[***] Summary: [***]
2 new OPEN, 32 new PRO (2 + 30). Win32/Phorpiex, NanoCore, MuddyWater, Remcos, SnakeKeylogger, Various Phish.
Many rules in the Suricata 5 ruleset have been updated with Suricata 5 rule syntax/keywords. A complete list of rules that were changed can be found via the changelog here:
https://rules.emergingthreats.net/changelogs/suricata-5.0-enhanced.open-nogpl.2020-11-17T23:02:48.txt
Please share issues, feedback, and requests at https://feedback.emergingthreats.net/feedback
[+++] Added rules: [+++]
Open:
2031147 - ET WEB_SPECIFIC_APPS Oracle WebLogic RCE Shell Inbound M2 (CVE-2020-14882) (web_specific_apps.rules)
2031210 - ET TROJAN Win32/Phorpiex Template 6 Active - Outbound Malicious Email Spam (trojan.rules)
Pro:
2845509 - ETPRO TROJAN NanoCore RAT CnC 28 (trojan.rules)
2845510 - ETPRO USER_AGENTS non-standard curl User-Agent (user_agents.rules)
2845511 - ETPRO TROJAN MuddyWater/SHARPSTATS System Info Exfil (trojan.rules)
2845512 - ETPRO TROJAN MuddyWater Request for .dat (trojan.rules)
2845513 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-17 1) (trojan.rules)
2845514 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-17 2) (trojan.rules)
2845515 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-17 3) (trojan.rules)
2845516 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-17 4) (trojan.rules)
2845517 - ETPRO TROJAN CoinMiner Known Malicious Stratum Authline (2020-11-17 5) (trojan.rules)
2845518 - ETPRO CURRENT_EVENTS Successful PSN Phish 2020-11-17 (current_events.rules)
2845519 - ETPRO CURRENT_EVENTS Successful AT&T Phish 2020-11-17 (current_events.rules)
2845520 - ETPRO CURRENT_EVENTS Successful Banco Falabella Phish 2020-11-17 (current_events.rules)
2845521 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-11-17 (current_events.rules)
2845522 - ETPRO CURRENT_EVENTS Successful Wells Fargo Phish 2020-11-17 (current_events.rules)
2845523 - ETPRO CURRENT_EVENTS Successful Generic Secure Invoice Phish 2020-11-17 (current_events.rules)
2845524 - ETPRO CURRENT_EVENTS Successful Generic Phish 2020-11-17 (current_events.rules)
2845525 - ETPRO CURRENT_EVENTS Successful Navy Federal Credit Union Phish 2020-11-17 (current_events.rules)
2845526 - ETPRO CURRENT_EVENTS Successful Microsoft Account Phish 2020-11-17 (current_events.rules)
2845527 - ETPRO CURRENT_EVENTS Successful Dropbox Phish 2020-11-17 (current_events.rules)
2845528 - ETPRO TROJAN W32/Downloader.Llgergop Activity (trojan.rules)
2845529 - ETPRO TROJAN W32/Gxwxt CnC Host Checkin (trojan.rules)
2845530 - ETPRO TROJAN W32/Gxwxt CnC Activity (trojan.rules)
2845531 - ETPRO TROJAN iSpy/HawkSpy Keylogger Reporting Infection via SMTP M4 (trojan.rules)
2845532 - ETPRO TROJAN SnakeKeylogger Exfil via FTP M1 (trojan.rules)
2845533 - ETPRO TROJAN SnakeKeylogger Exfil via FTP M2 (trojan.rules)
2845534 - ETPRO TROJAN SnakeKeylogger Exfil via FTP M3 (trojan.rules)
2845535 - ETPRO TROJAN SnakeKeylogger Exfil via FTP M4 (trojan.rules)
2845536 - ETPRO TROJAN SnakeKeylogger Exfil via FTP M5 (trojan.rules)
2845537 - ETPRO TROJAN Win32/Remcos RAT Checkin 610 (trojan.rules)
2845538 - ETPRO TROJAN Win32/Remcos RAT Checkin 611 (trojan.rules)
[///] Modified active rules: [///]
2007994 - ET INFO Suspicious User-Agent (1 space) (info.rules)
2009549 - ET TROJAN Generic Downloader - HTTP POST (trojan.rules)
2014726 - ET POLICY Outdated Flash Version M1 (policy.rules)
2014803 - ET TROJAN VBS/Wimmie.A Set (trojan.rules)
2017045 - ET TROJAN Possible Drive DDoS Check-in (trojan.rules)
2017305 - ET TROJAN Win32/Cridex Checkin (trojan.rules)
2020027 - ET TROJAN Win32/Spy.Agent.OHT - AnunakAPT HTTP Checkin 1 (trojan.rules)
2020172 - ET TROJAN Known Sinkhole Response Header CERT.PL (trojan.rules)
2023466 - ET EXPLOIT D-Link DSL-2740R Remote DNS Change Attempt (exploit.rules)
2024019 - ET CURRENT_EVENTS Paypal Phishing Landing Feb 24 2017 (current_events.rules)
2024379 - ET POLICY Outdated Flash Version M2 (policy.rules)
[---] Disabled and modified rules: [---]
2020157 - ET TROJAN Win32/Emotet.C Variant Checkin (trojan.rules)
2806308 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.FakeInst.a Checkin (mobile_malware.rules)
2809518 - ETPRO MOBILE_MALWARE Trojan-SMS.AndroidOS.Agent.az Checkin 2 (mobile_malware.rules)
2828478 - ETPRO TROJAN VB.BadPatch Checkin (trojan.rules)
[---] Removed rules: [---]
2031147 - ET EXPLOIT Oracle WebLogic RCE Shell Inbound (CVE-2020-14882) M2 (exploit.rules)