Ruleset Update Summary - 2025/11/10 - v11059

Ruleset Updates
1

Summary:

17 new OPEN, 27 new PRO (17 + 10)

Added rules:

Open:

  • 2065702 - ET INFO DYNAMIC_DNS Query to a *.familiawhite .com .ar domain (info.rules)
  • 2065703 - ET INFO DYNAMIC_DNS HTTP Request to a *.familiawhite .com .ar domain (info.rules)
  • 2065704 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (quantdatai .live) (malware.rules)
  • 2065705 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (quantdatai .live) in TLS SNI (malware.rules)
  • 2065706 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (files .parsonspaving .ca) (malware.rules)
  • 2065707 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .nestledinniagara .com) (malware.rules)
  • 2065708 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (files .parsonspaving .ca) (malware.rules)
  • 2065709 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .nestledinniagara .com) (malware.rules)
  • 2065710 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (shadowqueueflow .com) (malware.rules)
  • 2065711 - ET MALWARE TA569 Middleware Server Domain in DNS Lookup (diariodetaubateregiao .com .br) (malware.rules)
  • 2065712 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (shadowqueueflow .com) (malware.rules)
  • 2065713 - ET MALWARE TA569 Middleware Server Domain in TLS SNI (diariodetaubateregiao .com .br) (malware.rules)
  • 2065714 - ET WEB_SPECIFIC_APPS Gladinet Triofox Authentication Bypass via Initial Setup (CVE-2025-12480) (web_specific_apps.rules)
  • 2065715 - ET WEB_SPECIFIC_APPS JumpServer Connection Token Leak (CVE-2025-62712) (web_specific_apps.rules)
  • 2065716 - ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M1 (web_specific_apps.rules)
  • 2065717 - ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M2 (web_specific_apps.rules)
  • 2065718 - ET WEB_SPECIFIC_APPS WSO2 API Manager Blind XML External Entity Injection (CVE-2025-2905) M3 (web_specific_apps.rules)

Pro:

  • 2865129 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865130 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865131 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865132 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865133 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865134 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865135 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865136 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865137 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865139 - ETPRO WEB_SPECIFIC_APPS Fortinet FortiGate Configuration Management Database (CMDB) Directory Traversal (web_specific_apps.rules)

Modified inactive rules:

  • 2001795 - ET DOS Excessive SMTP MAIL-FROM DDoS (dos.rules)
  • 2002299 - ET ADWARE_PUP Searchfeed.com Spyware 4 (adware_pup.rules)
  • 2002300 - ET ADWARE_PUP Searchfeed.com Spyware 5 (adware_pup.rules)
  • 2002351 - ET ADWARE_PUP Comet Systems Spyware Update Download (adware_pup.rules)
  • 2002352 - ET ADWARE_PUP Comet Systems Spyware Context Report (adware_pup.rules)
  • 2002918 - ET EXPLOIT VNC Server VNC Auth Offer - No Challenge string (exploit.rules)
  • 2002923 - ET EXPLOIT VNC Server Not Requiring Authentication (case 2) (exploit.rules)
  • 2002924 - ET EXPLOIT VNC Server Not Requiring Authentication (exploit.rules)
  • 2003168 - ET POLICY Winamp Streaming User Agent (policy.rules)
  • 2003716 - ET WEB_SPECIFIC_APPS LaVague Remote Inclusion Attempt – printbar.php views_path (web_specific_apps.rules)
  • 2007901 - ET MALWARE Banker.OPX HTTP Checkin (malware.rules)
  • 2007977 - ET ADWARE_PUP Dokterfix.com Fake AV User-Agent (Magic NetInstaller) (adware_pup.rules)
  • 2008155 - ET MALWARE Trats.a Post-Infection Checkin (malware.rules)
  • 2009449 - ET MALWARE Trash Family - HTTP POST (malware.rules)
  • 2010100 - ET MALWARE Palevo/BFBot/Mariposa client join attempt (malware.rules)
  • 2010101 - ET MALWARE Palevo/BFBot/Mariposa server join acknowledgement (malware.rules)
  • 2010590 - ET POLICY Possible Reference to Al Qaeda Propaganda Theme/Group (Takfir) SMTP (policy.rules)
  • 2012232 - ET ACTIVEX Oracle Document Capture File Deletion Attempt (activex.rules)
  • 2012233 - ET ACTIVEX Oracle Document Capture File Overwrite Attempt (activex.rules)
  • 2013404 - ET MALWARE Suspicious User Agent ksdl_1_0 (malware.rules)
  • 2014317 - ET MALWARE ZeuS Clickfraud List Delivered To Client (malware.rules)
  • 2014318 - ET WEB_CLIENT Clickpayz redirection to *.clickpayz.com (web_client.rules)
  • 2014319 - ET EXPLOIT Dadong Java Exploit Requested (exploit.rules)
  • 2015553 - ET WEB_CLIENT Fake-AV Conditional Redirect (Blackmuscats) (web_client.rules)
  • 2015676 - ET EXPLOIT_KIT Unknown Java Exploit Kit Payload Download Request - Sep 04 2012 (exploit_kit.rules)
  • 2015897 - ET EXPLOIT_KIT Possible TDS Exploit Kit /flow redirect at .ru domain (exploit_kit.rules)
  • 2017469 - ET EXPLOIT_KIT Possible SNET EK VBS Download (exploit_kit.rules)
  • 2017621 - ET WEB_CLIENT Possible Cutwail Redirect to Magnitude EK (web_client.rules)
  • 2017759 - ET EXPLOIT_KIT Possible Java Lang Runtime in B64 Observed in Goon EK 3 (exploit_kit.rules)
  • 2018724 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2018725 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019259 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 16 (web_server.rules)
  • 2019260 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 17 (web_server.rules)
  • 2019261 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 18 (web_server.rules)
  • 2019560 - ET MALWARE Sofacy HTTP Request updatepc.org (malware.rules)
  • 2019561 - ET MALWARE Sofacy HTTP Request updatesoftware24.com (malware.rules)
  • 2019562 - ET MALWARE Sofacy HTTP Request windows-updater.com (malware.rules)
  • 2019894 - ET EXPLOIT_KIT Probable malicious download from e-mail link /1.php (exploit_kit.rules)
  • 2020567 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS CnC) (malware.rules)
  • 2020743 - ET EXPLOIT_KIT HanJuan EK Landing March 24 2015 M1 (exploit_kit.rules)
  • 2020811 - ET MALWARE Volatile Cedar Win32.Explosive External IP Leak (malware.rules)
  • 2021055 - ET MALWARE Carbon FormGrabber/Retgate.A/Rombertik Checkin (malware.rules)
  • 2021056 - ET MALWARE Dyre Downloading Mailer 2 (malware.rules)
  • 2021136 - ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M1 (exploit_kit.rules)
  • 2021137 - ET EXPLOIT_KIT Sundown EK Landing May 21 2015 M2 (exploit_kit.rules)
  • 2021430 - ET MALWARE Possible IE MSMXL Detection of Local SYS (Likely Malicious) (malware.rules)
  • 2021617 - ET MOBILE_MALWARE Android.Trojan.SLocker.DZ Checkin 2 (mobile_malware.rules)
  • 2021733 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021734 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Tinba MITM) (malware.rules)
  • 2021920 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2021921 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2022275 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Malware CnC) (malware.rules)
  • 2022765 - ET MALWARE Retefe Banker .onion Domain (malware.rules)
  • 2022766 - ET MALWARE Retefe Banker .onion Domain (malware.rules)
  • 2023319 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2023320 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2100281 - GPL MISC Ascend Route (misc.rules)
  • 2100402 - GPL ICMP_INFO Destination Unreachable Port Unreachable (icmp_info.rules)
  • 2100403 - GPL ICMP_INFO Destination Unreachable Precedence Cutoff in effect (icmp_info.rules)
  • 2100404 - GPL ICMP_INFO Destination Unreachable Protocol Unreachable (icmp_info.rules)
  • 2101748 - GPL FTP command overflow attempt (ftp.rules)
  • 2102578 - GPL RPC kerberos principal name overflow UDP (rpc.rules)
  • 2103080 - GPL GAMES Unreal Tournament secure overflow attempt (games.rules)
  • 2800142 - ETPRO EXPLOIT Motorola Timbuktu Crafted Login Request Buffer Overflow 1 (exploit.rules)
  • 2800143 - ETPRO EXPLOIT Motorola Timbuktu Crafted Login Request Buffer Overflow 2 (exploit.rules)
  • 2800397 - ETPRO CHAT Cerulean Studios Trillian AIM XML Tag Handling Heap Buffer Overflow (chat.rules)
  • 2800706 - ETPRO EXPLOIT Microsoft Windows Media Player ASX Playlist Parsing Buffer Overflow (exploit.rules)
  • 2800707 - ETPRO EXPLOIT Oracle Database Server Login Access Control Bypass (exploit.rules)
  • 2800708 - ETPRO EXPLOIT Alt-N MDaemon IMAP Server CREATE Command Buffer Overflow (exploit.rules)
  • 2801552 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB-DS Unicode (netbios.rules)
  • 2801553 - ETPRO NETBIOS Microsoft Powerpoint msnsspc.dll Insecure Library - SMB-DS ASCII (netbios.rules)
  • 2801995 - ETPRO MALWARE Buzus/Bifrost Checkin (malware.rules)
  • 2802886 - ETPRO MALWARE Trojan.Win32.Dcbavict.A Checkin 2 (malware.rules)
  • 2802887 - ETPRO MALWARE Trojan.Win32.Dcbavict.A Checkin 3 (malware.rules)
  • 2802888 - ETPRO WEB_SPECIFIC_APPS AWStats Totals awstatstotals.php sort Parameter Code Execution (web_specific_apps.rules)
  • 2803250 - ETPRO MALWARE Variant.TDss.24 Checkin (malware.rules)
  • 2803252 - ETPRO EXPLOIT Oracle Java RMI Services Default Configuration Remote Code Execution (exploit.rules)
  • 2803718 - ETPRO MALWARE Win32/Vundo.B Checkin (malware.rules)
  • 2803719 - ETPRO MALWARE TrojanSpy.Zbot.abrq Checkin (malware.rules)
  • 2803720 - ETPRO MALWARE Generic.122EAAF6 Checkin (malware.rules)
  • 2803876 - ETPRO GAMES NEXON Online Gaming Connection (games.rules)
  • 2804315 - ETPRO MALWARE Trojan-Downloader.Win32.Banload!IK Checkin (malware.rules)
  • 2804481 - ETPRO MALWARE Win32/TrojanDownloader.Banload.QFP Checkin (malware.rules)
  • 2804755 - ETPRO MALWARE Sus/BancDl-A Checkin (malware.rules)
  • 2804852 - ETPRO MALWARE Backdoor.Win32/Simda.gen!A Checkin (malware.rules)
  • 2804974 - ETPRO MALWARE Trojan.Win32.Spy!IK Checkin (malware.rules)
  • 2804975 - ETPRO MALWARE Trojan-Banker.Win32.Bancos.tge Checkin (malware.rules)
  • 2805094 - ETPRO MALWARE W32/VB.POZ!tr.dldr exec SQL command (exec retorna dados) (malware.rules)
  • 2805097 - ETPRO MALWARE Win32/Vbinder.CO Checkin (malware.rules)
  • 2805263 - ETPRO MALWARE Trojan.Win32.Workir.yf Checkin (malware.rules)
  • 2805556 - ETPRO WEB_SPECIFIC_APPS Zenworks RTRlet Applet Access With Harcoded Creds (web_specific_apps.rules)
  • 2805839 - ETPRO MALWARE Win32/Tibs.gen!G / Trojan-Downloader.Win32.Zlob.jsq Checkin (malware.rules)
  • 2806613 - ETPRO MALWARE Trojan.Win32.Pincav.cngr Checkin 2 (malware.rules)
  • 2808494 - ETPRO MOBILE_MALWARE Android.Gumen.A Checkin (mobile_malware.rules)
  • 2809515 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.en Checkin (mobile_malware.rules)
  • 2809875 - ETPRO MALWARE Unknown Trojan .onion Proxy Domain (malware.rules)
  • 2810188 - ETPRO ADWARE_PUP MultiPlug Code Signing Certificate Seen (adware_pup.rules)
  • 2810730 - ETPRO MALWARE Trojan-Downloader.Banload Connectivity Check (malware.rules)
  • 2810731 - ETPRO MOBILE_MALWARE Android/Igexin.A Checkin (mobile_malware.rules)
  • 2812540 - ETPRO MALWARE Win32/Setaclod.A Checkin (malware.rules)
  • 2813004 - ETPRO MOBILE_MALWARE Android/HiddenApp.D Checkin (mobile_malware.rules)
  • 2813005 - ETPRO MOBILE_MALWARE Android/HiddenApp.D Checkin 2 (mobile_malware.rules)
  • 2814673 - ETPRO MALWARE Malicious SSL certificate detected (Ursnif CnC) (malware.rules)
  • 2815043 - ETPRO MALWARE Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
  • 2815596 - ETPRO PHISHING Docusign Phish Landing Page Jan 5 (phishing.rules)
  • 2815815 - ETPRO WEB_CLIENT Observed Malvertising Domain DNS Request (markets.mediasoftmac.com) (web_client.rules)
  • 2815816 - ETPRO WEB_CLIENT Observed Malvertising Domain DNS Request (advertising.northside-market.com) (web_client.rules)
  • 2820381 - ETPRO MALWARE Hawkeye Keylogger SMTP Checkin M1 (malware.rules)
  • 2820585 - ETPRO MALWARE Ursnif DNS Query (malware.rules)