Ruleset Update Summary - 2025/12/04 - v11076

Ruleset Updates
1

Summary:

20 new OPEN, 20 new PRO (20 + 0)

Added rules:

Open:

  • 2066009 - ET INFO Network Tunneling Service in DNS Lookup (tunnl .gg) (info.rules)
  • 2066010 - ET INFO Observed Network Tunneling Service Domain (tunnl .gg) in TLS SNI (info.rules)
  • 2066011 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in DNS Lookup (tdsworkout .com) (exploit_kit.rules)
  • 2066012 - ET EXPLOIT_KIT Malicious TA2726 TDS Domain in TLS SNI (tdsworkout .com) (exploit_kit.rules)
  • 2066013 - ET INFO Network Tunneling Service in DNS Lookup (zrok .io) (info.rules)
  • 2066014 - ET INFO Network Tunneling Service in DNS Lookup (ssh-j .com) (info.rules)
  • 2066015 - ET INFO Network Tunneling Service in DNS Lookup (bore .pub) (info.rules)
  • 2066016 - ET INFO Network Tunneling Service in DNS Lookup (telebit .io) (info.rules)
  • 2066017 - ET INFO Network Tunneling Service in DNS Lookup (sharedwithexpose .com) (info.rules)
  • 2066018 - ET INFO Network Tunneling Service in DNS Lookup (tunnel .pyjam .as) (info.rules)
  • 2066019 - ET INFO Observed Networking Tunneling Service (zrok .io) in TLS SNI (info.rules)
  • 2066020 - ET INFO Observed Networking Tunneling Service (ssh-j .com) in TLS SNI (info.rules)
  • 2066021 - ET INFO Observed Networking Tunneling Service (bore .pub) in TLS SNI (info.rules)
  • 2066022 - ET INFO Observed Networking Tunneling Service (telebit .io) in TLS SNI (info.rules)
  • 2066023 - ET INFO Observed Networking Tunneling Service (sharedwithexpose .com) in TLS SNI (info.rules)
  • 2066024 - ET INFO Observed Networking Tunneling Service (tunnel .pyjam .as) in TLS SNI (info.rules)
  • 2066025 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (hobmjoi .click) (malware.rules)
  • 2066026 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (hobmjoi .click) in TLS SNI (malware.rules)
  • 2066027 - ET WEB_SPECIFIC_APPS React Server Components React2Shell Unsafe Flight Protocol Property Traversal (CVE-2025-55182) (web_specific_apps.rules)
  • 2066028 - ET WEB_SPECIFIC_APPS Vite RSC React2Shell Unsafe Flight Protocol Property Traversal (CVE-2025-55182) (web_specific_apps.rules)

Modified inactive rules:

  • 2001217 - ET EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte (exploit.rules)
  • 2001407 - ET POLICY hidden zip extension .pif (policy.rules)
  • 2001744 - ET ADWARE_PUP Searchmiracle.com Spyware Install (install) (adware_pup.rules)
  • 2002769 - ET ADWARE_PUP Corpsespyware.net Distribution - studiolacase (adware_pup.rules)
  • 2003412 - ET EXPLOIT Solaris telnet USER environment vuln Attack outbound (exploit.rules)
  • 2007686 - ET MALWARE E-Jihad 3.0 DDoS HTTP Activity OUTBOUND (malware.rules)
  • 2009694 - ET MALWARE Navipromo related update (malware.rules)
  • 2012543 - ET ACTIVEX RealPlayer CDDA URI Overflow Uninitialized Pointer Attempt (activex.rules)
  • 2013192 - ET WEB_CLIENT cssminibar.js Injected Script Served by Local WebServer (web_client.rules)
  • 2013686 - ET MALWARE ZeroAccess/Max++ Rootkit C&C Activity 2 (malware.rules)
  • 2017115 - ET EXPLOIT_KIT Sweet Orange applet July 08 2013 (exploit_kit.rules)
  • 2017628 - ET MALWARE Possible Sakura Jar Download Oct 22 2013 (malware.rules)
  • 2017629 - ET CURRENT_EVENTS FlashPack Oct 23 2013 (current_events.rules)
  • 2020665 - ET EXPLOIT FREAK Weak Export Suite From Server (CVE-2015-0204) (exploit.rules)
  • 2021738 - ET MOBILE_MALWARE Trojan.iPhoneOS.KeyRaider Checkin 2 (mobile_malware.rules)
  • 2022459 - ET MALWARE Scarlet Mimic DNS Lookup 49 (malware.rules)
  • 2022960 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Ixeshe CnC) (malware.rules)
  • 2100417 - GPL ICMP_INFO Information Request (icmp_info.rules)
  • 2800159 - ETPRO EXPLOIT CA ARCserve Backup for Laptops and Desktops LGServer Multiple Buffer Overflows 6 (exploit.rules)
  • 2800414 - ETPRO EXPLOIT Fujitsu SystemcastWizard Lite PXEService UDP Handling Buffer Overflow (exploit.rules)
  • 2801298 - ETPRO MALWARE Generic Proxy Bot Checkin 2 (malware.rules)
  • 2802008 - ETPRO EXPLOIT IBM solidDB solid.exe Authentication Bypass Big Endian 1 (exploit.rules)
  • 2803891 - ETPRO MALWARE TrojanSpy.Win32/Banker.AAX Checkin (malware.rules)
  • 2804021 - ETPRO MALWARE Win32/Tibia.AB Checkin (malware.rules)
  • 2805104 - ETPRO MALWARE Win32/Malagent Checkin (malware.rules)
  • 2807030 - ETPRO MALWARE TrojanDropper.Agent.axkq Response 1 (malware.rules)
  • 2807532 - ETPRO MALWARE W32/Banker.YNL!tr.spy sending info about infection via SMTP (malware.rules)
  • 2808385 - ETPRO MALWARE Win32.Xema Checkin (malware.rules)
  • 2808769 - ETPRO MALWARE Backdoor.Win32.Androm Requesting payload 2 (malware.rules)
  • 2808897 - ETPRO MOBILE_MALWARE AndroidOS.Ifacefone.A Checkin (mobile_malware.rules)
  • 2809789 - ETPRO MALWARE WORM_AUTORUN.BMC (Screen) (malware.rules)
  • 2812555 - ETPRO WEB_CLIENT CottonCastle/Niteris EK Redirector Struct Aug 20 2015 (web_client.rules)
  • 2815604 - ETPRO MALWARE Inexsmar/Darkhotel Stage1 Checkin (malware.rules)
  • 2815827 - ETPRO MALWARE PadCrypt CnC Checkin (malware.rules)
  • 2816199 - ETPRO MALWARE Possible PlugX DNS Lookup (malware.rules)
  • 2820179 - ETPRO MALWARE CryptXXX Possible Payment Page (malware.rules)
  • 2820396 - ETPRO MALWARE Helminth Checkin (malware.rules)