Summary:
17 new OPEN, 34 new PRO (17 + 17)
Added rules:
Open:
- 2068359 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (anteria .pics) (malware.rules)
- 2068360 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (anteria .pics) in TLS SNI (malware.rules)
- 2068361 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ossifvg .click) (malware.rules)
- 2068362 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ossifvg .click) in TLS SNI (malware.rules)
- 2068363 - ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33044) (exploit.rules)
- 2068364 - ET EXPLOIT Dahua Netkeyboard Authentication Bypass Attempt M2 (http) (CVE-2021-33044) (exploit.rules)
- 2068365 - ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M1 (DHIP) (CVE-2021-33045) (exploit.rules)
- 2068366 - ET EXPLOIT Dahua Loopback Authentication Bypass Attempt M2 (http) (CVE-2021-33044) (exploit.rules)
- 2068367 - ET WEB_SPECIFIC_APPS Hikvision ping.php jsondata[ip] Parameter Command Injection Attempt (CVE-2023-6895) (web_specific_apps.rules)
- 2068368 - ET WEB_SPECIFIC_APPS Hikvision applyCT datasourcename Parameter Command Injection Attempt (CVE-2025-34067) (web_specific_apps.rules)
- 2068369 - ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M1 (user/password enumeration) (CVE-2017-7921) (web_specific_apps.rules)
- 2068370 - ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M2 (snapshot retrieval) (CVE-2017-7921) (web_specific_apps.rules)
- 2068371 - ET WEB_SPECIFIC_APPS Hikvision Authentication Bypass Attempt M3 (configuration retrieval) (CVE-2017-7921) (web_specific_apps.rules)
- 2068372 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (breitonghoul .top) (exploit_kit.rules)
- 2068373 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (breitonghoul .top) (exploit_kit.rules)
- 2068374 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (images .bluebehi .eu .org) (malware.rules)
- 2068375 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (images .bluebehi .eu .org) (malware.rules)
Pro:
- 2866671 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
- 2866672 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
- 2866673 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
- 2866674 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
- 2866675 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
- 2866676 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
- 2866677 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
- 2866678 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
- 2866679 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
- 2866680 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
- 2866681 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
- 2866682 - ETPRO MALWARE TA455 CnC Domain in DNS Lookup (malware.rules)
- 2866683 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
- 2866684 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
- 2866685 - ETPRO MALWARE TA455 CnC Domain in TLS SNI (malware.rules)
- 2866686 - ETPRO MALWARE TA455 CnC Exfil Activity M1 (malware.rules)
- 2866687 - ETPRO MALWARE TA455 CnC Exfil Activity M2 (malware.rules)
Modified inactive rules:
- 2007876 - ET EXPLOIT ExtremeZ-IP File and Print Server Multiple Vulnerabilities - udp (exploit.rules)
- 2009675 - ET ATTACK_RESPONSE Possible Ipconfig Information Detected in HTTP Response (attack_response.rules)
- 2022961 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gootkit C2) (malware.rules)
- 2024080 - ET MALWARE ABUSE.CH SSL Fingerprint Blacklist Malicious SSL Certificate Detected (Gozi MITM) (malware.rules)
- 2819981 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Opfake.a Checkin 15 (mobile_malware.rules)
- 2825850 - ETPRO EXPLOIT Windows Kernel Information Disclosure Vulnerability Inbound (CVE-2017-0167) (exploit.rules)