Summary:
38 new OPEN, 55 new PRO (38 + 17)
Added rules:
Open:
- 2067114 - ET INFO Redirect to MSP360 Software Download Request M1 (info.rules)
- 2067115 - ET INFO Redirect to MSP360 Software Download Request M2 (info.rules)
- 2067116 - ET INFO Download Request for MSP360 Software (info.rules)
- 2067117 - ET INFO POST to MSP360 Backup Services (info.rules)
- 2067118 - ET INFO Remote Monitoring and Management (RMM) Tool in DNS Lookup (cloudberrylab .com) (info.rules)
- 2067119 - ET INFO Remote Monitoring and Management (RMM) Tool in TLS SNI (cloudberrylab .com) (info.rules)
- 2067120 - ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-66039) (web_specific_apps.rules)
- 2067121 - ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Virtual Agent API Authentication Bypass (CVE-2025-12420) (web_specific_apps.rules)
- 2067122 - ET WEB_SPECIFIC_APPS ServiceNow BodySnatcher Now Assist AI Agents Authentication Bypass (CVE-2025-12420) (web_specific_apps.rules)
- 2067123 - ET WEB_SPECIFIC_APPS FreePBX Authentication Bypass via Forged Authorization Header (CVE-2025-61678) (web_specific_apps.rules)
- 2067124 - ET WEB_SPECIFIC_APPS SmarterTools SmarterMail Authentication Bypass (WT-2026-0001) (web_specific_apps.rules)
- 2067125 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (peersneaps .fun) (malware.rules)
- 2067126 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (peersneaps .fun) in TLS SNI (malware.rules)
- 2067127 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (teleportfilmona .online) (malware.rules)
- 2067128 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (teleportfilmona .online) in TLS SNI (malware.rules)
- 2067129 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (worryorangeurgencyjew .site) (malware.rules)
- 2067130 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (worryorangeurgencyjew .site) in TLS SNI (malware.rules)
- 2067131 - ET MALWARE Observed ClickFix WebPage Inbound (malware.rules)
- 2067132 - ET MALWARE Observed ClickFix WebPage Inbound (malware.rules)
- 2067133 - ET EXPLOIT Redis RCE Attempt (CVE-2022-0543) M2 (exploit.rules)
- 2067134 - ET WEB_SERVER Oracle WebLogic Server Remote Code Execution via Insecure Deserialization (CVE-2020-14644) (web_server.rules)
- 2067135 - ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296) (web_specific_apps.rules)
- 2067136 - ET WEB_SPECIFIC_APPS Belkin formL2TPSetup L2TPUserName Parameter Buffer Overflow Attempt (CVE-2025-7087, CVE-2025-11294) (web_specific_apps.rules)
- 2067137 - ET WEB_SPECIFIC_APPS Belkin formPPPoESetup pppUserName Parameter Buffer Overflow Attempt (CVE-2025-7088, CVE-2025-11295) (web_specific_apps.rules)
- 2067138 - ET WEB_SPECIFIC_APPS Belkin formWanTcpipSetup pppUserName Parameter Buffer Overflow Attempt (CVE-2025-7089, CVE-2025-11299) (web_specific_apps.rules)
- 2067139 - ET WEB_SPECIFIC_APPS D-Link sylogapply syslogIp Parameter Command Injection Attempt (CVE-2018-17064) (web_specific_apps.rules)
- 2067140 - ET WEB_SPECIFIC_APPS D-Link wirelessApcli/wirelessApcli_5g Multiple Parameters Buffer Overflow Attempt (2025-5622) (web_specific_apps.rules)
- 2067141 - ET WEB_SPECIFIC_APPS D-Link qosClassifier Multiple Parameters Buffer Overflow Attempt (CVE-2025-5623) (web_specific_apps.rules)
- 2067142 - ET WEB_SPECIFIC_APPS D-Link form2IPQoSTcAdd Multiple Parameters Buffer Overflow Attempt (CVE-2024-13106) (web_specific_apps.rules)
- 2067143 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (heismanscholarship .com) (exploit_kit.rules)
- 2067144 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (heismanscholarship .com) (exploit_kit.rules)
- 2067145 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (trebblay .com) (exploit_kit.rules)
- 2067146 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (trebblay .com) (exploit_kit.rules)
- 2067147 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (special .blainrealtor .net) (malware.rules)
- 2067148 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (special .blainrealtor .net) (malware.rules)
- 2067149 - ET MALWARE Observed DNS Query to MaskGramStealer Domain (mosslotus2020 .shop) (malware.rules)
- 2067150 - ET MALWARE Observed MaskGramStealer Domain (mosslotus2020 .shop in TLS SNI) (malware.rules)
- 2067151 - ET MALWARE GET Request to Known Payload Delivery Host (Multiple Stealers) (malware.rules)
Pro:
- 2865825 - ETPRO MALWARE Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2865826 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2865827 - ETPRO MALWARE Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2865828 - ETPRO MALWARE Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2865829 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2865830 - ETPRO MALWARE Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2865831 - ETPRO MALWARE Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2865832 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2865833 - ETPRO EXPLOIT Microsoft Office Security Feature Bypass M1 (CVE-2026-21509) (exploit.rules)
- 2865834 - ETPRO EXPLOIT Microsoft Office Security Feature Bypass M2 (CVE-2026-21509) (exploit.rules)
- 2865835 - ETPRO EXPLOIT Schneider Electric C-Bus Toolkit Arbitrary File Delete Attempt (CVE-2023-5399) (exploit.rules)
- 2865836 - ETPRO EXPLOIT Juniper Junos OS EX Series and SRX Series PHP External Variable Modification Attempt (CVE-2023-36845) (exploit.rules)
- 2865837 - ETPRO EXPLOIT Advantech WebAccess webvrpcs Service Directory Traversal (CVE-2017-16720) (exploit.rules)
- 2865838 - ETPRO MALWARE Observed DNS Query to ClickFix Domain (malware.rules)
- 2865839 - ETPRO MALWARE Observed ClickFix Domain in TLS SNI (malware.rules)
- 2865840 - ETPRO EXPLOIT_KIT Observed DNS Query to Compromised Domain Hosting ClickFix (exploit_kit.rules)
- 2865841 - ETPRO EXPLOIT_KIT Observed Compromised Domain Hosting ClickFix in TLS SNI (exploit_kit.rules)