Ruleset Update Summary - 2026/01/12 - v11101

Summary:

38 new OPEN, 58 new PRO (38 + 20)


Added rules:

Open:

  • 2066676 - ET WEB_SPECIFIC_APPS Totolink exportOvpn user Parameter Command Injection Attempt (web_specific_apps.rules)
  • 2066677 - ET WEB_SPECIFIC_APPS UTT formPictureUrl importpictureurl Parameter Buffer Overflow Attempt (CVE-2026-0841) (web_specific_apps.rules)
  • 2066678 - ET WEB_SPECIFIC_APPS UTT formConfigNoticeConfig timestart Parameter Buffer Overflow Attempt (CVE-2026-0840) (web_specific_apps.rules)
  • 2066679 - ET WEB_SPECIFIC_APPS UTT APSecurity wepkey1 Parameter Buffer Overflow Attempt (CVE-2026-0839) (web_specific_apps.rules)
  • 2066680 - ET WEB_SPECIFIC_APPS UTT ConfigWirelessBase ssid Parameter Buffer Overflow Attempt (CVE-2026-0838) (web_specific_apps.rules)
  • 2066681 - ET WEB_SPECIFIC_APPS UTT formFireWall GroupName Parameter Buffer Overflow Attempt (CVE-2026-0837) (web_specific_apps.rules)
  • 2066682 - ET WEB_SPECIFIC_APPS UTT formRemoteControl Profile Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2066683 - ET WEB_SPECIFIC_APPS UTT formConfigCliForEngineerOnly addCommand Parameter Buffer Overflow Attempt (web_specific_apps.rules)
  • 2066684 - ET MALWARE 123Stealer Obfuscated CnC Exfil (POST) M1 (malware.rules)
  • 2066685 - ET MALWARE 123Stealer Victim CnC Checkin (POST) (malware.rules)
  • 2066686 - ET MALWARE GhostPenguin C2 Beacon Observed (malware.rules)
  • 2066687 - ET MALWARE 123Stealer Victim CnC Checkin (GET) (malware.rules)
  • 2066688 - ET MALWARE 123Stealer CnC Command Inbound (Ping) (malware.rules)
  • 2066689 - ET ATTACK_RESPONSE 123Stealer Payload Inbound (attack_response.rules)
  • 2066690 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mirelvse .cyou) (malware.rules)
  • 2066691 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mirelvse .cyou) in TLS SNI (malware.rules)
  • 2066692 - ET INFO DYNAMIC_DNS Query to a *.your .my .id domain (info.rules)
  • 2066693 - ET INFO DYNAMIC_DNS HTTP Request to a *.your .my .id domain (info.rules)
  • 2066694 - ET INFO DYNAMIC_DNS Query to a *.edbtraining .com .au domain (info.rules)
  • 2066695 - ET INFO DYNAMIC_DNS HTTP Request to a *.edbtraining .com .au domain (info.rules)
  • 2066696 - ET INFO DYNAMIC_DNS Query to a *.eminescusm .ro domain (info.rules)
  • 2066697 - ET INFO DYNAMIC_DNS HTTP Request to a *.eminescusm .ro domain (info.rules)
  • 2066698 - ET INFO DYNAMIC_DNS Query to a *.chem101 .com domain (info.rules)
  • 2066699 - ET INFO DYNAMIC_DNS HTTP Request to a *.chem101 .com domain (info.rules)
  • 2066700 - ET INFO DYNAMIC_DNS Query to a *.railway .web .id domain (info.rules)
  • 2066701 - ET INFO DYNAMIC_DNS HTTP Request to a *.railway .web .id domain (info.rules)
  • 2066702 - ET INFO DYNAMIC_DNS Query to a *.generaloweb .com domain (info.rules)
  • 2066703 - ET INFO DYNAMIC_DNS HTTP Request to a *.generaloweb .com domain (info.rules)
  • 2066704 - ET INFO DYNAMIC_DNS Query to a *.xn--72cg7bdd3bro6b3ab9c8btw4x .com domain (info.rules)
  • 2066705 - ET INFO DYNAMIC_DNS HTTP Request to a *.xn--72cg7bdd3bro6b3ab9c8btw4x .com domain (info.rules)
  • 2066706 - ET INFO DYNAMIC_DNS Query to a *.2bd .net domain (info.rules)
  • 2066707 - ET INFO DYNAMIC_DNS HTTP Request to a *.2bd .net domain (info.rules)
  • 2066708 - ET INFO DYNAMIC_DNS Query to a *.jo3 .org domain (info.rules)
  • 2066709 - ET INFO DYNAMIC_DNS HTTP Request to a *.jo3 .org domain (info.rules)
  • 2066710 - ET INFO DYNAMIC_DNS Query to a *.anjumanallana .in domain (info.rules)
  • 2066711 - ET INFO DYNAMIC_DNS HTTP Request to a *.anjumanallana .in domain (info.rules)
  • 2066712 - ET INFO DYNAMIC_DNS Query to a *.baumgardner .us domain (info.rules)
  • 2066713 - ET INFO DYNAMIC_DNS HTTP Request to a *.baumgardner .us domain (info.rules)

Pro:

  • 2865594 - ETPRO MALWARE UNK_SteadySplit CnC Connectivity Check (POST) (malware.rules)
  • 2865597 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865598 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865599 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865600 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865601 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865602 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865603 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865604 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865605 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2865606 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2865607 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2865608 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2865609 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2865610 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2865611 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2865612 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2865613 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865614 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2865615 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)

Modified inactive rules:

  • 2000005 - ET EXPLOIT Cisco Telnet Buffer Overflow (exploit.rules)
  • 2002817 - ET ADWARE_PUP DelFin Project Spyware (setup) (adware_pup.rules)
  • 2003318 - ET P2P Edonkey Get Sources Request (by hash) (p2p.rules)
  • 2003684 - ET WEB_SPECIFIC_APPS MXBB Remote Inclusion Attempt -- faq.php module_root_path (web_specific_apps.rules)
  • 2003693 - ET WEB_SPECIFIC_APPS PHPtree Remote Inclusion Attempt -- cms2.php s_dir (web_specific_apps.rules)
  • 2003905 - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form mods (web_specific_apps.rules)
  • 2003906 - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form (web_specific_apps.rules)
  • 2007657 - ET ATTACK_RESPONSE Mic22 id.php detected (attack_response.rules)
  • 2007698 - ET MALWARE Vanquish Trojan HTTP Checkin (malware.rules)
  • 2008142 - ET USER_AGENTS Vapsup User-Agent (doshowmeanad loader v2.1) (user_agents.rules)
  • 2008273 - ET MALWARE Bifrose Connect to Controller (malware.rules)
  • 2008973 - ET MALWARE onmuz.com Infection Activity (malware.rules)
  • 2008999 - ET ACTIVEX EvansFTP EvansFTP.ocx Remote Buffer Overflow (activex.rules)
  • 2009209 - ET MALWARE Rogue A/V Win32/FakeXPA GET Request (malware.rules)
  • 2009309 - ET WEB_SPECIFIC_APPS WeBid ST_browsers.php include_path Parameter Remote File Inclusion (web_specific_apps.rules)
  • 2009514 - ET MALWARE FAKE/ROGUE AV HTTP Post (malware.rules)
  • 2009759 - ET WEB_SPECIFIC_APPS Clickheat GlobalVariables.php mosConfig_absolute_path Remote File Inclusion - 1 (web_specific_apps.rules)
  • 2009760 - ET WEB_SPECIFIC_APPS Clickheat main.php mosConfig_absolute_path Parameter Remote File Inclusion -2 (web_specific_apps.rules)
  • 2010378 - ET POLICY JBOSS/JMX port 8080 access from outside (policy.rules)
  • 2010565 - ET MALWARE Bebloh C&C HTTP POST (malware.rules)
  • 2010744 - ET MALWARE Oficla Russian Malware Bundle C&C instruction response (2) (malware.rules)
  • 2011917 - ET MALWARE FAKEAV Gemini - JavaScript Redirection To Scanning Page (malware.rules)
  • 2014972 - ET CURRENT_EVENTS HeapLib JS Library (current_events.rules)
  • 2015819 - ET EXPLOIT_KIT g01pack Exploit Kit .homelinux. Landing Page (exploit_kit.rules)
  • 2015922 - ET EXPLOIT_KIT Possible Glazunov Java exploit request /9-10-/4-5-digit (exploit_kit.rules)
  • 2016065 - ET EXPLOIT_KIT Magnitude EK (formerly Popads) Embedded Open Type Font file .eot (exploit_kit.rules)
  • 2016420 - ET DNS Reply Sinkhole - German Company (dns.rules)
  • 2016421 - ET DNS Reply Sinkhole - 1and1 Internet AG (dns.rules)
  • 2017483 - ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass (exploit_kit.rules)
  • 2017484 - ET EXPLOIT_KIT Unknown EK Using Office/.Net ROP/ASLR Bypass (exploit_kit.rules)
  • 2018763 - ET MALWARE Win.Trojan.Agent-29225 Checkin (malware.rules)
  • 2019152 - ET MALWARE ABUSE.CH SSL Blacklist Malicious SSL certificate detected (KINS C2) (malware.rules)
  • 2021936 - ET MALWARE Possible PlugX DNS Lookup (operaa.net) (malware.rules)
  • 2022571 - ET MALWARE Malicious SSL certificate detected (Geodo MITM) (malware.rules)
  • 2022609 - ET MALWARE Panda Banker CnC (malware.rules)
  • 2024075 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
  • 2100469 - GPL SCAN PING NMAP (scan.rules)
  • 2100884 - GPL EXPLOIT formmail access (exploit.rules)
  • 2101821 - GPL EXPLOIT LPD dvips remote command execution attempt (exploit.rules)
  • 2800179 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 8 (exploit.rules)
  • 2800180 - ETPRO EXPLOIT CA Multiple Products DBASVR RPC Server Crafted Pointer Buffer Overflow 9 (exploit.rules)
  • 2800433 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express Backup Heap Corruption 1 (exploit.rules)
  • 2800434 - ETPRO EXPLOIT IBM Tivoli Storage Manager Express Backup Heap Corruption 2 (exploit.rules)
  • 2800742 - ETPRO EXPLOIT Symantec pcAnywhere Buffer Overflow (exploit.rules)
  • 2800743 - ETPRO ACTIVEX Microsoft Internet Explorer daxctle.ocx KeyFrame Method Memory Corruption (activex.rules)
  • 2801196 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x41 (exploit.rules)
  • 2801197 - ETPRO EXPLOIT Apple CUPS IPP Use-after-free Memory Corruption byte 0x42 (exploit.rules)
  • 2801866 - ETPRO MALWARE Emogen.H User-Agent Detected (malware.rules)
  • 2802898 - ETPRO MALWARE Win32/IRCBrute/Floder.ej Command Report (malware.rules)
  • 2804513 - ETPRO WEB_SERVER Microsoft SharePoint Server XSS attempt 2 (web_server.rules)
  • 2804514 - ETPRO WEB_SERVER Microsoft SharePoint Server XSS attempt 3 (web_server.rules)
  • 2804661 - ETPRO MALWARE Win32/Spy.Banker.XAG Checkin (malware.rules)
  • 2804998 - ETPRO MALWARE Trojan.Downloader.gen.h Checkin (malware.rules)
  • 2805284 - ETPRO ADWARE_PUP Win32/Pelfpoi.M Checkin (adware_pup.rules)
  • 2808403 - ETPRO MALWARE Win32/PowerLoader.B Checkin response (malware.rules)
  • 2808652 - ETPRO MALWARE TROJAN-DROPPER.WIN32.DINWOD.SIL Checkin (malware.rules)
  • 2816215 - ETPRO MOBILE_MALWARE Android.Monitor.SilentTracker.B Checkin (mobile_malware.rules)
  • 2820841 - ETPRO EXPLOIT_KIT SunDown EK Landing June 21 2016 M1 (exploit_kit.rules)
  • 2823705 - ETPRO MALWARE Observed Malicious SSL Cert (FlokiBot CnC) (malware.rules)
  • 2824113 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.cc Checkin (mobile_malware.rules)

Removed rules:

  • 2865594 - ETPRO HUNTING ToneShell CnC Connectivity Check (POST) (hunting.rules)