Ruleset Update Summary - 2025/11/17 - v11064

rulesbot · November 17, 2025, 10:00pm

Summary:

19 new OPEN, 28 new PRO (19 + 9)

Added rules:

Open:

2065782 - ET INFO DYNAMIC_DNS Query to a *.alltricities .com domain (info.rules)
2065783 - ET INFO DYNAMIC_DNS HTTP Request to a *.alltricities .com domain (info.rules)
2065784 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deactlr .qpon) (malware.rules)
2065785 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (deactlr .qpon) in TLS SNI (malware.rules)
2065786 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (epidmov .top) (malware.rules)
2065787 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (epidmov .top) in TLS SNI (malware.rules)
2065788 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (onfireg .qpon) (malware.rules)
2065789 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (onfireg .qpon) in TLS SNI (malware.rules)
2065790 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bitteam .info) (malware.rules)
2065791 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (bitteam .info) in TLS SNI (malware.rules)
2065792 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (secure .hoststewart .com) (malware.rules)
2065793 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (secure .hoststewart .com) (malware.rules)
2065794 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (apraadhi .com) (exploit_kit.rules)
2065795 - ET EXPLOIT_KIT LandUpdate808 Domain (apraadhi .com) in TLS SNI (exploit_kit.rules)
2065796 - ET WEB_SPECIFIC_APPS D-Link authentication.cgi password Parameter Buffer Overflow Attempt (CVE-2025-13188) (web_specific_apps.rules)
2065797 - ET WEB_SPECIFIC_APPS Tenda PPTPUserSetting delno Parameter Buffer Overflow Attempt (CVE-2025-13288) (web_specific_apps.rules)
2065798 - ET WEB_SPECIFIC_APPS D-Link soap.cgi service Parameter Command Injection Attempt (CVE-2025-9752) (web_specific_apps.rules)
2065799 - ET WEB_SPECIFIC_APPS D-Link form2Dhcpip Multiple Parameters Buffer Overflow Attempt (CVE-2022-29322) (web_specific_apps.rules)
2065800 - ET WEB_SPECIFIC_APPS D-Link route Multiple Parameters Buffer Overflow Attempt (CVE-2025-25896) (web_specific_apps.rules)

Pro:

2865170 - ETPRO HUNTING ConnectWise ScreenConnect Revoked Code Signing Certificate (hunting.rules)
2865171 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
2865172 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
2865173 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
2865174 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
2865175 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
2865176 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
2865177 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
2865178 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Modified inactive rules:

2001256 - ET CHAT Yahoo IM conference invitation (chat.rules)
2001257 - ET CHAT Yahoo IM conference logon success (chat.rules)
2002917 - ET EXPLOIT RealVNC Server Authentication Bypass Successful (exploit.rules)
2002921 - ET EXPLOIT VNC Multiple Authentication Failures (exploit.rules)
2002948 - ET POLICY External Windows Update in Progress (policy.rules)
2002949 - ET POLICY Windows Update in Progress (policy.rules)
2003075 - ET ADWARE_PUP Content-loader.com Spyware Install 2 (adware_pup.rules)
2003076 - ET ADWARE_PUP Content-loader.com (ownusa.info) Spyware Install (adware_pup.rules)
2004576 - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt – module_bbcodeloader.php (web_specific_apps.rules)
2004577 - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt – module_div.php (web_specific_apps.rules)
2007675 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (3) (malware.rules)
2007676 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (4) (malware.rules)
2007811 - ET MALWARE Metajuan trojan checkin (malware.rules)
2008891 - ET MALWARE MEREDROP/micr0s0fts.cn Related Checkin (malware.rules)
2009414 - ET DOS Large amount of TCP ZeroWindow - Possible Nkiller2 DDos attack (dos.rules)
2010554 - ET DOS Netgear DG632 Web Management Denial Of Service Attempt (dos.rules)
2011371 - ET MALWARE Stupid Stealer C&C Communication (2) (malware.rules)
2016988 - ET MALWARE KeyBoy Backdoor File Manager Response Header (malware.rules)
2017624 - ET CURRENT_EVENTS Tenda Router Backdoor 2 (current_events.rules)
2018123 - ET MALWARE Win32/Almanahe.B Checkin (malware.rules)
2018730 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
2019005 - ET EXPLOIT_KIT FlashPack EK Redirect Aug 25 2014 (exploit_kit.rules)
2019006 - ET EXPLOIT_KIT FlashPack EK Exploit Landing Aug 25 2014 (exploit_kit.rules)
2019264 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 21 (web_server.rules)
2019265 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 22 (web_server.rules)
2019895 - ET EXPLOIT_KIT Malicious Redirect Leading to EK Dec 08 2014 (exploit_kit.rules)
2022448 - ET MALWARE Scarlet Mimic DNS Lookup 38 (malware.rules)
2022449 - ET MALWARE Scarlet Mimic DNS Lookup 39 (malware.rules)
2022678 - ET MALWARE Ransomware/Coverton CnC 2 (malware.rules)
2022957 - ET EXPLOIT_KIT Evil Redirector Leading To EK Jul 10 M1 (exploit_kit.rules)
2023286 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2023287 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2023324 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2023325 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
2100408 - GPL ICMP_INFO Echo Reply (icmp_info.rules)
2100409 - GPL ICMP Echo Reply undefined code (icmp.rules)
2800148 - ETPRO ACTIVEX Microsoft SQL Server Distributed Management Objects Buffer Overflow (activex.rules)
2800149 - ETPRO EXPLOIT Trend Micro ServerProtect TMregChange Stack Overflow (exploit.rules)
2800403 - ETPRO EXPLOIT Linux Kernel SCTP FWD-TSN Handling Buffer Overflow (exploit.rules)
2800964 - ETPRO MALWARE Banker/Banbra.fxe Checkin (malware.rules)
2802997 - ETPRO NETBIOS Client GET_DFS_REFERRAL Request Flowbit Set (netbios.rules)
2803258 - ETPRO MALWARE Backdoor.Win32.RDPdoor.AE Checkin 3 (malware.rules)
2803409 - ETPRO NETBIOS Microsoft Internet Explorer url.dll Telnet Handler Insecure Exe Loading - SMB Unicode (netbios.rules)
2803724 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Set TLS 1.0 (web_server.rules)
2803725 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Attempt TLS 1.0 (web_server.rules)
2804012 - ETPRO MALWARE TrojanDropper.Win32/Dogrobot.E Checkin 1 (malware.rules)
2804013 - ETPRO MALWARE TrojanDropper.Win32/Dogrobot.E Checkin 2 (malware.rules)
2805267 - ETPRO ADWARE_PUP Adware.Casino-36 Checkin (adware_pup.rules)
2805405 - ETPRO MALWARE Win32/SchwarzeSonne.AP Checkin (malware.rules)
2805719 - ETPRO MALWARE Trojan-Proxy.Win32.Small.ai Checkin (malware.rules)
2807802 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0299) (web_client.rules)
2807803 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0302) (web_client.rules)
2808081 - ETPRO WEB_CLIENT Acrobat Reader Possible CVE-2014-0527 Use After Free (web_client.rules)
2809008 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.op Checkin (mobile_malware.rules)
2809517 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Agent.SD Checkin 2 (mobile_malware.rules)
2809879 - ETPRO MALWARE Athena Variant .onion Proxy Domain (malware.rules)
2810190 - ETPRO MALWARE Critroni .onion Proxy Domain (malware.rules)
2810893 - ETPRO MALWARE W97M.Dropper Downloading EXE (malware.rules)
2814262 - ETPRO MALWARE MSIL/Crimson CnC Client Command (update) (malware.rules)
2814676 - ETPRO MALWARE MSIL/Kryptik.CNO Retrieving Payload (malware.rules)
2814677 - ETPRO MALWARE AbaddonPOS Exfiltrating CC Numbers 1 (malware.rules)
2815048 - ETPRO MALWARE Win32/Spy.Banker.ABMV CnC Response (malware.rules)

Disabled and modified rules:

2056031 - ET PHISHING Generic Credential Phish Landing Page (2024-09-20) (phishing.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/05/12 - v10925 Ruleset Updates	111	May 12, 2025
Ruleset Update Summary - 2025/09/09 - v11011 Ruleset Updates	74	September 9, 2025
Ruleset Update Summary - 2025/09/23 - v11022 Ruleset Updates	61	September 23, 2025
Ruleset Update Summary - 2025/07/25 - v10978 Ruleset Updates	76	July 25, 2025
Ruleset Update Summary - 2025/03/20 - v10887 Ruleset Updates	107	March 20, 2025

Ruleset Update Summary - 2025/11/17 - v11064

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Disabled and modified rules:

Related topics