Ruleset Update Summary - 2026/01/08 - v11099

Summary:

17 new OPEN, 19 new PRO (17 + 2)


Added rules:

Open:

  • 2066619 - ET ADWARE_PUP Installer Analytics Checkin (POST) (adware_pup.rules)
  • 2066620 - ET USER_AGENTS Installer Analytics User Agent (AdvinstAnalytics) (user_agents.rules)
  • 2066621 - ET WEB_SPECIFIC_APPS Roundcube Webmail Cross-Site Scripting (CVE-2024-42009) (web_specific_apps.rules)
  • 2066622 - ET EXPLOIT Roundcube XSS via SVG Animate Attributes (CVE-2024-37383) (exploit.rules)
  • 2066623 - ET MALWARE MaskGramStealer CnC initial Victim Checkin (malware.rules)
  • 2066624 - ET WEB_SPECIFIC_APPS GL-iNet install_package Command Injection Attempt (CVE-2025-67091) (web_specific_apps.rules)
  • 2066625 - ET MALWARE MaskGramStealer Host Profile Exfil (POST) (malware.rules)
  • 2066626 - ET WEB_SPECIFIC_APPS FLIR controllerFlirSystem.php dns Parameter Command Injection Attempt (CVE-2017-20216) (web_specific_apps.rules)
  • 2066627 - ET WEB_SPECIFIC_APPS FLIR dns dns Parameter Command Injection Attempt (CVE-2017-20215) (web_specific_apps.rules)
  • 2066628 - ET WEB_SPECIFIC_APPS FLIR file Parameter Arbitrary File Read Attempt (CVE-2017-20212) (web_specific_apps.rules)
  • 2066629 - ET MALWARE MaskGramStealer Host Running Processes Exfil (POST) (malware.rules)
  • 2066630 - ET MALWARE MaskGramStealer Host Installed Applications List Exfil (POST) (malware.rules)
  • 2066631 - ET MALWARE MaskGramStealer Host Screenshot Exfil (POST) (malware.rules)
  • 2066632 - ET WEB_SPECIFIC_APPS Kuwfi formMultiApnSetting pincode Parameter Command Injection Attempt M1 (CVE-2024-53945) (web_specific_apps.rules)
  • 2066633 - ET MALWARE Observed DNS Query to MaskGramStealer Domain (morozmyau-658 .cfd) (malware.rules)
  • 2066634 - ET WEB_SPECIFIC_APPS Kuwfi atCmd cmds Parameter Command Injection Attempt M2 (CVE-2024-53945) (web_specific_apps.rules)
  • 2066635 - ET MALWARE Observed MaskGramStealer Domain (morozmyau-658 .cfd in TLS SNI) (malware.rules)

Pro:

  • 2865476 - ETPRO PHISHING Observed Generic Phish Landing Page Inbound (phishing.rules)
  • 2865595 - ETPRO EXPLOIT MDaemon Email Server XSS via img Tag (CVE-2025-3929) (exploit.rules)

Modified inactive rules:

  • 2001516 - ET ADWARE_PUP Smartpops.com Spyware Install (adware_pup.rules)
  • 2002773 - ET MALWARE FSG Packed Binary via HTTP Inbound (malware.rules)
  • 2007655 - ET ATTACK_RESPONSE lila.jpg phpshell detected (attack_response.rules)
  • 2009019 - ET MALWARE VMProtect Demo version Packed Binary - Likely Hostile (malware.rules)
  • 2009053 - ET WEB_SPECIFIC_APPS MODx CMS Thumbnail.php base_path Remote File Inclusion (web_specific_apps.rules)
  • 2009307 - ET WEB_SPECIFIC_APPS WeBid cron.php include_path Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009693 - ET WEB_SPECIFIC_APPS Zen Cart Remote Code Execution (web_specific_apps.rules)
  • 2009758 - ET WEB_SPECIFIC_APPS Clickheat Clickheat_Heatmap.php mosConfig_absolute_path Remote File Inclusion (web_specific_apps.rules)
  • 2010377 - ET POLICY JBOSS/JMX port 80 access from outside (policy.rules)
  • 2010724 - ET MALWARE Oficla Russian Malware Bundle C&C instruction response (malware.rules)
  • 2011242 - ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt (exploit.rules)
  • 2015691 - ET EXPLOIT_KIT NeoSploit - PDF Exploit Requested (exploit_kit.rules)
  • 2024073 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2100375 - GPL ICMP_INFO PING LINUX/*BSD (icmp_info.rules)
  • 2800178 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 7 (exploit.rules)
  • 2800741 - ETPRO EXPLOIT CA BrightStor ARCserve Backup Media Server SUN-RPC Procedure 191 Code Execution (Published Exploit) (exploit.rules)
  • 2800867 - ETPRO ADWARE_PUP RogueAntiSpyware Spyware User Agent (adware_pup.rules)
  • 2801195 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x36 (exploit.rules)
  • 2804034 - ETPRO MALWARE Win32/Bancos.DV Reporting via SMTP 5 (malware.rules)
  • 2804512 - ETPRO WEB_SERVER Microsoft SharePoint Server XSS attempt 1 (web_server.rules)
  • 2804996 - ETPRO MALWARE Trojan-Banker.Win32.Banker.ssqw Checkin (malware.rules)
  • 2805110 - ETPRO MALWARE Trojan-Downloader.Banload Chekin (malware.rules)
  • 2823703 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)

Removed rules:

  • 2865476 - ETPRO HUNTING Observed Generic Phish Landing Page Inbound (hunting.rules)
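A change summary like this one is easiest to consume by machine when tracking which SIDs entered, moved or left the ruleset between versions. The parser below is an added example, not part of the Emerging Threats summary or any ET tooling: it assumes the layout shown above (a "N new OPEN, M new PRO (N + K)" count line, section headings ending in ":", and bullet lines of the form "SID - PREFIX CATEGORY message (file.rules)"), extracts each rule with its category, rules file and any CVE IDs, cross-checks the count line against the "Added rules" sections, and flags SIDs that appear under both "Added rules" and "Removed rules", which is how a recategorization such as 2865476 moving from hunting.rules to phishing.rules shows up. The embedded SAMPLE is constructed from a handful of the entries above, not the full page.

```python
"""Parse an ET 'Ruleset Update Summary' text and sanity-check it (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the same layout as the summary above (a subset of its entries).
SAMPLE = """\
Ruleset Update Summary - 2026/01/08 - v11099

Summary:

3 new OPEN, 4 new PRO (3 + 1)

Added rules:

Open:

  • 2066619 - ET ADWARE_PUP Installer Analytics Checkin (POST) (adware_pup.rules)
  • 2066621 - ET WEB_SPECIFIC_APPS Roundcube Webmail Cross-Site Scripting (CVE-2024-42009) (web_specific_apps.rules)
  • 2066633 - ET MALWARE Observed DNS Query to MaskGramStealer Domain (morozmyau-658 .cfd) (malware.rules)

Pro:

  • 2865476 - ETPRO PHISHING Observed Generic Phish Landing Page Inbound (phishing.rules)

Modified inactive rules:

  • 2100375 - GPL ICMP_INFO PING LINUX/*BSD (icmp_info.rules)

Removed rules:

  • 2865476 - ETPRO HUNTING Observed Generic Phish Landing Page Inbound (hunting.rules)
"""

# One bullet line: SID, ruleset prefix, category, free-text message, trailing rules file.
RULE_RE = re.compile(r"^\s*•\s*(\d+) - (ET|ETPRO|GPL) (\S+) (.+) \((\w+\.rules)\)\s*$")
# The count line: open count, total pro count, and its "(open + pro-only)" breakdown.
COUNT_RE = re.compile(r"(\d+) new OPEN, (\d+) new PRO \((\d+) \+ (\d+)\)")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass
class Rule:
    sid: int
    prefix: str        # ET, ETPRO or GPL
    category: str      # e.g. MALWARE, WEB_SPECIFIC_APPS
    msg: str
    rules_file: str
    cves: List[str]


def parse_summary(text: str) -> Dict[str, List[Rule]]:
    """Return rules keyed by section, e.g. 'Added rules/Open', 'Removed rules'."""
    sections: Dict[str, List[Rule]] = {}
    section: Optional[str] = None
    sub: Optional[str] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        # Headings end with ':'; 'Open:'/'Pro:' are subsections of the current heading.
        if stripped.endswith(":") and not stripped.startswith("•"):
            name = stripped[:-1]
            if name in ("Open", "Pro"):
                sub = name
            else:
                section, sub = name, None
            continue
        m = RULE_RE.match(line)
        if m and section:
            key = f"{section}/{sub}" if sub else section
            sid, prefix, cat, msg, rules_file = m.groups()
            sections.setdefault(key, []).append(
                Rule(int(sid), prefix, cat, msg, rules_file, CVE_RE.findall(msg)))
    return sections


def check_counts(text: str, sections: Dict[str, List[Rule]]) -> Dict[str, bool]:
    """Cross-check the count line against what was actually listed under 'Added rules'."""
    m = COUNT_RE.search(text)
    if not m:
        raise ValueError("no summary count line found")
    open_n, pro_total, pro_from_open, pro_only = map(int, m.groups())
    added_open = sections.get("Added rules/Open", [])
    added_pro = sections.get("Added rules/Pro", [])
    return {
        "open_matches": len(added_open) == open_n,
        "pro_only_matches": len(added_pro) == pro_only,
        # PRO bundles everything in OPEN plus the PRO-only rules.
        "pro_total_consistent": pro_total == pro_from_open + pro_only and pro_from_open == open_n,
    }


def recategorized_sids(sections: Dict[str, List[Rule]]) -> Dict[int, Tuple[str, str]]:
    """SIDs both removed and added in one update: (old rules file, new rules file)."""
    added = {r.sid: r for key, rules in sections.items()
             if key.startswith("Added rules") for r in rules}
    return {r.sid: (r.rules_file, added[r.sid].rules_file)
            for r in sections.get("Removed rules", []) if r.sid in added}


def cves_in_added(sections: Dict[str, List[Rule]]) -> List[str]:
    """Sorted, de-duplicated CVE IDs referenced by newly added rules."""
    return sorted({cve for key, rules in sections.items()
                   if key.startswith("Added rules") for r in rules for cve in r.cves})


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE)
    print(check_counts(SAMPLE, parsed))
    print(recategorized_sids(parsed))
    print(cves_in_added(parsed))
```

Feeding the full summary above through the same functions gives 17 entries under "Added rules/Open", 2 under "Added rules/Pro", and the single recategorization of 2865476; a mismatch between the count line and the lists is the first thing to look at when a summary has been truncated or hand-edited.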