 2065677 - ET PHISHING Observed Phishing Domain (serviciomarconi .cl in TLS SNI) (phishing.rules)

Modified inactive rules:

  • 2001050 - ET ADWARE_PUP CometSystems Spyware (adware_pup.rules)
  • 2001366 - ET DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt (dos.rules)
  • 2002192 - ET CHAT MSN status change (chat.rules)
  • 2002296 - ET ADWARE_PUP Searchfeed.com Spyware 1 (adware_pup.rules)
  • 2002913 - ET EXPLOIT VNC Client response (exploit.rules)
  • 2003873 - ET WEB_SPECIFIC_APPS Redoable XSS Attempt – header.php s (web_specific_apps.rules)
  • 2003893 - ET WEB_SPECIFIC_APPS TutorialCMS (Photoshop Tutorials) XSS Attempt – search.php search (web_specific_apps.rules)
  • 2003937 - ET MALWARE Bandook iwebho/BBB-phish trojan leaking user data (malware.rules)
  • 2007650 - ET MALWARE Mac Trojan HTTP Checkin (accept-language violation) (malware.rules)
  • 2008196 - ET MALWARE Dropper 6dzone.com Related Trojan (malware.rules)
  • 2008549 - ET ADWARE_PUP Systemdoctor.com/Antivir2008 related Fake Anti-Virus User-Agent (AntivirXP) (adware_pup.rules)
  • 2009869 - ET ACTIVEX Possible SmartVMD VideoMovement.dll Buffer Overflow Attempt (activex.rules)
  • 2012865 - ET MALWARE Vinself Backdoor Checkin (malware.rules)
  • 2013176 - ET EXPLOIT_KIT EgyPack Exploit Kit Post-Infection Request (exploit_kit.rules)
  • 2013905 - ET MALWARE Suspicious User Agent banderas (malware.rules)
  • 2015894 - ET MALWARE Unknown FakeAV - /get/*.crp (malware.rules)
  • 2017757 - ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 1 (exploit_kit.rules)
  • 2018722 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (Vawtrak C2) (malware.rules)
  • 2019257 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 14 (web_server.rules)
  • 2019558 - ET MALWARE Sofacy HTTP Request testservice24.net (malware.rules)
  • 2020055 - ET MALWARE TorrentLocker DNS Lookup (princeofnigeria.net) (malware.rules)
  • 2022065 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu) (malware.rules)
  • 2022272 - ET MALWARE Sakula DNS Lookup (mail.cbppnews.com) (malware.rules)
  • 2022440 - ET MALWARE Scarlet Mimic DNS Lookup 30 (malware.rules)
  • 2100400 - GPL ICMP_INFO Destination Unreachable Network Unreachable for Type of Service (icmp_info.rules)
  • 2101438 - GPL POLICY Windows Media Video download (policy.rules)
  • 2101504 - GPL POLICY AFS access (policy.rules)
  • 2102344 - GPL FTP XCWD overflow attempt (ftp.rules)
  • 2800140 - ETPRO EXPLOIT Trend Micro ServerProtect EarthAgent RPC RPCFN_CopyAUSrc Buffer Overflow 2 (exploit.rules)
  • 2800395 - ETPRO EXPLOIT Apple CUPS PNG Filter Overly Large Image Height Integer Overflow 2 (exploit.rules)
  • 2800960 - ETPRO EXPLOIT HP Data Protector OmniInet Service NULL Dereference Denial of Service (exploit.rules)
  • 2802988 - ETPRO NETBIOS Malformed Distributed File System (DFS) Response Attack (netbios.rules)
  • 2803239 - ETPRO MALWARE MimimiBot.f Checkin (malware.rules)
  • 2803716 - ETPRO EXPLOIT EMC AutoStart Error Logging Stack Buffer Overflow (exploit.rules)
  • 2804312 - ETPRO ADWARE_PUP NSIS.Adware-BC Install 2 (adware_pup.rules)
  • 2804752 - ETPRO MALWARE Trojan-Banker.Win32.Banker2.bwv Checkin (malware.rules)
  • 2805403 - ETPRO MALWARE Win32/Pift Drop/Checkin (malware.rules)
  • 2805838 - ETPRO MALWARE .Win32.Vobfus Trojan UA ???[A-F] (malware.rules)
  • 2806115 - ETPRO WEB_CLIENT Microsoft Internet Explorer onBeforeCopy Use After Free (web_client.rules)
  • 2808754 - ETPRO MOBILE_MALWARE Trojan.AndroidOS.Krosec.a Checkin (mobile_malware.rules)
  • 2809207 - ETPRO MALWARE Backdoor.W32/OnionDuke.A Checkin (malware.rules)
  • 2809512 - ETPRO EXPLOIT Possible IPMI 1.5 Session-ID Exploit Attempt CVE-2014-8272 (exploit.rules)
  • 2815041 - ETPRO MALWARE Trojan.InstallCube.407 Checkin (malware.rules)
  • 2815592 - ETPRO MALWARE Win32.Rifdoor Checkin (set) (malware.rules)
  • 2819668 - ETPRO MALWARE Unknown Checkin (malware.rules)
  • 2823243 - ETPRO MALWARE Observed Malicious Ransomware SSL Cert (WickedLocker) (malware.rules)