Ruleset Update Summary - 2026/01/29 - v11114

Ruleset Updates
1

Summary:

10 new OPEN, 14 new PRO (10 + 4)

Added rules:

Open:

  • 2067186 - ET WEB_SERVER GNU InetUtils Authentication Bypass via USER Environment Variable (CVE-2026-24061) (web_server.rules)
  • 2067187 - ET WEB_SPECIFIC_APPS Oracle WebLogic Server Proxy Plug-in Authentication Bypass (CVE-2026-21962) (web_specific_apps.rules)
  • 2067188 - ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536) (web_specific_apps.rules)
  • 2067189 - ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Unauthenticated Remote Code Execution via Java Deserialization (CVE-2025-40551) (web_specific_apps.rules)
  • 2067190 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (tannypro .com) (exploit_kit.rules)
  • 2067191 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (tannypro .com) (exploit_kit.rules)
  • 2067192 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (sni .ptbaconsulting .com) (malware.rules)
  • 2067193 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (sni .ptbaconsulting .com) (malware.rules)
  • 2067194 - ET PHISHING CoGUI Phish Landing Page M1 2026-01-29 (phishing.rules)
  • 2067195 - ET PHISHING CoGUI Phish Landing Page M2 2026-01-29 (phishing.rules)

Pro:

  • 2865852 - ETPRO WEB_SPECIFIC_APPS Fortinet FortiCloud SAML Authentication Bypass (CVE-2026-24858) (web_specific_apps.rules)
  • 2865853 - ETPRO MALWARE Common Tycoon 2FA Fake Captcha Landing Page Title (flowbit set) (malware.rules)
  • 2865854 - ETPRO MALWARE Tycoon 2FA HTML in Fake Favicon .ico Response M1 (malware.rules)
  • 2865855 - ETPRO MALWARE Tycoon 2FA HTML in Fake Favicon .ico Response M2 (malware.rules)

Modified inactive rules:

  • 2063446 - ET PHISHING Tycoon2FA Phish Landing Page 2025-07-14 (phishing.rules)

Disabled and modified rules:

  • 2067111 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (trebblay .com) (exploit_kit.rules)
  • 2067112 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (trebblay .com) (exploit_kit.rules)
  • 2067143 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (heismanscholarship .com) (exploit_kit.rules)
  • 2067144 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (heismanscholarship .com) (exploit_kit.rules)
  • 2067145 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (trebblay .com) (exploit_kit.rules)
  • 2067146 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (trebblay .com) (exploit_kit.rules)
  • 2067147 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (special .blainrealtor .net) (malware.rules)
  • 2067148 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (special .blainrealtor .net) (malware.rules)

Removed rules:

  • 2865814 - ETPRO WEB_SERVER GNU InetUtils Authentication Bypass via USER Environment Variable (CVE-2026-24061) (web_server.rules)