Ruleset Update Summary - 2025/12/02 - v11074

Ruleset Updates
1

Summary:

18 new OPEN, 41 new PRO (18 + 23)

Added rules:

Open:

  • 2065975 - ET EXPLOIT Oracle Identity Governance Pre-Auth ByPass M1 (CVE-2025-61757) (exploit.rules)
  • 2065976 - ET EXPLOIT Oracle Identity Governance Pre-Auth ByPass M2 (CVE-2025-61757) (exploit.rules)
  • 2065977 - ET WEB_SPECIFIC_APPS Zyxel ATP Authenticated Remote Code Execution (CVE-2025-8078) (web_specific_apps.rules)
  • 2065978 - ET INFO DYNAMIC_DNS Query to a *.bostoncareercounselor .com domain (info.rules)
  • 2065979 - ET INFO DYNAMIC_DNS HTTP Request to a *.bostoncareercounselor .com domain (info.rules)
  • 2065980 - ET INFO DYNAMIC_DNS Query to a *.coaching2lead .com domain (info.rules)
  • 2065981 - ET INFO DYNAMIC_DNS HTTP Request to a *.coaching2lead .com domain (info.rules)
  • 2065982 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (extirpo .cyou) (malware.rules)
  • 2065983 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (extirpo .cyou) in TLS SNI (malware.rules)
  • 2065984 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (salespe .cyou) (malware.rules)
  • 2065985 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (salespe .cyou) in TLS SNI (malware.rules)
  • 2065986 - ET WEB_SPECIFIC_APPS Tenda SetSambaConf samba_userNameSda Parameter Buffer Overflow Attempt (CVE-2025-9813) (web_specific_apps.rules)
  • 2065987 - ET WEB_SPECIFIC_APPS D-Link mng_platform.asp addr Parameter Command Injection Attempt (CVE-2025-9769) (web_specific_apps.rules)
  • 2065988 - ET WEB_SPECIFIC_APPS FLIR prod.php cmd Parameter Cross Site Scripting Attempt (CVE-2025-5127) (web_specific_apps.rules)
  • 2065989 - ET WEB_SPECIFIC_APPS Western Digital google_analytics.php arg Parameter Command Injection Attempt (CVE-2016-10108) (web_specific_apps.rules)
  • 2065990 - ET WEB_SPECIFIC_APPS Western Digital remoteBackups.php jobName Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2065991 - ET WEB_SPECIFIC_APPS Cacti host.php snmp_community Parameter Command Injection Attempt (CVE-2025-66399) (web_specific_apps.rules)
  • 2065992 - ET WEB_SPECIFIC_APPS Western Digital username Parameter Command Injection Attempt (CVE-2016-10107) (web_specific_apps.rules)

Pro:

  • 2865245 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)
  • 2865246 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2865247 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2865248 - ETPRO PHISHING TA453 Domain in DNS Lookup (phishing.rules)
  • 2865249 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2865250 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2865251 - ETPRO PHISHING TA453 Domain in TLS SNI (phishing.rules)
  • 2865252 - ETPRO PHISHING TA451 Domain in DNS Lookup (phishing.rules)
  • 2865253 - ETPRO PHISHING TA451 Domain in DNS Lookup (phishing.rules)
  • 2865254 - ETPRO PHISHING TA451 Domain in DNS Lookup (phishing.rules)
  • 2865255 - ETPRO PHISHING TA451 Domain in DNS Lookup (phishing.rules)
  • 2865256 - ETPRO PHISHING TA451 Domain in DNS Lookup (phishing.rules)
  • 2865257 - ETPRO PHISHING TA451 Domain in TLS SNI (phishing.rules)
  • 2865258 - ETPRO PHISHING TA451 Domain in TLS SNI (phishing.rules)
  • 2865259 - ETPRO PHISHING TA451 Domain in TLS SNI (phishing.rules)
  • 2865260 - ETPRO PHISHING TA451 Domain in TLS SNI (phishing.rules)
  • 2865261 - ETPRO PHISHING TA451 Domain in TLS SNI (phishing.rules)
  • 2865262 - ETPRO MALWARE TA451 Domain in DNS Lookup (malware.rules)
  • 2865263 - ETPRO MALWARE TA451 Domain in DNS Lookup (malware.rules)
  • 2865264 - ETPRO MALWARE TA451 Domain in DNS Lookup (malware.rules)
  • 2865265 - ETPRO MALWARE TA451 Domain in TLS SNI (malware.rules)
  • 2865266 - ETPRO MALWARE TA451 Domain in TLS SNI (malware.rules)
  • 2865267 - ETPRO MALWARE TA451 Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2011674 - ET DOS SolarWinds TFTP Server Long Write Request Denial Of Service Attempt (dos.rules)
  • 2016998 - ET MALWARE Connection to Fitsec Sinkhole IP (Possible Infected Host) (malware.rules)
  • 2017114 - ET EXPLOIT_KIT Styx iframe with obfuscated Java version check Jul 04 2013 (exploit_kit.rules)
  • 2019727 - ET EXPLOIT_KIT NullHole EK Exploit URI Struct (exploit_kit.rules)
  • 2021737 - ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin (mobile_malware.rules)
  • 2022458 - ET MALWARE Scarlet Mimic DNS Lookup 48 (malware.rules)
  • 2022606 - ET WEB_CLIENT Generic Fake Support Phone Scam Mar 9 M2 (web_client.rules)
  • 2802006 - ETPRO EXPLOIT IBM solidDB solid.exe Authentication Bypass Little Endian 2 (exploit.rules)
  • 2803003 - ETPRO NETBIOS Microsoft SMBv2 Negative EOF Create Response Parsing Vulnerability Attack (netbios.rules)
  • 2806020 - ETPRO WEB_CLIENT Internet Explorer CMarkUP Use After Free (CVE-2013-0030) (web_client.rules)
  • 2808768 - ETPRO MALWARE Win32.Yakes.fpbx Checkin (malware.rules)
  • 2809788 - ETPRO MALWARE WORM_AUTORUN.BMC (keylogger) (malware.rules)
  • 2811450 - ETPRO MALWARE Possible Ransomware Variant .onion Proxy Domain (malware.rules)
  • 2812554 - ETPRO WEB_CLIENT CottonCastle/Niteris EK Redirector Struct Aug 20 2015 (web_client.rules)
  • 2813016 - ETPRO PHISHING Generic Unlock PDF Phish Landing Sept 14 (phishing.rules)
  • 2815216 - ETPRO MALWARE Unknown CnC Checkin (malware.rules)
  • 2816198 - ETPRO MALWARE Possible PlugX DNS Lookup (malware.rules)