Ruleset Update Summary - 2026/05/06 - v11187

Ruleset Updates
1

Summary:

20 new OPEN, 36 new PRO (20 + 16)

Thanks @suyog41

Added rules:

Open:

  • 2069172 - ET MALWARE BPFDoor ICMP Echo Request (Outbound) (malware.rules)
  • 2069173 - ET MALWARE BPFDoor ICMP Echo Reply (Inbound) (malware.rules)
  • 2069174 - ET MALWARE BPFDoor ICMP Echo Request with X: (Outbound) (malware.rules)
  • 2069175 - ET MALWARE BPFDoor ICMP Echo Reply with X: (Inbound) (malware.rules)
  • 2069176 - ET MALWARE TA569 Gholoader CnC Domain in DNS Lookup (cpanel .khomeini .eu .org) (malware.rules)
  • 2069177 - ET MALWARE TA569 Gholoader CnC Domain in TLS SNI (cpanel .khomeini .eu .org) (malware.rules)
  • 2069178 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (activebridgehub .top) (exploit_kit.rules)
  • 2069179 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (blueharborlab .top) (exploit_kit.rules)
  • 2069180 - ET EXPLOIT_KIT ZPHP Domain in DNS Lookup (silentmatrix .top) (exploit_kit.rules)
  • 2069181 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (activebridgehub .top) (exploit_kit.rules)
  • 2069182 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (blueharborlab .top) (exploit_kit.rules)
  • 2069183 - ET EXPLOIT_KIT ZPHP Domain in TLS SNI (silentmatrix .top) (exploit_kit.rules)
  • 2069184 - ET WEB_SPECIFIC_APPS D-Link DI-8100 url_rule.asp Stack Buffer Overflow (CVE-2026-7854) (web_specific_apps.rules)
  • 2069185 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (genxetia .cyou) (malware.rules)
  • 2069186 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (genxetia .cyou) in TLS SNI (malware.rules)
  • 2069187 - ET WEB_SPECIFIC_APPS D-Link DI-8100 auto_reboot.asp Stack Buffer Overflow (CVE-2026-7853) (web_specific_apps.rules)
  • 2069188 - ET WEB_SPECIFIC_APPS D-Link DI-8100 yyxz.asp Stack Buffer Overflow (CVE-2026-7851) (web_specific_apps.rules)
  • 2069189 - ET WEB_SPECIFIC_APPS D-Link DI-8100 url_member.asp Stack Buffer Overflow (CVE-2026-7856) (web_specific_apps.rules)
  • 2069190 - ET MALWARE LedgerCheck User-Agent Observed (malware.rules)
  • 2069191 - ET WEB_SPECIFIC_APPS D-Link DI-8100 user_group.asp Stack Buffer Overflow (CVE-2026-7857) (web_specific_apps.rules)

Pro:

  • 2867430 - ETPRO WEB_SPECIFIC_APPS Materialise OrthoView OS Command Injection (CVE-2025-23049) (web_specific_apps.rules)
  • 2867431 - ETPRO EXPLOIT MongoDB Atlas Server Unauthenticated DoS (CVE-2026-25611) (exploit.rules)
  • 2867432 - ETPRO MALWARE Malicious Win32/NetSupport Rat CnC Checkin (malware.rules)
  • 2867433 - ETPRO WEB_SPECIFIC_APPS LiteLLM SQL Injection via Authentication Header (CVE-2026-42208) M2 (web_specific_apps.rules)
  • 2867434 - ETPRO WEB_SPECIFIC_APPS LiteLLM SQL Injection via Authentication Header (CVE-2026-42208) M3 (web_specific_apps.rules)
  • 2867435 - ETPRO WEB_SPECIFIC_APPS LiteLLM SQL Injection via Authentication Header (CVE-2026-42208) M4 (web_specific_apps.rules)
  • 2867436 - ETPRO WEB_SPECIFIC_APPS Adobe Experience Manager Forms EDCLicenseService XXE (CVE-2025-54254) (web_specific_apps.rules)
  • 2867437 - ETPRO WEB_SPECIFIC_APPS Adobe Experience Manager Forms EDCLicenseService SOAP Fault (CVE-2025-54254) (web_specific_apps.rules)
  • 2867438 - ETPRO MALWARE Observed DNS Query to FlowPS MaaS Domain (malware.rules)
  • 2867439 - ETPRO WEB_SPECIFIC_APPS Adobe Experience Manager Forms Struts devMode OGNL Injection (CVE-2025-54253) (web_specific_apps.rules)
  • 2867440 - ETPRO MALWARE Observed FlowPS MaaS Domain in TLS SNI (malware.rules)
  • 2867441 - ETPRO ATTACK_RESPONSE FlowPS MaaS Payload Inbound (attack_response.rules)
  • 2867442 - ETPRO ATTACK_RESPONSE FlowPS MaaS Payload Inbound (attack_response.rules)
  • 2867443 - ETPRO ATTACK_RESPONSE FlowPS MaaS Payload Inbound (attack_response.rules)
  • 2867444 - ETPRO ATTACK_RESPONSE FlowPS MaaS CnC Activity (POST) (attack_response.rules)
  • 2867445 - ETPRO MALWARE FlowPS MaaS Payload Request (malware.rules)
2

@

Thank you to @Pb-22 for sparking discussion about BPFDoor coverage!