Ruleset Update Summary - 2025/12/12 - v11082

Ruleset Updates
1

Summary:

18 new OPEN, 21 new PRO (18 + 3)

Thanks @KevinRoss

Added rules:

Open:

  • 2066291 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (DfreamWave .cyou) (malware.rules)
  • 2066292 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (DfreamWave .cyou) in TLS SNI (malware.rules)
  • 2066293 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fartyfun .fun) (malware.rules)
  • 2066294 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fartyfun .fun) in TLS SNI (malware.rules)
  • 2066295 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gapi-node .io) (malware.rules)
  • 2066296 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gapi-node .io) in TLS SNI (malware.rules)
  • 2066297 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (numpersb .fun) (malware.rules)
  • 2066298 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (numpersb .fun) in TLS SNI (malware.rules)
  • 2066299 - ET MALWARE CastleLoader Malware Outbound Checkin (malware.rules)
  • 2066300 - ET WEB_SPECIFIC_APPS UTT formConfigFastDirectionW ssid Parameter Buffer Overflow Attempt (CVE-2025-14535) (web_specific_apps.rules)
  • 2066301 - ET WEB_SPECIFIC_APPS UTT formNatStaticMap NatBind Parameter Buffer Overflow Attempt (CVE-2025-14534) (web_specific_apps.rules)
  • 2066302 - ET WEB_SPECIFIC_APPS UTT formWebAuthGlobalConfig hidcontact Parameter Buffer Overflow Attempt (CVE-2025-14572) (web_specific_apps.rules)
  • 2066303 - ET WEB_SPECIFIC_APPS UTT formPdbUpConfig policyNames Parameter Command Injection Attempt (CVE-2025-13442) (web_specific_apps.rules)
  • 2066304 - ET WEB_SPECIFIC_APPS Tenda SetServerConfig Buffer Overflow Attempt (CVE-2025-11120) (web_specific_apps.rules)
  • 2066305 - ET WEB_SPECIFIC_APPS Tenda SetDevNetName mac Parameter Buffer Overflow Attempt (CVE-2025-0566) (web_specific_apps.rules)
  • 2066306 - ET MALWARE Observed StealC_V2 Payload URL (GET) (malware.rules)
  • 2066307 - ET MALWARE Observed StealC_V2 Payload URL (GET) (malware.rules)
  • 2066308 - ET MALWARE Observed StealC_V2 Payload URL (GET) (malware.rules)

Pro:

  • 2865358 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865359 - ETPRO PHISHING UNK_NeedleSalt Redirect Activity (set) (phishing.rules)
  • 2865360 - ETPRO PHISHING UNK_NeedleSalt Redirect Activity (phishing.rules)

Modified inactive rules:

  • 2000580 - ET ADWARE_PUP Shop At Home Select.com Install Attempt (adware_pup.rules)
  • 2003518 - ET EXPLOIT Computer Associates Brightstor ARCServe Backup Mediasvr.exe Remote Exploit (exploit.rules)
  • 2003739 - ET WEB_SPECIFIC_APPS Yaap Remote Inclusion Attempt – common.php root_path (web_specific_apps.rules)
  • 2007864 - ET MALWARE Banload HTTP Checkin Detected (malware.rules)
  • 2009592 - ET WEB_SPECIFIC_APPS Citrix XenCenterWeb forcesd.php XSS attempt (web_specific_apps.rules)
  • 2011188 - ET USER_AGENTS Nine Ball User-Agent Detected (NQX315) (user_agents.rules)
  • 2013410 - ET POLICY Outbound MSSQL Connection to Standard port (1433) (policy.rules)
  • 2014135 - ET RETIRED Zeus/Reveton checkin to /images.rar (retired.rules)
  • 2017894 - ET EXPLOIT_KIT DotkaChef Payload Dec 20 2013 (exploit_kit.rules)
  • 2019417 - ET CURRENT_EVENTS excessive fatal alerts (possible POODLE attack against client) (current_events.rules)
  • 2021844 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (TorrentLocker CnC) (malware.rules)
  • 2022509 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex) (malware.rules)
  • 2024115 - ET MALWARE DeepEnd Research Ransomware CrypMIC Payment Onion Domain (malware.rules)
  • 2100423 - GPL ICMP_INFO Mobile Registration Request (icmp_info.rules)
  • 2100554 - GPL FTP MKD / possible warez site (ftp.rules)
  • 2101056 - GPL WEB_SERVER Tomcat view source attempt (web_server.rules)
  • 2800167 - ETPRO EXPLOIT CA BrightStor ARCServe Backup LGServer Arbitrary File Upload (exploit.rules)
  • 2800421 - ETPRO EXPLOIT UltraVNC VNCViewer Authenticate Buffer Overflow 2 (exploit.rules)
  • 2800730 - ETPRO EXPLOIT Trend Micro ServerProtect Crafted RPC Call CMON_NetTestConnection Buffer Overflow (exploit.rules)
  • 2801184 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x38 (exploit.rules)
  • 2803571 - ETPRO ADWARE_PUP Adware.Websearch Checkin (adware_pup.rules)
  • 2803697 - ETPRO MALWARE Backdoor.Win32.Protux.B Checkin 1 (malware.rules)
  • 2804501 - ETPRO ADWARE_PUP PAK_Generic.001 Checkin (adware_pup.rules)
  • 2806029 - ETPRO EXPLOIT ADOBE PDF zeroday 14 February (exploit.rules)
  • 2807539 - ETPRO MALWARE Trojan.Win32.VB.bzqf Checkin (malware.rules)
  • 2808249 - ETPRO MALWARE Win32/Gablrub Checkin (malware.rules)
  • 2808504 - ETPRO MALWARE Bublik.sda pastebin Request (malware.rules)
  • 2808774 - ETPRO MALWARE Win32.Sasfis Checkin (malware.rules)
  • 2809886 - ETPRO MALWARE Androm Checkin (malware.rules)
  • 2811078 - ETPRO MOBILE_MALWARE Android/Haynu.A Checkin (mobile_malware.rules)
  • 2811459 - ETPRO ADWARE_PUP Win32/Meinhudong.C Variant Checkin (adware_pup.rules)
  • 2812603 - ETPRO MALWARE Win32/Genasom.FO Malicious Redirect (malware.rules)
  • 2815063 - ETPRO MALWARE Win32/Kitkiot.A CnC Inbound (malware.rules)
  • 2815412 - ETPRO MALWARE Trojan-Ransomware Radamant Fetch Mask (malware.rules)
  • 2815996 - ETPRO MALWARE MSIL/Spy.Banker.DJ .onion Proxy Domain (malware.rules)
  • 2823046 - ETPRO MALWARE Malicious SSL Certificate Detected (Dreambot Variant) (malware.rules)
  • 2823480 - ETPRO MALWARE Zeus Panda Banker Malicious SSL Certificate Detected (malware.rules)

Disabled and modified rules:

  • 2815711 - ETPRO EXPLOIT MS16-007 Office DLL Loading RCE M02 (CVE-2016-0016) (exploit.rules)
  • 2815714 - ETPRO EXPLOIT MS16-007 Office DLL Loading RCE M05 (CVE-2016-0016) (exploit.rules)
  • 2815717 - ETPRO EXPLOIT MS16-007 Office DLL Loading RCE M08 (CVE-2016-0016) (exploit.rules)