Ruleset Update Summary - 2025/11/26 - v11071

Summary:

15 new OPEN, 15 new PRO (15 + 0)

Please be aware that Thursday and Friday (27 November and 28 November, 2025) are Proofpoint company holidays. There will be no rule releases on either of these days. Daily rule releases will recommence on Monday, 01 December, 2025.
Added rules:

Open:

  • 2065917 - ET PHISHING Observed GoPhish Credential Theft Form (phishing.rules)
  • 2065918 - ET WEB_SPECIFIC_APPS GL.iNet request for logread.tar (Possible CVE-2024-27356) (web_specific_apps.rules)
  • 2065919 - ET WEB_SPECIFIC_APPS GL.iNet request for client.ovpn (Possible CVE-2024-27356) (web_specific_apps.rules)
  • 2065920 - ET INFO DYNAMIC_DNS Query to a *.tuev-nord .hk domain (info.rules)
  • 2065921 - ET INFO DYNAMIC_DNS HTTP Request to a *.tuev-nord .hk domain (info.rules)
  • 2065922 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (alpeoqa .cyou) (malware.rules)
  • 2065923 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (alpeoqa .cyou) in TLS SNI (malware.rules)
  • 2065924 - ET PHISHING Common Credential Theft Redirect Page (phishing.rules)
  • 2065925 - ET WEB_SPECIFIC_APPS GL.iNet Possible admin sid brute force attempt (CVE-2024-39225) (web_specific_apps.rules)
  • 2065926 - ET WEB_SPECIFIC_APPS GL.iNet ubus account Authentication Bypass Attempt (CVE-2024-42561) (web_specific_apps.rules)
  • 2065927 - ET WEB_SPECIFIC_APPS Grafana SCIM User Provisioning Privilege Escalation (CVE-2025-41115) (web_specific_apps.rules)
  • 2065928 - ET WEB_SPECIFIC_APPS WordPress W3 Total Cache Plugin Remote Code Execution (CVE-2025-9501) (web_specific_apps.rules)
  • 2065929 - ET WEB_SPECIFIC_APPS Grafana Open Redirect (CVE-2025-4123) M1 (web_specific_apps.rules)
  • 2065930 - ET WEB_SPECIFIC_APPS Grafana Open Redirect (CVE-2025-4123) M2 (web_specific_apps.rules)
  • 2065931 - ET WEB_SERVER R.V.R Elettronica TEX Unauthenticated Password Change (CVE-2025-63207) (web_server.rules)

Modified inactive rules:

  • 2001385 - ET EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt (exploit.rules)
  • 2001402 - ET POLICY ZIPPED DOC in transit (policy.rules)
  • 2001540 - ET ADWARE_PUP Searchmiracle.com Spyware Install (v3cab) (adware_pup.rules)
  • 2007681 - ET MALWARE E-Jihad 3.0 DNS Activity UDP (4) (malware.rules)
  • 2007690 - ET ADWARE_PUP IEDefender (iedefender.com) Fake Antispyware User Agent (IEDefender 2.1) (adware_pup.rules)
  • 2009752 - ET MALWARE Monkif/DlKroha Trojan Activity HTTP Outbound (malware.rules)
  • 2013408 - ET POLICY SSL MiTM Vulnerable iOS 4.x CDMA iPhone device (CVE-2011-0228) (policy.rules)
  • 2014028 - ET MALWARE Likely CryptMEN FakeAV Download vclean (malware.rules)
  • 2019270 - ET WEB_SERVER Possible CVE-2014-6271 Attempt in HTTP URLENCODE Generic 27 (web_server.rules)
  • 2021924 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Gozi MITM) (malware.rules)
  • 2100413 - GPL ICMP_INFO IPV6 Where-Are-You (icmp_info.rules)
  • 2101924 - GPL RPC mountd UDP export request (rpc.rules)
  • 2800154 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 1 (exploit.rules)
  • 2800718 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Media Server SUN RPC Denial of Service (exploit.rules)
  • 2802003 - ETPRO MALWARE Backdoor.Win32.Refpron.I Checkin (malware.rules)
  • 2803730 - ETPRO WEB_SERVER Microsoft SharePoint XML Handling Remote File Disclosure (Published Exploit) (web_server.rules)
  • 2816773 - ETPRO MALWARE Unknown Keylogger .onion Checkin (malware.rules)