Ruleset Update Summary - 2026/04/16 - v11173

Ruleset Updates
1

Summary:

14 new OPEN, 19 new PRO (14 + 5)

Thanks @suyog41

Added rules:

Open:

  • 2068711 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (windlrr .com) (exploit_kit.rules)
  • 2068795 - ET INFO DYNAMIC_DNS Query to a *.isfacat .net domain (info.rules)
  • 2068796 - ET INFO DYNAMIC_DNS HTTP Request to a *.isfacat .net domain (info.rules)
  • 2068797 - ET INFO DYNAMIC_DNS Query to a *.gandurlogistics .com domain (info.rules)
  • 2068798 - ET INFO DYNAMIC_DNS HTTP Request to a *.gandurlogistics .com domain (info.rules)
  • 2068799 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knowale .cyou) (malware.rules)
  • 2068800 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knowale .cyou) in TLS SNI (malware.rules)
  • 2068801 - ET WEB_SPECIFIC_APPS Dolibarr ERP/CRM societe_extrafields.php dol_eval Allow List Bypass via computed_value Parameter (CVE-2026-22666) (web_specific_apps.rules)
  • 2068802 - ET WEB_SPECIFIC_APPS SmarterTools SmarterMail ConnectToHub Remote Code Execution (CVE-2026-24423) (web_specific_apps.rules)
  • 2068803 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (crypta-wave .top) (exploit_kit.rules)
  • 2068804 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (crypta-wave .top) (exploit_kit.rules)
  • 2068805 - ET MALWARE COMSUON Stealer Exfil via Telegram (malware.rules)
  • 2068806 - ET WEB_SPECIFIC_APPS Fortinet FortiSandbox Unauthenticated Remote Code Execution (CVE-2026-39808) (web_specific_apps.rules)
  • 2068807 - ET HUNTING Fake Windows Powershell User-Agent Observed (powershell) (hunting.rules)

Pro:

  • 2867079 - ETPRO MALWARE SesameStealer User-Agent Observed (malware.rules)
  • 2867080 - ETPRO MALWARE SesameStealer CnC Beacon (GET) (malware.rules)
  • 2867081 - ETPRO MALWARE DonutLoader Requesting Additional Payload (malware.rules)
  • 2867082 - ETPRO MALWARE Observed DNS Query to SesameStealer Domain (malware.rules)
  • 2867083 - ETPRO MALWARE Observed SesameStealer Domain in TLS SNI (malware.rules)

Disabled and modified rules:

  • 2866984 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2866988 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2866993 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2866998 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867000 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)

Removed rules:

  • 2068711 - ET MALWARE XorBee RAT CnC Domain in DNS Lookup (windlrr .com) (malware.rules)