Ruleset Update Summary - 2026/04/30 - v11183

Summary:

16 new OPEN, 29 new PRO (16 + 13)

Added rules:

Open:

  • 2069079 - ET INFO DYNAMIC_DNS Query to a *.flashhub .net domain (info.rules)
  • 2069080 - ET INFO DYNAMIC_DNS HTTP Request to a *.flashhub .net domain (info.rules)
  • 2069081 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (boletukk .cyou) (malware.rules)
  • 2069082 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (boletukk .cyou) in TLS SNI (malware.rules)
  • 2069083 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (falofao .cyou) (malware.rules)
  • 2069084 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (falofao .cyou) in TLS SNI (malware.rules)
  • 2069085 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (lucidanchor .top) (exploit_kit.rules)
  • 2069086 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (safecore .top) (exploit_kit.rules)
  • 2069087 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (lucidanchor .top) (exploit_kit.rules)
  • 2069088 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (safecore .top) (exploit_kit.rules)
  • 2069089 - ET EXPLOIT_KIT LandUpdate808 Domain in DNS Lookup (satserfield .com) (exploit_kit.rules)
  • 2069090 - ET EXPLOIT_KIT LandUpdate808 Domain in TLS SNI (satserfield .com) (exploit_kit.rules)
  • 2069091 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (dl .nyc-blockchain .com) (malware.rules)
  • 2069092 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (schedule .re-canada .com) (malware.rules)
  • 2069093 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (dl .nyc-blockchain .com) (malware.rules)
  • 2069094 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (schedule .re-canada .com) (malware.rules)

Pro:

  • 2867387 - ETPRO WEB_SPECIFIC_APPS cPanel & WHM Authentication Bypass (CVE-2026-41940) (web_specific_apps.rules)
  • 2867388 - ETPRO WEB_SPECIFIC_APPS cPanel & WHM Forced Session Re-serialization via Token Denial (CVE-2026-41940) (web_specific_apps.rules)
  • 2867389 - ETPRO WEB_SPECIFIC_APPS cPanel & WHM Forced Session Re-serialization via Token Denial Response (CVE-2026-41940) (web_specific_apps.rules)
  • 2867390 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - PING Outbound (malware.rules)
  • 2867391 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PING Outbound (malware.rules)
  • 2867392 - ETPRO MALWARE TA584 Win32/XWorm CnC Command - Ping Inbound (malware.rules)
  • 2867393 - ETPRO MALWARE TA584 Win32/XWorm V2 CnC Command - RD- Inbound (malware.rules)
  • 2867394 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - sendPlugin Outbound (malware.rules)
  • 2867395 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - Informations Outbound (malware.rules)
  • 2867396 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - GetInformations Inbound (malware.rules)
  • 2867397 - ETPRO MALWARE TA584 Win32/XWorm V3 CnC Command - PCShutdown Inbound (malware.rules)
  • 2867398 - ETPRO PHISHING Observed DNS Query to TA2730 Domain (phishing.rules)
  • 2867399 - ETPRO PHISHING Observed TA2730 Domain in TLS SNI (phishing.rules)

Disabled and modified rules:

  • 2004804 - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt – functions.php id UNION SELECT (web_specific_apps.rules)
  • 2004805 - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt – functions.php id INSERT (web_specific_apps.rules)
  • 2004806 - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt – functions.php id DELETE (web_specific_apps.rules)
  • 2004807 - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt – functions.php id ASCII (web_specific_apps.rules)
  • 2004808 - ET WEB_SPECIFIC_APPS Mathis Dirksen-Thedens ZephyrSoft Toolbox Address Book Continued (ABC) SQL Injection Attempt – functions.php id UPDATE (web_specific_apps.rules)
  • 2006568 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – voirannonce.php no UNION SELECT (web_specific_apps.rules)
  • 2006569 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – voirannonce.php no INSERT (web_specific_apps.rules)
  • 2006570 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – voirannonce.php no DELETE (web_specific_apps.rules)
  • 2006571 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – voirannonce.php no ASCII (web_specific_apps.rules)
  • 2006572 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – voirannonce.php no UPDATE (web_specific_apps.rules)
  • 2006574 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – fiche_membre.php idmembre UNION SELECT (web_specific_apps.rules)
  • 2006575 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – fiche_membre.php idmembre INSERT (web_specific_apps.rules)
  • 2006576 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – fiche_membre.php idmembre DELETE (web_specific_apps.rules)
  • 2006577 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – fiche_membre.php idmembre ASCII (web_specific_apps.rules)
  • 2006578 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – fiche_membre.php idmembre UPDATE (web_specific_apps.rules)
  • 2006586 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – changeannonce.php idannonce UNION SELECT (web_specific_apps.rules)
  • 2006587 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – changeannonce.php idannonce INSERT (web_specific_apps.rules)
  • 2006588 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – changeannonce.php idannonce DELETE (web_specific_apps.rules)
  • 2006589 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – changeannonce.php idannonce ASCII (web_specific_apps.rules)
  • 2006590 - ET WEB_SPECIFIC_APPS AnnonceScriptHP SQL Injection Attempt – changeannonce.php idannonce UPDATE (web_specific_apps.rules)