Ruleset Update Summary - 2025/12/03 - v11075

rulesbot · December 3, 2025, 10:20pm

Summary:

16 new OPEN, 19 new PRO (16 + 3)

Added rules:

Open:

2065993 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (abqsales .com) (exploit_kit.rules)
2065994 - ET EXPLOIT_KIT LandUpdate808 Domain (abqsales .com) in TLS SNI (exploit_kit.rules)
2065995 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (dsourceva .com) (exploit_kit.rules)
2065996 - ET EXPLOIT_KIT LandUpdate808 Domain (dsourceva .com) in TLS SNI (exploit_kit.rules)
2065997 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (profyfk .click) (malware.rules)
2065998 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (profyfk .click) in TLS SNI (malware.rules)
2065999 - ET WEB_SPECIFIC_APPS MasaCMS m Tag Pre-Auth RCE via JSON API (CVE-2024-32641) (web_specific_apps.rules)
2066000 - ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.FTP Multiple Parameters Command Injection Attempt (CVE-2025-57198) (web_specific_apps.rules)
2066001 - ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.SMTP Multiple Parameters Command Injection Attempt (CVE-2025-57200) (web_specific_apps.rules)
2066002 - ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkShare Multiple Parameters Command Injection Attempt (CVE-2025-57201) (web_specific_apps.rules)
2066003 - ET WEB_SPECIFIC_APPS AvTech Config.cgi Network.NetworkFailureDetection.Address Parameter Command Injection Attempt (CVE-2025-57199) (web_specific_apps.rules)
2066004 - ET WEB_SPECIFIC_APPS AvTech PwdGrp.cgi user Parameter Cross Site Scripting Attempt (CVE-2025-57202) (web_specific_apps.rules)
2066005 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (billing .keywordmatters .com) (malware.rules)
2066006 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .succeedwithaffiliatemarketing .com) (malware.rules)
2066007 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (billing .keywordmatters .com) (malware.rules)
2066008 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .succeedwithaffiliatemarketing .com) (malware.rules)

Pro:

2865268 - ETPRO MALWARE BPFDoor Magic Packet (X) Inbound (malware.rules)
2865269 - ETPRO MALWARE BPFDoor Magic Packet (X) IPv6 Inbound (malware.rules)
2865270 - ETPRO MALWARE Win32/zgRAT CnC Checkin (malware.rules)

Modified inactive rules:

2001406 - ET POLICY Possible hidden zip extension .cpl (policy.rules)
2003411 - ET EXPLOIT Solaris telnet USER environment vuln Attack inbound (exploit.rules)
2007685 - ET MALWARE E-Jihad 3.0 HTTP Activity 3 (malware.rules)
2008879 - ET WEB_SPECIFIC_APPS Free Directory Script 1.1.1 API_HOME_DIR parameter Remote File Inclusion (web_specific_apps.rules)
2009750 - ET MALWARE Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request (malware.rules)
2010158 - ET MALWARE Nanspy Bot Checkin (malware.rules)
2011398 - ET MALWARE Yoyo-DDoS Bot Execute DDoS Command From CnC Server (malware.rules)
2011732 - ET DOS Possible VNC ClientCutText Message Denial of Service/Memory Corruption Attempt (dos.rules)
2012103 - ET EXPLOIT D-Link bsc_wlan.php Security Bypass (exploit.rules)
2013034 - ET MALWARE WebToolbar.Win32.WhenU.r Reporting (malware.rules)
2016999 - ET MALWARE Connection to Microsoft Sinkhole IP (Possbile Infected Host) (malware.rules)
2020664 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
2022959 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (H1N1 CnC) (malware.rules)
2065992 - ET WEB_SPECIFIC_APPS Western Digital username Parameter Command Injection Attempt (CVE-2016-10107) (web_specific_apps.rules)
2100418 - GPL ICMP Information Request undefined code (icmp.rules)
2102021 - GPL RPC mountd UDP unmount request (rpc.rules)
2800158 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 5 (exploit.rules)
2800413 - ETPRO EXPLOIT Oracle Secure Backup NDMP Packet Handling Multiple Memory Corruption 2 (exploit.rules)
2801297 - ETPRO MALWARE Generic Proxy Bot Checkin (malware.rules)
2801394 - ETPRO MALWARE Generic Dropper Checkin callback (malware.rules)
2802007 - ETPRO EXPLOIT IBM solidDB solid.exe Authentication Bypass Little Endian 3 (exploit.rules)
2803890 - ETPRO MALWARE Win32/Alureon.FL Checkin (malware.rules)
2804020 - ETPRO MALWARE Trojan-Downloader.Win32.Generic Install (malware.rules)
2805561 - ETPRO MALWARE W32/Banbra.AVBB!tr Checkin (malware.rules)
2805909 - ETPRO ADWARE_PUP drspyzero Checkin (adware_pup.rules)
2809295 - ETPRO MALWARE Backdoor.IRC.Azbot CnC via IRC (malware.rules)
2824320 - ETPRO WEB_CLIENT Possible Acrobat Reader JS Use After Free (CVE-2017-2958) (web_client.rules)

Topic	Replies	Views
Ruleset Update Summary - 2025/11/27 - v11072 Ruleset Updates	146	November 27, 2025
Ruleset Update Summary - 2025/11/14 - v11063 Ruleset Updates	98	November 14, 2025
Ruleset Update Summary - 2025/11/06 - v11057 Ruleset Updates	72	November 6, 2025
Ruleset Update Summary - 2025/06/10 - v10947 Ruleset Updates	127	June 10, 2025
Ruleset Update Summary - 2025/10/06 - v11033 Ruleset Updates	100	October 6, 2025

Ruleset Update Summary - 2025/12/03 - v11075

Summary:

Added rules:

Open:

Pro:

Modified inactive rules:

Related topics