Summary:
30 new OPEN, 35 new PRO (30 + 5)
Added rules:
Open:
- 2066261 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2066262 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2066263 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2066264 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2066265 - ET MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2066266 - ET PHISHING UNK_NeedleSalt Phishing Redirect (phishing.rules)
- 2066267 - ET MALWARE Win32/TA569 Gholoader CnC Domain in DNS Lookup (app .enzirt .com) (malware.rules)
- 2066268 - ET MALWARE Win32/TA569 Gholoader CnC Domain in TLS SNI (app .enzirt .com) (malware.rules)
- 2066269 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (wwexp .com) (exploit_kit.rules)
- 2066270 - ET EXPLOIT_KIT LandUpdate808 Domain (wwexp .com) in TLS SNI (exploit_kit.rules)
- 2066271 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discoverymaidykew .shop) (malware.rules)
- 2066272 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discoverymaidykew .shop) in TLS SNI (malware.rules)
- 2066273 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (downind .cyou) (malware.rules)
- 2066274 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (downind .cyou) in TLS SNI (malware.rules)
- 2066275 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (harshnz .cyou) (malware.rules)
- 2066276 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (harshnz .cyou) in TLS SNI (malware.rules)
- 2066277 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (huddles .cyou) (malware.rules)
- 2066278 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (huddles .cyou) in TLS SNI (malware.rules)
- 2066279 - ET WEB_SPECIFIC_APPS Vaultwarden Escalation of Privilege via OrgHeaders Variable Confusion (CVE-2025-24365) (web_specific_apps.rules)
- 2066280 - ET MALWARE StealC_V2 CnC Activity (POST) (malware.rules)
- 2066281 - ET WEB_SPECIFIC_APPS HPE Intelligent Management Center UrlAccessController Authentication Bypass (CVE 2017-5791) (web_specific_apps.rules)
- 2066282 - ET WEB_SPECIFIC_APPS Fortinet FortiWeb OS Command Injection (CVE-2025-58034) (web_specific_apps.rules)
- 2066283 - ET WEB_SPECIFIC_APPS Zoho ManageEngine Password Manager Pro SQL Injection (CVE-2022-40300) (web_specific_apps.rules)
- 2066284 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager addMailServerSettings SQL Injection (CVE-2018-18949) M1 (web_specific_apps.rules)
- 2066285 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager addMailServerSettings SQL Injection (CVE-2018-18949) M2 (web_specific_apps.rules)
- 2066286 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager getGraphData SQL Injection (CVE-2018-20173) (web_specific_apps.rules)
- 2066287 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager setManaged SQL Injection (CVE-2018-17283) (web_specific_apps.rules)
- 2066288 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager getReportData SQL Injection (CVE-2021-41288) (web_specific_apps.rules)
- 2066289 - ET WEB_SPECIFIC_APPS Zoho ManageEngine OpManager getObjectData Insecure Deserialization RCE (CVE-2023-31099) (web_specific_apps.rules)
- 2066290 - ET WEB_SERVER Kubernetes NodeLogQuery Command Injection (CVE-2024-9042) (web_server.rules)
Pro:
- 2865324 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
- 2865325 - ETPRO PHISHING Observed UNK_NeedleSalt Domain in TLS SNI (phishing.rules)
- 2865355 - ETPRO PHISHING UNK_ArmyDrive Domain in DNS Lookup (phishing.rules)
- 2865356 - ETPRO PHISHING UNK_ArmyDrive Domain in TLS SNI (phishing.rules)
- 2865357 - ETPRO PHISHING Tycoon 2FA Fake Captcha Check (phishing.rules)
Modified inactive rules:
- 2001297 - ET P2P eDonkey File Status Request (p2p.rules)
- 2001460 - ET ADWARE_PUP Sexmaniack Install Tracking (adware_pup.rules)
- 2003379 - ET EXPLOIT Computer Associates BrightStor ARCserve Backup for Laptops LGServer.exe DoS (exploit.rules)
- 2003921 - ET WEB_SPECIFIC_APPS DVDdb XSS Attempt – listmovies.php s (web_specific_apps.rules)
- 2007758 - ET USER_AGENTS Eldorado.BHO User-Agent Detected (netcfg) (user_agents.rules)
- 2009591 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb console.php XSS attempt (web_specific_apps.rules)
- 2010601 - ET WEB_SPECIFIC_APPS 35mm Slide Gallery imgdir Parameter Directory Traversal Attempt (web_specific_apps.rules)
- 2012054 - ET SMTP Potential Exim HeaderX with run exploit attempt (smtp.rules)
- 2012904 - ET MOBILE_MALWARE SymbOS/SuperFairy.D Bookmarked Connection to Server (mobile_malware.rules)
- 2013041 - ET MOBILE_MALWARE DNS Query For Known Mobile Malware Control Server (searchwebmobile .com) (mobile_malware.rules)
- 2013199 - ET MALWARE Trojan/Hacktool.Sniffer Successful Install Message (malware.rules)
- 2013516 - ET MALWARE TR/Spy.Gen checkin via dns ANY query (malware.rules)
- 2017005 - ET CURRENT_EVENTS Possible Microsoft Office PNG overflow attempt invalid tEXt chunk length (current_events.rules)
- 2017248 - ET EXPLOIT_KIT PluginDetect plus Java version check (exploit_kit.rules)
- 2017368 - ET MALWARE Possible Avatar RootKit Yahoo Group Search (malware.rules)
- 2017893 - ET EXPLOIT_KIT DotkaChef Landing URI Struct (exploit_kit.rules)
- 2018506 - ET MALWARE Upatre Compromised Site hot-buys (malware.rules)
- 2018616 - ET MALWARE Win32/Sharik C2 Incoming Crafted Request (malware.rules)
- 2019416 - ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack (policy.rules)
- 2021784 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Shifu CnC) (malware.rules)
- 2021843 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
- 2022508 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
- 2024114 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
- 2100424 - GPL ICMP Mobile Registration Request undefined code (icmp.rules)
- 2100548 - GPL FTP FTP ‘MKD .’ possible warez site (ftp.rules)
- 2101236 - GPL WEB_SERVER Tomcat sourcecode view attempt 3 (web_server.rules)
- 2800166 - ETPRO EXPLOIT CA BrightStor ARCServe Backup LGServer Authentication Username Overflow (exploit.rules)
- 2800420 - ETPRO EXPLOIT UltraVNC VNCViewer Authenticate Buffer Overflow 1 (exploit.rules)
- 2801183 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x37 (exploit.rules)
- 2801302 - ETPRO MALWARE RogueSoftware.Win32.WindowsOptimizationAndSecurity Sending stolen info (malware.rules)
- 2807148 - ETPRO MALWARE Win32/Spy.Bancos.OGH Checkin (malware.rules)
- 2808773 - ETPRO MOBILE_MALWARE Android/Koler.B Checkin (mobile_malware.rules)
- 2809386 - ETPRO MALWARE PWS.Win32.Mujormel.A Reporting Infection via SMTP (malware.rules)
- 2809633 - ETPRO MALWARE Win32/ProxyChanger.EO Receiving Proxy.pac (malware.rules)
- 2811458 - ETPRO MALWARE Mikey Clickfraud Response (malware.rules)
- 2812602 - ETPRO MALWARE Win32/Genasom.FO Sending Ransom Details (malware.rules)
- 2815613 - ETPRO MOBILE_MALWARE Android/Adware.AdsWo.A Checkin 2 (mobile_malware.rules)
- 2819963 - ETPRO EXPLOIT Belkin g_n150 Password Disclosure Attempt (exploit.rules)
- 2820186 - ETPRO MOBILE_MALWARE Android Unknown Trojan Checkin (mobile_malware.rules)
- 2822222 - ETPRO MALWARE Evil Redirector to EK - Observed Malicious SSL Cert (malware.rules)
- 2825032 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)
Removed rules:
- 2865324 - ETPRO MALWARE Observed UNK_NeedleSalt Domain in TLS SNI (malware.rules)
- 2865325 - ETPRO MALWARE Observed UNK_NeedleSalt Domain in TLS SNI (malware.rules)
- 2865326 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2865327 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2865328 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2865329 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)
- 2865330 - ETPRO MALWARE Observed StealC_V2 Payload Request (GET) (malware.rules)