Summary:
16 new OPEN, 33 new PRO (16 + 17)
Added rules:
Open:
- 2065678 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (dolmain .com) (exploit_kit.rules)
- 2065679 - ET EXPLOIT_KIT LandUpdate808 Domain (dolmain .com) in TLS SNI (exploit_kit.rules)
- 2065680 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (edentista .com) (exploit_kit.rules)
- 2065681 - ET EXPLOIT_KIT LandUpdate808 Domain (edentista .com) in TLS SNI (exploit_kit.rules)
- 2065682 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (saeam .com) (exploit_kit.rules)
- 2065683 - ET EXPLOIT_KIT LandUpdate808 Domain (saeam .com) in TLS SNI (exploit_kit.rules)
- 2065684 - ET WEB_SPECIFIC_APPS Adobe Coldfusion BlazeDS Java Object Deserialization Remote Code Execution (CVE-2017-3066) (web_specific_apps.rules)
- 2065685 - ET WEB_SPECIFIC_APPS Wordpress Post SMTP Plugin Unauthenticated Account Takeover via Email Log Disclosure (CVE-2025-11833) (web_specific_apps.rules)
- 2065686 - ET EXPLOIT Adobe ColdFusion ODBC Agent Memory Corruption (CVE-2022-35690) (exploit.rules)
- 2065687 - ET WEB_SPECIFIC_APPS Adobe ColdFusion Unauthenticated Remote Code Execution (CVE-2023-29300) (web_specific_apps.rules)
- 2065688 - ET WEB_SPECIFIC_APPS Adobe ColdFusion Access Control Bypass (CVE-2023-38205) (web_specific_apps.rules)
- 2065689 - ET PHISHING Observed DNS Query to Phishing Domain (processserverscleveland .com) (phishing.rules)
- 2065690 - ET EXPLOIT 7-Zip 7z File PPMd Properties Parsing Integer Underflow (CVE-2023-31102) (exploit.rules)
- 2065691 - ET PHISHING Observed Phishing Domain (processserverscleveland .com in TLS SNI) (phishing.rules)
- 2065692 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .kasindramaharaj .com) (malware.rules)
- 2065693 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .kasindramaharaj .com) (malware.rules)
Pro:
- 2865076 - ETPRO WEB_SPECIFIC_APPS 3CX Phone System VAD_Deploy.aspx Arbitrary File Upload (web_specific_apps.rules)
- 2865077 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2865078 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2865079 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2865080 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2865081 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2865082 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2865083 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2865084 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2865085 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M3 (hunting.rules)
- 2865086 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M4 (hunting.rules)
- 2865087 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M5 (hunting.rules)
- 2865088 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M6 (hunting.rules)
- 2865089 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate M7 (hunting.rules)
- 2865090 - ETPRO MALWARE pngMoonWalk CnC Activity (POST) (malware.rules)
- 2865091 - ETPRO MALWARE Observed DNS Query to pngMoonwalk Domain (malware.rules)
- 2865092 - ETPRO MALWARE Observed pngMoonwalk Domain in TLS SNI (malware.rules)
Modified inactive rules:
- 2001655 - ET ADWARE_PUP Comet Systems Spyware Traffic (context.xml) (adware_pup.rules)
- 2002297 - ET ADWARE_PUP Searchfeed.com Spyware 2 (adware_pup.rules)
- 2002662 - ET WEB_SPECIFIC_APPS TWiki INCLUDE remote command execution attempt (web_specific_apps.rules)
- 2002914 - ET EXPLOIT VNC Server VNC Auth Offer (exploit.rules)
- 2003236 - ET DOS NetrWkstaUserEnum Request with large Preferred Max Len (dos.rules)
- 2008484 - ET ADWARE_PUP Cleancop.co.kr Fake AV User-Agent (CleancopUpdate) (adware_pup.rules)
- 2012391 - ET MALWARE Tatanga Checkin (malware.rules)
- 2016035 - ET CURRENT_EVENTS Possible SibHost PDF Request (current_events.rules)
- 2021731 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
- 2022066 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (ProxyChanger) (malware.rules)
- 2022441 - ET MALWARE Scarlet Mimic DNS Lookup 31 (malware.rules)
- 2100401 - GPL ICMP_INFO Destination Unreachable Network Unreachable (icmp_info.rules)
- 2101437 - GPL POLICY Windows Media download (policy.rules)
- 2800141 - ETPRO EXPLOIT RealNetworks Helix DNA Server RTSP Service Heap Overflow (exploit.rules)
- 2800396 - ETPRO CHAT Cerulean Studios Trillian Image Filename XML Tag Stack Buffer Overflow (chat.rules)
- 2800705 - ETPRO EXPLOIT Microsoft Outlook iCal Meeting Request Malformed VEVENT Record Dereference Memory Corruption (exploit.rules)
- 2800859 - ETPRO EXPLOIT HP Data Protector Media Operations Null Pointer Deference Denial of Service Request (exploit.rules)
- 2800961 - ETPRO EXPLOIT HP Data Protector OmniInet Service NULL Dereference Denial of Service (exploit.rules)
- 2802885 - ETPRO MALWARE Trojan.Win32.Dcbavict.A Checkin 1 (malware.rules)
- 2803875 - ETPRO MALWARE Win32/Agent.KA Checkin (malware.rules)
- 2804313 - ETPRO MALWARE Trojan-Dropper.Win32.Agent.exc Checkin (malware.rules)
- 2804478 - ETPRO MALWARE W32/Autorun.worm.bbs Install (malware.rules)
- 2804753 - ETPRO MALWARE Win32/Wadolin.A Checkin (malware.rules)
- 2805404 - ETPRO MALWARE Linux/Wirenet keep-alive outbound (malware.rules)
- 2810728 - ETPRO MOBILE_MALWARE Android/SMSreg.AV Checkin 2 (mobile_malware.rules)
- 2815593 - ETPRO MALWARE Win32.Rifdoor Checkin (malware.rules)
- 2816183 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Agent.hf Checkin (mobile_malware.rules)
- 2819669 - ETPRO MALWARE Unknown Ransomware Checkin (malware.rules)
- 2823244 - ETPRO MALWARE Observed Malicious Ransomware Domain SSL Cert in SNI (Hidden-Tear Variant) (malware.rules)