Ruleset Update Summary - 2025/11/20 - v11067

Summary:

30 new OPEN, 30 new PRO (30 + 0)
Added rules:

Open:

  • 2065838 - ET WEB_SPECIFIC_APPS Tenda SetSysAutoRebbotCfg rebootTime Parameter Buffer Overflow Attempt (CVE-2025-65222) (web_specific_apps.rules)
  • 2065839 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (koleporter .com) (exploit_kit.rules)
  • 2065840 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (koleporter .com) (exploit_kit.rules)
  • 2065841 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (app .myonlineprofits .com) (malware.rules)
  • 2065842 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (static .myonlinegigs .com) (malware.rules)
  • 2065843 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (app .myonlineprofits .com) (malware.rules)
  • 2065844 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (static .myonlinegigs .com) (malware.rules)
  • 2065845 - ET WEB_SPECIFIC_APPS Ilevia ping.php ip Parameter Command Injection Attempt (CVE-2025-60738) (web_specific_apps.rules)
  • 2065846 - ET INFO DYNAMIC_DNS Query to a *.fizicamedicala .ro domain (info.rules)
  • 2065847 - ET INFO DYNAMIC_DNS HTTP Request to a *.fizicamedicala .ro domain (info.rules)
  • 2065848 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (petitesalope .com) (exploit_kit.rules)
  • 2065849 - ET EXPLOIT_KIT LandUpdate808 Domain (petitesalope .com) in TLS SNI (exploit_kit.rules)
  • 2065850 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (decalcy .qpon) (malware.rules)
  • 2065851 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (decalcy .qpon) in TLS SNI (malware.rules)
  • 2065852 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sticka .qpon) (malware.rules)
  • 2065853 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (sticka .qpon) in TLS SNI (malware.rules)
  • 2065854 - ET MALWARE Observed DNS Query to Aura Stealer Domain (mscloud .cfd) (malware.rules)
  • 2065855 - ET MALWARE Observed DNS Query to Aura Stealer Domain (searchagent .cfd) (malware.rules)
  • 2065856 - ET MALWARE Observed Aura Stealer Domain (mscloud .cfd in TLS SNI) (malware.rules)
  • 2065857 - ET MALWARE Observed Aura Stealer Domain (searchagent .cfd in TLS SNI) (malware.rules)
  • 2065858 - ET MALWARE Aura Stealer CnC Exfil (POST) (malware.rules)
  • 2065859 - ET MALWARE Aura Stealer Conf Checkin (POST) (malware.rules)
  • 2065860 - ET MALWARE Aura Stealer Victim Checkin (GET) (malware.rules)
  • 2065861 - ET MALWARE Aura Stealer CnC Response (true) (malware.rules)
  • 2065862 - ET MALWARE Aura Stealer CnC Response (false) (malware.rules)
  • 2065863 - ET MALWARE OtterCookie File Exfiltration M2 (malware.rules)
  • 2065864 - ET MALWARE Observed DNS Query to Aura Stealer Domain (magicupdate .cfd) (malware.rules)
  • 2065865 - ET MALWARE Observed Aura Stealer Domain (magicupdate .cfd in TLS SNI) (malware.rules)
  • 2065866 - ET MALWARE OtterCookie CnC Checkin Response (malware.rules)
  • 2065867 - ET INFO Observed DNS Query to .cfd TLD (info.rules)

Modified inactive rules:

  • 2001456 - ET ADWARE_PUP ContextPanel Reporting (adware_pup.rules)
  • 2004579 - ET WEB_SPECIFIC_APPS Invision Power Board XSS Attempt – module_image.php (web_specific_apps.rules)
  • 2007678 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (1) (malware.rules)
  • 2008519 - ET MALWARE Win32.Agent.zrm/Infostealer.Bancos Checkin (malware.rules)
  • 2010487 - ET DOS Potential Inbound NTP denial-of-service attempt (repeated mode 7 reply) (dos.rules)
  • 2013188 - ET EXPLOIT VSFTPD Backdoor User Login Smiley (exploit.rules)
  • 2014127 - ET POLICY Splashtop Remote Control Checkin (policy.rules)
  • 2014476 - ET MALWARE HTTP Request to Zaletelly CnC Domain zaletellyxx.be (malware.rules)
  • 2014641 - ET EXPLOIT_KIT Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx (exploit_kit.rules)
  • 2015682 - ET EXPLOIT_KIT Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012 (exploit_kit.rules)
  • 2015805 - ET MALWARE Mini-Flame v 4.x C2 HTTP request (malware.rules)
  • 2101625 - GPL FTP large SYST command (ftp.rules)
  • 2800715 - ETPRO EXPLOIT Tivoli Storage Manager Initial Sign-on Request Buffer Overflow (exploit.rules)
  • 2803255 - ETPRO NETBIOS Microsoft Windows LNK File Code Execution SMB (netbios.rules)
  • 2803726 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Unset TLS 1.0 (web_server.rules)
  • 2803727 - ETPRO WEB_SERVER OpenSSL ECDH Use After Free Flowbit Set SSL 3.0 (web_server.rules)
  • 2804162 - ETPRO MALWARE Win32/Spy.Bancos.OBT Checkin (malware.rules)
  • 2805100 - ETPRO MALWARE Win32/Bancos.ACM Checkin 2 (malware.rules)
  • 2807525 - ETPRO MALWARE Trojan.Win32.Storup Checkin (malware.rules)
  • 2820591 - ETPRO EXPLOIT_KIT Magnitude EK Landing Jun 13 2016 (exploit_kit.rules)
  • 2822427 - ETPRO MOBILE_MALWARE Trojan-Spy.AndroidOS.Oversa.a Checkin (mobile_malware.rules)

Removed rules:

  • 2844703 - ETPRO INFO Observed DNS over HTTPS Domain in TLS SNI (doh .dns .sb) (info.rules)