Ruleset Update Summary - 2025/11/19 - v11066

Summary:

24 new OPEN, 37 new PRO (24 + 13)


Added rules:

Open:

  • 2065814 - ET INFO DYNAMIC_DNS Query to a *.linuxoz .net domain (info.rules)
  • 2065815 - ET INFO DYNAMIC_DNS HTTP Request to a *.linuxoz .net domain (info.rules)
  • 2065816 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ukhorizons .com) (exploit_kit.rules)
  • 2065817 - ET EXPLOIT_KIT LandUpdate808 Domain (ukhorizons .com) in TLS SNI (exploit_kit.rules)
  • 2065818 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (extermz .lat) (malware.rules)
  • 2065819 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (extermz .lat) in TLS SNI (malware.rules)
  • 2065820 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (resusct .qpon) (malware.rules)
  • 2065821 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (resusct .qpon) in TLS SNI (malware.rules)
  • 2065822 - ET MALWARE WallStealer User-Agent Observed (SystemInfo Client) (malware.rules)
  • 2065823 - ET MALWARE WallStealer CnC Checkin - System Information (malware.rules)
  • 2065824 - ET MALWARE WallStealer CnC Checkin - Data Exfiltration (malware.rules)
  • 2065825 - ET MALWARE WallStealer CnC Checkin - get_dll Request (malware.rules)
  • 2065826 - ET MALWARE WallStealer CnC Response M1 (malware.rules)
  • 2065827 - ET MALWARE WallStealer CnC Response M2 (malware.rules)
  • 2065828 - ET MALWARE WallStealer CnC Response M3 (malware.rules)
  • 2065829 - ET MALWARE WallStealer CnC Domain in DNS Lookup (defender-temeerty .sbs) (malware.rules)
  • 2065830 - ET MALWARE WallStealer CnC Domain in DNS Lookup (telemetry-defender .lol) (malware.rules)
  • 2065831 - ET MALWARE Observed WallStealer Domain (defender-temeerty .sbs in TLS SNI) (malware.rules)
  • 2065832 - ET MALWARE Observed WallStealer Domain (telemetry-defender .lol in TLS SNI) (malware.rules)
  • 2065833 - ET MALWARE Arkanix Stealer CnC Domain in DNS Lookup (arkanix .pw) (malware.rules)
  • 2065834 - ET MALWARE Observed Arkanix Stealer Domain (arkanix .pw in TLS SNI) (malware.rules)
  • 2065835 - ET MALWARE Arkanix Stealer CnC Checkin (malware.rules)
  • 2065836 - ET MALWARE Arkanix Stealer CnC Response M1 (malware.rules)
  • 2065837 - ET MALWARE Arkanix Stealer Data Exfiltration Attempt (malware.rules)

Pro:

  • 2865192 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865193 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865194 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865195 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865196 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD+ Outbound (malware.rules)
  • 2865197 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865198 - ETPRO MALWARE Win32/XWorm V2 CnC Command - sendfileto Inbound (malware.rules)
  • 2865199 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865200 - ETPRO MALWARE Win32/XWorm V3 CnC Command - savePlugin Inbound (malware.rules)
  • 2865201 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865202 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865203 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Outbound (malware.rules)
  • 2865204 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
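
Most of the new Open rules above are indicator rules: a domain published defanged (space before the TLD), fired either on the DNS query or on the TLS SNI. The script below is an added example, not part of this ET summary or of the ET rules themselves: it refangs the domains out of the rule titles, tags each one with its channel (dns or tls) and wildcard flag, and runs them over a handful of constructed Suricata EVE-style dns/tls records. The matching semantics (apex or any subdomain for plain domains, subdomains only for the *.linuxoz .net wildcard, channel must agree with the rule) are this example's assumptions; the actual content matches in the shipped rules are not reproduced on this page.

```python
import json
import re

# Rule titles copied from this update summary. ET publishes the indicator
# domains defanged (a space before the TLD); 2065814 is a wildcard rule.
RULE_TITLES = [
    "2065814 - ET INFO DYNAMIC_DNS Query to a *.linuxoz .net domain (info.rules)",
    "2065816 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (ukhorizons .com) (exploit_kit.rules)",
    "2065817 - ET EXPLOIT_KIT LandUpdate808 Domain (ukhorizons .com) in TLS SNI (exploit_kit.rules)",
    "2065818 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (extermz .lat) (malware.rules)",
    "2065819 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (extermz .lat) in TLS SNI (malware.rules)",
    "2065829 - ET MALWARE WallStealer CnC Domain in DNS Lookup (defender-temeerty .sbs) (malware.rules)",
    "2065831 - ET MALWARE Observed WallStealer Domain (defender-temeerty .sbs in TLS SNI) (malware.rules)",
    "2065833 - ET MALWARE Arkanix Stealer CnC Domain in DNS Lookup (arkanix .pw) (malware.rules)",
    "2065834 - ET MALWARE Observed Arkanix Stealer Domain (arkanix .pw in TLS SNI) (malware.rules)",
]

SID_RE = re.compile(r"^(\d+) - ")
# "name .tld" as printed in the summary, with an optional leading "*." wildcard marker
DEFANGED_RE = re.compile(r"(\*\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*) \.([a-z]+)")


def parse_rule_title(title):
    """Return {sid, domain, wildcard, channel} for one title line, or None when
    the title carries no defanged domain (e.g. the CnC checkin/response rules)."""
    sid = SID_RE.match(title)
    dom = DEFANGED_RE.search(title)
    if not sid or not dom:
        return None
    wildcard, name, tld = dom.groups()
    if "TLS SNI" in title:
        channel = "tls"
    elif "DNS" in title:          # covers "DNS Lookup" and "DYNAMIC_DNS Query"
        channel = "dns"
    else:
        return None
    return {"sid": int(sid.group(1)), "domain": f"{name}.{tld}",
            "wildcard": bool(wildcard), "channel": channel}


def load_iocs(titles):
    return [r for r in (parse_rule_title(t) for t in titles) if r]


def domain_matches(observed, ioc):
    """Label-boundary match (assumption of this example, not the ET rule logic):
    wildcard IOCs fire on subdomains only; plain IOCs fire on the apex or any
    subdomain. Case and a trailing dot on the observed name are ignored."""
    observed = observed.lower().rstrip(".")
    if ioc["wildcard"]:
        return observed.endswith("." + ioc["domain"])
    return observed == ioc["domain"] or observed.endswith("." + ioc["domain"])


def scan_eve(lines, iocs):
    """Match Suricata EVE-style dns/tls JSON records against the IOCs.
    A hit requires the record type to agree with the rule's channel."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        event_type = rec.get("event_type")
        if event_type == "dns":
            observed = rec.get("dns", {}).get("rrname")
        elif event_type == "tls":
            observed = rec.get("tls", {}).get("sni")
        else:
            continue
        if not observed:
            continue
        for ioc in iocs:
            if ioc["channel"] == event_type and domain_matches(observed, ioc):
                hits.append((ioc["sid"], observed))
    return hits


# Constructed EVE records (not real traffic), shaped like Suricata dns/tls output.
SAMPLE_EVE = [
    '{"event_type":"dns","dns":{"type":"query","rrname":"extermz.lat"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"host1.linuxoz.net"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"linuxoz.net"}}',
    '{"event_type":"dns","dns":{"type":"query","rrname":"notarkanix.pw"}}',
    '{"event_type":"tls","tls":{"sni":"defender-temeerty.sbs"}}',
    '{"event_type":"tls","tls":{"sni":"cdn.UKHORIZONS.COM."}}',
    '{"event_type":"tls","tls":{"sni":"arkanix.pw"}}',
    '{"event_type":"http","http":{"hostname":"extermz.lat"}}',
]

if __name__ == "__main__":
    for sid, observed in scan_eve(SAMPLE_EVE, load_iocs(RULE_TITLES)):
        print(f"sid {sid} matched {observed}")
```

Three of the constructed records deliberately do not fire: the bare linuxoz.net apex (wildcard rule, subdomains only), notarkanix.pw (a suffix match without the label boundary would have produced a false positive), and extermz.lat seen as an HTTP hostname (this summary lists only DNS and TLS SNI rules for that domain). Swap SAMPLE_EVE for a real eve.json to check which of the new indicators have already been seen in your own telemetry.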

Modified inactive rules:

  • 2001258 - ET CHAT Yahoo IM conference message (chat.rules)
  • 2002866 - ET POLICY Winpcap Installation in Progress (policy.rules)
  • 2004578 - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt – module_email.php (web_specific_apps.rules)
  • 2007566 - ET MALWARE Downloader.MisleadApp Fake Security Product Install (malware.rules)
  • 2007677 - ET MALWARE E-Jihad 3.0 DNS Activity TCP (5) (malware.rules)
  • 2007759 - ET ADWARE_PUP Alfaantivirus.com Fake Anti-Virus User-Agent (IM Download) (adware_pup.rules)
  • 2008267 - ET MALWARE Banker.JU Related HTTP Post-infection Checkin (malware.rules)
  • 2012650 - ET MALWARE HTTP Request to a Malware Related Numerical .cn Domain (malware.rules)
  • 2013187 - ET MALWARE Backdoor Win32/IRCbot.FJ Cnc connection dns lookup (malware.rules)
  • 2014640 - ET EXPLOIT_KIT Incognito Exploit Kit payload request to images.php?t=N (exploit_kit.rules)
  • 2018127 - ET EXPLOIT_KIT Goon EK Java JNLP URI Struct Feb 12 2014 (exploit_kit.rules)
  • 2018501 - ET EXPLOIT_KIT Gongda EK Secondary Landing (exploit_kit.rules)
  • 2018732 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2019008 - ET CURRENT_EVENTS Safe/CritX/FlashPack Java Payload (current_events.rules)
  • 2019267 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 24 (web_server.rules)
  • 2020887 - ET MALWARE Shellshock Worm Checkin (malware.rules)
  • 2100410 - GPL ICMP_INFO Fragment Reassembly Time Exceeded (icmp_info.rules)
  • 2803254 - ETPRO NETBIOS Microsoft Windows LNK File Code Execution SMB-DS (netbios.rules)
  • 2803884 - ETPRO MALWARE Trojan.Win32.Scar.evwl Checkin (malware.rules)
  • 2804014 - ETPRO MALWARE Trojan.Win32/Malat Checkin (malware.rules)
  • 2804321 - ETPRO ADWARE_PUP Adware DL.Fosniw!lhp5vDLfRus Checkin (adware_pup.rules)
  • 2805721 - ETPRO MALWARE Win32.Winoff Checkin (malware.rules)
  • 2807805 - ETPRO WEB_CLIENT Microsoft Internet Explorer Use After free (CVE-2014-0304) (web_client.rules)
  • 2808497 - ETPRO MALWARE Backdoor.Korgapam CnC (INBOUND) 1 (malware.rules)
  • 2809622 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Perkel.c Checkin (mobile_malware.rules)
  • 2811640 - ETPRO MALWARE NanoCore RAT CnC 3 (malware.rules)
  • 2814679 - ETPRO MALWARE AbaddonPOS Exfiltrating CC Numbers 3 (malware.rules)
  • 2815405 - ETPRO MALWARE Backdoor.Beendoor Connecting to XMPP Channel (malware.rules)

Disabled and modified rules:

  • 2864622 - ETPRO MALWARE Observed ClickFix Style URI in HTTP GET (malware.rules)