Ruleset Update Summary - 2026/01/06 - v11097

Ruleset Updates
1

Summary:

16 new OPEN, 16 new PRO (16 + 0)

Thanks @malware_traffic

Added rules:

Open:

  • 2066591 - ET PHISHING GhostFrame Landing Page Loader Request 2026-01-05 (phishing.rules)
  • 2066592 - ET PHISHING GhostFrame Phish Landing Page M1 2026-01-06 (phishing.rules)
  • 2066593 - ET PHISHING GhostFrame Request for Blob 2026-01-05 (phishing.rules)
  • 2066594 - ET PHISHING GhostFrame Phish Landing Page M2 2026-01-05 (phishing.rules)
  • 2066595 - ET PHISHING GhostFrame Phish Server Checkin M1 (phishing.rules)
  • 2066596 - ET PHISHING GhostFrame Phish Server Checkin M2 (phishing.rules)
  • 2066597 - ET PHISHING GhostFrame Phish Landing Page M3 2026-01-05 (phishing.rules)
  • 2066598 - ET WEB_SPECIFIC_APPS EnGenius diag_ping pings Parameter Command Injection Attempt (CVE-2024-45242) (web_specific_apps.rules)
  • 2066599 - ET EXPLOIT RAR File Directory Traversal Inbound (CVE-2025-6218) (exploit.rules)
  • 2066600 - ET EXPLOIT RAR File Directory Traversal Upload (CVE-2025-6218) (exploit.rules)
  • 2066601 - ET WEB_SPECIFIC_APPS Victure Dual_freq_un_apple Multiple Parameters Command Injection Attempt (CVE-2024-53939) (web_specific_apps.rules)
  • 2066602 - ET WEB_SPECIFIC_APPS Victure admin domain Parameter Command Injection Attempt (CVE-2025-53940) (web_specific_apps.rules)
  • 2066603 - ET WEB_SPECIFIC_APPS Tuoshi set_online check_ip Parameter Command Injection Attempt (CVE-2024-53944) (web_specific_apps.rules)
  • 2066604 - ET WEB_SPECIFIC_APPS Tuoshi set_timesetting ntpserver Parameter Command Injection Attempt (CVE-2024-43989) (web_specific_apps.rules)
  • 2066605 - ET WEB_SPECIFIC_APPS NRADIO radio ssid_g1_wlan Parameter Command Injection Attempt (CVE-2024-53942) (web_specific_apps.rules)
  • 2066606 - ET MALWARE Lumma Stealer Victim Fingerprinting Activity (malware.rules)

Modified inactive rules:

  • 2002898 - ET WEB_SPECIFIC_APPS PHP Web Calendar Remote File Inclusion Attempt (web_specific_apps.rules)
  • 2007700 - ET MALWARE ExplorerHijack Trojan HTTP Checkin (malware.rules)
  • 2009351 - ET MALWARE Urlzone/Bebloh Communication with Controller (malware.rules)
  • 2009757 - ET WEB_SPECIFIC_APPS Clickheat Cache.php mosConfig_absolute_path Remote File Inclusion (web_specific_apps.rules)
  • 2010723 - ET MALWARE Oficla Russian Malware Bundle C&C instruction response with runurl (malware.rules)
  • 2015690 - ET EXPLOIT_KIT NeoSploit - Obfuscated Payload Requested (exploit_kit.rules)
  • 2101327 - GPL EXPLOIT ssh CRC32 overflow (exploit.rules)
  • 2103145 - GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt (netbios.rules)
  • 2800177 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 6 (exploit.rules)
  • 2800431 - ETPRO SQL MySQL XML Functions Scalar XPath Denial of Service (sql.rules)
  • 2800740 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Media Server SUN-RPC Procedure 191 Code Execution (Published Exploit) (exploit.rules)
  • 2800866 - ETPRO SQL IBM Informix Dynamic Server oninit.exe EXPLAIN Stack Buffer Overflow (sql.rules)
  • 2801194 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x35 (exploit.rules)
  • 2803274 - ETPRO MALWARE Common Downloader Header Pattern UH (malware.rules)
  • 2803432 - ETPRO ADWARE_PUP Adware Torangcomz or Related Install Checkin (adware_pup.rules)
  • 2804033 - ETPRO MALWARE Win32/Bancos.DV Reporting via SMTP 4 (malware.rules)
  • 2804185 - ETPRO MALWARE Win32/Dluca.AN Checkin (malware.rules)
  • 2804659 - ETPRO MALWARE Variant.Graftor.8567 Checkin (malware.rules)