Ruleset Update Summary - 2026/03/18 - v11151

Summary:

19 new OPEN, 30 new PRO (19 + 11)
Added rules:

Open:

  • 2068315 - ET INFO Proxy Service Domain in DNS Lookup (proxyjet .io) (info.rules)
  • 2068316 - ET INFO Proxy Service Domain in TLS SNI (proxyjet .io) (info.rules)
  • 2068317 - ET WEB_SPECIFIC_APPS BMC FootPrints SEC_TOKEN Extraction Authentication Bypass Attempted (CVE-2025-71257) (web_specific_apps.rules)
  • 2068318 - ET WEB_SPECIFIC_APPS BMC FootPrints searchWeb url parameter SSRF (CVE-2025-21758) (web_specific_apps.rules)
  • 2068319 - ET WEB_SPECIFIC_APPS BMC FootPrints RSS feedUrl parameter SSRF (CVE-2025-21759) (web_specific_apps.rules)
  • 2068320 - ET WEB_SPECIFIC_APPS BMC FootPrints aspnetconfig __VIEWSTATE Parameter Unsafe Deserialization Remote Code Execution Attempt (CVE-2025-21760) (web_specific_apps.rules)
  • 2068321 - ET INFO DYNAMIC_DNS Query to a *.ovie .gob .mx domain (info.rules)
  • 2068322 - ET INFO DYNAMIC_DNS HTTP Request to a *.ovie .gob .mx domain (info.rules)
  • 2068323 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (battloeaxes .digital) (malware.rules)
  • 2068324 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (battloeaxes .digital) in TLS SNI (malware.rules)
  • 2068325 - ET HUNTING 302 Redirect to Microsoft Edge Browser (hunting.rules)
  • 2068326 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (wedbrty .top) (exploit_kit.rules)
  • 2068327 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (dist-ctroy .top) (exploit_kit.rules)
  • 2068328 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (wedbrty .top) (exploit_kit.rules)
  • 2068329 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (dist-ctroy .top) (exploit_kit.rules)
  • 2068330 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (voginc .com) (exploit_kit.rules)
  • 2068331 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (voginc .com) (exploit_kit.rules)
  • 2068332 - ET INFO Proxy Service Domain in DNS Lookup (fusionproxy .net) (info.rules)
  • 2068333 - ET INFO Proxy Service Domain in TLS SNI (fusionproxy .net) (info.rules)

Pro:

  • 2866642 - ETPRO WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40554) (web_specific_apps.rules)
  • 2866643 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866644 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2866645 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866646 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866647 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2866648 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2866649 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2866650 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2866651 - ETPRO MALWARE Observed DNS Query to UNK_VaporVibes Domain (malware.rules)
  • 2866652 - ETPRO MALWARE Observed UNK_VaporVibes Domain in TLS SNI (malware.rules)

Modified inactive rules:

  • 2018901 - ET MALWARE BITTERBUG Checkin 2 (malware.rules)
  • 2019610 - ET MALWARE Possible EITest Flash Redirect (malware.rules)
  • 2020333 - ET MALWARE MSIL/Agent.PYO Retrieving Update (malware.rules)
  • 2020895 - ET EXPLOIT_KIT Magnitude Flash Exploit (IE) M2 (exploit_kit.rules)
  • 2808784 - ETPRO MOBILE_MALWARE Android/TrojanSMS.Hippo.Q Checkin (mobile_malware.rules)
  • 2809318 - ETPRO MALWARE Win32/Chanitor.A .onion Proxy domain lookup (malware.rules)