Weekly Detection Rule (YARA and Snort) Information – Week 3, October 2024
The following is the information on YARA and Snort rules (week 3, October 2024) collected and shared by the AhnLab TIP service.
- 3 YARA Rules
| Detection name | Description | Source |
|---|---|---|
| MAL_RANSOM_INC_Aug24 | Detects INC ransomware and its variants, such as Lynx | https://github.com/Neo23x0/signature-base3 |
| MAL_EXPL_Perfctl_Oct24 | Detects exploits used in connection with Perfctl malware campaigns | https://github.com/Neo23x0/signature-base3 |
| MAL_LNX_Perfctl_Oct24 | Detects Perfctl malware samples | https://github.com/Neo23x0/signature-base3 |
- 10 Snort Rules
| Detection name | Source |
|---|---|
| ET EXPLOIT PHP Arbitrary Object Instantiation – ImageMagick MSL File Descriptor RCE | https://rules.emergingthreatspro.com/open/ |
| ET EXPLOIT PHP Arbitrary Object Instantiation RCE – ImageMagick MSL VID Scheme | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Havoc Demon CnC Request | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN Win32/DeerStealer CnC Checkin | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti Connect Secure CRLF Injection Remote Code Execution Attempt (CVE-2024-37404) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Ivanti Connect Secure Shared Object File Upload Attempt | https://rules.emergingthreatspro.com/open/ |
| ET TROJAN CleanUp Loader HTTP Request (GET) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Palo Alto Expedition Unauthenticated Admin Password Reset (CVE-2024-5910) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Palo Alto Expedition Authenticated Command Injection via Cronjobs (CVE-2024-9464) | https://rules.emergingthreatspro.com/open/ |
| ET WEB_SPECIFIC_APPS Palo Alto Expedition Unauthenticated SQL Injection in Checkpoint Config Parser (CVE-2024-9465) | https://rules.emergingthreatspro.com/open/ |