[***] Summary: [***]
11 new Open, 28 new Pro (11 + 17). JS Skimmer, IBM Data Risk Manager Exploits, ELF/TheMoon.Linksys, Various Phishing.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.etpro.2020-04-21T23:06:57.txt
Please be aware that after the deprecation of our Suricata 2/3 support (April 15th 2020), the path for downloading the last pushed production Suricata 2/3 rulesets have changed. Deprecated rulesets are available at https://rules.emergingthreatspro.com/OINK/old for ETPro and https://rules.emergingthreatspro.com/open/old/ for ETOpen. All requests for the Suricata 2/3 at their previous locations will now lead to the Suricata 4.0 production rules for ETPro and the rule download instructions for ETOpen.
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2029982 - ET TROJAN MalDoc Requesting Payload 2020-04-21 (trojan.rules)
2029983 - ET WEB_SERVER Possible Apache DDos UA Observed (DDos Apache)
Outbound (web_server.rules)
2029984 - ET WEB_CLIENT Possible Apache DDos UA Observed (DDos Apache)
Inbound (web_client.rules)
2029985 - ET EXPLOIT IBM Data Risk Manager Remote Code Execution via NMAP
Scan (exploit.rules)
2029986 - ET EXPLOIT IBM Data Risk Manager Authentication Bypass -
Session ID Assignment (set) (exploit.rules)
2029987 - ET EXPLOIT IBM Data Risk Manager Authentication Bypass -
Password Retrieval (exploit.rules)
2029988 - ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass
- Session ID Assignment (exploit.rules)
2029989 - ET EXPLOIT Possible IBM Data Risk Manager Authentication Bypass
- Password Retrieval (exploit.rules)
2029990 - ET EXPLOIT IBM Data Risk Manager Arbitrary File Download
Attempt (exploit.rules)
2029991 - ET MALWARE JS Skimmer Domain in DNS Lookup (malware.rules)
2029992 - ET MALWARE JS Skimmer Domain in DNS Lookup (malware.rules)
Pro:
2842115 - ETPRO TROJAN MalDoc Requesting Payload 2020-04-21 (trojan.rules)
2842116 - ETPRO USER_AGENTS Observed Suspicious UA (Mozilla/5.0)
(user_agents.rules)
2842117 - ETPRO WORM ELF/TheMoon.Linksys Worm Activity (Outbound)
(worm.rules)
2842118 - ETPRO TROJAN ELF/Generic Infected IOT Device Checkin M1
(trojan.rules)
2842119 - ETPRO TROJAN ELF/Generic Infected IOT Device Checkin M2
(trojan.rules)
2842120 - ETPRO TROJAN ELF/Generic Infected IOT Device Checkin M3
(trojan.rules)
2842121 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-21 1) (trojan.rules)
2842122 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-21 2) (trojan.rules)
2842123 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-21 3) (trojan.rules)
2842124 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline
(2020-04-21 4) (trojan.rules)
2842125 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-21 (current_events.rules)
2842126 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-21 (current_events.rules)
2842127 - ETPRO CURRENT_EVENTS Successful Generic Credit Card Information
Phish 2020-04-21 (current_events.rules)
2842128 - ETPRO CURRENT_EVENTS Successful Advanzia Bank Phish 2020-04-21
(current_events.rules)
2842129 - ETPRO CURRENT_EVENTS Successful Advanzia Bank Phish 2020-04-21
(current_events.rules)
2842130 - ETPRO TROJAN TrojanDropper.Binder.FR CnC Activity M6
(trojan.rules)
2842131 - ETPRO TROJAN Observed Malicious SSL Cert (Ursnif CnC)
(trojan.rules)
[///] Modified active rules: [///]
2842073 - ETPRO TROJAN BazaLoader Variant CnC (Checkin) (trojan.rules)
2842090 - ETPRO TROJAN BazaLoader CnC (Download Request) (trojan.rules)
[---] Disabled and modified rules: [---]
2011121 - ET TROJAN Phoenix Exploit Kit Facebook phishing page payload
could be ZeuS (trojan.rules)