Summary:
50 new OPEN, 51 new PRO (50 + 1)
Added rules:
Open:
- 2068093 - ET MALWARE Observed DNS Query to LoJax Domain (jflynci .com) (malware.rules)
- 2068094 - ET MALWARE Observed DNS Query to LoJax Domain (ikmtrust .com) (malware.rules)
- 2068095 - ET MALWARE Observed DNS Query to LoJax Domain (webstp .com) (malware.rules)
- 2068096 - ET MALWARE Observed DNS Query to LoJax Domain (secao .org) (malware.rules)
- 2068097 - ET MALWARE Observed DNS Query to LoJax Domain (remotepx .net) (malware.rules)
- 2068098 - ET MALWARE Observed DNS Query to LoJax Domain (rdsnets .com) (malware.rules)
- 2068099 - ET MALWARE Observed DNS Query to LoJax Domain (sysanalyticweb .com) (malware.rules)
- 2068100 - ET MALWARE Observed DNS Query to LoJax Domain (elaxo .org) (malware.rules)
- 2068101 - ET MALWARE Observed DNS Query to LoJax Domain (rpcnetconnect .com) (malware.rules)
- 2068102 - ET MALWARE Observed DNS Query to LoJax Domain (lxwo .org) (malware.rules)
- 2068103 - ET MALWARE Observed LoJax Domain (jflynci .com in TLS SNI) (malware.rules)
- 2068104 - ET MALWARE Observed LoJax Domain (ikmtrust .com in TLS SNI) (malware.rules)
- 2068105 - ET MALWARE Observed LoJax Domain (webstp .com in TLS SNI) (malware.rules)
- 2068106 - ET MALWARE Observed LoJax Domain (secao .org in TLS SNI) (malware.rules)
- 2068107 - ET MALWARE Observed LoJax Domain (remotepx .net in TLS SNI) (malware.rules)
- 2068108 - ET MALWARE Observed LoJax Domain (rdsnets .com in TLS SNI) (malware.rules)
- 2068109 - ET MALWARE Observed LoJax Domain (sysanalyticweb .com in TLS SNI) (malware.rules)
- 2068110 - ET MALWARE Observed LoJax Domain (elaxo .org in TLS SNI) (malware.rules)
- 2068111 - ET MALWARE Observed LoJax Domain (rpcnetconnect .com in TLS SNI) (malware.rules)
- 2068112 - ET MALWARE Observed LoJax Domain (lxwo .org in TLS SNI) (malware.rules)
- 2068113 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (picture .jeaniescottmedia .com) (malware.rules)
- 2068114 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (picture .jeaniescottmedia .com) (malware.rules)
- 2068115 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (chokepopilarvirusew .shop) (malware.rules)
- 2068116 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (chokepopilarvirusew .shop) in TLS SNI (malware.rules)
- 2068117 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (egyptnf .click) (malware.rules)
- 2068118 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (egyptnf .click) in TLS SNI (malware.rules)
- 2068119 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (familbg .club) (malware.rules)
- 2068120 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (familbg .club) in TLS SNI (malware.rules)
- 2068121 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gennods .cyou) (malware.rules)
- 2068122 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gennods .cyou) in TLS SNI (malware.rules)
- 2068123 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genusne .click) (malware.rules)
- 2068124 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genusne .click) in TLS SNI (malware.rules)
- 2068125 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lumpeem .quest) (malware.rules)
- 2068126 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (lumpeem .quest) in TLS SNI (malware.rules)
- 2068127 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbyyt .club) (malware.rules)
- 2068128 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (mobbyyt .club) in TLS SNI (malware.rules)
- 2068129 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thundut .biz) (malware.rules)
- 2068130 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (thundut .biz) in TLS SNI (malware.rules)
- 2068131 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (watchhr .biz) (malware.rules)
- 2068132 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (watchhr .biz) in TLS SNI (malware.rules)
- 2068133 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (workltt .quest) (malware.rules)
- 2068134 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (workltt .quest) in TLS SNI (malware.rules)
- 2068135 - ET INFO EasyTier Mesh VPN Domain (stun .easytier .cn) in DNS Lookup (info.rules)
- 2068136 - ET INFO EasyTier Mesh VPN Domain (stun-v6 .easytier .top) in DNS Lookup (info.rules)
- 2068137 - ET INFO EasyTier Mesh VPN Domain (public .easytier .top) in DNS Lookup (info.rules)
- 2068138 - ET INFO EasyTier Mesh VPN Domain (public .easytier .cn) in DNS Lookup (info.rules)
- 2068139 - ET INFO EasyTier Mesh VPN Domain (stun .henyuan-v6 .easytier .cn) in DNS Lookup (info.rules)
- 2068140 - ET WEB_SPECIFIC_APPS D-Link VpnConfigSetup submit-url Parameter Buffer Overflow Attempt (CVE-2026-2961) (web_specific_apps.rules)
- 2068141 - ET WEB_SPECIFIC_APPS D-Link formDateReboot submit-url Parameter Buffer Overflow Attempt (CVE-2026-2962) (web_specific_apps.rules)
- 2068142 - ET ATTACK_RESPONSE ASP.NET Web BackDoor Webshell Title Banner Observed (attack_response.rules)
Pro:
- 2866491 - ETPRO PHISHING TA453 Phish Landing Page 2026-03-09 (phishing.rules)
Modified inactive rules:
- 2002900 - ET WEB_SERVER CGI AWstats Migrate Command Attempt (web_server.rules)
- 2003675 - ET WEB_SPECIFIC_APPS PMECMS Remote Inclusion Attempt -- mod_special_index.php config pathMod (web_specific_apps.rules)
- 2003910 - ET WEB_SPECIFIC_APPS ACP3 XSS Attempt -- index.php form name (web_specific_apps.rules)
- 2008900 - ET WEB_SPECIFIC_APPS ModernBill export_batch.inc.php DIR Parameter Remote File Inclusion (web_specific_apps.rules)
- 2009129 - ET MALWARE Bifrose Response from Controller (PING PONG) (malware.rules)
- 2009313 - ET WEB_SPECIFIC_APPS WeBid ST_platforms.php include_path Parameter Remote File Inclusion (web_specific_apps.rules)
- 2010762 - ET WEB_SPECIFIC_APPS Possible Zenoss Cross Site Request Forgery UserCommand Attempt (web_specific_apps.rules)
- 2101199 - GPL WEB_SERVER Compaq Insight directory traversal (web_server.rules)