Ruleset Update Summary - 2026/03/03 - v11138

Ruleset Updates
1

Summary:

32 new OPEN, 46 new PRO (32 + 14)

Added rules:

Open:

  • 2067969 - ET INFO DYNAMIC_DNS Query to a *.posambient .com domain (info.rules)
  • 2067970 - ET INFO DYNAMIC_DNS HTTP Request to a *.posambient .com domain (info.rules)
  • 2067971 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (achandograca .com) (exploit_kit.rules)
  • 2067972 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (foodgefy .com) (exploit_kit.rules)
  • 2067973 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (medipeads .com) (exploit_kit.rules)
  • 2067974 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (nicorica .com) (exploit_kit.rules)
  • 2067975 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (stgbran .com) (exploit_kit.rules)
  • 2067976 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (wuliaox .com) (exploit_kit.rules)
  • 2067977 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (achandograca .com) (exploit_kit.rules)
  • 2067978 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (foodgefy .com) (exploit_kit.rules)
  • 2067979 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (medipeads .com) (exploit_kit.rules)
  • 2067980 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (nicorica .com) (exploit_kit.rules)
  • 2067981 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (stgbran .com) (exploit_kit.rules)
  • 2067982 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (wuliaox .com) (exploit_kit.rules)
  • 2067983 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (eshleytrei .top) (exploit_kit.rules)
  • 2067984 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (nonserest .top) (exploit_kit.rules)
  • 2067985 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (eshleytrei .top) (exploit_kit.rules)
  • 2067986 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (nonserest .top) (exploit_kit.rules)
  • 2067987 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (customer .grovecityroofing .com) (malware.rules)
  • 2067988 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (devel .reputationreviews .org) (malware.rules)
  • 2067989 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (feedback .grovecitypestcontrol .com) (malware.rules)
  • 2067990 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .grovecityshoplocal .com) (malware.rules)
  • 2067991 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (my .homesforsalegrovecityohio .com) (malware.rules)
  • 2067992 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (customer .grovecityroofing .com) (malware.rules)
  • 2067993 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (devel .reputationreviews .org) (malware.rules)
  • 2067994 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (feedback .grovecitypestcontrol .com) (malware.rules)
  • 2067995 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .grovecityshoplocal .com) (malware.rules)
  • 2067996 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (my .homesforsalegrovecityohio .com) (malware.rules)
  • 2067997 - ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M1 (web_specific_apps.rules)
  • 2067998 - ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M2 (web_specific_apps.rules)
  • 2067999 - ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M3 (web_specific_apps.rules)
  • 2068000 - ET WEB_SPECIFIC_APPS Juniper PTX Series On-Box Anomaly Detection Framwork Command Injection Attempt (CVE-2026-21902) M4 (web_specific_apps.rules)

Pro:

  • 2866411 - ETPRO EXPLOIT Microsoft Windows LNK File UI Misrepresentation Remote Code Execution (CVE-2025-9491) M1 (exploit.rules)
  • 2866412 - ETPRO EXPLOIT Microsoft Windows LNK File UI Misrepresentation Remote Code Execution (CVE-2025-9491) M2 (exploit.rules)
  • 2866413 - ETPRO WEB_SPECIFIC_APPS SolarWinds WebHelpDesk Authentication Bypass (CVE-2025-40552) (web_specific_apps.rules)
  • 2866414 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866415 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866416 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866417 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866418 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866419 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866420 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866421 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866422 - ETPRO PHISHING TA4903 Domain in DNS Lookup (phishing.rules)
  • 2866423 - ETPRO PHISHING TA4903 Domain in TLS SNI (phishing.rules)
  • 2866424 - ETPRO WEB_SPECIFIC_APPS SolarWinds WebHelpDesk Remote Code Execution (CVE-2025-40553) (web_specific_apps.rules)