@@ -37,6 +37,7 @@
#
# This Ruleset is EmergingThreats Open optimized for snort-2.9.0.
+
#by Jaime Blasco
#
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:7;)
@@ -682,11 +683,11 @@
#Temporarily disabled until we get a fix for an FP problem
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:3;)
+##alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4;)
#matt jonkman, idea from Jason Weir
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename=|22|DHL_"; nocase; content:".zip|22|"; nocase; pcre:"/filename=\x22DHL_(tracking|document|(|print_|package_)label)(|_nr|_id.nr)(|[0-9]{4,5}|_[0-9a-z]{4,5})\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"name=|22|DHL"; nocase; content:".zip|22|"; within:68; nocase; pcre:"/name=\x22DHL(\s|_|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:12;)
#matt jonkman, idea from Jason Weir
#
@@ -706,7 +707,7 @@
#Matt Jonkman
#
-alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*=.*(UPS|United Parcel Service).*\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:14;)
+alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition|3A| attachment|3b|"; nocase; content:"filename"; pcre:"/filename\s*?=[^\n]*?(UPS|United Parcel Service)[^\n]*?\.(rar|exe|zip)/im"; classtype:trojan-activity; sid:2010644; rev:15;)
#evilghost
#
@@ -813,7 +814,7 @@
#kevin ross
#Additional references and slight modification to msg
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; file_data; content:".addBehavior"; nocase; content:"|23|default|23|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; file_data; content:".addBehavior"; nocase; content:"|23|default|23|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7;)
#kevin ross
#
@@ -1086,7 +1087,7 @@
#56 ocurrences
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7;)
#51 ocurrences
#
@@ -1240,7 +1241,7 @@
#by sp0ok3r
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:4;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:5;)
#by Pedro Marinho, re 58816f781154bda381fdcb1e3fab7bdd
#
@@ -1268,7 +1269,7 @@
#by David Wharton
#
-alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp|3a|//"; nocase; distance:0; content:"<script "; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*<script\s*defer[^\n]*unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; classtype:misc-attack; sid:2011173; rev:8;)
+alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp|3a|//"; fast_pattern; nocase; distance:0; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s*=\s*[\x22\x27]?hcp\x3a\x2f\x2F[^\n]*?(%3c|<)script[^\n]*?defer[^\n]*?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:13;)
#by evilghost
#
@@ -1477,7 +1478,7 @@
#by Blake Hartstein
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET EXPLOIT MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:4;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length|3A|"; nocase; pcre:"/^Content-Length\x3a\s*-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5;)
#Blake Hartstein of Demarc
#
@@ -1509,7 +1510,7 @@
#by David Maciejak
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff|3f|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5;)
@@ -1538,11 +1539,11 @@
#by Shirkdog
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:6;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:7;)
#by Shirkdog
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:4;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime|2e|getRuntime|25|28|25|29|2e|exec|25|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:5;)
#Submitted by Cody Hatch
#
@@ -2363,19 +2364,19 @@
#By Michael Hale Ligh and Ryan Smith
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5;)
#By Michael Hale Ligh and Ryan Smith
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:!"|0d0a|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5;)
#By Michael Hale Ligh and Ryan Smith
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5;)
#By Michael Hale Ligh and Ryan Smith
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"|0d0a|Host|3a|"; nocase; content:"|0d0a20|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5;)
#by Akash Mahajan
#
@@ -2429,7 +2430,7 @@
#Mark Tombaugh
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.*\'\s*\)\s*\)*\s*\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; fast_pattern:only; content:"methodCall"; http_client_body; nocase; pcre:"/>.*?\'\s*?\)\s*?\)*?\s*?\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:12;)
#by Steve Adair steven@securityzone - 11/28/2006, updates from Mat Rowley
#
@@ -2489,15 +2490,15 @@
#by Rich Rumble
#
-alert tcp any any -> $HOME_NET 139:445 (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3;)
#PWDump6
#
-alert tcp any any -> $HOME_NET 139:445 (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:4;)
#This should catch both FGDump and PWDump
#
-alert tcp any any -> $HOME_NET 139:445 (msg:"ET EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; fast_pattern:only; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:3;)
+alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61|"; fast_pattern:only; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4;)
#by Kyle Haugsness, Erik Fichtner, and Matt Jonkman
#VNC State Machine, good for other uses
@@ -2661,7 +2662,7 @@
#by David Wharton
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; nocase; http_uri; content:"input|3D|smb|3A 2F 2F|"; nocase; http_uri; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"|2F|requests|2F|status|2E|xml|3F|"; nocase; http_uri; content:"input|3D|smb|3A 2F|"; nocase; http_uri; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]*input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:5;)
#by kevin ross
#
@@ -2669,7 +2670,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Medial Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp|3A|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"|0A|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3;)
#By Paul Dokas, posted on http://isc.sans.org/diary.php?date=2005-06-27
#
@@ -2738,12 +2739,12 @@
#by Akash Mahajan of Stillsecure
#disabled but adding the default port for the server otherwise sig is way to generic
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; fast_pattern:only; pcre:"/[0-9a-zA-Z]{10,}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"|21 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8;)
#by Akash Mahajan of Stillsecure
#adding server default port otherwise sig is way to generic
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; fast_pattern:only; pcre:"/[0-9a-zA-Z]{10,}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"|61 00 09 00 08 00 07 00 21 03|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7;)
#by evilghost
#
@@ -3150,7 +3151,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri; content:"HTTP"; nocase; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:9;)
#more from the spywarelp
#Matt jonkman
@@ -3172,7 +3173,7 @@
#Submitted by Jason Haar
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; nocase; http_method; content:"srng/reg.php HTTP"; content:"|0d0a|Host|3a|"; http_header; content:"2020search.com"; http_header; content:"IpAddr="; nocase; http_client_body; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:13;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; nocase; http_method; content:"srng/reg.php HTTP"; content:"|0d0a|Host|3a|"; http_header; content:"2020search.com"; http_header; content:"IpAddr="; nocase; http_client_body; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:14;)
#by: Jeremy Conway at sudosecure.net
#ref: 2b8175726f2dde727132299992dafbe9
@@ -3185,11 +3186,11 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"/?fixtool="; nocase; http_uri; content:"GET"; nocase; http_method; content:"/?fixtool="; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:9;)
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; nocase; http_uri; content:"GET"; nocase; http_method; content:"/?KillerSet="; http_uri; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:7;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent|3a| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:9;)
#from spyware listening post data, by matt Jonkman
#
@@ -3222,7 +3223,7 @@
#by Matt Jonkman from Listening Post Data
#Disabling, obsoleting. To be delleted in a month or so
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:5;)
#by Philipp Bescht
#
@@ -3240,7 +3241,7 @@
#by Matt Jonkman
#spyware, from the sandnet
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d+/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent|3a| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:7;)
#Submitted by Matt Jonkman
#
@@ -3313,7 +3314,7 @@
#fake antispyware package, sig by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:4;)
#Submitted by Matt Jonkman
#
@@ -3439,7 +3440,7 @@
#by Jeffrey Brown
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:4;)
#Matt Jonkman
#
@@ -3488,7 +3489,7 @@
#from sandnet analysis, called CASClient by Kaspersky
#by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006403; classtype:trojan-activity; sid:2006403; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:trojan-activity; sid:2006403; rev:6;)
#from sandnet analysis, called CASClient by Kaspersky
#by Matt Jonkman
@@ -3634,7 +3635,7 @@
#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
#too many falses...
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:5;)
#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
#too many falses...
@@ -3685,7 +3686,7 @@
#From Vernon Stark
#
-#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:9;)
+#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:11;)
#From Vernon Stark
#
@@ -3701,11 +3702,11 @@
#deapesh misra
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type|3a| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:6;)
#deapesh misra
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:6;)
#from vienna
#
@@ -3713,7 +3714,7 @@
#by: Deapesh Misra
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:4;)
#by evilghost
#
@@ -3725,7 +3726,7 @@
#By Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:6;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:7;)
#Submitted by Matt Jonkman
#
@@ -3817,7 +3818,7 @@
#matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10;)
#matt Jonkman
#
@@ -3958,7 +3959,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:20;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts|3b|"; nocase; fast_pattern:only; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:22;)
#Submitted by Matt Jonkman
#
@@ -3978,7 +3979,7 @@
#From Listening Post data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:6;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:7;)
#by Shirkdog
#
@@ -3998,7 +3999,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:9;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:10;)
#Submitted by Matt Jonkman
#
@@ -4187,7 +4188,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: b5880918affcbb25120b431a45b99429
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; http_header; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:5;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type|3a| qvod_update"; nocase; http_header; content:"|5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:6;)
#By Matt Jonkman
#
@@ -4407,11 +4408,11 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:5;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:5;)
#by Akash Mahajan
#
@@ -4581,7 +4582,7 @@
#by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d+/"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER|7c|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:7;)
#by Matt Jonkman
#
@@ -4682,7 +4683,7 @@
#By Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:12;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host|3a|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:12;)
#By Matt Jonkman
#
@@ -5030,7 +5031,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; content:"dev"; nocase; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern:only; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:8;)
#Matt Jonkman
#
@@ -5038,7 +5039,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:6;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent|3a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:7;)
#Matt Jonkman
#
@@ -5094,7 +5095,7 @@
#By Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Activity"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host|3a| spygalaxy.ws|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:8;)
#from sandnet data
#by matt jonkman
@@ -5127,7 +5128,7 @@
#Submitted by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:9;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:9;)
#Submitted by Matt Jonkman
#
@@ -5328,7 +5329,7 @@
#Added by Frank Knobbe on 2006-03-12
#
-##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]+/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:7;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]*\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:8;)
#Added by Frank Knobbe on 2006-07-02
#
@@ -5341,7 +5342,7 @@
#Matt Jonkman
#This appears to be a controller the above trojan uses
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:5;)
#by L0rd Ch0de1m0rt
#
@@ -5349,11 +5350,11 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:5;)
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:5;)
#by matt jonkman
#
@@ -5569,7 +5570,7 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; content:"/newuser.php?saff="; http_uri; pcre:"/\/newuser\.php.saff=(\d+|x.+)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; content:"/newuser.php?saff="; http_uri; pcre:"/\/newuser\.php\?saff=(\d+|x.+)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:5;)
#by matt jonkman
#
@@ -5629,7 +5630,7 @@
#By Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Code Download"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host|3a| xpire.info|0d 0a|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:10;)
#By Matt Jonkman
#
@@ -5673,7 +5674,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE General Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:9;)
#Matt Jonkman
#
@@ -6123,7 +6124,7 @@
#by Matt Jonkman
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"404"; http_stat_code; content:"Not Found"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:10;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"404"; http_stat_code; content:"Not Found"; http_stat_msg; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:13;)
#by Matt Jonkman, from qru
#
@@ -6194,7 +6195,7 @@
#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:15;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:17;)
#Submitted by Joseph Gama
#Good rules, turn them on if you are interested. They are accurate.
@@ -6257,7 +6258,7 @@
#this sig JUST gets updates from external_net
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,&,40,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5;)
#Idea by David Glosser, sig by Matt Jonkman
#
@@ -6320,7 +6321,7 @@
#by Kevin Ross
#
-#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login To Cisco Device"; flow:from_server,established; content:"User Access Verification"; depth:24; reference:url,articles.techrepublic.com.com/5100-10878_11-5875046.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:misc-activity; sid:2008861; rev:5;)
+#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login To Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,articles.techrepublic.com.com/5100-10878_11-5875046.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:misc-activity; sid:2008861; rev:4;)
#by Kevin Ross
#
@@ -7281,7 +7282,7 @@
#by Jack Pepper
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows 98"; http_header; content:"GtekClient"; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98[^\n]+GtekClient/iH"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows 98"; http_header; content:"GtekClient"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98[^\n]+GtekClient/iH"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:6;)
#by Jack Pepper
#
@@ -7320,15 +7321,15 @@
#by dxp
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (Win exe under 128)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:4;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (Win exe under 128)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:5;)
#by dxp
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:4;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:5;)
#by dxp
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:4;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:5;)
#Matt Jonkman
#To catch generic exe downloads via http. This does not mean it's a problem, just of interest.
@@ -7346,11 +7347,11 @@
#by RPG, intended to catch exe's being hidden as requested BMPs
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Set flow on bmp file get"; flow:established,to_server; content:"GET"; http_method; content:".bmp"; http_uri; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Set flow on bmp file get"; flow:established,to_server; content:"GET"; http_method; content:".bmp"; http_uri; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:6;)
#by RPG, intended to catch exe's being hidden as requested BMPs
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type|3a| application|2f|octet-stream"; http_header; content:!"BM"; content:!"|00 00 00 00|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:4;)
#From Charles Lacroix
#All form elements are encoded before they are sent to the server
@@ -7775,7 +7776,7 @@
#Submitted by Joel Esler
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:8;)
+#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 01|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:10;)
#Submitted by Joel Esler
#
@@ -7811,7 +7812,7 @@
#Commenting out, duplicated in Snort.org set
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"|00 98|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:8;)
#Commenting out, duplicated in Snort.org set
#
@@ -7863,7 +7864,7 @@
#by matt jonkman
#these services aren't bad inherently, but are often used by trojans to get their external IP
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:".cmyip."; http_header; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"cmyip."; http_header; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:4;)
#by matt jonkman
#these services aren't bad inherently, but are often used by trojans to get their external IP
@@ -8042,7 +8043,7 @@
#installs are malicious. Storm, rbn, etc. Use this rule if you are interested
#disabling by default, falses a lot but may be of interest to some folks
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"Server|3a| nginx|0d 0a|"; nocase; http_header; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:4;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"Server|3a| nginx|0d 0a|"; nocase; http_header; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:5;)
#by matt jonkman
#nginx is an open http server. It's quite good, but seems an extremely high number of it's
@@ -8117,7 +8118,7 @@
#by evilghost
#
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; file_data; content:"var g_szURL = \"http|3a|//"; distance:0; content:"var g_szFolder = \""; content:"varg_szVirtualRoot = \"http\|3a|//"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:4;)
+#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; file_data; content:"var g_szURL = |22|http|3a 2f 2f|"; distance:0; content:"var g_szFolder = |22|"; content:"varg_szVirtualRoot = |22|http|3a 2f 2f|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:6;)
#by Christopher Campesi
#
@@ -8591,7 +8592,7 @@
#By Robert Grabowsky
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n|\r)]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;)
#by Reg Quinton
#
@@ -8607,7 +8608,7 @@
#next we check that the content-length is less than 7 digits, thus under 1,000,000 bytes.
#note: I re-check for the leading HTTP/1 to make sure we're still in the header packet, not in the rest of the binary stream
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:12;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:13;)
#by evilghost
#
@@ -8820,7 +8821,7 @@
#Submitted by Erik Vincent
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection"; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:7;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection|3a| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8;)
#You MUST add the SMTP_SERVERS var to your snort.conf!!!!
#
@@ -8854,7 +8855,7 @@
#By Robert Grabowsky
#Updated to have a more unique match than User-Agent.
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:7;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:8;)
#by Jacob Kitchel of infotex
#These are of particular use in detecting recon for phishing, etc.
@@ -8910,7 +8911,7 @@
#These aren't security issues necessarily, but you may be interested in seeing how often these crawlers hit you
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"msnbot"; nocase; http_header; fast_pattern; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:8;)
#These aren't security issues necessarily, but you may be interested in seeing how often these crawlers hit you
#
@@ -8930,11 +8931,11 @@
#by Jacob Kitchel
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+Java/\d\.\d+/i"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent|3a| "; nocase; http_header; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:8;)
#by Jacob Kitchel
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+Java/\d\.\d+/Hi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+Java/\d\.\d/Hi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:10;)
#Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
#Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate
@@ -8959,7 +8960,7 @@
#Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
#Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:11;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12;)
#Originally posted by Matt Jonkman, major tweaks by Matt Watchinski.
#Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate
@@ -8999,7 +9000,7 @@
#You may also use this to catch any local win98 machines if they're no longer supposed to be in production
#(which for goodness sake they shouldn't!! Haven't been patched for years!)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"Windows 98"; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:16;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:17;)
#this sig is to catch HTTP User agents that specify Windows 98 as the platform
#Mostly to catch spyware and auto-downloaders that still use these as fake User Agent strings
@@ -9135,7 +9136,7 @@
#by Kevin Ross
#CISCO TORCH SCAN DETECTION RULES
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"User-Agent|3a| Cisco-torch"; http_header; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"User-Agent|3a| Cisco-torch"; http_header; fast_pattern:12,10; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:9;)
#by Kevin Ross
#CISCO TORCH SCAN DETECTION RULES
@@ -9144,7 +9145,7 @@
#by Jack Pepper
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent|3a| core-project/1.0"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2008529; classtype:web-application-activity; sid:2008529; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent|3a| core-project/1.0"; fast_pattern:12,11; http_header; reference:url,doc.emergingthreats.net/2008529; classtype:web-application-activity; sid:2008529; rev:6;)
#Submitted 2006-10-30 by Frank Knobbe
#
@@ -9502,7 +9503,7 @@
#by Dennis Distler
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST"; http_method; content:"|3A|25 HTTP/"; depth:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST"; http_method; content:"|3A|25 HTTP/"; fast_pattern; depth:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:8;)
#by Kevin Ross
#
@@ -9593,7 +9594,7 @@
#These Detect the Latest Sipvious Scanner Version (0.2.6)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; fast_pattern:only; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"|0d 0a|User-Agent|3A| friendly-scanner"; fast_pattern:only; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:4;)
#These Detect the Latest Sipvious Scanner Version (0.2.6)
#
@@ -9851,15 +9852,15 @@
#New from Chris Taylor and the User agents project
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware User-Agent (BWL Toplist)"; flow:to_server,established; content:"User-Agent|3a| BWL Toplist"; nocase; http_header; reference:url,doc.emergingthreats.net/2003505; classtype:trojan-activity; sid:2003505; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware Checkin"; flow:to_server,established; content:"User-Agent|3a| BWL"; http_header; pcre:"/BWL(\sToplist|\d_UPDATE)/H"; classtype:trojan-activity; sid:2003505; rev:10;)
#by evilghost
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010721; classtype:bad-unknown; sid:2010721; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010721; classtype:bad-unknown; sid:2010721; rev:7;)
#by evilghost
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent|3a|"; nocase; http_header; content:"|5C|"; http_header; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; pcre:"/User-Agent\:.*[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:7;)
#by evilghost
#
@@ -10281,7 +10282,7 @@
#by pedro marinho
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (InfoBot)"; flow:to_server,established; content:"User-Agent|3a| InfoBot"; http_header; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (InfoBot)"; flow:to_server,established; content:"User-Agent|3a| InfoBot"; http_header; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:7;)
#matt jonkman
#
@@ -10321,7 +10322,7 @@
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake AV av1-site.info Related User-Agent (AV1)"; flow: established,to_server; content:"User-Agent|3a| AV1"; http_header; reference:url,doc.emergingthreats.net/2009223; classtype:trojan-activity; sid:2009223; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow: established,to_server; content:"User-Agent|3a| AV1|0d 0a|"; http_header; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:8;)
#matt jonkman
#
@@ -10769,7 +10770,7 @@
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"Cookie|3a| PREF|3d|ID|3d|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host|3a| www|2e|google|2e|com|0d 0a|"; nocase; http_header; content:!"PREF|3d|ID|3d|"; nocase; http_cookie; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:13;)
#by evilghost
#
@@ -10789,7 +10790,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:10;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11;)
#Pluses in a UA, suspicious as well
#
@@ -10845,7 +10846,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Huai_Huai) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006361; classtype:trojan-activity; sid:2006361; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent|3a| Huai_Huai|0d 0a|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:8;)
#Pluses in a UA, suspicious as well
#
@@ -10903,9 +10904,8 @@
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Example)"; flow:to_server,established; content:"User-Agent|3a| Example|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:trojan-activity; sid:2007884; rev:6;)
-#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (downloader)"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader)"; flow:to_server,established; content:"User-Agent|3a| downloader|0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:8;)
#Pluses in a UA, suspicious as well
#
@@ -10949,7 +10949,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent|3a 20 0d 0a|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:8;)
#Pluses in a UA, suspicious as well
#
@@ -10981,7 +10981,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/User-Agent\x3a App\d+/Hi"; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\x3a App\d/Hm"; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:12;)
#Pluses in a UA, suspicious as well
#
@@ -11013,7 +11013,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; content:!"|0d 0a|Q-UA|3a 20|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:14;)
#Pluses in a UA, suspicious as well
#
@@ -11105,7 +11105,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Playtech Downloader)"; flow:to_server,established; content:"User-Agent|3a| Playtech "; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008365; classtype:trojan-activity; sid:2008365; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Playtech Downloader Online Gaming Checkin"; flow:to_server,established; content:"/client_update_urls.php"; http_uri; content:"User-Agent|3a| Playtech "; http_header; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:trojan-activity; sid:2008365; rev:8;)
#Pluses in a UA, suspicious as well
#
@@ -11249,7 +11249,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (bdwinrun) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008742; classtype:trojan-activity; sid:2008742; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent|3a| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:trojan-activity; sid:2008742; rev:7;)
#Pluses in a UA, suspicious as well
#
@@ -11349,7 +11349,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Macrovision_DM)"; flow:established,to_server; content:"User-Agent|3a| Macrovision_DM"; http_header; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY trymedia.com User-Agent (Macrovision_DM)"; flow:established,to_server; content:"User-Agent|3a| Macrovision_DM"; http_header; content:"trymedia.com|0d 0a|"; http_header; pcre:"/Host\x3a.+trymedia\.com\r$/Hm"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:7;)
#Pluses in a UA, suspicious as well
#
@@ -11377,7 +11377,7 @@
#Pluses in a UA, suspicious as well
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBangA|0d 0a|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:trojan-activity; sid:2009540; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent|3a| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:trojan-activity; sid:2009540; rev:8;)
#Pluses in a UA, suspicious as well
#
@@ -11508,11 +11508,11 @@
#cd025fbeb51e2a02793f2c60a2777aa8
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (SeFastSetup)"; flow:to_server,established; content:"User-Agent|3a| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou Toolbar Checkin"; flow:to_server,established; content:"/seversion.txt"; http_uri; content:"User-Agent|3a| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:3;)
#cd025fbeb51e2a02793f2c60a2777aa8
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (NSIS_Inetc (Mozilla))"; flow:to_server,established; content:"User-Agent|3a| NSIS|5f|Inetc |28|Mozilla|29|"; http_header; reference:url,doc.emergingthreats.net/2011227; classtype:trojan-activity; sid:2011227; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"; flow:to_server,established; content:"User-Agent|3a| NSIS|5f|Inetc |28|Mozilla|29|"; http_header; reference:url,doc.emergingthreats.net/2011227; classtype:trojan-activity; sid:2011227; rev:3;)
#by pedro marinho
#
@@ -11644,7 +11644,7 @@
#Matt Jonkman, From spyware listening post data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:11;)
#Matt Jonkman, From spyware listening post data
#
@@ -11724,7 +11724,7 @@
#From Chris Norton.
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; http_header; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:8;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; http_header; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9;)
#BugBear
#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
@@ -11734,7 +11734,7 @@
#BugBear
#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
#
-#alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:7;)
+##alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:8;)
#BugBear
#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
@@ -11759,19 +11759,19 @@
#by Jonathan Gross. Experimental
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6;)
#by Jonathan Gross. Experimental
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET VIRUS WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:6;)
#by Dan Clemens of packetninjas.net
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:2;)
#by Dan Clemens of packetninjas.net
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:2;)
#matt jonkman/wes brown
#falsing, needs adjustment
@@ -11782,29 +11782,29 @@
#more information at http://toorcon.org/2006/conference.html?id=29
#These are disabled by default until we learn more about them.
#
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:3;)
+##alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4;)
#These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load.
#more information at http://toorcon.org/2006/conference.html?id=29
#These are disabled by default until we learn more about them.
#
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:3;)
+##alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4;)
#These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load.
#more information at http://toorcon.org/2006/conference.html?id=29
#These are disabled by default until we learn more about them.
#
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:3;)
+##alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4;)
#Sobig
#Unknown submitter - Sobig E-F downloading goodies
#
-#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:8;)
+##alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:9;)
#Spy.Win32.Bancos Trojan
#Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:9;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10;)
#from sandnet data
#Disabling by default, hits on the VB api, not unique to this virus.
@@ -11813,11 +11813,11 @@
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; http_header; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent|3a| p4r4z1t3v3"; http_header; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6;)
#by mr Magic Pants
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:6;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject|3a 20 3a 20|ZOMBIE"; nocase; content:"X-Library|3a| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7;)
#by dn1nj4
#
@@ -11868,7 +11868,7 @@
#by dxp
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:7;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:8;)
#by dxp
#
@@ -12029,7 +12029,7 @@
#by matt jonkman and victor julien
#
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d+/"; reference:url,doc.emergingthreats.net/2007980; classtype:trojan-activity; sid:2007980; rev:3;)
+alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:trojan-activity; sid:2007980; rev:4;)
#by matt jonkman and victor julien
#
@@ -12302,7 +12302,7 @@
#by jerry at cybercave
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; pcre:"/\/ff\.ie\?rnd=\d+/Ui"; content:"p="; http_client_body; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; pcre:"/\/ff\.ie\?rnd=\d/Ui"; content:"p="; http_client_body; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:8;)
#by deapesh misra
#
@@ -12330,7 +12330,7 @@
#analysis by Jose Nazario at arbor networks. Sig by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:13;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:14;)
#by Jaime Blasco
#
@@ -12443,7 +12443,7 @@
#by Darren Spruell
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d+/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d+/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:4;)
#Bredolab Infection
#
@@ -12503,7 +12503,7 @@
#by Jeffrey Brown at synacktip
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d+/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5;)
#by Jeffrey Brown at synacktip
#
@@ -12559,7 +12559,7 @@
#By RPG and Jack Pepper, modified by thierry chich and darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:5;)
#by Tillman Werner
#
@@ -12619,7 +12619,7 @@
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; distance:0; content:"&v="; http_client_body; distance:0; content:"&os="; http_client_body; distance:0; content:"&panic="; http_client_body; distance:0; content:"&input="; http_client_body; distance:0; reference:url,doc.emergingthreats.net/2009287; classtype:trojan-activity; sid:2009287; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; distance:0; content:"&v="; http_client_body; distance:0; content:"&os="; http_client_body; distance:0; content:"&panic="; fast_pattern; http_client_body; distance:0; content:"&input="; http_client_body; distance:0; reference:url,doc.emergingthreats.net/2009287; classtype:trojan-activity; sid:2009287; rev:5;)
#by matt jonkman, Proxy.Corpes.j 0fe727c2779b6891697db8f768b6d34b
#
@@ -12784,7 +12784,7 @@
#by matt jonkman
#re sample 41c62970ea34413c4011b220724bf029
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; fast_pattern:30,20; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; fast_pattern:30,20; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:10;)
#matt jonkman
#
@@ -12823,11 +12823,11 @@
#re 146244b0d5cce3d21719ad94d650a82f
#traffic was on port 2009 in sample, since it is a new year. Maybe use it as the source
#
-alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:2;)
+#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3;)
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; content:"/cc.php"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&rnd="; http_uri; nocase; pcre:"/v=\d+&rnd=\d+/Ui"; reference:url,doc.emergingthreats.net/2007822; classtype:trojan-activity; sid:2007822; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; content:"/cc.php"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&rnd="; http_uri; nocase; pcre:"/v=\d+&rnd=\d/Ui"; reference:url,doc.emergingthreats.net/2007822; classtype:trojan-activity; sid:2007822; rev:4;)
#By Scott Melnick
#
@@ -12930,7 +12930,7 @@
#Sigs for general downloader trojans and worms. Not all get unique names
#by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:10;)
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#
@@ -12938,7 +12938,7 @@
#Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; flow:established,to_server; content:"User-Agent|3a| Microsoft URL Control -"; nocase; http_header; reference:url,doc.emergingthreats.net/2003646; classtype:trojan-activity; sid:2003646; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin"; flow:established,to_server; content:"/tx.txt"; http_uri; content:" Microsoft URL Control -"; http_header; reference:url,doc.emergingthreats.net/2003646; classtype:trojan-activity; sid:2003646; rev:8;)
#Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this
#
@@ -12978,7 +12978,7 @@
#from sandnet data, by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]+/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:5;)
#matt jonkman, from sandnet data
#
@@ -13125,11 +13125,11 @@
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:4;)
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d[1,3]\.\d[1,3]\.\d[1,3]\.\d[1,3]/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP|3a|"; depth:100; content:"??IP|3a|"; distance:0; content:"????|3a|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5;)
#by robert grabowsky
#
@@ -13167,12 +13167,12 @@
#by: Jeremy Conway at sudosecure.net
#ref: 0f79f76f0ea1d53690ed916142f94083
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"htm?mac="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&id="; http_uri; pcre:"/\?mac=[0-9]*&os=[a-z]*&ver=[0-9]{8}&id=[0-9\.]*/Ui"; reference:url,doc.emergingthreats.net/2009704; classtype:trojan-activity; sid:2009704; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Hupigon.dkwt Related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"htm?mac="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&id="; http_uri; pcre:"/\?mac=[0-9]*?&os=[a-z]*?&ver=[0-9]{8}&id=/Ui"; reference:url,doc.emergingthreats.net/2009704; classtype:trojan-activity; sid:2009704; rev:8;)
#by: Jeremy Conway at sudosecure.net
#ref: 59c9112d9d39c3051f0c6ae1dd499d97
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Generic - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"<ime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"<ime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:5;)
#by jerry
#
@@ -13230,7 +13230,7 @@
#by Jaime Blasco
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; content:".php?"; http_uri; uricontent:"c_pcode="; http_uri;content:"c_pid="; http_uri; content:"c_kind="; http_uri; content:"c_mac="; http_uri; reference:url,doc.emergingthreats.net/2010888; classtype:trojan-activity; sid:2010888; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; content:".php?"; http_uri; content:"c_pcode="; http_uri; content:"c_pid="; http_uri; content:"c_kind="; http_uri; content:"c_mac="; http_uri; reference:url,doc.emergingthreats.net/2010888; classtype:trojan-activity; sid:2010888; rev:5;)
#Submitted by Tom Fischer, 2006-01-08, updated 4/22/06
#
@@ -13390,7 +13390,7 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:4;)
#another one. Fortinet calls it emogen, others call it a dropper
#
@@ -13443,7 +13443,7 @@
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]+/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; classtype:trojan-activity; sid:2010594; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:"User-Agent|3a| Microsoft Internet Explorer|0d 0a|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; classtype:trojan-activity; sid:2010594; rev:6;)
#by evilghost
#
@@ -13485,7 +13485,7 @@
#by Jeffrey Brown
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli HTTP Checkin Activity"; flow: to_server,established; content:"/getmac.asp"; nocase; http_uri; content:"x="; nocase; http_uri; content:"&y="; nocase; content:"&z="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-/Ui"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:trojan-activity; sid:2009215; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli HTTP Checkin Activity"; flow: to_server,established; content:"/getmac.asp?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:trojan-activity; sid:2009215; rev:6;)
#by: Jeremy Conway at sudosecure.net
#ref: a93af8f350689c700ee3fde7442a956e
@@ -13550,11 +13550,11 @@
#by marcus at unsober
#re: ee1539a7b6b7012a68b986262f01756c
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamania Trojan Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"?p4="; http_uri; content:"&p5="; http_uri; fast_pattern; content:"&hs="; http_uri; pcre:"/p4=\d+&p5=\d+&hs=\d+/Ui"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamania Trojan Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"?p4="; http_uri; content:"&p5="; http_uri; fast_pattern; content:"&hs="; http_uri; pcre:"/p4=\d+&p5=\d+&hs=\d/Ui"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:9;)
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d+/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:10;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:11;)
#by Mike Cox
#
@@ -13594,7 +13594,7 @@
#by victort julien
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Accept|3a| Accept|3a| "; http_header; pcre:"/^Accept\x3A\sAccept\x3A[^\r\n]*\d+,\s/[A-z0-9\.]+,\s[A-z0-9\.]+/Hmi"; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Malformed Double Accept Header"; flow:established,to_server; content:"Accept|3a| Accept|3a| "; http_header; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:8;)
#by joe stewart and bojan zdrjna
#
@@ -13602,7 +13602,7 @@
#by bojan
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Murlo Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]+/iU"; content: "&ver="; nocase; http_uri; content: "&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009442; classtype:trojan-activity; sid:2009442; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Murlo Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]/iU"; content: "&ver="; nocase; http_uri; content: "&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009442; classtype:trojan-activity; sid:2009442; rev:9;)
#by: Jeremy Conway at sudosecure.net
#ref: 0e94639577df8c4b684b42d2acaa4417
@@ -13670,27 +13670,27 @@
#by steven Adair of shadowserver.org
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"|00 00 00|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"|00 00 00|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5;)
#by steven Adair of shadowserver.org
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5;)
#Jason aka dn1nj4 at shadowserver dot org
#ref: 4e224c80f62c1b3dc74d295d0633e699
#also re 53c26839720c9b3e9c6ed9f0d288d288
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:trojan-activity; sid:2010859; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:trojan-activity; sid:2010859; rev:5;)
#Jason aka dn1nj4 at shadowserver dot org
#ref: 4e224c80f62c1b3dc74d295d0633e699
#also re 53c26839720c9b3e9c6ed9f0d288d288
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:trojan-activity; sid:2010860; rev:5;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:trojan-activity; sid:2010860; rev:5;)
#by Martin Holste
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:6;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:7;)
#by michael sconzo
#
@@ -13718,7 +13718,7 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d+/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:4;)
#by dxp and Darren Spruell. Compilation of former sids 2003509-2003511 and 2002854
#
@@ -13775,39 +13775,39 @@
#by Don Jackson of Secureworks
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"|3F|mod|3D|"; offset:5; depth:40; pcre:"/^GET\s+[^\x0A\x0D]+\x3Fmod\x3D\w*\x26id\x3D[^\x26\s]+\x5F\w+\x26up\x3D[^\x26]+\x26mid\x3D[^\x26\s]+/"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"|3F|mod|3D|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w*?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:7;)
#Matt Jonkman
#
-alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:8;)
+#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:9;)
#Matt Jonkman
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:7;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:8;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:12;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:13;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:11;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:11;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:9;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:11;)
#Matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:11;)
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#
@@ -13973,7 +13973,7 @@
#Bot potty
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w+/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"|3a|"; content:"|20|332|20|"; within:50; content:"|2023|"; within:20; content:"|203a|"; pcre:"/(\.aim\w*|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12;)
#Bot potty
#
@@ -14285,7 +14285,7 @@
#by Darren Spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface HTTP Request (2)"; flow:established,to_server; content:"?action="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d+/U"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface HTTP Request (2)"; flow:established,to_server; content:"?action="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d/U"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:4;)
#by jerry at cybercave
#
@@ -14333,7 +14333,7 @@
#By matt Jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; pcre:"/\/cp\/rule\.php\?gcu=\d+/Ui"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; pcre:"/\/cp\/rule\.php\?gcu=\d/Ui"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:5;)
#By matt Jonkman
#
@@ -14346,7 +14346,7 @@
#by Shirkdog
#re 8888fcb5020d1295f4343f601263306a
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Lanfiltrator Checkin"; flow:established,to_server; content:"/ralog.cgi"; http_uri; content:"&ip="; http_uri; content:"&servertype=lanfiltrator"; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:trojan-activity; sid:2009078; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Lanfiltrator Checkin"; flow:established,to_server; content:"/ralog.cgi"; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&servertype=lanfiltrator"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:trojan-activity; sid:2009078; rev:4;)
#by matt jonkman
#
@@ -14431,7 +14431,7 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d+/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:4;)
#by Matt Jonkman, MBR Virus related
#
@@ -14441,13 +14441,13 @@
#Ikarus: AdWare.Win32.MWGuide,
#re a98bb554bf012dd25d94b764bc4a0678
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:6;)
#by Victor Julien
#Ikarus: AdWare.Win32.MWGuide,
#re a98bb554bf012dd25d94b764bc4a0678
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:5;)
#info from Bojan at ISC and Russell Fulton
#sig by Russell and Matt Jonkman
@@ -14464,7 +14464,7 @@
#by Chuck Conn at the World Bank
#
-alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:noalert; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:6;)
+alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"|61|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7;)
#by Chuck Conn at the World Bank
#
@@ -14492,7 +14492,7 @@
#Added 2005-10-04 in response to ISC diary
#
-##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d+/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:8;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:9;)
#by Marcus of unsober
#ref: 7d5651c19e316480971eb5406727f720
@@ -14588,7 +14588,7 @@
##by darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Downloader Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern:only; content:"&b="; nocase; http_uri; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D\d*/iU"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Downloader Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern:only; content:"&b="; nocase; http_uri; pcre:"/\x2Ephp\x3Fid\x3D\d*\x26v\x3D\d*\x26tm\x3D\d*\x26b\x3D/iU"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:8;)
#by evilghost and darren spruell and mike cox and crew
#
@@ -14640,15 +14640,15 @@
#by Russ McRee of expedia.com
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea.php?p=\d+/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea.php?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:5;)
#by Russ McRee of expedia.com
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updateb)"; flowbits:isset,BT.ppagent.updatea; flow:to_server,established; content:"/updateb.php?p="; nocase; http_uri; pcre:"/updateb.php?p=\d+/Ui"; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updateb)"; flowbits:isset,BT.ppagent.updatea; flow:to_server,established; content:"/updateb.php?p="; nocase; http_uri; pcre:"/updateb.php?p=\d/Ui"; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:5;)
#by Lance James and Michael Ligh, referenced in paper at http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:9;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type|3a20|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:11;)
#by Lance James and Michael Ligh, referenced in paper at http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf
#
@@ -14689,11 +14689,11 @@
#New by Matt Jonkman, re 0a7b2d160c90af079dbe560b38c89d3f in sandnet
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:8;)
#New by Matt Jonkman, re 0a7b2d160c90af079dbe560b38c89d3f in sandnet
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:!"User-Agent|3a| BDNC"; http_header; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:6;)
#more pinch
#
@@ -14821,7 +14821,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: 030500a6ef292ecf6fc4e2a5bf5a424c
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Parite.B GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| gomtour"; http_header; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| gomtour"; http_header; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:5;)
#Submitted 2006-03-20 by Tom Fischer
#
@@ -14833,7 +14833,7 @@
#by Paul Dokas
#
-##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; http_method; nocase; content:"a=%"; http_raw_uri; fast_pattern; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:8;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; http_method; nocase; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:9;)
#by: Jeremy Conway at sudosecure.net
#ref: a03cadd15d8f658ee73c8829fb4a3019
@@ -14844,7 +14844,7 @@
#by dn1nj4
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http|3a|//"; depth:12; content:"C|3a|\\"; distance:0; nocase; content:".exe|00 00|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:5;)
#by pedro marinho
#
@@ -14868,7 +14868,7 @@
#by matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET TROJAN Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject|3a| Perfect Keylogger was installed successfully|3a|"; fast_pattern:7,20; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:8;)
#by matt jonkman
#
@@ -14955,7 +14955,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: b853a0bc503b0e35959601cca79ec809
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; depth:3; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poison Ivy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; depth:3; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:3;)
#by anonymous submitter #2
#
@@ -14968,12 +14968,12 @@
#by Jaime Blasco, updates by evilghost
#these sigs are intended to catch post data to images. This is suspicious and often trojan or spyware
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; pcre:"/\.gif$/Ui"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:9;)
#by Jaime Blasco, updates by evilghost
#these sigs are intended to catch post data to images. This is suspicious and often trojan or spyware
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; pcre:"/\.jpg$/i"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; fast_pattern:only; pcre:"/\.jpg$/U"; pcre:"/POST\s[^\r\n]+?\.jpg HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:8;)
#by Jaime Blasco, updates by evilghost
#these sigs are intended to catch post data to images. This is suspicious and often trojan or spyware
@@ -14992,15 +14992,15 @@
#Submitted by Brad Doctor
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:8;)
#Submitted by Brad Doctor
#
-alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET VIRUS Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:7;)
+#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:8;)
#Submitted by Brad Doctor
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:7;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:8;)
#Created by Jeremy Conway with contributions from Steven Adair
#
@@ -15026,7 +15026,7 @@
#from sandnet analysis, looking for User Agents like bL0j3jKdUwy3kUCZnsqaHlFTNEU4Ik8IhfG5kpu1Up9qFuqAtSnmqDYUHgAWPsjf1soqBMqxqts1OkiavJn05uGl38NIw4lPZHKHvO36WFcSNu81CJx
#
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d+/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:8;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent|3a| App"; http_header; content:!"Host|3a| liveupdate.symantecliveupdate.com|0d 0a|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:10;)
#by Marcus at unsober.org
#re: 1c3ead1c4a033b6af8f29e53fedd96c1
@@ -15065,7 +15065,7 @@
#by Don Jackson of Secureworks. RE: US courts related phishes
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:7;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent|3A| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:8;)
#by Don Jackson of Secureworks. RE: US courts related phishes
#
@@ -15074,7 +15074,7 @@
#by: Jeremy Conway at sudosecure.net
#ref: 14d98e50d25dfc3c1bc011c2856ac1a8
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Runner (Often Rootkit) - POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; nocase; content:!"User-Agent|3a|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:url,doc.emergingthreats.net/2009711; classtype:trojan-activity; sid:2009711; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Runner/Bublik Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; nocase; content:!"User-Agent|3a|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:trojan-activity; sid:2009711; rev:6;)
#by Jaime Blasco
#
@@ -15092,7 +15092,7 @@
#Matt Jonkman
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; nocase; http_uri; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:4;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; nocase; http_uri; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:5;)
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
#
@@ -15135,7 +15135,7 @@
#by Tom Fisher
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent|3a| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7;)
#by Darren Spruell
#
@@ -15159,7 +15159,7 @@
#by Marcus at unsober.org
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d+/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:trojan-activity; sid:2009300; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:trojan-activity; sid:2009300; rev:5;)
#y Tom Fischer
#
@@ -15191,7 +15191,7 @@
#re: 7596ec9308082edec613ac8d78ee4fe6
#updates by darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; content:"/manda.php?"; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\/manda\.php\?id=(-)?\d{10}&v=[\w\.]+/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:trojan-activity; sid:2010765; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; content:"/manda.php?"; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\/manda\.php\?id=(-)?\d{9,10}&v=\w/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:trojan-activity; sid:2010765; rev:7;)
#This is a new type of proxying via port 80. Tha agent opens up a conn to the controller, then repeats whatever the controller tells it to do
#the initial 2 packets seem to be a checkin, then a command of the host and port to connect to.
@@ -15327,24 +15327,24 @@
#more storm, uses a tcp connection now for some specialized commands. reversed by Joe Stewart
#temporarily disabling for falses
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6;)
#more storm, uses a tcp connection now for some specialized commands. reversed by Joe Stewart
#temporarily disabling for falses
#
-#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:5;)
+##alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6;)
#adding these for a specific storm variant that is encrypting traffic.
#Temporary, there has so far been only one key used, no others have been detected here. This has remained for
#at last a month, so may stay a while. These sigs are for THIS VARIANT'S KEY ONLY
#
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:4;)
+##alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5;)
#adding these for a specific storm variant that is encrypting traffic.
#Temporary, there has so far been only one key used, no others have been detected here. This has remained for
#at last a month, so may stay a while. These sigs are for THIS VARIANT'S KEY ONLY
#
-alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:4;)
+##alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5;)
#storm c&c with a typo'd UA
#
@@ -15454,7 +15454,7 @@
#by darren spruell
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; content:".php?adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:to_server,established; content:".php?adv=adv"; http_uri; content:"User-Agent|3a| "; http_header; nocase; content:")ver"; distance:0; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+\)ver\d+\r?$/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:6;)
#matt jonkman
#
@@ -15470,7 +15470,7 @@
#by dxp
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; reference:url,doc.emergingthreats.net/2009389; classtype:trojan-activity; sid:2009389; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:5;)
#Description of parameters:
#?o= integer value to identify attacker
@@ -15587,12 +15587,12 @@
#by matt jonkman and victor julien
#Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or GenPack:Trojan.Agent.AHAB
#
-alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:trojan-activity; sid:2008022; rev:3;)
+alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:trojan-activity; sid:2008022; rev:4;)
#by matt jonkman and victor julien
#Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or GenPack:Trojan.Agent.AHAB
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:trojan-activity; sid:2008023; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET TROJAN Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO|7c|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:trojan-activity; sid:2008023; rev:5;)
#by matt jonkman and victor julien
#Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or GenPack:Trojan.Agent.AHAB
@@ -15642,7 +15642,7 @@
#by marcus at unsober
#re: 1331ffcae4e8d1de36a708db0e30346b
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host|3a| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:8;)
#by marcus at unsober
#re: 2cb21d88a0217595455591c7345c0395
@@ -15788,7 +15788,7 @@
#by Marcus at unsober
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Counter/Check-in "; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp?mac="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})+&ver=\d+/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Counter/Check-in "; flow:established,to_server; content:"GET"; http_method; content:".asp?mac="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})+&ver=\d/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:9;)
#by Marcus at unsober
#
@@ -15820,7 +15820,7 @@
#by Matt Jonkman
#from sandnet analysis
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5;)
#by Matt Jonkman
#from sandnet analysis
@@ -15952,7 +15952,7 @@
#also seeing the same on 443
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:trojan-activity; sid:2008058; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"|c8|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:trojan-activity; sid:2008058; rev:6;)
#also seeing the same on 443
#
@@ -16004,12 +16004,12 @@
#by Matt Jonkman, from sandnet analysis
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d+/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:trojan-activity; sid:2007610; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:trojan-activity; sid:2007610; rev:5;)
#by: Jeremy Conway at sudosecure.net
#ref: 2e79af552fa6d3bd2cb654cc0f15cd76
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 2.1|3b| SV3)|0d0a|"; fast_pattern:21,20; http_header; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows NT 2.1|3b| SV3)|0d0a|"; fast_pattern:47,15; http_header; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:7;)
#by shirkdog, from sandnet analysis
#
@@ -16037,11 +16037,11 @@
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"verint="; http_client_body; content:"&uid="; http_client_body; content:"&wv="; http_client_body; content:"&report="; http_client_body; content:"&abbr="; http_client_body; content:"&pid="; http_client_body; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d+/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST"; http_method; content:"verint="; http_client_body; content:"&uid="; http_client_body; content:"&wv="; http_client_body; content:"&report="; http_client_body; content:"&abbr="; http_client_body; content:"&pid="; http_client_body; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:6;)
#by evilghost
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; depth:4; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:7;)
#by evilghost
#
@@ -16077,7 +16077,7 @@
#matt jonkman
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; content:"/image/logo.jpg?queryid="; http_uri; pcre:"/queryid=\d+/U"; reference:url,doc.emergingthreats.net/2008049; classtype:trojan-activity; sid:2008049; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; content:"/image/logo.jpg?queryid="; http_uri; pcre:"/queryid=\d+$/U"; reference:url,doc.emergingthreats.net/2008049; classtype:trojan-activity; sid:2008049; rev:5;)
#by Jaime Blasco
#
@@ -16141,15 +16141,15 @@
#by axn jxn
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; content:"User-Agent|3a| internetsecurity"; http_header; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; content:"User-Agent|3a| internetsecurity"; http_header; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:7;)
#by axn jxn
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (Winlogon)"; flow:established,to_server; content:"User-Agent|3a| Winlogon"; http_header; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (Winlogon)"; flow:established,to_server; content:"User-Agent|3a| Winlogon"; http_header; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:6;)
#from sandnet data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent|3a| unknown"; http_header; content:!".real.com|0d 0a|"; http_header; content:!".rhapsody.com|0D 0A|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:9;)
#from sandnet data
#
@@ -16157,11 +16157,11 @@
#from sandnet data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d+/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:5;)
#from sandnet data
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:10;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0 (compatible"; http_header; content:"|3b| UA"; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:11;)
#by Philipp Betch
#
@@ -16173,11 +16173,11 @@
#By Darren Spruell and dxp
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - Likely Zlob (securityinternet)"; flow:established,to_server; content:"User-Agent|3a| securityinternet"; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent|3a| securityinternet"; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:7;)
#marcus at unsober
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob post installation checkin (.php?inst_result=&hwid)"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"inst_result="; http_uri; content:"&hwid="; http_uri; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d; reference:url,doc.emergingthreats.net/2009305; classtype:trojan-activity; sid:2009305; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent|3a| NSISDL/1.2 (Mozilla)|0d 0a|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d; reference:url,doc.emergingthreats.net/2009305; classtype:trojan-activity; sid:2009305; rev:6;)
#by Pedro Marinho
#ref 483dbf6dd97ec249b0ec84a358e39260
@@ -16295,7 +16295,7 @@
#Rbot trojan
#by M Shirk
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET VIRUS HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:7;)
+##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host|3A 20|"; nocase; content:"|3A 20|Negotiate|20|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8;)
#by matt jonkman
#
@@ -16348,11 +16348,11 @@
#Submitted by Joseph Gama
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:11;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:12;)
#Submitted by Joseph Gama
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:8;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"|00|code|00|"; content:"|00 C0|text|00|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:9;)
#from Jack Pepper
#Disabling, tends to false
@@ -16512,7 +16512,7 @@
#by Akash Mahajan
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"String"; nocase; distance:0; pcre:"/[0-9]{4,}/"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/i"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:13;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"String("; nocase; distance:0; pcre:"/^\s*?[0-9]{4}/R"; pcre:"/(SetBgColor|SetMovieName|SetTarget|SetMatrix|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:15;)
#by stillsecure
#
@@ -17985,7 +17985,7 @@
#by Kevin Ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Suspicious Chmod Usage in URI"; flow:to_server,established; content:"chmod"; fast_pattern:only; nocase; http_uri; pcre:"/chmod.([r|w|x|1-7])/Ui"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Suspicious Chmod Usage in URI"; flow:to_server,established; content:"chmod"; fast_pattern:only; nocase; http_uri; pcre:"/chmod\s+([+-][rwx]|[0-7])/Ui"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:7;)
#by kevin ross
#
@@ -18022,7 +18022,7 @@
#Submitted by Matt Jonkman
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:".aspx"; nocase; http_uri; content:"GET"; nocase; http_method; content:"|5C|"; content:"aspx"; nocase; within: 100; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:24;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"|5C|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:25;)
#Submitted by Matt Jonkman
#
@@ -18061,7 +18061,7 @@
#by David Maciejak
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; http_uri; pcre:"/date=\d{8}\)\;.+/Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:7;)
#Submitted by bdoctor
#
@@ -18316,7 +18316,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; content:"BULK"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/BULK.+INSERT/Ui"; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; content:"BULK"; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:4;)
#by kevin ross
#
@@ -18404,7 +18404,7 @@
#this is disabled because it doesn't work for some reason.
#
-#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:8;)
+##alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9;)
#By Blake Hartstein
#Detects uri evasions too
@@ -20039,7 +20039,7 @@
#Submitted to Snort-Sigs by Chas Tomlin, with additions by David Maciejak
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:16;)
#by stillsecure
#
@@ -20607,7 +20607,7 @@
#by Nagraj S
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/id_menu\x3d.+INSERT.+INTO/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; distance:0; nocase; http_uri; content:"INSERT"; distance:0; nocase; http_uri; content:"INTO"; distance:0; nocase; http_uri; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:6;)
#by Nagraj S
#
@@ -20615,7 +20615,7 @@
#by Nagraj S
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/id_menu\x3d.+UNION.+SELECT.+FROM/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:6;)
#By David Maciejak
#
@@ -21051,7 +21051,7 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; fast_pattern; distance:0; nocase; http_uri; content:"UNION"; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:6;)
#by tinytwitty
#
@@ -21511,11 +21511,11 @@
#By David Maciejak, 2005-11-03
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]+/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:9;)
#By David Maciejak, 2005-11-03
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]+/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:6;)
#by stillsecure
#
@@ -21523,7 +21523,7 @@
#Submitted by David Maciejak on 2005-11-15
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; content:"/show.php?"; nocase; http_uri; pcre:"/id=-?\d+\s+UNION\s+/Ui"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; content:"/show.php?"; nocase; http_uri; pcre:"/id=-?\d+\s+UNION\s/Ui"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:7;)
#by stillsecure
#
@@ -24175,7 +24175,7 @@
#Submitted 2006-06-29 by Frank Knobbe
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(http|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.*\]=(data|https?|ftps?|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:8;)
#by tinytwitty
#
@@ -27590,7 +27590,7 @@
#by kevin ross
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s*(https|ftps|php|http|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4;)
#by mike cox
#
@@ -31502,7 +31502,7 @@
#by stillsecure
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3;)
#by stillsecure
#
@@ -31970,7 +31970,7 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:8;)
#by tinytwitty
#
@@ -32554,7 +32554,7 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; fast_pattern; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:7;)
#by tinytwitty
#
@@ -35698,7 +35698,7 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; fast_pattern; distance:0; nocase; content:"INSERT"; http_uri; distance:0; nocase; content:"INTO"; http_uri; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:6;)
#by tinytwitty
#
@@ -36286,7 +36286,7 @@
#by tinytwitty
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:7;)
#by Stillsecure
#
@@ -37319,34 +37319,34 @@
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; classtype:shellcode-detect; sid:2100640; rev:8;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:8;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:8;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:8;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:9;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:10;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:11;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:6;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:7;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:7;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:7;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:7;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:7;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2102313; rev:4;)
@@ -37361,28 +37361,28 @@
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:9;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:1424; rev:7;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8;)
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:1390; rev:6;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;)
#
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:9;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:10;)
#
-#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:9;)
+#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:10;)
#
-alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; fast_pattern:only; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:9;)
+alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; fast_pattern:only; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:10;)
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7;)
#
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;)
#
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4;)
@@ -37391,13 +37391,13 @@
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6;)
#
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11;)
#
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5;)
#
-#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3;)
#
#alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:2101882; rev:11;)
@@ -37433,13 +37433,13 @@
#alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;)
#
-#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8;)
#
-#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8;)
#
-#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
+#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8;)
#
#alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:6;)
@@ -37448,10 +37448,10 @@
alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:2101633; rev:7;)
#
-alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:5;)
+#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6;)
#
-#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
+##alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt"; flow:to_client,established; content:"Content-Encoding|3A|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:100000119; rev:3;)
@@ -37460,7 +37460,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; content:"document|2e|addEventListener|28 22|DOMNodeRemoved|22|"; nocase; content:"document|2e|body|2e|appendChild|28|document|2e|getElementById|28|"; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:100000447; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding|3a|"; nocase; content:"chunked"; nocase; content:"Content-Type|3a|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:3;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding|3a|"; nocase; content:"chunked"; nocase; content:"Content-Type|3a|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:5;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Winamp PlayList buffer overflow attempt"; flow:from_server,established; content:"playlist"; nocase; content:"\\\\"; reference:bugtraq,16410; reference:cve,2006-0476; reference:url,www.frsirt.com/english/advisories/2006/0361; classtype:attempted-admin; sid:100000228; rev:3;)
@@ -37562,13 +37562,13 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX winhelp clsid attempt"; flow:from_server,established; file_data; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:2103148; rev:7;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A|"; http_header; nocase; content:"-"; within:3; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:9;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length|3A| -"; http_header; fast_pattern:only; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:10;)
#
-#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
+#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7;)
#
-alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
+##alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9;)
#
#alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC NNTP Lynx overflow attempt"; flow:to_client,established; content:"Subject"; nocase; isdataat:100,relative; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; reference:bugtraq,15117; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:4;)
@@ -37583,7 +37583,7 @@
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:2101989; rev:7;)
#
-#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
+#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:8;)
#
#alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"GPL FTP NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; fast_pattern:only; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:2100308; rev:10;)
@@ -37592,25 +37592,25 @@
#alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9;)
#
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4;)
#
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4;)
#
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5;)
#
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
+##alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2102450; rev:4;)
#
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4;)
#
-alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;)
+alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5;)
#
-alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:4;)
+alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2102461; rev:5;)
#
alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000236; rev:2;)
@@ -37619,19 +37619,19 @@
alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000235; rev:2;)
#
-#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
+#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:8;)
#
#alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"GPL P2P eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; content:"|01|SENDLINK|7c|"; distance:0; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2102584; rev:5;)
#
-#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
+#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; http_header; classtype:policy-violation; sid:2101438; rev:11;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:2101437; rev:9;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/Hmi"; classtype:policy-violation; sid:2101437; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http|3a|//127.0.0.1"; fast_pattern:only; pcre:"/http\x3A\/\/127\.0\.0\.1\/.*\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:4;)
@@ -37640,7 +37640,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-PHP phpinfo access"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:100000186; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; http_header; distance:0; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; http_header; distance:0; pcre:"/^Authorization\x3a\s*Basic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:9;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER TRACE attempt"; flow:to_server,established; content:"TRACE"; http_method; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2102056; rev:6;)
@@ -37661,13 +37661,16 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.*'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;)
#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4;)
+
+#
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101891; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:10;)
#
##alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:2101935; rev:6;)
@@ -37694,19 +37697,19 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102111; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:10;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:12;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:2100287; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8;)
@@ -37766,13 +37769,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
@@ -37817,13 +37820,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2102016; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
@@ -37832,52 +37835,52 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2927; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2427; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2428; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2430; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2431; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2429; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2424; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2425; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2426; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL TROJAN netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:8;)
@@ -37946,7 +37949,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8;)
@@ -38024,7 +38027,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3183; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|01 00|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|04 00|"; within:2; distance:19; content:"|5C 00 5C 00|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4;)
@@ -38135,25 +38138,25 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2992; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2993; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2994; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2995; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6;)
@@ -38183,10 +38186,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2964; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2965; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7;)
@@ -38195,10 +38198,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2966; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2967; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6;)
@@ -38255,7 +38258,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"|00 00 00 00|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103053; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|01 00|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6;)
@@ -38267,7 +38270,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2384; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0F|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4;)
@@ -38327,7 +38330,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102403; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5;)
@@ -38342,16 +38345,16 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4;)
@@ -38462,10 +38465,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2960; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2956; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6;)
@@ -38474,10 +38477,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2961; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2957; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6;)
@@ -38492,7 +38495,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2950; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10;)
@@ -38501,10 +38504,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4;)
@@ -38525,10 +38528,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5;)
@@ -38546,34 +38549,34 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.*\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:2;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.*\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP MDaemon authentication multiple packet overflow attempt"; flow:to_server,established; flowbits:isset,community_imap.auth; isdataat:342; pcre:"/[^\x0A]{342,}/"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP MDaemon authentication overflow single packet attempt"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN][^\n]*\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:2;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED MDaemon authentication overflow single packet attempt"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN][^\n]*\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:3;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"|2E 2E|"; nocase; pcre:"/^\d*\s*SELECT\s*\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:2;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"|2E 2E|"; nocase; pcre:"/^\d*\s*SELECT\s*\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101780; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:6;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; isdataat:100,relative; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2102330; rev:3;)
@@ -38585,28 +38588,28 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; nocase; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2102107; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; nocase; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; nocase; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; nocase; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:500,relative; pcre:"/\sFETCH\s[^\n]{500}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103070; rev:3;)
@@ -38615,7 +38618,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102118; rev:7;)
@@ -38624,61 +38627,61 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102106; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; isdataat:1024,relative; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2102046; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; nocase; pcre:"/\sSTATUS\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:3072; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; nocase; pcre:"/\sSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL MISC private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL MISC public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"GPL VOIP Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"|08|"; depth:1; byte_test:1,>,4,1; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; classtype:attempted-dos; sid:100000892; rev:2;)
@@ -38708,7 +38711,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2101621; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:4;)
@@ -38726,7 +38729,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:2101728; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101975; rev:9;)
@@ -38777,7 +38780,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:2101992; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:6;)
@@ -38789,7 +38792,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102332; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2102179; rev:7;)
@@ -38798,7 +38801,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:2101972; rev:17;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:3441; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102333; rev:2;)
@@ -38807,13 +38810,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:2101974; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2102574; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2392; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101976; rev:10;)
@@ -38825,10 +38828,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:2101622; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:3077; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2102340; rev:8;)
@@ -38858,13 +38861,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:2101529; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2102343; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2102178; rev:17;)
@@ -38876,7 +38879,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2102344; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7;)
@@ -38888,13 +38891,13 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:2101748; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2102417; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; fast_pattern:only; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:2101623; rev:8;)
@@ -38912,7 +38915,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; nocase; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; classtype:suspicious-login; sid:2100357; rev:7;)
@@ -38933,13 +38936,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:14;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:16;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:17;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:15;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:16;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:2100546; rev:7;)
@@ -38954,7 +38957,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:2100548; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; fast_pattern; distance:1; nocase; classtype:misc-activity; sid:2100544; rev:8;)
@@ -38963,31 +38966,31 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; fast_pattern; distance:1; nocase; classtype:misc-activity; sid:2100543; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:2101449; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous login attempt"; flow:to_server,established; content:"USER "; nocase; depth:5; content:"anon"; distance:0; classtype:misc-activity; sid:2100553; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; nocase; classtype:network-scan; sid:2101638; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-recon; sid:617; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; fast_pattern:only; classtype:attempted-recon; sid:2100617; rev:6;)
#modified due to some fp's. - duc
-alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL DELETED CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2102583; rev:3;)
@@ -38996,13 +38999,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:11;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:11;)
@@ -39020,43 +39023,46 @@
##alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"GPL DELETED RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2102335; rev:3;)
#
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3;)
+
+#
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"GPL EXPLOIT MISC Lotus Domino LDAP attack"; flow:established; content:"|30 0c 02 01 01 60 07 02 00 03 04 00 80 00|"; fast_pattern:only; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2982; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2983; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2978; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C|24 00|"; distance:2; nocase; content:!"IPC|24 00|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2979; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C|00 24 00 00 00|"; distance:2; nocase; content:!"I|00|P|00|C|00 24 00 00 00|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11;)
@@ -39110,25 +39116,25 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 01|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2974; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D|24 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2975; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D|00 24 00 00 00|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8;)
@@ -39146,7 +39152,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2385; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15;)
@@ -39188,13 +39194,13 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9;)
@@ -39224,25 +39230,25 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2996; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2997; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2998; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 18|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2999; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|18 00|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10;)
@@ -39272,10 +39278,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|02 00|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2968; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2969; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7;)
@@ -39284,10 +39290,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:256,relative; content:!"|00|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2970; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|00 0C|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2971; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"|00|"; within:1; distance:1; content:"|0C 00|"; within:2; distance:19; isdataat:512,relative; content:!"|00 00|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7;)
@@ -39407,7 +39413,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102404; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103004; rev:5;)
@@ -39425,13 +39431,13 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103142; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|01 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:4;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; content:"|07 00|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"`|9E E7 B9|R=|CE 11 AA A1 00 00|i|01 29|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4;)
@@ -39542,10 +39548,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"|05|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|B0 01|R|97 CA|Y|D0 11 A8 D5 00 A0 C9 0D 80|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2962; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2958; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|nddeapi|00|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6;)
@@ -39554,10 +39560,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"|5C|nddeapi|00|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2963; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2959; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:" 2_/&|C1|v|10 B5|I|07|M|07 86 19 DA|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7;)
@@ -39566,16 +39572,16 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"|5C 00|n|00|d|00|d|00|e|00|a|00|p|00|i|00 00 00|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2951; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"|FF|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f).{28}(\x73|\x74|\x75|\xa2|\x24|\x2d|\x2e|\x2f)/"; byte_jump:2,39,little; content:!"|FF|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103214; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C|winreg|00|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4;)
@@ -39596,10 +39602,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&|00|"; within:2; distance:29; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"|05|"; distance:4; within:1; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A2|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,!&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4;)
@@ -39617,7 +39623,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"|05|"; byte_test:1,&,16,3,relative; content:"|0B|"; within:1; distance:1; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL EXPLOIT Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; fast_pattern:only; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:9;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; fast_pattern:only; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:11;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL RPC rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102114; rev:4;)
@@ -39626,31 +39632,31 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:2100601; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"|24 7B 49 46 53 7D|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;)
@@ -39659,43 +39665,43 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22 60|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"GPL POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:2101846; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
+##alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8;)
@@ -39791,7 +39797,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2;)
@@ -39818,19 +39824,19 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2102048; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"GPL POLICY Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:2101859; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102095; rev:7;)
@@ -39842,7 +39848,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:2101909; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101916; rev:10;)
@@ -39854,7 +39860,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2102018; rev:5;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2101925; rev:7;)
@@ -39887,7 +39893,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; fast_pattern; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2102255; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101965; rev:9;)
@@ -39911,49 +39917,49 @@
##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2102089; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include"; flow:to_server,established; content:"/base_include.inc.php"; http_uri; nocase; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include"; flow:to_server,established; content:"/base_include.inc.php"; http_uri; nocase; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht|f)tps?|data|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include"; flow:to_server,established; content:"/base_qry_common.php"; http_uri; nocase; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include"; flow:to_server,established; content:"/base_qry_common.php"; http_uri; nocase; fast_pattern:only; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht|f)tps?|data|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; content:"/base_stat_common.php"; nocase; http_uri; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(https?|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; content:"/base_stat_common.php"; nocase; http_uri; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht|f)tps?|data|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEB-MISC JBoss web-console access"; flow:to_server,established; content:"/web-console"; http_uri; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-MISC JBoss web-console access"; flow:to_server,established; content:"/web-console"; http_uri; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/BlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; content:"plugins/spamx/BlackList.Examine.class.php"; nocase; http_uri; content:"$_CONF[path]="; nocase; http_uri; pcre:"/\$_CONF\[path\]=(?:(?:ht|f)tps?|data|php)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/DeleteComment.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000731; rev:3;)
@@ -39989,10 +39995,10 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelete.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000734; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/links/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; content:"plugins/links/functions.inc"; nocase; http_uri; fast_pattern:7,20; content:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(?:(?:ht|f)tps?|data|php)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/polls/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; content:"plugins/polls/functions.inc"; nocase; http_uri; fast_pattern:7,20; content:"$_CONF[path]="; nocase; http_uri; pcre:"/\$_CONF\[path\]=(?:(?:ht|f)tps?|data|php)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/staticpages/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000742; rev:3;)
@@ -40001,46 +40007,49 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include"; flow:to_server,established; content:"create_file.php?"; http_uri; nocase; content:"target="; http_uri; nocase; pcre:"/target=(https?|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000908; rev:2;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:1369; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls| command attempt"; flow:to_server,established; content:"/bin/ls|7C|"; http_uri; nocase; classtype:web-application-attack; sid:1368; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; http_uri; classtype:web-application-activity; sid:2101371; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; http_uri; classtype:web-application-activity; sid:1371; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; fast_pattern:only; nocase; classtype:web-application-activity; sid:1372; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:1355; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:1349; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101334; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; fast_pattern:only; nocase; classtype:web-application-attack; sid:1334; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; content:"python "; http_uri; nocase; classtype:web-application-attack; sid:2101350; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; content:"python%20"; http_uri; nocase; classtype:web-application-attack; sid:1350; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101340; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; fast_pattern:only; nocase; classtype:web-application-attack; sid:1340; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; fast_pattern:only; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:15;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:16;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13;)
@@ -40049,76 +40058,76 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; content:"/perl?"; http_uri; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:14;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER printenv access"; flow:to_server,established; content:"/printenv"; http_uri; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:2101877; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:11;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; http_uri; nocase; classtype:web-application-activity; sid:952; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; http_uri; nocase; classtype:web-application-activity; sid:2100952; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; http_uri; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; http_uri; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:2100951; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100958; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; content:"/service.pwd"; http_uri; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; content:"/service.pwd"; http_uri; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100959; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100961; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100965; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd|22|"; nocase; http_uri; pcre:"/.cmd\x22.*\x26.*/smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd|22|"; nocase; http_uri; pcre:"/\.cmd\x22.*?\x26/Ui"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:16;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; http_uri; nocase; classtype:web-application-attack; sid:994; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; http_uri; nocase; classtype:web-application-attack; sid:2100994; rev:9;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:10;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4;)
@@ -40127,19 +40136,19 @@
##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; pcre:"/\.ida$/iU"; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:15;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:16;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:12;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; reference:nessus,11018; classtype:web-application-attack; sid:2101818; rev:4;)
@@ -40148,10 +40157,10 @@
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; content:"TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE"; pcre:"/^Authorization|3A|\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:2101817; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:11;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; fast_pattern:32,4; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12;)
@@ -40160,13 +40169,13 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:10;)
#
-##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:1002; rev:8;)
+##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:9;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:1003; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:2101003; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101008; rev:9;)
@@ -40175,19 +40184,19 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; http_uri; nocase; reference:nessus,10573; classtype:web-application-attack; sid:2101009; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; content:"/global.asa"; http_uri; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; content:"/global.asa"; http_uri; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:2101016; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; http_uri; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:2101023; rev:13;)
@@ -40196,25 +40205,25 @@
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-activity; sid:2101285; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2101945; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:981; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:982; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:983; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:15;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; http_uri; classtype:attempted-recon; sid:2101129; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; nocase; classtype:attempted-recon; sid:2101122; rev:8;)
@@ -40223,7 +40232,7 @@
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~ftp access"; flow:to_server,established; content:"/~ftp"; http_uri; nocase; classtype:attempted-recon; sid:2101662; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~root access"; flow:to_server,established; content:"/~root"; http_uri; nocase; classtype:attempted-recon; sid:2101145; rev:9;)
@@ -40238,7 +40247,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; reference:nessus,10851; classtype:web-application-activity; sid:2101874; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; fast_pattern:only; http_uri; nocase; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; fast_pattern:only; http_uri; nocase; content:"username="; nocase; isdataat:250,relative; content:!"|0A|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:4;)
#
##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; http_header; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102597; rev:5;)
@@ -40247,7 +40256,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat directory traversal attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; reference:bugtraq,2518; classtype:web-application-attack; sid:2101055; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:11;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:12;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:2101108; rev:12;)
@@ -40271,28 +40280,28 @@
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:1156; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:11;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:11;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:8;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; http_uri; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:1118; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; http_uri; reference:arachnids,301; classtype:web-application-attack; sid:2101102; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; http_uri; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2102585; rev:2;)
#
-#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:11;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:12;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER robot.txt access"; flow:to_server,established; content:"/robot.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101857; rev:5;)
@@ -40301,28 +40310,31 @@
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER robots.txt access"; flow:to_server,established; content:"/robots.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101852; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; uricontent:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; content:"/viewcode"; http_uri; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:2101403; rev:11;)
#
#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER webalizer access"; flow:established,to_server; content:"/webalizer/"; nocase; http_uri; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:2101847; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;)
+##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7;)
+
+#
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"GPL EXPLOIT WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; content:"/invoker/JMXInvokerServlet"; http_uri; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:2;)
@@ -40346,1015 +40358,1015 @@
#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"|0A|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2102590; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:15;)
#
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6;)
#
-#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
+#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:12;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7;)
#
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; fast_pattern:only; nocase; classtype:system-call-detect; sid:2101673; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; fast_pattern:only; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; fast_pattern:only; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; fast_pattern:only; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern:only; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; fast_pattern:only; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; fast_pattern:only; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; fast_pattern:only; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; fast_pattern:only; nocase; classtype:protocol-command-decode; sid:2101674; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; fast_pattern:only; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){4}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2762; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2856; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,){2}\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:2101698; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3;)
#
#alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s*\(\s*\d+\s*,\s*(\x27[^\x27]{32}|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,(\s*(true|false)\s*,\s*){3}((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))|\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*missing_rows_oname1[\r\n\s]*=>[\r\n\s]*\2|missing_rows_oname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3;)
#
#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2897; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:3;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s*(\x27[^\x27]*'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|22|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:692; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; classtype:shellcode-detect; sid:2100692; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:694; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:attempted-user; sid:2100694; rev:7;)
#
-#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:678; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; classtype:attempted-user; sid:2100678; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:677; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100677; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:702; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:708; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:697; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:690; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:698; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:703; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:696; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:695; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:700; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:691; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:8;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:6;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:2100693; rev:7;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:685; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; classtype:attempted-user; sid:2100685; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:684; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; classtype:attempted-user; sid:2100684; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:683; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; classtype:attempted-user; sid:2100683; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:673; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; classtype:attempted-user; sid:2100673; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:687; rev:5;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2100687; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:674; rev:8;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:682; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:706; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:699; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:707; rev:10;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:675; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:705; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10;)
#
-alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:701; rev:9;)
+#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10;)
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:2101775; rev:4;)
@@ -41369,7 +41381,7 @@
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; classtype:attempted-user; sid:2101759; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
+alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4;)
#
#alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9;)
@@ -41381,22 +41393,25 @@
#alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12;)
#
-alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows |5b|Version "; content:"Copyright"; within:12; content:"Microsoft Corp"; within:16; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:6;)
+alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright |28|c|29| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7;)
+
+#
+##alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3;)
#
-alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:3;)
+#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4;)
#
-alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:3;)
+#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5;)
#
-alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:3;)
+alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4;)
#
-#alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:9;)
+#alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:2100491; rev:11;)
#
-alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; fast_pattern:only; nocase; classtype:bad-unknown; sid:1251; rev:8;)
+ alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2101251; rev:10;)
#
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5;)
@@ -41420,13 +41435,13 @@
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5;)
#
-alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:3;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4;)
#
-alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:3;)
+#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5;)
#
-alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;)
+alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"|FF|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m|00 00 C0|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4;)
#
alert tcp any 4711 -> $HOME_NET any (msg:"GPL P2P eDonkey server response"; flow:established,from_server; content:"Server|3A| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2102587; rev:4;)
@@ -41435,10 +41450,10 @@
alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"GPL RPC rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2102104; rev:6;)
#
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7;)
#
-alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
+alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8;)
#
alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6;)
@@ -41471,22 +41486,22 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:9;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"filename"; distance:0; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL P2P eDonkey transfer"; flow:to_server,established; content:"|E3|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream|3a|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000232; rev:3;)
@@ -41531,19 +41546,19 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET "; depth:4; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:2101699; rev:11;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6;)
#
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:12;)
#
-alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; content:"403"; http_stat_code; classtype:attempted-recon; sid:2101201; rev:9;)
#
#alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE Invalid URL"; flow:from_server,established; content:"Invalid URL"; fast_pattern:only; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:2101200; rev:12;)
@@ -41573,34 +41588,34 @@
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; fast_pattern:only; nocase; reference:nessus,10039; classtype:bad-unknown; sid:2101666; rev:7;)
#
-#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
+#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12;)
#
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3;)
#
-alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:9;)
+alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10;)
#
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;)
#
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:3;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4;)
#
-alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:10;)
+alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11;)
#
-#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;)
+#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14;)
#
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; fast_pattern:only; nocase; classtype:bad-unknown; sid:492; rev:10;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2100492; rev:11;)
#
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern:only; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:8;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern:only; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:9;)
#
-alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3A| root"; fast_pattern:only; classtype:suspicious-login; sid:719; rev:8;)
+alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login|3A| root"; fast_pattern:only; classtype:suspicious-login; sid:2100719; rev:9;)
#
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Linksys apply.cgi overflow attempt"; flow:to_server,established; content:"/apply.cgi"; http_uri; fast_pattern:only; content:"Content-Length|3A|"; isdataat:1000,relative; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:4;)
@@ -41612,10 +41627,10 @@
alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6;)
#
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:2100253; rev:5;)
#
-#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
+#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:2100254; rev:5;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7;)
@@ -41633,19 +41648,19 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102015; rev:6;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2102017; rev:13;)
@@ -41654,22 +41669,22 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102079; rev:7;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101923; rev:7;)
@@ -41678,46 +41693,46 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102081; rev:10;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101732; rev:10;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101277; rev:10;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10;)
@@ -41738,7 +41753,7 @@
#alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL ping attempt"; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2102049; rev:5;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:7;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5;)
@@ -41747,28 +41762,28 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern:only; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern:only; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:12;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:10;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:11;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL EXPLOIT community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern:only; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:3;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:10;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:2101867; rev:2;)
@@ -41777,16 +41792,16 @@
#alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; classtype:attempted-recon; sid:2100517; rev:2;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location|3A|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:2101917; rev:7;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"GPL GAMES Halocon Denial of Service Empty UDP Packet"; dsize:0; reference:bugtraq,12281; classtype:attempted-dos; sid:100000102; rev:2;)
@@ -41798,7 +41813,7 @@
#alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"GPL GAMES FlatFrag game dos exploit"; fragbits:D; id:1; content:"|61 61 61|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:2;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL TROJAN BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL TROJAN BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:6;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"GPL RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101281; rev:9;)
@@ -41810,28 +41825,28 @@
#alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"GPL DELETED xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2102040; rev:4;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:10;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:4;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:6;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:2101771; rev:7;)
@@ -41861,10 +41876,10 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"GPL POLICY PCAnywhere server response"; content:"ST"; depth:2; classtype:misc-activity; sid:2100566; rev:5;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5;)
@@ -41879,7 +41894,7 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"|00 01 25 2E|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2102336; rev:4;)
@@ -41900,16 +41915,16 @@
alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"GPL GAMES Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; reference:bugtraq,12262; classtype:attempted-dos; sid:100000103; rev:2;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:3;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102094; rev:7;)
@@ -41951,7 +41966,7 @@
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102083; rev:9;)
#
-#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7;)
#
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:2101957; rev:6;)
@@ -41981,7 +41996,7 @@
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2102088; rev:6;)
#
-alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4;)
+#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; classtype:attempted-recon; sid:2100637; rev:4;)
#
#alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7;)
@@ -41999,33 +42014,36 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8;)
#
-#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
+#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:10;)
#
-#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
+#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:10;)
#
#alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "|00 10 00 01|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;)
#
-alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5;)
#
alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10;)
#
-alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5;)
#
-alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5;)
#
-alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;)
+alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5;)
#
#alert udp any any -> any 69 (msg:"GPL TFTP PUT filename overflow attempt"; content:"|00 02|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2102337; rev:9;)
#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:5; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:6;)
+
+#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"|0A|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7;)
#
@@ -42050,7 +42068,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"31"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:19;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"37"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:23;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/catalogo.php?"; nocase; uricontent:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:1;)
@@ -42251,19 +42269,19 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/gnupg/json.php?"; nocase; uricontent:"task=send_key"; nocase; uricontent:"fingerprint="; nocase; pcre:"/fingerprint=\w*\;/Ui"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:1;)
#
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|ru|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3;)
#
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|com|02|cn|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|cz|02|cc|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3;)
#
-#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:2;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|02|kr|00|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3;)
#
alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; content:"/w3af/remoteFileInclude.html"; http_uri; nocase; content:"Host|3A| w3af.sourceforge.net"; http_header; nocase; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:3;)
@@ -42383,7 +42401,7 @@
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent|3a| KRMAK"; http_header; classtype:trojan-activity; sid:2011297; rev:2;)
#
-alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:5;)
+alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"|18|"; depth:1; content:"|00 00|"; distance:16; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; sid:2011295; rev:7;)
#
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"|38|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2;)
@@ -42500,10 +42518,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.cz.cc domain"; flow: to_server,established; content:".cz.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011375; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN indux.php check-in"; flow:established,to_server; content:"/indux.php?U="; nocase; http_uri; content:"@"; http_uri; content:"Referer|3a| http|3a|//www.google.com|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2011387; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN indux.php check-in"; flow:established,to_server; content:"/indux.php?U="; nocase; http_uri; fast_pattern:only; content:"@"; http_uri; content:"Referer|3a| http|3a|//www.google.com|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2011387; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|command="; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0d 0a 0d 0a|command="; fast_pattern; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent|3a| http-get-demo"; http_header; classtype:trojan-activity; sid:2011392; rev:2;)
@@ -42533,10 +42551,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Unknown Command From CnC Server"; flow:established,from_server; dsize:124; content:"|C1 00 00 00|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011401; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"|0d 0a|Accept-Encoding|3A| g|7b|ip|2C| deflate|0d 0a|"; http_header; content:"|0d 0a|Connection|3A| Keep|2D|Alivf|0d 0a|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=3dd8193692b62a875985349b67da38c6; reference:url,www.threatexpert.com/report.aspx?md5=6c9ad4d06f72edcd2b301d66b25ad101; reference:url,www.threatexpert.com/report.aspx?md5=91fa03240b5a59853d0dad708055a7a8; classtype:trojan-activity; sid:2011415; rev:3;)
@@ -42602,7 +42620,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND"; http_method; nocase; flowbits:set,ET_PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET_PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET_PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:3;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:bad-unknown; sid:2011468; rev:3;)
@@ -42752,7 +42770,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp checkin task"; flow:established,to_server; content:"/task.php?id="; http_uri; content:"&task="; http_uri; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/U"; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.honeynet.org/node/578; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b; reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44; reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36; classtype:trojan-activity; sid:2011799; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"master conn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; content:!"BlackBerry|3b|"; http_header; content:!"PlayBook|3b|"; http_header; content:!"masterconn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:8;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:1;)
@@ -42770,7 +42788,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"ScriptResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"WebResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"/WebResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&|3b|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:4;)
#by kevin ross
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; content:"User-Agent|3A| inspath [path disclosure finder"; http_header; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:2;)
@@ -43004,6 +43022,9 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/loadplugin.php?"; nocase; http_uri; content:"load="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; classtype:web-application-attack; sid:2011884; rev:2;)
#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; content:"|16 03|"; depth:2; content:"|55 04 0a|"; distance:0; content:"|0d|LogMeIn, Inc."; distance:1; within:14; content:".app"; classtype:policy-violation; sid:2014756; rev:5;)
+
+#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"site=static"; nocase; http_uri; content:"staticID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15152/; classtype:web-application-attack; sid:2011886; rev:2;)
#
@@ -43025,7 +43046,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById|28 22|suv|22 29|.innerHTML"; content:"new|20|Array|28|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"|0d 0a|Accept-Language|3a| "; distance:1; within:19; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE"; fast_pattern:23,18; http_header; content:"Host|3a| "; distance:0; http_header; content:"|3a| no-cache"; distance:0; http_header; content:!"Accept|3a| "; http_header; pcre:"/^\/[a-z0-9+\/=]{16,400}$/Ui"; classtype:trojan-activity; sid:2011894; rev:15;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Accept|3a| "; http_header; content:" HTTP/1."; content:"|0d 0a|Accept-Language|3a| "; distance:1; within:19; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE"; fast_pattern:23,18; http_header; content:"Host|3a| "; distance:0; http_header; content:"|3a| no-cache"; distance:0; http_header; pcre:"/^\/[a-z0-9+\/=]{16,400}$/Ui"; classtype:trojan-activity; sid:2011894; rev:16;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:1;)
@@ -43115,7 +43136,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rogue AV Downloader concat URI"; flow:established,to_server; content:".php?id="; http_uri; content:"x="; http_uri; content:"os="; http_uri; content:"n="; http_uri; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d+/U"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rogue AV Downloader concat URI"; flow:established,to_server; content:".php?id="; http_uri; content:"x="; http_uri; content:"os="; http_uri; content:"n="; http_uri; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/U"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"|29 20|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:4;)
@@ -43226,7 +43247,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013090; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^\x7c?\d/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:trojan-activity; sid:2013090; rev:8;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:1;)
@@ -43469,7 +43490,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"|0d 0a|HeaderX|3a 20|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; distance:0; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; content:"MSPublisher"; flowbits:set,ms.publisher.file; flowbits:noalert; reference:cve,2010-3995; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; classtype:attempted-user; sid:2012519; rev:4;)
@@ -43604,7 +43625,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"|0d 0a 0d 0a 3c 3f|xml|20|version"; nocase; content:"|3c|methodCall|3e|"; distance:0; content:"|3c|methodName|3e|"; distance:0; within:25; content:"|3c|params|3e|"; content:"|3c 2f|value|3e|"; distance:0; within:400; content:"|3c|param| 3e|"; distance:0; content:"|3c|value|3e|"; within:50; content:"|3c|string|3e|"; content:"|27|"; distance:0; within:50; content:"|3b|"; within:10; content:"|3b|"; content:"|27|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"|2e|Image2PDF"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*E589DA78-AD4C-4FC5-B6B9-9E47B110679E\s*}?\s*(.*)(\s|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5;)
@@ -43613,7 +43634,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AdVantage)"; flow:established,to_server; content:"User-Agent|3A| AdVantage"; http_header; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012104; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2;)
@@ -43721,22 +43742,22 @@
#alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|co|00|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document|2e|getElementById|28|"; distance:0; content:"|2e|MapZone|28|"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*73F57628-B458-11D4-9673-00A0D212FC63\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; distance:0; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript|3a|document|2e|getElementById|28 27|"; content:"|2e|strategy"; distance:0; within:20; content:"javascript|3a|document.getElementById|28 27|"; distance:0; content:"|2e|target"; distance:0; within:20; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*DC922B67-FF61-455E-9D79-959925B6695C\s*}?\s*(.*)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:7;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"|2e|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*25982EAA-87CC-4747-BE09-9913CF7DD2F1\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:6;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"|2e|Enque"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*BECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:5;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"|2e|EnumFiles"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*62A989CE-D39A-11D5-86F0-B9C370762176\s*}?(.*)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"|2e|LCDWriteString"; distance:0; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22|\x27]\s*clsid\s*\x3a\s*{?\s*69A40DA3-4D42-11D0-86B0-0000C025864A\s*}?(.*)\>/si"; pcre:"/<object\s*[^>]*\s*classid\s*=\s*[\x22\x27]\s*clsid\s*\x3a\s*{?\s*D27CDB6E-AE6D-11cf-96B8-444553540000\s*}?(.*)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"|0d 0a|ORGANIZER"; content:"mailto|3a|"; nocase; within:50; isdataat:2000,relative; content:!"|0a|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3;)
@@ -43805,7 +43826,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow: established,to_server; content: "User-Agent|3a| Blizzard Web Client"; nocase; classtype:policy-violation; sid:2012170; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Lookup of Chinese Dynamic DNS Provider 3322.org Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent|3a| mrgud"; http_header; nocase; classtype:trojan-activity; sid:2012172; rev:3;)
@@ -43841,6 +43862,9 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/media.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:3;)
#
+alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent|3A| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:2;)
+
+#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/xmlrpc/server.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:2;)
#
@@ -43988,6 +44012,9 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:1;)
#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3;)
+
+#
alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Init"; flow:established,from_server; dsize:2; content:"x0"; depth:2; flowbits:noalert; flowbits:set,et.x0proto; classtype:trojan-activity; sid:2012236; rev:1;)
#
@@ -44030,7 +44057,7 @@
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent|3a| Win32"; http_header; classtype:trojan-activity; sid:2012249; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Unknown Web Backdoor Keep-Alive"; flow:established,to_server; content:"POST /bbs/info.asp "; depth:19; dsize:<170; classtype:trojan-activity; sid:2012250; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Unknown Web Backdoor Keep-Alive"; flow:established,to_server; content:"POST /bbs/info.asp "; depth:19; dsize:<170; classtype:trojan-activity; sid:2012250; rev:1;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Google Android Device HTTP Request"; flow:established,to_server; content:"|3B 20|Android|20|"; http_header; classtype:policy-violation; sid:2012251; rev:6;)
@@ -44117,16 +44144,16 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download request"; flow:established,to_server; content:"/forum/load.php?file="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012281; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer|3a| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH|3b|"; http_uri; content:"loc=100|3b|"; http_uri; content:"target=_blank|3b|"; http_uri; content:"grp|3d 5b|group|5d 3b|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; content:"backupdata"; nocase; http_uri; content:"|0d 0a|User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; classtype:attempted-recon; sid:2012286; rev:3;)
@@ -44234,7 +44261,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.rr.nu domain"; flow:established,to_server; content:".rr.nu|0D 0A|"; http_header; classtype:bad-unknown; sid:2012330; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD3"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 1.0|3b| Windows NT|3b| CMD"; http_header; fast_pattern:36,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 1.0|3b| Windows NT|3b| CMD"; http_header; fast_pattern:36,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:6;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:2;)
@@ -44243,7 +44270,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hl="; distance:0; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"//|3a|ptth"; classtype:bad-unknown; sid:2012325; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; content:"200"; http_stat_code; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:2;)
@@ -44411,16 +44438,16 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/itechd.php?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"output="; nocase; http_uri; pcre:"/output=\w*/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"output="; nocase; http_uri; pcre:"/output=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"retva="; nocase; http_uri; pcre:"/retva=\w*/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"retva="; nocase; http_uri; pcre:"/retva=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Purported MSIE 7 with terse HTTP Headers GET to PHP likely check-in to CnC"; flow:established,to_server; content:".php"; http_uri; nocase; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; within:50; classtype:trojan-activity; sid:2012384; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; content:".php"; http_uri; nocase; content:"|20|HTTP/1.1|0d 0a|User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b 20|Windows NT 5.1)|0d 0a|Host|3a 20|"; fast_pattern; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|"; within:50; classtype:trojan-activity; sid:2012384; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| VCTestClient"; nocase; http_header; classtype:trojan-activity; sid:2012386; rev:1;)
@@ -44492,7 +44519,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/options-view_log-iframe.php?wpabs=/"; nocase; http_uri; content:"%00&logfile=/"; depth:250; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server; content:"User-Agent|3a| "; http_header; content:"|3b| MyIE "; fast_pattern; http_header; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server;content:"User-Agent|3a|Mozilla"; http_header; content:"|3b| MyIE "; fast_pattern; http_header; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET DELETED Unknown Malware Keepalive"; flow:established,to_server; content:"keepalive"; nocase; depth:9; pcre:"/keepalive([0-9]{4}|\x7c[0-9]{4})/i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2012409; rev:3;)
@@ -44594,6 +44621,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Banload Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avisa.php?"; nocase; http_uri; content:"usuario="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"serial="; nocase; http_uri; content:"versao="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=43b0ddf87c66418053ee055501193abf; reference:url,scumware.org/report/89.108.68.81; classtype:trojan-activity; sid:2012441; rev:3;)
#
+##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip|22| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2;)
+
+#
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From|3a| |22|United Parcel Service|22|"; nocase; content:"|40|ups.com"; nocase; content:"Content-Disposition|3a| attachment|3b|"; nocase; content:"filename=|22|document.zip|22|"; nocase; classtype:trojan-activity; sid:2012444; rev:2;)
#
@@ -44681,7 +44711,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/folder.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html; reference:url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt; classtype:web-application-attack; sid:2012476; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern:35,20; nocase; http_uri; content:"gall_id="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012478; rev:2;)
@@ -44756,7 +44786,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|45 57 73 09|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|45 57 73 09|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"| 50 4B 03 04 |"; content:"|2F 6D 65 64 69 61 2F 69 6D 61 67 65 |"; within:64; content:"| 2E 65 6D 66 |"; within:15; rawbytes; classtype:bad-unknown; sid:2012504; rev:6;)
@@ -44768,7 +44798,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:5;)
#
-##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Monkif CnC response in fake JPEG"; flow:established,from_server; content:"JFIF|00 01 01 01 00|"; content:"|7c 30 7c 30 7c 30 7c|"; fast_pattern; classtype:trojan-activity; sid:2012507; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Monkif CnC response in fake JPEG"; flow:established,from_server; file_data; content:"|ff d8 ff e0|"; within:4; content:"JFIF|00 01 01|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm|60|95"; distance:0; content:"|7c|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:trojan-activity; sid:2012507; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; content:"PUT|20|"; depth:4; content:"user-agent|3a|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:1;)
@@ -44810,10 +44840,10 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|xxx|00|"; fast_pattern; nocase; distance:0; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:1;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2012523; rev:3;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:4;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2012524; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| zh-cn"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:3;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language|3A| ru"; nocase; http_header; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; distance:0; classtype:trojan-activity; sid:2012525; rev:1;)
@@ -45047,7 +45077,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; http_uri; nocase; pcre:"/CURRENT_BLOG_PATH=\s*(ftps?|https?|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012605; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Vertexbot.A Checkin UA"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"|29| Havij|0d 0a|Connection|3a| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:2;)
@@ -45059,7 +45089,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Java Exploit Attempt applet via file URI"; flow:established,from_server;content:"applet|20|"; nocase; content:"codebase"; nocase; distance:0; content:"|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"|5c|java|5c|jre6|5c|lib|5c|ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012608; rev:6;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]+/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"|3b 20|filename=io.exe|0d 0a|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:1;)
@@ -45113,7 +45143,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded|0d 0a|Host|3a 20|"; content:"|0d 0a|User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE|20|"; distance:0; content:")|0d 0a|Content-Length"; distance:0; content:"|0d 0a 0d 0a|data="; fast_pattern; classtype:trojan-activity; sid:2012627; rev:1;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]+/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id|20|HTTP/1.1|0d 0a|"; fast_pattern; content:"|20|Java/"; http_header; content:"Host|3a 20|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Unknown Trojan User-Agent IE6 on Windows XP"; flow:established,to_server; content:"User-Agent|3a| IE6 on Windows XP"; fast_pattern:12,10; http_header; classtype:trojan-activity; sid:2012629; rev:3;)
@@ -45182,7 +45212,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host|3a| "; http_header; content:".cn|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".ru|0d 0a|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]*?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:3;)
@@ -45227,7 +45257,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2012684; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:5;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:2;)
@@ -45296,7 +45326,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan"; flow:established,to_server; content:"Host|3a| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to infected request"; flow:established,from_server; file_data; content:"<p>Your current User-Agent string appears to be from an automated process,"; distance:0; classtype:trojan-activity; sid:2012692; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; file_data; content:"<p>Your current User-Agent string appears to be from an automated process,"; distance:0; classtype:trojan-activity; sid:2012692; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE overtls.com adware request"; flow:to_server,established; content:"/sidebar.asp?bn=0&qy="; http_uri; content:"EmbeddedWB"; http_header; classtype:trojan-activity; sid:2012693; rev:2;)
@@ -45383,7 +45413,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012719; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/config/custom/base.ini.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x=\w*/Ui"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/config/custom/base.ini.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x=\w/Ui"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/filemanager/get_file.php?"; nocase; http_uri; content:"language="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/39517; classtype:web-application-attack; sid:2012721; rev:2;)
@@ -45434,13 +45464,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.cw.cm domain"; flow:established,to_server; content:".cw.cm|0d 0a|"; http_header; classtype:bad-unknown; sid:2012737; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Lookup of Chinese Dynamic DNS Provider 8866.org Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8866.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8866|03|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; http_header; content:"/taskx.txt"; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent|3a| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT"; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:2;)
@@ -45482,7 +45512,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9[{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:1;)
+#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:3;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Help and Support Center XSS Attempt"; flow:established,to_client; content:"hcp|3A|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; reference:cve,2010-1885; classtype:attempted-user; sid:2012756; rev:1;)
@@ -45491,7 +45521,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; content:"User-Agent|3a 20|CholTBAgent"; http_header; detection_filter:track by_dst, count 4, seconds 20; classtype:trojan-activity; sid:2012757; rev:4;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS .dyndns.org DNS Lookup - Possible Malware"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|dyndns|03|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012758; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to *.dyndns. Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|dyndns|03|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012758; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; content:"/ccmcip/xmldirectorylist.jsp?f=vsr|27 7C 7C|"; nocase; http_uri; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or|and|select|delete|union|delete|update|insert)/Ui"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:2;)
@@ -45617,7 +45647,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/5.0 (Windows|3b| U|3b| MSIE 8.0|3b| Windows NT 6.0|3b| en-US)|0d 0a|"; http_header; fast_pattern:20,20; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Alms backdoor checkin"; flow:to_server,established; content:"/getnewv.php?keyword=google&id="; http_uri; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_header; classtype:trojan-activity; sid:2012803; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Alms backdoor checkin"; flow:to_server,established; content:"/getnewv.php?keyword=google&id="; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows|3b| U|3b| Windows NT 5.1|3b| en-US)"; http_header; classtype:trojan-activity; sid:2012803; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; file_data; content:"4d5a"; within:4; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:trojan-activity; sid:2012804; rev:3;)
@@ -45653,7 +45683,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"|43 4F 4F 4C 4E 45 53 53 50 F2 08 00|"; fast_pattern:only; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:4;)
#
##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:3;)
@@ -45692,7 +45722,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.vv.cc domain"; flow:to_server,established; content:".vv.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012827; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Zeus POST Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; classtype:trojan-activity; sid:2013934; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2013934; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud download"; flow:established,to_server; content:"/peca"; nocase; http_uri; content:".exe"; nocase; http_uri; content:"User-Agent|3a 20|SKOLOVANI"; nocase; http_header; pcre:"/\x2fpeca\d+\x2eexe/Ui"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A; classtype:trojan-activity; sid:2012828; rev:2;)
@@ -45719,13 +45749,13 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/ffileman.cgi?"; nocase; http_uri; content:"direkt="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt; classtype:web-application-attack; sid:2012835; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/src/slooz.php?"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\w*/Ui"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/src/slooz.php?"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\w/Ui"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_mgm/help.mgm.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/is-human/engine.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type=\w*/Ui"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/is-human/engine.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type=\w/Ui"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 27889 (msg:"ET TROJAN Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|2e|ashx|3f|m|3d|"; content:"|2d|"; distance:2; within:1; content:"|26|mid|3d|"; distance:0; content:"|26|tid|3d|"; distance:0; content:"|26|d|3d|"; distance:0; content:"|26|uid|3d|"; distance:0; content:"|26|t|3d|"; distance:0; reference:url,threatexpert.com/report.aspx?md5=48432bdd116dccb684c8cef84579b963; classtype:trojan-activity; sid:2012839; rev:3;)
@@ -45788,7 +45818,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent SimpleClient 1.0"; flow:established,to_server; content:"User-Agent|3A| SimpleClient "; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012860; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; content:"User-Agent|3A| SimpleClient "; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent|3A| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:3;)
@@ -45854,7 +45884,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a|"; depth:32; fast_pattern; content:"|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6|"; reference:url,www.threatexpert.com/report.aspx?md5=4b8adc7612e984d12b77f197c59827a2; classtype:trojan-activity; sid:2012882; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:4;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file|3a|C|3a 5c|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:2;)
@@ -45911,7 +45941,7 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.noc.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noc|02|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern:only; classtype:bad-unknown; sid:2012902; rev:1;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.be.ma domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|be|02|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:2;)
#
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious *.qc.cx domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|qc|02|cx"; fast_pattern:only; classtype:bad-unknown; sid:2012903; rev:1;)
@@ -45983,10 +46013,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"|22|u|22 20|+|20 22|0|22 20|+|20 22|"; content:"|22 20|+|20 22|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:1;)
#
-##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:5;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7;)
#
-##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz|info|org|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; file_data; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; distance:0; content:"url"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:1;)
@@ -46043,7 +46073,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/inline-gallery/browser/browser.php?"; nocase; http_uri; content:"do="; nocase; http_uri; pcre:"/do\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:bugtraq,46781; classtype:web-application-attack; sid:2012946; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/telecharger.php?"; nocase; http_uri; content:"Fichier_a_telecharger="; nocase; http_uri; pcre:"/Fichier_a_telecharger=\w*/Ui"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/telecharger.php?"; nocase; http_uri; content:"Fichier_a_telecharger="; nocase; http_uri; pcre:"/Fichier_a_telecharger=\w/Ui"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"view="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/17338; classtype:web-application-attack; sid:2012948; rev:1;)
@@ -46085,7 +46115,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MacShield User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent|3a 20|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:2;)
#
-alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:"1.rar"; http_uri; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012960; rev:5;)
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012960; rev:8;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length|3a 20|88|0d 0a|"; nocase; content:"|0d 0a 0d 0a|"; distance:0; content:"|48 00 00 00|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012961; rev:2;)
@@ -46184,10 +46214,10 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_people"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/awstatstotals.php?"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort=\w*/Ui"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/awstatstotals.php?"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort=\w/Ui"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d+/U"; classtype:trojan-activity; sid:2013010; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"|0d 0a|Referer|3a|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; http_header; fast_pattern:only; content:"Set-Cookie|3a| "; http_header; content:"avtor="; http_header; within:40; classtype:trojan-activity; sid:2013011; rev:2;)
@@ -46286,7 +46316,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Java User Agent"; flow:established,to_server; content:"User-Agent|3a| Java/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013029; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY libww-perl User-Agent"; flow:established,to_server; content:"User-Agent|3a| libww-perl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; content:"User-Agent|3a| libwww-perl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"User-Agent|3a| Python-urllib/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:1;)
@@ -46307,7 +46337,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; file_data; content:"MZ"; within:2; content:"|00 00|"; distance:0; content:"PE|00|"; distance:0; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4;)
@@ -46415,13 +46445,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Meredrop Checkin"; flow:established, to_server; content:"POST"; nocase; http_method; content:"praquem="; http_client_body; content:"&titulo="; http_client_body; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:trojan-activity; sid:2013073; rev:3;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; classtype:bad-unknown; sid:2013075; rev:5;)
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"|01 00 00 01 00 00 00 00 00 00|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube|03|com|00|"; content:!"sophosxl|03|net|00|"; content:!"|0a|hashserver|02|cs|0a|trendmicro|03|com|00|"; content:!"spamhaus|03|org|00|"; classtype:bad-unknown; sid:2013075; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"|0d 0a|Accept|3a| */*|0d 0a|Connection|3a| Close|0d 0a|User-Agent|3a| "; distance:1; within:46; content:"|0d 0a|Host|3a| "; distance:0; content:!"|0d 0a|Referer|3a| "; nocase; content:"/webhp"; http_uri; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013076; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:1;)
@@ -46460,7 +46490,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER|20|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4;)
@@ -46475,10 +46505,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; pcre:"/\.dyndns-(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2013096; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain"; flow:established,to_server; content:".dyndns-"; http_header; pcre:"/\.dyndns-(at-home|at-work|blog|free|home|ip|mail|office|pics|remote|server|web|wiki|work)\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2013096; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; fast_pattern; http_header; content:!" checkip.dyndns."; http_header; pcre:"/Host\x3a [^\n]+\.dyndns\.(biz|info|org|tv)\x0d\x0a/iH"; classtype:bad-unknown; sid:2013097; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns.* domain"; flow:established,to_server; content:".dyndns."; fast_pattern; http_header; content:!" checkip.dyndns."; http_header; pcre:"/Host\x3a [^\n]+\.dyndns\.(biz|info|org|tv)\x0d\x0a/iH"; classtype:bad-unknown; sid:2013097; rev:5;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:2;)
@@ -46646,10 +46676,10 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern:only; pcre:"/<<[^>]*\x2FPredictor[^>]*\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye POSTing data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept|3a| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; fast_pattern:19,20; content:"pid="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013156; rev:1;)
@@ -46709,7 +46739,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound"; flow:established,to_server; content:"User-Agent|3a| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d+/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:2013175; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:2013175; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"User-Agent|3a| Egypack"; nocase; http_header; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2013176; rev:4;)
@@ -46733,7 +46763,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sidetab or Related Trojan Checkin"; flow:established,to_server; content:"/install.asp?"; http_uri; content:"version="; http_uri; content:"&id="; http_uri; content:"&mac="; http_uri; content:".co.kr|0d 0a|"; http_header; classtype:trojan-activity; sid:2013182; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=|5C 22|http|3A|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| ICS)"; fast_pattern:20,20; http_header; content:"para="; http_client_body; depth:5; content:"&subject="; http_client_body; content:"&dados="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; reference:url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5; classtype:trojan-activity; sid:2013185; rev:5;)
@@ -46817,7 +46847,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Meciv Checkin"; flow:established,to_server; content:"/trandocs/netstat"; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2013212; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DYNAMIC_DNS HTTP Connection to 3322.org Possible Malware Related"; flow:established,to_server; content:"Host|3a| "; http_header; content:".3322.org|0D 0A|"; within:50; http_header; classtype:misc-activity; sid:2013213; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.org"; flow:established,to_server; content:"Host|3a| "; http_header; content:".3322.org|0D 0A|"; within:50; http_header; classtype:misc-activity; sid:2013213; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GhOst Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; content:"GhOst"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:trojan-activity; sid:2013214; rev:1;)
@@ -46832,16 +46862,16 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Specfix Checkin"; flow:established,to_server; content:"/AWS"; http_uri; content:".jsp?"; http_uri; content:"x-bigfix-client-string|3A|"; http_header; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2; classtype:trojan-activity; sid:2013218; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DYNAMIC_DNS HTTP Connection to 8866.org Possible Malware Related"; flow:established,to_server; content:"8866.org"; nocase; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2E8866.org/Hi"; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8866.org"; flow:established,to_server; content:"8866.org"; nocase; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]*\x2E8866.org/Hi"; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sefnit Initial Checkin"; flow:established,to_server; content:"/version.php?ver="; http_uri; content:"&app="; http_uri; content:"User-Agent|3A| NSISDL"; http_header; classtype:trojan-activity; sid:2013221; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"Heap|2E|"; nocase; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; content:"Heap|2E|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent|3a|"; http_header; content:".exe|0d 0a|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"|5C|Citrix|5C|ICA Client|5C|"; nocase; http_header; content:!"vsee.exe|0d 0a|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:5;)
@@ -46877,7 +46907,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/kbcat.cgi?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"or"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/or.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt; classtype:web-application-attack; sid:2013234; rev:1;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:1;)
+#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Palevo (OUTBOUND)"; dsize:21; content:"|18|"; depth:1; content:"|80 00 00|"; reference:url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type|3a 20|text/html"; content:"|0d 0a|<html><body><div|20|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:6;)
@@ -46913,7 +46943,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013248; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]Vega\x2F/H"; detection_filter:track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]+Vega\x2F/H"; detection_filter:track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:2;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:8; content:"|5C|sp"; nocase; content:"|5C|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"|5C|sv"; nocase; within:80; isdataat:100,relative; content:!"|0A|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:2;)
@@ -46925,7 +46955,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"|2e|location|2e|reload|28 29|"; content:"implementation=|22 23|default|23|time"; nocase; content:"contenteditable=|22|true|22|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/User-Agent\x3a Agent\d{5,6}$/Hi"; classtype:trojan-activity; sid:2013315; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent|3a| Agent"; http_header; pcre:"/^User-Agent\x3a Agent\d{5,6}\r?$/Hmi"; classtype:trojan-activity; sid:2013315; rev:10;)
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent|3a| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:3;)
@@ -47081,7 +47111,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013309; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"title="; nocase; http_uri; pcre:"/title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern:55,20; nocase; http_uri; content:"title="; nocase; http_uri; pcre:"/title\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.dlinkddns.com domain"; flow:established,to_server; content:".dlinkddns.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013311; rev:2;)
@@ -47231,7 +47261,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013362; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013363; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013363; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS windows_security_update Fake AV download"; flow:established,from_server; file_data; content:"filename=|22|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:4;)
@@ -47303,7 +47333,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"User-Agent|3A 20|Ryeol HTTP Client Class"; http_header; classtype:trojan-activity; sid:2013387; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent MM 1.0"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; classtype:trojan-activity; sid:2013388; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent|3A| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:trojan-activity; sid:2013389; rev:1;)
@@ -47357,7 +47387,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent|3A 20|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent|3A 20|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 |28|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:4;)
@@ -47387,7 +47417,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"|5c|r|5c|n Checking firewall status|5c|r|5c|n"; fast_pattern:only; classtype:trojan-activity; sid:2013413; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server|3A| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.cz.tf domain"; flow:to_server,established; content:".cz.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013415; rev:1;)
@@ -47459,10 +47489,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.uni.cc domain"; flow:to_server,established; content:".uni.cc|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013438; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; file_data; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:trojan-activity; sid:2013440; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; file_data; content:"|7C|"; distance:2; within:1; content:"|7c|"; distance:2; within:4; content:"http|3A 2F 2F|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:trojan-activity; sid:2013440; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; classtype:trojan-activity; sid:2013441; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:4;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type|3A 20|audio|2F|"; http_header; nocase; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:2;)
@@ -47573,7 +47603,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.doc.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".doc.exe"; nocase; distance:0; http_header; classtype:bad-unknown; sid:2013477; rev:6;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; classtype:bad-unknown; sid:2013478; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS *.pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition|3a| attachment|3b| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; fast_pattern; classtype:bad-unknown; sid:2013478; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:2;)
@@ -47636,7 +47666,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; content:"Host|3a| movies.netflix.com|0d 0a|"; http_header; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:2;)
#
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2;)
@@ -47651,7 +47681,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; content:"User-Agent|3A| Software Update|2F|"; http_header; content:" Darwin|2F|"; http_header; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:policy-violation; sid:2013504; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP|2F|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:3;)
#
alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET TROJAN W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1;)
@@ -47699,7 +47729,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:1;)
#
-#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d+/U"; classtype:trojan-activity; sid:2013520; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader *.jpg?t=0.* in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 0"; flow:established,to_server; content:"|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4;)
@@ -47741,7 +47771,7 @@
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command|Error|Finish|Http\x20Flood|Mass\x20Download|Respond\x20\x5bOK|Syn\x20Flood|UDP\x20Flood|uninstall|Update|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; content:"/iLog.php?dl="; http_uri; content:"&log="; http_uri; content:"User-Agent|3a| IE7.0"; http_header; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:trojan-activity; sid:2013534; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; content:"/iLog.php?dl="; fast_pattern:only; http_uri; content:"&log="; http_uri; content:"User-Agent|3a| IE"; http_header; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:trojan-activity; sid:2013534; rev:8;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.tc domain"; flow:to_server,established; content:".tc|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013535; rev:1;)
@@ -47759,7 +47789,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; content:"knock.php?ver="; http_uri; content:"&sid="; http_uri; content:" HTTP/1.1|0d 0a|Connection|3a| close|0d 0a|Host|3a| "; content:!"User-Agent|3a| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013539; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013540; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent|3a| Mozilla/4.0(compatible|3b| MSIE 6.0)|0d 0a|"; http_header; classtype:trojan-activity; sid:2013540; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:1;)
@@ -47774,7 +47804,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host|3A 20|google.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2013544; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent|3A 20|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; content:"?op="; http_uri; content:"&macaddress="; http_uri; content:"&pcname="; http_uri; content:"&nomeusuario="; http_uri; content:"&serialhd="; http_uri; content:"&versaowindows="; http_uri; content:"&versaoatual="; http_uri; content:"&arquivosplugins="; http_uri; content:"&origem="; http_uri; classtype:trojan-activity; sid:2013546; rev:1;)
@@ -47789,7 +47819,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\d+&f=\d+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer|3a|"; http_header; content:"User-Agent|3a|"; http_header; content:"Host|3a|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=|22|C|3a 5c|Program Files|5c|java|5c|jre6|5c|lib|5c|ext|22| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:2;)
@@ -47855,19 +47885,19 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; fast_pattern:only; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013652; rev:4;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; fast_pattern:only; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http|3a|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi|3a|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp|3a|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:1;)
@@ -47933,7 +47963,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jr_questionnaire"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt; classtype:web-application-attack; sid:2013678; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"type="; http_uri; content:"lien_2="; nocase; http_uri; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"type="; http_uri; content:"lien_2="; fast_pattern:only; nocase; http_uri; pcre:"/lien_2=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ezrealty"; nocase; http_uri; content:"task="; nocase; http_uri; content:"id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.*substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt; classtype:web-application-attack; sid:2013680; rev:2;)
@@ -47957,12 +47987,15 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:trojan-activity; sid:2013686; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shylock Module Data POST"; flow:established,to_server; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&query="; http_client_body; content:"&data="; http_client_body; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w+/P"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shylock Module Data POST"; flow:established,to_server; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&query="; http_client_body; content:"&data="; http_client_body; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/P"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Shylock Module Server Response"; flow:established,from_server; content:"|0d 0a 0d 0a 23 23 23|ERROR_SRC|23 23 23|"; content:"|23 23 23|ERROR_SRC_END|23 23 23|"; distance:0; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st Checkin (5-12 Byte keyword)"; flow:to_server,established; dsize:<900; content:"|00 00|"; offset:7; depth:9; content:"|00 00 78 9C|"; distance:2; within:4; pcre:"/^[a-z0-9\x40\x2d\x5f]{5,12}..\x00\x00..\x00\x00\x78\x9c/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2015624; rev:8;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; content:"/gate.php?hwid="; nocase; http_uri; content:"&pc="; nocase; http_uri; content:"&localip="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013748; rev:3;)
#
@@ -47984,7 +48017,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; content:"/netsend/nmsm_json.jsp"; http_uri; content:"|22|model|22 3A|"; http_client_body; content:"|22|imsi|22 3A|"; within:50; http_client_body; content:"|22|manufacture|22 3A|"; within:50; http_client_body; content:"|22|imei|22 3A|"; within:50; http_client_body; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"%3D|3b 20|cc2="; http_raw_cookie; content:"%3D|3b 20|cc3="; http_raw_cookie; content:"%3D|3b 20|cc4="; http_raw_cookie; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013695; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"%3D|3b 20|cc2="; http_raw_cookie; content:"%3D|3b 20|cc3="; http_raw_cookie; content:"%3D|3b 20|cc4="; http_raw_cookie; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013695; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"|20|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:2;)
@@ -47999,7 +48032,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>|0d 0a|<body>|0d 0a|<applet archive="; distance:0; content:"width=|22|0|22| height=|22|0|22|></applet>|0d 0a|</body>|0d 0a|</body></html>"; distance:0; classtype:trojan-activity; sid:2013699; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; distance:0; content:"code="; distance:0; content:".jar"; distance:0; content:"e00oMDD"; distance:0; content:"</applet>"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; distance:0; content:"code="; distance:0; content:".jar"; distance:0; content:"e00oMDD"; distance:0; fast_pattern; content:"</applet>"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent|3a 20|"; http_header; content:!"Referer|3a 20|"; http_header; content:"GET"; http_method; nocase; content:".php?gd="; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:trojan-activity; sid:2013701; rev:4;)
@@ -48029,7 +48062,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt; classtype:web-application-attack; sid:2013709; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojWare.Win32.Trojan.Agent.Gen Reporting"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"User-Agent|3a| AHTTPConnection"; nocase; http_header; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"User-Agent|3a| AHTTPConnection"; nocase; http_header; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:6;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upload/tfu_upload.php?"; nocase; http_uri; content:"workaround_dir="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013711; rev:2;)
@@ -48068,7 +48101,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_header; pcre:"/User-Agent\x3A[^\r\n]*WindowsNT/H"; classtype:trojan-activity; sid:2013721; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013722; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013722; rev:1;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; content:"User-Agent|3A 20|LockXLS"; http_header; classtype:trojan-activity; sid:2013724; rev:1;)
@@ -48128,10 +48161,10 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; reference:bid,49933; reference:cve,2011-2841; classtype:attempted-user; sid:2013742; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious no-ip Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|no-ip|03|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a no-ip Dynamic DNS Domain"; flow:established,to_server; content:".no-ip.com|0d 0a|"; http_header; nocase; content:!"www.no-ip.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNMAIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com|0d 0a|"; http_header; nocase; content:!"www.no-ip.com|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2013745; rev:3;)
@@ -48230,7 +48263,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+PTX/H"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX|0d 0a|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\n]+PTX\r$/Hm"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Request for gift.exe"; flow:established,to_server; content:"/gift.exe"; http_uri; classtype:trojan-activity; sid:2013780; rev:1;)
@@ -48242,7 +48275,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern:20,20; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:3;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv|3a|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern:20,20; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; content:"User-Agent|3A| ZDM/4.0|3B| Windows Mobile 7.0|3B|"; http_header; classtype:not-suspicious; sid:2013784; rev:2;)
@@ -48278,10 +48311,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent|3A 20|chrome/9.0|0D 0A|"; http_header; pcre:"/\x2e(png|gif|jpeg|jpg)\x3fsv\x3d/U"; classtype:trojan-activity; sid:2013795; rev:5;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; distance:0; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; within:50; classtype:trojan-activity; sid:2013796; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type|3A 20|image/jpeg"; http_header; file_data; content:"|54 48 00 F7 20 10 72 6F 67 52|"; distance:0; content:"|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.307674628 Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LogProc.php?mac="; nocase; http_uri; content:"&mode="; nocase; http_uri; content:"&pCode="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; content:"/LogProc.php?"; fast_pattern:only; http_uri; content:"mac="; http_uri; content:"mode="; http_uri; content:"&pCode="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/boot.php?ptr="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; classtype:trojan-activity; sid:2013798; rev:2;)
@@ -48344,19 +48377,25 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/cart.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"templatefile="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; classtype:web-application-attack; sid:2013818; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Kexject.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cgi-bin/g.php"; http_uri; content:!"User-Agent|3a|"; http_header; content:"|CE FA AD DE 03 00|"; http_client_body; depth:6; classtype:trojan-activity; sid:2013819; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:!"User-Agent|3a|"; http_header; content:"|CE FA AD DE 03 00|"; http_client_body; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:trojan-activity; sid:2013819; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent|3a| proscan-down"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013821; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent|3a| test_hInternet"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a Suspicious *.myftp.biz Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|myftp|03|biz"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013823; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Wimmie.A Set"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=c&n="; http_uri; content:"_"; distance:0; http_uri; content:"@"; distance:0; http_uri; content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; classtype:trojan-activity; sid:2014803; rev:6;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.myftp.biz Dynamic DNS Domain"; flow:established,to_server; content:".myftp.biz|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013824; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"|16 00 00 00|down"; http_client_body; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:trojan-activity; sid:2014804; rev:5;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.myftp.biz Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|myftp|03|biz"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013823; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.myftp.biz Domain"; flow:established,to_server; content:".myftp.biz|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013824; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.eu.tf domain"; flow: to_server,established; content:".eu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013828; rev:1;)
@@ -48368,7 +48407,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.int.tf domain"; flow:to_server,established; content:".int.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013829; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013827; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"|0D 0A|Content-Disposition|3a| attachment|3B| filename=|22|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; http_header; classtype:trojan-activity; sid:2013827; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.edu.tf domain"; flow:to_server,established; content:".edu.tf|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013830; rev:1;)
@@ -48416,10 +48455,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.orge.pl Domain"; flow:established,to_server; content:".orge.pl|0d 0a|"; http_header; nocase; classtype:bad-unknown; sid:2013844; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a Suspicious *.ez-dns.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:1;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.ez-dns.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|ez-dns|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.ez-dns.com Dynamic DNS Domain"; flow:established,to_server; content:".ez-dns.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2013846; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.ez-dns.com Domain"; flow:established,to_server; content:".ez-dns.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2013846; rev:2;)
#
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|net|02|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1;)
@@ -48470,10 +48509,10 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|xe|02|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a Suspicious *.dyndns-web.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dyndns-web|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013863; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0a|dyndns-web|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013863; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.dyndns-web.com Dynamic DNS Domain"; flow:to_server,established; content:".dyndns-web.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013864; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-web.com Domain"; flow:to_server,established; content:".dyndns-web.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2013864; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?tq="; http_uri; content:!"Accept|3a|"; http_header; pcre:"/\.(jpg|png|gif|cgi)\?tq=/U"; classtype:trojan-activity; sid:2013865; rev:4;)
@@ -48542,7 +48581,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; http_uri; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fullstuff Initial Checkin"; flow:established,to_server; content:"/version.txt?type="; http_uri; content:"&GUID="; http_uri; content:"&rfr="; http_uri; content:"&bgn="; http_uri; classtype:trojan-activity; sid:2013887; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fullstuff Initial Checkin"; flow:established,to_server; content:"/version.txt?type="; http_uri; content:"&GUID="; http_uri; content:"&rfr="; http_uri; content:"&bgn="; http_uri; content:"User-Agent|3a| FULLSTUFF"; http_header; classtype:trojan-activity; sid:2013887; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/v"; http_uri; content:"/?v="; http_uri; content:"&c="; http_uri; pcre:"/\/v\d\.\d\.\d/U"; pcre:"/\/\?v=\d/U"; classtype:trojan-activity; sid:2013888; rev:6;)
@@ -48599,7 +48638,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent|3A 20|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:1;)
#
-#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET CURRENT_EVENTS Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:3;)
+##alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; content:"/stat"; http_uri; content:".php?w="; http_uri; content:"&i=00000000000"; http_uri; fast_pattern; content:"&a="; http_uri; content:"User-Agent|3a 20|Opera/6 (Windows NT 5.1|3b 20|"; http_header; classtype:trojan-activity; sid:2013907; rev:3;)
@@ -48614,7 +48653,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Second Life setup download"; flow:established,to_server; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN P2P Zeus Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013911; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74 08 4D 9B 39 C1|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:trojan-activity; sid:2013911; rev:9;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN P2P Zeus Response From CnC"; flow:established,from_server; content:"|E5 AA C0 31|"; depth:4; content:"|5B 74|"; distance:5; within:2; content:"|C1|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013912; rev:4;)
@@ -48758,7 +48797,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"<applet"; nocase; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013961; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013962; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013962; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mozilla / 4.0 CNC traffic"; flow:to_server,established; content:"User-Agent|3a| Mozilla / 4.0|0d 0a|"; http_header; classtype:trojan-activity; sid:2013964; rev:2;)
@@ -48770,7 +48809,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu User-Agent (adlib)"; flow:established,to_server; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent|3A 20|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:1;)
@@ -48782,7 +48821,7 @@
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|03|noip|02|cn|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .dyndns-at-home.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dyndns-at-home|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013971; rev:2;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dyndns-at-home|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013971; rev:3;)
#
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:4;)
@@ -48791,10 +48830,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; content:"Accept|3a 20|?"; http_header; classtype:trojan-activity; sid:2013974; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:10;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a| Mozilla"; distance:1; within:34; fast_pattern; content:"|0D 0A|"; distance:0; content:"Content-Length|3a| "; distance:0; content:!"0"; within:1; content:"Connection|3a| Keep-Alive|0D 0A|"; distance:0; content:"|3a| no-cache"; distance:0; content:"|0D 0A 0D 0A|"; distance:0; content:!"Content-Type|3a| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:11;)
#
alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET TROJAN TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"|33 33 01 00 00 01 00 00 00 00 00 00 07|counter|05|yadro|02|ru|00 00 01 00 01|"; classtype:trojan-activity; sid:2013977; rev:1;)
@@ -48851,7 +48890,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013995; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?u="; http_uri; content:"&first_run="; http_uri; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?"; http_uri; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; distance:0; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:1;)
@@ -48896,9 +48935,6 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getload Command"; flow:established,to_server; content:"cmd=getload&login="; http_uri; classtype:trojan-activity; sid:2014012; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/SWInformer.B User-Agent (FDMuiless)"; flow:to_server,established; content:"User-Agent|3a| FDMuiless|0d 0a|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014013; rev:1;)
-
-#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1|0d 0a|Accept|3a 20|*/*|0d 0a|X-ID|3a 20|"; fast_pattern:23,6; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b 20|MSIE"; distance:0; pcre:"/^X-ID\x3a\x20\d+$/H"; classtype:trojan-activity; sid:2014014; rev:4;)
#
@@ -48914,7 +48950,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition|3a| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; file_data; content:!"MZ"; within:2; classtype:trojan-activity; sid:2014019; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; content:"pwd|3d|"; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log|3d|"; http_client_body; content:"pwd|3d|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Checkin User-Agent 2"; flow:established,to_server; content:"Gootkit ldr"; http_header; classtype:trojan-activity; sid:2014021; rev:1;)
@@ -48962,7 +48998,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014036; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2014036; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.osa.pl domain"; flow:established,to_server; content:".osa.pl|0D 0A|"; http_header; classtype:bad-unknown; sid:2014037; rev:1;)
@@ -48989,7 +49025,7 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; content:"Content-Type|3A| application|2F|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]*&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type|3A| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:2;)
+#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type|3A| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1|20|HTTP/1.1|0d 0a|"; depth:300; classtype:bad-unknown; sid:2014047; rev:1;)
@@ -49001,7 +49037,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Bluecoat Proxy in use"; flow:established,to_server; content:"X-BlueCoat-Via|3A|"; http_header; classtype:not-suspicious; sid:2014049; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:2;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014051; rev:2;)
@@ -49022,10 +49058,10 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014057; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent|3a| "; http_header; content:" HTTP/1.1|0d 0a|Host|3a| "; classtype:trojan-activity; sid:2014058; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Agent.elbb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GAME/36/LavaGame_2.2.exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; classtype:trojan-activity; sid:2014059; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LavaGame_"; http_uri; nocase; content:".exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tool.InstallToolbar.24 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:trojan-activity; sid:2014060; rev:3;)
@@ -49049,7 +49085,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:3;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; http_uri; content:"cmd="; nocase; http_uri; pcre:"/cmd=\w*/Ui"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; http_uri; content:"cmd="; nocase; http_uri; pcre:"/cmd=\w/Ui"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability "; flow:established,to_server; content:"/details_view.php?"; nocase; http_uri; content:"event_id="; nocase; http_uri; content:"date="; nocase; http_uri; content:"view="; nocase; http_uri; content:"loc="; nocase; http_uri; content:"page_info_message="; nocase; http_uri; pcre:"/page_info_message\x3d.+(script|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:2;)
@@ -49106,7 +49142,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; uricontent:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:3;)
#
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"xajax=SelTheme"; nocase; http_uri; content:"ajaxargs[]="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:2;)
@@ -49130,16 +49166,16 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"|29| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"|3b| Silk/"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a [^\n]+ Silk\/\d+\.\d+/Hi"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"|3b| Silk/"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a [^\n]+ Silk\/\d+\.\d/Hi"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; fast_pattern:only; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write|28 22 5C|u"; nocase; isdataat:100,relative; content:!"|29|"; within:100; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:4; within:2; content:"|5C|u"; nocase; distance:70; content:"|5C|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; fast_pattern:only; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array|28 29 3B|"; fast_pattern; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; content:" = new Array|28 29 3B|"; nocase; content:" = new Array|28 29 3B|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; file_data; content:"replace|28 2F|"; nocase; distance:0; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014098; rev:2;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; file_data; content:"replace|28 2F|"; nocase; distance:0; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; content:"replace|28 2F|"; within:80; nocase; content:"|2F|g"; distance:1; within:5; classtype:bad-unknown; sid:2014098; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"|d0 cf 11 e0 a1 b1 1a e1|"; distance:0; content:!".msi"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:1;)
@@ -49157,7 +49193,7 @@
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; classtype:trojan-activity; sid:2014104; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; depth:6; content:"|0d 0a|Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:65; content:"|0d 0a|Host|3a| "; distance:0; content:!"Referer|3a| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2014105; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; fast_pattern:only; content:"Accept|3a| */*|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| "; depth:43; http_header; content:"|0d 0a|Host|3a| "; distance:0; http_header; content:!"Referer|3a| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2014105; rev:5;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"|20|HTTP/1."; content:"|0d 0a|Accept|3a 20|*/*|0d 0a|Content-Type|3a 20|application/x-www-form-urlencoded"; distance:1; within:62; content:"|3a 20|no-cache|0d 0a|User-Agent|3a 20|Mozilla"; distance:0; content:"|0d 0a|Host|3a 20|"; distance:0; content:"Content-Length|3a 20|"; distance:0; content:!"0"; within:1; content:"|0d 0a 0d 0a|"; distance:0; content:!"Referer|3a 20|"; http_header; content:!"Accept-Language|3a 20|"; http_header; content:!"Host|3a 20|update.cooliris.com|0d 0a|"; http_header; classtype:trojan-activity; sid:2014106; rev:3;)
@@ -49169,10 +49205,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2014108; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"|00 00|"; offset:14; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Menti/TrojanClicker.Agent.NII Checkin"; flow:established,to_server; content:"/njob.php?num="; http_uri; content:"&rev="; http_uri; content:"&ncrp="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014112; rev:2;)
@@ -49187,7 +49223,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent|3a| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent|3a| build"; http_header; pcre:"/User-Agent\x3a build\d+/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent|3a| build"; http_header; pcre:"/User-Agent\x3a build\d/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Dapato Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent|3a| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:trojan-activity; sid:2014117; rev:2;)
@@ -49238,10 +49274,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Common Adware Library ISX User Agent Detected"; flow:established,to_server; content:"User-Agent|3A 20|ISX Download DLL"; fast_pattern:12,16; http_header; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:trojan-activity; sid:2014137; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/Host\x3a (\d+\.){3}\d+/D"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:trojan-activity; sid:2014135; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent|3a 20|Internet Explorer"; http_header; content:!"Referer|3a 20|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:trojan-activity; sid:2014135; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; distance:0; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]+/i"; classtype:trojan-activity; sid:2014136; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck|28|"; distance:0; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:trojan-activity; sid:2014136; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:5;)
@@ -49253,7 +49289,7 @@
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/class.class"; http_uri; classtype:trojan-activity; sid:2014138; rev:1;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to Known CnC Domain msnsolution.nicaze.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"nicaze|03|net"; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:2;)
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to Known CnC Domain msnsolution.nicaze.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"nicaze|03|net"; fast_pattern; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent|3a| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:3;)
@@ -49274,7 +49310,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request"; flow:established,to_server; content:"/load.php?spl="; http_uri; pcre:"/\/load\.php\?spl=[-_\w]+$/U"; classtype:attempted-user; sid:2014148; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"http|3a|//"; within:7; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:1;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; file_data; content:"http|3a|//"; within:7; content:"|7C|http|3a|//"; distance:0; content:"|0D 0A|http|3a|//"; distance:0; content:"|7C|http|3a|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:1;)
@@ -49289,10 +49325,10 @@
#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent|3a 20 20|"; http_header; fast_pattern:9,4; content:"HTTP/1|2e|0"; threshold: type both, track by_src, count 15, seconds 30; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"<subform"; nocase; distance:0; fast_pattern; content:"javascript"; nocase; distance:0; classtype:attempted-user; sid:2014154; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; classtype:attempted-user; sid:2014154; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation Using Dadong JSXX Script"; flow:established,to_client; file_data; content:"Encrypt By Dadong|27|s JS"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014155; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Windows Media component specific exploit"; flow:established,to_client; file_data; content:"bang()"; distance:0; content:"cloned"; distance:0; content:"unescape(|22|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c|22|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:3;)
@@ -49304,10 +49340,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:3;)
#
-##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:established,to_server; content:"/send.php?a_id="; http_uri; content:"&telno="; http_uri; content:"&m_addr="; http_uri; content:"&usr_id="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; classtype:trojan-activity; sid:2014161; rev:1;)
@@ -49316,7 +49352,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"?pr="; http_uri; fast_pattern; content:"User-Agent|3A 20|chrome/9.0"; http_header; pcre:"/\x2E(png|gif|jpeg)\x3Fpr\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"?pr="; http_uri; fast_pattern; content:"User-Agent|3A 20|chrome/9.0"; http_header; pcre:"/\x2E(png|gif|jpeg)\x3Fpr\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; content:"/gate.php?username="; http_uri; content:"&country="; http_uri; content:"&OS="; http_uri; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:trojan-activity; sid:2014164; rev:1;)
@@ -49355,10 +49391,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.MSUpdater C&C traffic GET"; flow:from_client,established; content:".aspx?ID="; http_uri; content:"para1="; distance:0; http_uri; content:"para2="; distance:0; http_uri; content:"para3="; distance:0; http_uri; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014175; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; file_data; content:"<applet"; within:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014176; rev:4;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; file_data; content:"<applet"; within:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014176; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:trojan-activity; sid:2014177; rev:7;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato|obe|rhino|lib)$/U"; classtype:trojan-activity; sid:2014177; rev:8;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=1c19710e150ee00941148dee842a02976; classtype:trojan-activity; sid:2014178; rev:2;)
@@ -49370,7 +49406,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SAPID get_infochannel.inc.php Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/usr/extensions/get_infochannel.inc.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/108488/sapidstable-rfi.txt; classtype:web-application-attack; sid:2014180; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:3;)
#
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious getpvstat.php file Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/getpvstat.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"jss.155game.com"; http_header; nocase; classtype:trojan-activity; sid:2014182; rev:2;)
@@ -49391,7 +49427,7 @@
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014187; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; uricontent:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]*=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014189; rev:1;)
@@ -49406,7 +49442,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/count"; http_uri; content:"appTitle="; http_client_body; content:"&strLink="; distance:0; content:"&proFirstTime="; distance:0; content:"&proLastTime="; distance:0; content:"&appName="; distance:0; content:"&KillList="; distance:0; classtype:trojan-activity; sid:2014191; rev:2;)
@@ -49421,7 +49457,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; fast_pattern:only; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014197; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0D 0A|Cookie|3a| cid="; pcre:"/cid=\d\d\d\d/"; classtype:trojan-activity; sid:2014198; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0D 0A|Cookie|3a| cid="; pcre:"/^\d{4}\r$/Rm"; classtype:trojan-activity; sid:2014198; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato/Cleaman Checkin"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent|3a|"; http_header; content:!"Accept|3a|"; http_header; reference:md5,1d26f4c1cfedd3d34b5067726a0460b0d; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:trojan-activity; sid:2014200; rev:3;)
@@ -49481,7 +49517,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent|3a 20|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:trojan-activity; sid:2014219; rev:2;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:trojan-activity; sid:2014220; rev:5;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_|3b| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:trojan-activity; sid:2014220; rev:6;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Graybird Checkin"; flow:to_server,established; content:"/count.asp?mac="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"User-Agent|3a| Post|0d 0a|"; http_header; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:trojan-activity; sid:2014365; rev:2;)
@@ -49520,13 +49556,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/update?id="; distance:0; content:"X-Status|3A|"; offset:16; content:"X-Size|3A|"; offset:16; content:"X-Sn|3A|"; fast_pattern; offset:16; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; offset:16; classtype:trojan-activity; sid:2014231; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; content:"User-Agent|3a| Mozilla/4.0 |28|compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b|SV1|3b 0d 0a|"; http_header; classtype:trojan-activity; sid:2014232; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; http_uri; content:"X-Status|3A|"; http_header; content:"X-Size|3A|"; http_header; content:"X-Sn|3A|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014232; rev:4;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"User-Agent|3a| asafaweb.com|0d 0a|"; http_header; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit!IK/Kazy/PWS.Siggen.33210 Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0"; http_header; content:"|3b| Windows 98)"; within:13; fast_pattern; http_header; reference:md5,dcc2c110e509fa777ab1460f665bd137; classtype:trojan-activity; sid:2014234; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"|20|HTTP/1.0|0d 0a|Host|3a 20|"; content:"Accept|3a 20|*/*|0d 0a|"; http_header; content:"Connection|3a| close|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 5.0"; http_header; content:"|3b| Windows 98)"; within:13; fast_pattern; http_header; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:8;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment|3b|"; http_header; content:"info.exe"; http_header; distance:0; content:"|0d 0a|"; http_header; within:3; classtype:bad-unknown; sid:2014235; rev:4;)
@@ -49547,7 +49583,7 @@
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:3;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:5;)
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:5;)
@@ -49559,10 +49595,10 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"vssMlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014244; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:trojan-activity; sid:2014247; rev:1;)
@@ -49631,6 +49667,9 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"|00 00 00 00 FF FF FF FF 3F 57|"; depth:10; content:"|FE FF FF FF FF FF FF FF FF FF FF|"; distance:3; within:11; reference:md5,3d766c4d53188eb8173a5dc3cfc4e317; reference:md5,289f457083e8f59520b31a7ea13d16ec; classtype:trojan-activity; sid:2014272; rev:1;)
#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,c527fb441e204baa28a7dcbcd3d91cd1; classtype:trojan-activity; sid:2015653; rev:3;)
+
+#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:1;)
#
@@ -49646,7 +49685,7 @@
alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query for try2check.me Carder Tool"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|try2check|02|me|00|"; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:4;)
@@ -49667,7 +49706,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:2;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:3;)
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ch|02|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java Archive sent when remote host claims to send an image"; flow:established,from_server; content:"Content-Type|3a| image"; nocase; http_header; content:"|0d 0a 0d 0a|PK"; fast_pattern; content:"META-INF/MANIFEST"; distance:0; classtype:trojan-activity; sid:2014288; rev:1;)
@@ -49706,13 +49745,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FlashBack Mac OSX malware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/aaupdate/"; fast_pattern; http_uri; content:"User-Agent|3a| "; http_header; content:!"Mozilla"; within:7; http_header; content:!"|0d 0a|"; within:124; http_header; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:trojan-activity; sid:2014596; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_header; content:!"3"; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_header; content:!"9"; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:12;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; content:"/stat.php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; content:"User-Agent|3A| Opera/6"; http_header; content:"|3B| LangID="; http_header; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:trojan-activity; sid:2014604; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:trojan-activity; sid:2014300; rev:2;)
@@ -49745,7 +49784,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"000000/log"; http_uri; pcre:"/\/\d\d[A-F0-9]000000\/log$/U"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"000000/log"; http_uri; fast_pattern:only; pcre:"/\/\d\d[A-F0-9]000000\/log$/U"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RegSubsDat Checkin Off Ports"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"000000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]000000\/log /"; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014311; rev:3;)
@@ -49754,7 +49793,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; file_data; content:"|3B 20|Ini download file modue"; nocase; distance:0; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]*\x2E(dll|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server|3A 20|dbws|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; classtype:not-suspicious; sid:2014313; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server|3A 20|dbws|0d 0a|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/*exe"; flow:established,from_server; content:"Content-Disposition|3a| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:attempted-user; sid:2014314; rev:4;)
@@ -49769,7 +49808,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"<xml>"; within:5; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http|3a|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; within:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to *.clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; depth:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:1;)
@@ -49841,7 +49880,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent Toys File"; flow:established,to_server; content:"User-Agent|3A 20|toys|3A 3A|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Snad User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; content:"User-Agent|3A 20|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject|3A 20|"; content:"C|3A 5C|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]*C\x3A\x5C[^\r\n]*\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2;)
@@ -49859,7 +49898,16 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"|20|HTTP/1.1|0d 0a|Host|3a 20|"; content:"Content-Type|3a| application/x-www-form-urlencoded|3b 20|charset=UTF-8|0d 0a|Connection|3a| close|0d 0a 0d 0a|"; http_header; content:!"User-Agent|3a|"; http_header; content:"aa1020R0="; depth:9; fast_pattern; http_client_body; content:"%3D%0D%0A"; offset:109; http_client_body; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:trojan-activity; sid:2014347; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014351; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"|04 00 00 01 05 00 00 00 00 07 00 01 00|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014348; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"|04 00 00 01 01 00 00 00 04|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"|04 00 00 01 01 00 00 00 05|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014351; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; content:"CHAR("; http_uri; nocase; pcre:"/CHAR\([0-9]{2,3}\)char\([^\x0d\x0a\x20]{98,}/Ui"; classtype:attempted-admin; sid:2014352; rev:1;)
@@ -49886,7 +49934,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible|3B| MSIE 5.0.2|3B| Win32)|0D 0A|"; http_header; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:trojan-activity; sid:2014361; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent|3a| Mozilla/5.0 (compatible|3B| MSIE 6.0.1|3B| "; http_header; content:"WININET 5.0)|0D 0A|"; http_header; fast_pattern; content:"Host|3a| www.dnswatch.info|0D 0A|Cache-Control|3a| no-cache|0D 0A|"; http_header; classtype:trojan-activity; sid:2014359; rev:7;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=|22|http|3a|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014362; rev:2;)
@@ -49904,7 +49952,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:trojan-activity; sid:2014364; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Post"; flow:established,to_server; content:"User-Agent|3A 20|Post|0d 0a|"; http_header; classtype:trojan-activity; sid:2014366; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Post"; flow:established,to_server; content:"User-Agent|3A 20|Post|0d 0a|"; http_header; fast_pattern:only; content:!"/uup.php"; http_uri; content:!".360.cn|0d 0a|"; http_header; classtype:trojan-activity; sid:2014366; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C|00|o|00|m|00|p|00|a|00|n|00|y|00|N|00|a|00|m|00|e|00|"; content:"m|00|i|00|l|00|k|00|"; fast_pattern; within:30; content:"I|00|n|00|t|00|e|00|r|00|n|00|a|00|l|00|N|00|a|00|m|00|e|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; content:"L|00|e|00|g|00|a|00|l|00|C|00|o|00|p|00|y|00|r|00|i|00|g|00|h|00|t|00|"; distance:0; content:"m|00|i|00|l|00|k|00|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:1;)
@@ -49919,7 +49967,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/forum/"; http_uri; pcre:"/\/forum\/[0-9a-f]{32}\x2ephp/U"; content:"HTTP/1.0"; content:!"User-Agent|3A|"; nocase; http_header; content:"Data="; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2014370; rev:2;)
#
-alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type limit, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:5;)
+##alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"|00 00 07|"; depth:16; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:7;)
#
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|02|eu|00|"; fast_pattern:only; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:4;)
@@ -49943,7 +49991,7 @@
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; file_data; content:"document.location="; distance:0; content:".php?"; fast_pattern; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b]/"; classtype:bad-unknown; sid:2014378; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:2;)
@@ -50003,10 +50051,10 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com|0d 0a|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:trojan-activity; sid:2014403; rev:1;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:12;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:13;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15;)
#
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:2;)
@@ -50021,13 +50069,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"visited=TRUE|3b| mutex="; http_header; content:"visited=TRUE|3b| mutex="; http_cookie; depth:20; classtype:bad-unknown; sid:2014408; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alureon Primary CnC Checkin"; flow:established,to_server; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; content:!"&"; http_uri; classtype:trojan-activity; sid:2014409; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"= HTTP/1.1|0D 0A|Host|3a| "; fast_pattern; content:!"User-Agent|3a| "; http_header; content:"|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; content:!"&"; http_uri; content:!"."; http_uri; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Ixeshe"; flow:to_server,established; content:"User-Agent|3a| User-Agent|3a| "; nocase; http_header; fast_pattern:only; content:"/ym/Attachments?YY="; nocase; http_uri; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit!IK/Kazy/PWS.Siggen.33210 Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/pony/gate.php"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows 98)"; http_header; reference:md5,99FAB94FD824737393F5184685E8EDF2; classtype:trojan-activity; sid:2014411; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/pony/gate.php"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible|3b| MSIE 5.0|3b| Windows 98)"; http_header; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done|3b|"; content:"client=done|3b|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:1;)
@@ -50093,7 +50141,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=|22|evilcode.class|22|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:4;)
@@ -50102,7 +50150,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:" news=1"; content:"news=1"; http_cookie; within:6; classtype:bad-unknown; sid:2014438; rev:5;)
##by Pedro Marinho
-alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET TROJAN IRC Bot Download http Command"; flow:established,from_server; content:"JOIN |3a|#"; nocase; content:"!dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:3;)
+alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET TROJAN IRC Bot Download http Command"; flow:established,from_server; content:"JOIN |3a|#"; nocase; content:"dl|20|http|3a 2f 2f|"; distance:0; content:"|2e|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment|3b|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe|0d 0a|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:7;)
@@ -50156,19 +50204,19 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014457; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014457; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected"; flow:established,from_client; content:"POST /service HTTP/1"; depth:20; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; sid:2014459; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; content:"POST /service HTTP/1"; depth:20; content:"|13|QVOD protocol|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; classtype:policy-violation; sid:2014459; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:trojan-activity; sid:2014460; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept|3A| */*"; http_header; content:"Content-Type|3A| application/x-www-form-urlencoded"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:trojan-activity; sid:2014460; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; distance:0; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:6;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"|3c|applet archive=|22|"; distance:0; content:".jar|22|"; distance:0; within:14; content:"code=|22|msf.x.Exploit.class|22|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:7;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LuckyCat/TROJ_WIMMIE Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?m="; http_uri; content:"&n="; http_uri; within:4; content:"_"; http_uri; distance:0; content:"@"; http_uri; distance:0; pcre:"/\.php\?m=\w&n=\w+_\w+(@|@.c|@.t)$/U"; reference:url,blog.trendmicro.com/luckycat-redux-inside-an-apt-campaign/; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:trojan-activity; sid:2014462; rev:2;)
@@ -50198,7 +50246,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf|27|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:1;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:3;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:4;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"|0D 0A 0D 0A|PK"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2014472; rev:4;)
@@ -50219,106 +50267,106 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host|3a| atserver"; http_header; nocase; content:".info|0d 0a|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:trojan-activity; sid:2014477; rev:1;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.3d-game.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|3d-game|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014478; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.3d-game.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|3d-game|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014478; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.3d-game.com Dynamic DNS Domain"; flow:established,to_server; content:".3d-game.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014479; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.3d-game.com Domain"; flow:established,to_server; content:".3d-game.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014479; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.4irc.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4irc|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014480; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.4irc.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|4irc|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014480; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.4irc.com Dynamic DNS Domain"; flow:established,to_server; content:".4irc.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014481; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.4irc.com Domain"; flow:established,to_server; content:".4irc.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014481; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.b0ne.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|b0ne|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014482; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.b0ne.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|b0ne|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014482; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.b0ne.com Dynamic DNS Domain"; flow:established,to_server; content:".b0ne.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014483; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.b0ne.com Domain"; flow:established,to_server; content:".b0ne.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014483; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.bbsindex.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bbsindex|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014484; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.bbsindex.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|bbsindex|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014484; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.bbsindex.com Dynamic DNS Domain"; flow:established,to_server; content:".bbsindex.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014485; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.bbsindex.com Domain"; flow:established,to_server; content:".bbsindex.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014485; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.chatnook.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|chatnook|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014486; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.chatnook.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|chatnook|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014486; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.chatnook.com Dynamic DNS Domain"; flow:established,to_server; content:".chatnook.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014487; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.chatnook.com Domain"; flow:established,to_server; content:".chatnook.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014487; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.darktech.org Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|darktech|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014488; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.darktech.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|darktech|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014488; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.darktech.org Dynamic DNS Domain"; flow:established,to_server; content:".darktech.org|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014489; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.darktech.org Domain"; flow:established,to_server; content:".darktech.org|0D 0A|"; http_header; classtype:bad-unknown; sid:2014489; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.deaftone.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|deaftone|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014490; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.deaftone.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|deaftone|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014490; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.deaftone.com Dynamic DNS Domain"; flow:established,to_server; content:".deaftone.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014491; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.deaftone.com Domain"; flow:established,to_server; content:".deaftone.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014491; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.dtdns.net Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|dtdns|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014492; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.dtdns.net Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|dtdns|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014492; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.dtdns.net Dynamic DNS Domain"; flow:established,to_server; content:".dtdns.net|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014493; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.dtdns.net Domain"; flow:established,to_server; content:".dtdns.net|0D 0A|"; http_header; classtype:bad-unknown; sid:2014493; rev:5;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.effers.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|effers|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014494; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.effers.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|effers|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014494; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.effers.com Dynamic DNS Domain"; flow:established,to_server; content:".effers.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014495; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.effers.com Domain"; flow:established,to_server; content:".effers.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014495; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.etowns.net Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|etowns|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014496; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.net Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|etowns|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014496; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.etowns.net Dynamic DNS Domain"; flow:established,to_server; content:".etowns.net|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014497; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.net Domain"; flow:established,to_server; content:".etowns.net|0D 0A|"; http_header; classtype:bad-unknown; sid:2014497; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.etowns.org Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|etowns|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014498; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.etowns.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|etowns|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014498; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.etowns.org Dynamic DNS Domain"; flow:established,to_server; content:".etowns.org|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014499; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.etowns.org Domain"; flow:established,to_server; content:".etowns.org|0D 0A|"; http_header; classtype:bad-unknown; sid:2014499; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.flnet.org Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|flnet|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014500; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.flnet.org Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|flnet|03|org|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014500; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.flnet.org Dynamic DNS Domain"; flow:established,to_server; content:".flnet.org|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014501; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.flnet.org Domain"; flow:established,to_server; content:".flnet.org|0D 0A|"; http_header; classtype:bad-unknown; sid:2014501; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.gotgeeks.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|gotgeeks|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014502; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.gotgeeks.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|gotgeeks|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014502; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.gotgeeks.com Dynamic DNS Domain"; flow:established,to_server; content:".gotgeeks.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014503; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.gotgeeks.com Domain"; flow:established,to_server; content:".gotgeeks.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014503; rev:2;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.scieron.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|scieron|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014504; rev:3;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.scieron.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|scieron|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014504; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.scieron.com Dynamic DNS Domain"; flow:established,to_server; content:".scieron.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014505; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.scieron.com Domain"; flow:established,to_server; content:".scieron.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014505; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.slyip.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|slyip|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014506; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.slyip.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|slyip|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014506; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.slyip.com Dynamic DNS Domain"; flow:established,to_server; content:".slyip.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014507; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.com Domain"; flow:established,to_server; content:".slyip.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014507; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.slyip.net Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:4; content:"|05|slyip|03|net|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014508; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.slyip.net Dynamic DNS Domain"; flow:established,to_server; content:".slyip.net|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014509; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.slyip.net Domain"; flow:established,to_server; content:".slyip.net|0D 0A|"; http_header; classtype:bad-unknown; sid:2014509; rev:3;)
#
-alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a *.suroot.com Dynamic DNS Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|suroot|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014510; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a *.suroot.com Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|suroot|03|com|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014510; rev:5;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.suroot.com Dynamic DNS Domain"; flow:established,to_server; content:".suroot.com|0D 0A|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014511; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a *.suroot.com Domain"; flow:established,to_server; content:".suroot.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2014511; rev:3;)
#
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Request for Zaletelly CnC Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"|02|be|00|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:trojan-activity; sid:2014513; rev:1;)
@@ -50360,7 +50408,7 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; content:"Content-Disposition"; nocase; http_header; content:"attachment"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.html"; http_uri; urilen:20; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html$/U"; classtype:bad-unknown; sid:2014521; rev:3;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:5;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"|50 4B 03 04 14 00 08 00 08 00|"; within:10; classtype:bad-unknown; sid:2014526; rev:1;)
@@ -50387,16 +50435,19 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Metasploit Meterpreter core_channel_* Command Response"; flow:established; content:"|00 01 00 01|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:4;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; file_data; content:">BitcoinPlusMiner("; distance:0; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET TROJAN Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; offset:4; depth:9; content:"User-Agent|3a| Download|0d 0a|"; within:64; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:trojan-activity; sid:2014826; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; file_data; content:"BitcoinPlusMiner("; fast_pattern:only; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:3;)
#
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:1;)
#
-#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2;)
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:bad-unknown; sid:2014539; rev:1;)
@@ -50465,13 +50516,13 @@
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf|2f|x|2f|Payload"; distance:0; classtype:trojan-activity; sid:2014560; rev:4;)
##by Nathan Fowler
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS"; flow:established,to_server; content:"User-Agent|3a 20|Mozilla/4.0|20|(compatible|3b 20|MSIE 5.0|3b 20|Windows 98)"; http_header; fast_pattern:37,20; content:"*|3b|q=0"; http_header; content:"HTTP/1.0|0d 0a|Host|3a 20|"; classtype:trojan-activity; sid:2014562; rev:3;)
##by Nathan Fowler
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:4;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:5;)
#
-alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:".Exploit.class"; distance:2; within:14; classtype:bad-unknown; sid:2014561; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OS X Backdoor Checkin"; flow:established,to_server; content:"Accept-Encoding|3a 20|base64,gzip"; http_header; fast_pattern; content:"|20|Mac|20|OS|20|X|3a|"; http_header; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:2014564; rev:1;)
@@ -50516,7 +50567,7 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"User-Agent|3a 20|HTTP Client|0d 0a|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014579; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (OINC)"; flow:established,to_server; content:"User-Agent|3a 20|OINC|0d 0a|"; http_header; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:trojan-activity; sid:2014581; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hoax.Win32.BadJoke/DownLoader1.57593 Checkin"; flow:established,to_server; content:"/agent.htm"; http_uri; content:"User-Agent|3a 20|OINC|0d 0a|"; http_header; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:trojan-activity; sid:2014581; rev:3;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; content:"pcsetup_"; http_header; pcre:"/User-Agent\x3a \w+pcsetup_\w+/H"; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:trojan-activity; sid:2014583; rev:4;)
@@ -50567,13 +50618,13 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/owncheck/"; http_uri; classtype:trojan-activity; sid:2014597; rev:1;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/scheck/"; http_uri; classtype:trojan-activity; sid:2014598; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/scheck/"; http_uri; fast_pattern:only; pcre:"/^User-Agent\x3a\s*?[A-Za-z0-9+\/=]+?\r?$/Hm"; classtype:trojan-activity; sid:2014598; rev:7;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:trojan-activity; sid:2014599; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:trojan-activity; sid:2014599; rev:4;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; fast_pattern; content:!"|00|"; distance:0; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"Windows|20|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:trojan-activity; sid:2014600; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"|01 00 00 00|"; depth:4; content:!"|00|"; distance:0; within:1; content:"|00|"; distance:1; within:1; content:"|00|"; distance:61; within:1; content:"Windows|20|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:0; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; distance:12; within:20; classtype:trojan-activity; sid:2014600; rev:5;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1028; content:"|01 00 00 00|"; depth:4; content:!"|26|"; distance:0; within:1; content:"|26|"; distance:1; within:1; content:"|26|"; distance:61; within:1; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:204; within:20; content:"|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26|"; distance:12; within:20; classtype:trojan-activity; sid:2014601; rev:3;)
@@ -50591,7 +50642,7 @@
alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; distance:0; content:"http|3a|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:5;)
##by Kevin Ross
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downvision.A Initial Checkin"; flow:established,to_server; content:"/up.php?id=201"; http_uri; content:"User-Agent|3A| /n software IPWorks HTTP/S Component - www.nsoftware.com"; http_header; reference:url,www.fortiguard.com/av/VID3309956; classtype:trojan-activity; sid:2014610; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downvision.A Initial Checkin"; flow:established,to_server; content:"/up.php?id=201"; http_uri; content:"software IPWorks HTTP/S Component - www.nsoftware.com"; http_header; reference:url,www.fortiguard.com/av/VID3309956; classtype:trojan-activity; sid:2014610; rev:4;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; content:"/images.php?t="; http_uri; content:"|29 20|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:1;)
@@ -50606,7 +50657,7 @@
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2;)
#
-alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix="; http_uri; fast_pattern:only; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;)
#
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:6;)
@@ -50681,11 +50732,3956 @@
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:2;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t=4"; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:1;)
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:3;)
#
-alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:1;)
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:2;)
#
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ConstructorWin32/Agent.V"; flow:to_server,established; content:"GET http|3A|//"; depth:11; content:"|0D 0A|Pragma|3A| no-catch|0D 0A|"; http_header; content:"|0D 0A|X-HOST|3a| "; http_header; content:"|0D 0A|Content-Length|3A| 0|0D 0A|"; http_header; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:6;)
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1;)
+
+#
+alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright |28|c|29| RuggedCom"; distance:0; content:"MAC Address|3A|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET CURRENT_EVENTS RuggedCom factory account backdoor"; flow:to_server,established; content:"factory"; fast_pattern:only; flowbits:isset,ET.RUGGED.BANNER; pcre:"/factory[\r\n\x00]+[0-9]{9}/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/mods/hours/data/get_hours.php?"; http_uri; nocase; content:"take="; http_uri; nocase; content:"skip="; http_uri; nocase; content:"pageSize="; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile|28|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_videogallery"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_some"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"|2e 2e 2f|"; http_raw_uri; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Skysa Official submit parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/skysa-official/skysa.php?"; http_uri; nocase; content:"submit="; http_uri; nocase; pcre:"/submit\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107342/WordPress-Skysa-Official-1.01-1.02-1.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014656; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please|3A|wait|3A|page|3A|is|3A|loading"; distance:0; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:1;)
+
+##by Pedro Marinho
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept|3a| */*|0d 0a|Cookie|3a| uid="; offset:25; depth:25; content:"|3b 20|VISITOR="; distance:0; content:"User-Agent|3a| "; distance:0; content:"Host|3a| "; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype|3b|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; file_data; content:"PK"; within:2; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014664; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"|03 00|"; depth:2; content:"|e0|"; distance:3; within:1; content:"|03 00|"; distance:0; content:"|f0|"; distance:3; within:1; content:"|7f 65|"; distance:1; within:2; content:"|04 01 01 04 01 01 01 01 ff 30|"; distance:3; within:10; content:"|02|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url, www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; classtype:trojan-activity; sid:2014665; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Dialer.Adultchat Checkin"; flow:established,to_server; content:"/getclientid.wnk?srv="; http_uri; content:"&ver="; http_uri; content:"&pin="; http_uri; content:"&OSInfo2="; http_uri; content:"&cinfo="; http_uri; content:"retryattempt="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:trojan-activity; sid:2014667; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:trojan-activity; sid:2014669; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; depth:11; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:1;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:7;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; byte_test:1,&,64,2; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:6;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; byte_test:1,&,64,3; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; content:"?"; http_uri; content:"-"; http_uri; distance:0; content:!"="; http_raw_uri; pcre:"/(\.php|\/)\?[\s\+]*\-[A-Za-z]/Ui"; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; priority:1; classtype:trojan-activity; sid:2014705; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; priority:1; classtype:trojan-activity; sid:2014706; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe|0d 0a|"; http_header; priority:1; classtype:trojan-activity; sid:2014707; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html; classtype:attempted-user; sid:2014710; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/anzeigen_neu.php?"; nocase; http_uri; content:"bereich="; nocase; http_uri; content:"kat_id="; nocase; http_uri; content:"kategorie="; nocase; http_uri; pcre:"/kategorie\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112289/Maxxweb-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014711; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wpsc-mijnpress/mijnpress_plugin_framework.php?"; nocase; http_uri; content:"rwflush="; nocase; http_uri; pcre:"/rwflush\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112324/WordPress-WPsc-MijnPress-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014712; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_obsuggest"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103598/Joomla-obSuggest-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014715; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_joomtouch"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-custom-pages/wp-download.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/100047/WordPress-WP-Custom-Pages-0.5.0.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014717; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; content:"(Nintendo Wii"; http_header; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"GET /rclgx.php?id="; depth:18; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:trojan-activity; sid:2014719; rev:1;)
+
+#
+alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"|5C 7C 3F 2F|"; within:6; content:".exe|5C 7C 3F 2F|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:trojan-activity; sid:2014720; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:trojan-activity; sid:2014721; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Medfos/Midhos Checkin"; flow:to_server,established; content:"/id="; http_uri; content:"&rt="; distance:0; http_uri; content:"AAAAAAAAAAA"; http_uri; content:!"Accept|3a 20|"; http_header; content:!"Connection|3a 20|"; http_header; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014722; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"|0d 0a|lcon|3a 20|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE"; flow:established,to_server; content:"x-flash-version|3a| "; http_header; content:!"11,5,502,135|0d 0a|"; distance:0; within:14; http_header; content:"MSIE"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:12;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version|3a 20|"; http_header; content:!"11,5,502,136|0d 0a|"; distance:0; within:14; http_header; content:"Macintosh"; http_header; pcre:"/^User-Agent\x3a.+?Macintosh/Hm"; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smoke Loader Checkin r=gate"; flow:established,to_server; content:".php?r=gate&"; http_uri; content:"&group="; http_uri; distance:0; content:"&debug="; http_uri; distance:0; content:"5.0 (Windows|3b| U|3b| MSIE 9"; http_header; reference:md5,fafada188ce47a1459f4fcea487f06b5; classtype:trojan-activity; sid:2014728; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; classtype:bad-unknown; sid:2014729; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established; content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014731; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving Download Command"; flow:to_client,established; file_data; content:"|7c|dlexec|7c|"; nocase; distance:1; within:12; content:"|7c|"; distance:0; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving DDoS Command"; flow:to_client,established; file_data; content:"|7c|ddos|7c|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8|3a|announce"; within:11; classtype:policy-violation; sid:2014734; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:trojan-activity; sid:2014735; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/andromeda.php?"; http_uri; nocase; content:"q="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; content:"|3b|try{prototype|3b|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:5;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype|3b|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji|0d 0a|"; depth:17; fast_pattern:5,12; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:trojan-activity; sid:2014757; rev:2;)
+
+##by Pedro Marinho
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET "; depth:4; content:"/stat/tuk/"; within:10; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,8174d42fd82457592c573fe73bdc0cd5; classtype:trojan-activity; sid:2014758; rev:3;)
+
+##by Pedro Marinho
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie|3a| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,8174d42fd82457592c573fe73bdc0cd5; classtype:trojan-activity; sid:2014759; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.HLLW.Autoruner USA_Load UA"; flow:established,to_server; content:"User-Agent|3A 20|USA_Load"; http_header; reference:url,news.drweb.com/show/?i=2440&lng=en&c=5; classtype:trojan-activity; sid:2014752; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"|22|,|22|"; content:"|22|)|3b|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5;)
+
+##by Kevin Ross
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC"; flow:established,to_server; content:"/PostView.nhn?blogId="; fast_pattern; http_uri; content:"&logNo="; http_uri; content:"&parentCategoryNo="; http_uri; content:"&userTopListOpen="; http_uri; content:"&userTopListManageOpen="; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)|0d 0a|"; http_header; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862; reference:url,8af17164500aac1c0965b842aca3fed7; classtype:trojan-activity; sid:2014754; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent|3A 20|RAbcLib|0D 0A|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:trojan-activity; sid:2014755; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:trojan-activity; sid:2014760; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Getting External IP Address - ip2city.asp"; flow:established,to_server; content:"/ip2city.asp"; http_uri; classtype:misc-activity; sid:2014761; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From|3A 20 22|Infected|22|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:1;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:3;)
+
+##by StillSecure
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Survey and Quiz Tool plugin rowcount Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-survey-and-quiz-tool/javascript/survey_section.php?"; nocase; http_uri; content:"rowcount="; nocase; http_uri; pcre:"/rowcount\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112685/WordPress-WP-Survey-And-Quiz-Tool-2.9.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014768; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=catablog-gallery"; nocase; http_uri; content:"category="; nocase; http_uri; pcre:"/category\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014769; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor plugin uploader.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; content:"tab="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014770; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Appointment Booking Pro view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rsappt_pro2"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103172/Joomla-Appointment-Booking-Pro-Arbitrary-File-Reading.html; classtype:web-application-attack; sid:2014771; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_media file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/components/com_media/helpers/media.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/99775/Joomla-Media-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014772; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"|22|h|22|+|22|arCode|22 3B|"; classtype:trojan-activity; sid:2014773; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"|3A 3A|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"|0d 0a|User-Agent|3a 20|Opera/9 (Windows"; fast_pattern:14,16; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:trojan-activity; sid:2014777; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"Host|3a 20|"; depth:6; http_header; content:"Content-Length|3a 20|0|0d 0a|"; distance:0; http_header; content:"|3a 20|no-cache"; distance:0; http_header; content:!"|0d 0a|User-Agent"; http_header; content:!"|0d 0a|Accept"; http_header; reference:md5,3f9ef604b68da32062ef27e15eb71715; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:1;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.2288.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|2288|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014779; rev:6;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.3322.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|3322|03|net|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014781; rev:6;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.6600.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|6600|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014782; rev:6;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.7766.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|7766|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014783; rev:6;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.8800.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|8800|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014784; rev:5;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain *.9966.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|9966|03|org|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014786; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.2288.org"; flow:established,to_server; content:".2288.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014787; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.3322.net"; flow:established,to_server; content:".3322.net|0D 0A|"; http_header; classtype:misc-activity; sid:2014788; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.6600.org"; flow:established,to_server; content:".6600.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014789; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.7766.org"; flow:established,to_server; content:".7766.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014790; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.8800.org"; flow:established,to_server; content:".8800.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014791; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain *.9966.org"; flow:established,to_server; content:".9966.org|0D 0A|"; http_header; classtype:misc-activity; sid:2014792; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer|3a| Blat "; content:"Subject|3A 20|Contents of file|3A 20|stdin.txt"; content:"name|3D|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE|3a| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| Win32|3b| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Thetatic.A Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"CONTENT-TYPE|3a| file|0D 0A|"; http_header; classtype:trojan-activity; sid:2014795; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent|3a| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 5.1|3B| rv|3a|1.9.1) Gecko/20090624 Firefox/3.5|0D 0A|Accept|3a| */*|0D 0A|Host|3a| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent|3A 20|PCMM.Installer"; http_header; classtype:bad-unknown; sid:2014798; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; content:"Host|3a| swupdate.openvpn.net|0d 0a|"; fast_pattern:14,14; http_header; content:"User-Agent|3a| Twisted PageGetter|0d 0a|"; http_header; classtype:policy-violation; sid:2014799; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; file_data; content:"getElementById']('qwe')"; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; content:"GTB0.0|3b|"; http_header; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:2;)
+
+##by StillSecure
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:trojan-activity; sid:2014810; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/themes.php?"; nocase; http_uri; content:"page=dynwid-config"; nocase; http_uri; content:"action="; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014811; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaguemanager"; nocase; http_uri; content:"subpage="; nocase; http_uri; content:"league_id="; nocase; http_uri; content:"group="; nocase; http_uri; pcre:"/group\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014812; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaguemanager"; nocase; http_uri; content:"subpage="; nocase; http_uri; content:"edit="; nocase; http_uri; content:"season="; nocase; http_uri; pcre:"/season\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jesubmit"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014814; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_acooldebate"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014815; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; content:"User-Agent|3A 20|zeroup"; http_header; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b| Windows NT 5.1|3b| .NET CLR 1.1.2150)|0d 0a|"; http_header; fast_pattern:52,20; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; http_uri; distance:0; pcre:"/src\s*=\s*https?\x3A\x2F.*?(((static)?flickr|picasa|img\.youtube|photobucket|imgur|tinypic|blogger|wordpress)\.com|upload\.wikimedia\.org|imageshack\.us)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; file_data; content:"MZ"; within:2; isdataat:100,relative; content:"This program "; distance:0; content:"PE|00 00|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=|22|"; within:80; content:"style=|22|display|3A|none|3B 22 3E|"; within:100; isdataat:400,relative; content:!"|20|"; within:400; content:!"pre|3E|"; within:400; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|2C|"; distance:2; within:2; content:"|3C 2F|pre|3E|3Cscript|3E|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]*\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/wp-content/rss.php"; http_uri; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; http_client_body; content:"&PASSWORD="; distance:0; http_client_body; content:"&ACTION="; distance:0; http_client_body; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=|22|asd|22|"; within:80; classtype:trojan-activity; sid:2014825; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014824; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=|22|FEDEX"; nocase; content:".zip|22|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s|_|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=|22|"; nocase; content:"UPS"; nocase; within:11; content:".zip|22|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s|_|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014830; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; distance:0; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/plugins/DPGguestbook/guestbookaction.php?"; nocase; http_uri; content:"PathToRoot="; nocase; http_uri; pcre:"/PathToRoot=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014836; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Jotloader component section parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jotloader"; nocase; http_uri; content:"section="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96812/Joomla-Jotloader-2.2.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014837; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin type parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/joliprint/joliprint_options_upload.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014838; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/options-general.php?"; nocase; http_uri; content:"page=joliprint/joliprint_admin_options.php"; nocase; http_uri; content:"opt="; nocase; http_uri; pcre:"/opt\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014839; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/framework/modules/pixidou/download.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014840; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014843; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014844; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:trojan-activity; sid:2014845; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"GIF89a|01 3f|"; within:8; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:1;)
+
+#
+alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3;)
+
+#
+alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:1;)
+
+##Kevin Ross
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(|22|404|22 3B|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; content:"value=|22|lxxt>"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 1"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/s"; http_uri; fast_pattern:only; urilen:10; content:"User-Agent|3a| Internet Explorer|0d 0a|"; http_header; classtype:trojan-activity; sid:2014855; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 3"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php?0Q9oBPXEN0uECUg"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2014857; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>|0d 0a|<title>Paypal"; fast_pattern; content:"|3a 20|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0e|dakotavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014859; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dak1otavola1ndos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014860; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|dako22tavol2andos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014861; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|11|d3akotav33olandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014862; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|d4ak4otavolandos|03|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014863; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:trojan-activity; sid:2014864; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"|00 00 00 18 66 74 79 70|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain *.dns-stuff.com"; flow:established,to_server; content:"dns-stuff.com|0d 0a|"; http_header; classtype:bad-unknown; sid:2014867; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain *.dns-stuff.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|dns-stuff|03|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014868; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; content:"Arachni/"; http_header; pcre:"/User-Agent\x3a[^\r\n]+Arachni\/\d\.\d\.\d$/iH"; threshold: type threshold, track by_src, count 1, seconds 300; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:2;)
+
+#
+alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"|61 1a 02 b7 00 02 00 00 00 12|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"Security Reaserch WWEB Group|2c| LLC"; classtype:trojan-activity; sid:2014871; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|08|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:1;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:4;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeauto"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014878; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jradio controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jradio"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96751/Joomla-JRadio-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014879; rev:2;)
+
+##by Still Secure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-livephp plugin wp-live.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-livephp/wp-live.php?"; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/108282/WordPress-LivePHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014880; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mingle Forum groupid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=mfstructure"; nocase; http_uri; content:"mingleforum_action="; nocase; http_uri; content:"groupid="; nocase; http_uri; pcre:"/groupid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112696/WordPress-Mingle-Forum-1.0.33-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014881; rev:2;)
+
+##by Still Secure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_catalogue controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_catalogue"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96190/Joomla-Catalogue-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014882; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jvb_bridge Itemid Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jvb_bridge"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/Itemid=(.+)?(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/90844/Joomla-JVB-Bridge-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014883; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; classtype:bad-unknown; sid:2014884; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"|0d 0a|Host|3a| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt"; flow:established,to_server; content:"|3a|$INDEX_ALLOCATION"; http_uri; nocase; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html; classtype:bad-unknown; sid:2014886; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host|3A 20|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:trojan-activity; sid:2014887; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"|3b|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free "; flow:established,from_server; file_data; content:"<DIV id="; nocase; distance:0; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s*?id[\s\r\n]*?\x3d[\s\r\n]*?(?P<divid>[^>]+).+?<img\s*id=\s*?\x22(?P<imgid>[^\x22]+).+?\<a\s*?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+)\(\).+?\>.*?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s*?=\s*?\x22(?P<secondfunction>[^\x28]+)\(\)\x3b\s*?\x22.+?function[\s\r\n]*?(?P=firstfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?(?P=divid)\x2einnerHTML\s*?\x3d\s*?(?P=divid)\x2einnerHTML[\s\r\n]*?\x3b.*?\x7d.*?function[\s\r\n]*?(?P=secondfunction)[\s\r\n]*?\(.*?\).*?\x7b.*?\x28\x22(?P=imgid)\x22\x29\x2esrc\s*?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; content:"@@version"; nocase; http_uri; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"|0D 0A 0D 0A|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:3;)
+
+#
+alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:trojan-activity; sid:2014894; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:trojan-activity; sid:2014895; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jmsfileseller view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/101770/Joomla-JMSFileSeller-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014897; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_mscomment controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_mscomment"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,1337day.com/exploits/12246; classtype:web-application-attack; sid:2014898; rev:4;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Tinymce Thumbnail Gallery href parameter Remote File Disclosure Attempt"; flow:established,to_server; content:"/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?"; nocase; http_uri; fast_pattern:19,20; content:"href="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/113417/WordPress-Tinymce-Thumbnail-Gallery-1.0.7-File-Disclosure.html; classtype:web-application-attack; sid:2014899; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin pinterest-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?"; nocase; http_uri; fast_pattern:19,20; content:"pinterest-url="; nocase; http_uri; pcre:"/pinterest-url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014900; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?"; nocase; http_uri; fast_pattern:19,20; content:"xing-url="; nocase; http_uri; pcre:"/xing-url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014901; rev:4;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Sharebar plugin status parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/sharebar/sharebar-admin.php?"; nocase; http_uri; fast_pattern:19,20; content:"status="; nocase; http_uri; pcre:"/status\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112690/WordPress-Sharebar-1.2.1-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014904; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_ckforms"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014905; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; content:"RETR"; depth:4; content:".exe|0d 0a|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"|20|Number|3A 20 09|Loading|2E 2E 3C|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"|20|Balance Due|3a| Loading|2c 20|please wait|2e 2e 2e|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"|0d 0a 9c 62 d8 66 66 66 66 54|"; classtype:trojan-activity; sid:2014909; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT|20|user|2c|password|20|from|20|mysql|2e|user"; classtype:bad-unknown; sid:2014910; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"|0D 0A 0D 0A|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"|0D 0A 0D 0A|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=|22|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:trojan-activity; sid:2014915; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2014916; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:trojan-activity; sid:2014917; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:2;)
+
+#Rob Fisher
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:2;)
+
+#Rob Fisher
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)"; flow:established,to_client; content:"|16 03 01|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"|3B|}catch("; distance:0; within:12; classtype:trojan-activity; sid:2014921; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f5078f3(2|3)-c551-11d3-89b9-0000f81fe221/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:19;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*88d96(9c(0|1)|9e(5|6)|a0(5|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:17;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:16;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:attempted-user; sid:2014923; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp|3a|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>]*)?\>((?!\<\/xdp[^\>]*\>).)*?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com|0D 0A|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in|0d 0a|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; fast_pattern:26,20; distance:0; classtype:trojan-activity; sid:2014931; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; content:"Server|3A 20|DynDNS-CheckIP/"; http_header; classtype:bad-unknown; sid:2014932; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; file_data; content:"ne_unik"; within:7; classtype:trojan-activity; sid:2014933; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page - eval(function(p,a,c,"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"|7C|zzz|7C|"; distance:0; classtype:trojan-activity; sid:2014934; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"|7C|foxxysoftware|7C|"; classtype:trojan-activity; sid:2014935; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server; content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:18;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:10;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|onion|00|"; fast_pattern; distance:0; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:1;)
+
+##by Kevin Ross
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"|2E|rawValue|5D 5B|0|5D 2E|split|28 27 2D 27 29 3B 26 23|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:2;)
+
+##by Kevin Ross
+alert udp $HOME_NET any -> any 53 (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|exit|00|"; fast_pattern; distance:0; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/includes/smarty/internals/core.write_compiled_include.php?"; nocase; http_uri; fast_pattern:26,20; content:"smarty="; nocase; http_uri; pcre:"/smarty=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014944; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS banco Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/gateways/boleto/boleto.php?"; nocase; fast_pattern:17,19; http_uri; content:"banco="; nocase; http_uri; pcre:"/banco=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014945; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt 2"; flow:established,to_server; content:"/includes/smarty/internals/core.process_compiled_include.php?"; nocase; http_uri; fast_pattern:26,20; content:"smarty="; nocase; http_uri; pcre:"/smarty=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014946; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Thinkun Remind Plugin dirPath Remote File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/thinkun-remind/exportData.php?"; nocase; http_uri; fast_pattern:19,20; content:"dirPath="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,secunia.com/advisories/49461; classtype:web-application-attack; sid:2014947; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/simple-download-button-shortcode/simple-download-button_dl.php?"; nocase; http_uri; fast_pattern:52,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,secunia.com/advisories/49462; classtype:web-application-attack; sid:2014948; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/wp-imagezoom/download.php?"; nocase; http_uri; fast_pattern:19,20; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,1337day.com/exploits/18685; classtype:web-application-attack; sid:2014949; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/includes/components/graphexplorer/visApi.php?"; nocase; http_uri; fast_pattern:20,20; content:"type="; nocase; http_uri; content:"div="; nocase; http_uri; pcre:"/div\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/perfgraphs/index.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"end="; nocase; http_uri; content:"view="; nocase; http_uri; pcre:"/view\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014951; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (register machine)"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/registraMaquina"; http_uri; content:"User-Agent|3a| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014952; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (update machine status)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/updMaqStatus"; http_uri; content:"User-Agent|3a| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014953; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; content:"User-Agent|3a| iTunes/"; http_header; content:!"10.7"; http_header; within:4; flowbits:set,ET.iTunes.vuln; classtype:policy-violation; sid:2014954; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"|00 00 00 18 01 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; classtype:trojan-activity; sid:2014955; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 01 00 01|"; distance:2; within:5; classtype:trojan-activity; sid:2014956; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"|00 00 00 02 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00|"; distance:3; within:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"|00 00 00 01 00 00 00|"; offset:1; depth:7; fast_pattern; content:"|78 9c|"; distance:5; within:2; content:"|00 00 1f 00 1f|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:trojan-activity; sid:2014961; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; content:"/js/data/encryptedtest.dll"; http_uri; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:trojan-activity; sid:2014962; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Armageddon CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent|3A| ArmageddoN"; nocase; http_header; content:"GetList="; http_client_body; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:trojan-activity; sid:2014963; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response '/*km0ae9gr6m*/' Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response '/*qhk6sa6g1c*/' Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; within:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; fast_pattern:only; http_header; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2014968; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute|28 22|src|22|, |22|http|3A|//|22| + "; nocase; content:"+ |22|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie|28|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:17;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /*.php?*=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:3;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/versions.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/versions.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014979; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC GET /lost.dat"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lost.dat"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014980; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; distance:0; content:"=prototype|2d|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent|3a| Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; within:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*km0ae9gr6m*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*km0ae9gr6m*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:3;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /*qhk6sa6g1c*/ Jun 25 2012"; flow:established,from_server; file_data; content:"/*qhk6sa6g1c*/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect"; flow:established,to_server; content:"/rds-help/advanced/deferredView.jsp?"; nocase; http_uri; content:"href="; nocase; http_uri; pcre:"/href=\s*(ftps?|https?|php)\:\//Ui"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014986; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt"; flow:established,to_server; content:"/rds-help/advanced/deferredView.jsp?"; nocase; http_uri; content:"href="; nocase; http_uri; pcre:"/href\x3D.+(script|alert|onmouse[a-z]+|onkey[a-z]+|onload|onunload|ondragdrop|onblur|onfocus|onclick|ondblclick|onsubmit|onreset|onselect|onchange|javascript)/Ui"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014987; rev:1;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pliggCMS src parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/modules/thumbnail_plus/thumbs/grab.php?"; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src=\s*(ftps?|https?|php)\:\//Ui"; reference:url,1337day.com/exploits/18854; classtype:web-application-attack; sid:2014988; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor thumbnail parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; fast_pattern:19,20; content:"tab="; nocase; http_uri; content:"thumbnail="; nocase; http_uri; pcre:"/thumbnail\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014989; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor tags parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; fast_pattern:19,20; content:"tab="; nocase; http_uri; content:"tags="; nocase; http_uri; pcre:"/tags\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014990; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS sitepath parameter Remote File Inclusion Vulnerability"; flow:established,to_server; content:"/inc/smarty/libs/init.php?"; nocase; http_uri; content:"sitepath="; nocase; http_uri; pcre:"/sitepath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/91022/AdaptCMS-2.0.0-Beta-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014993; rev:1;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_profile controller parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_profile"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95609/Joomla-Profile-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014994; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/jrss-widget/proxy.php?"; nocase; http_uri; fast_pattern:19,12; content:"url="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014995; rev:2;)
+
+#
+#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"|03|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pandora Usage"; flow:established,to_server; content:"POST"; http_method; content:"/radio/xmlrpc/"; http_uri; content:"pandora.com|0d 0a|"; http_header; threshold: type threshold, track by_src, count 1, seconds 3600; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"*/window.eval(String.fromCharCode("; distance:0; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/timestamps.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/timestamps.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014999; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushbot User-Agent"; flow:to_server,established; content:"User-Agent|3A 20|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pushbot server response"; flow:to_client,established; file_data; content:"ZG%|20|!GX"; within:7; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; file_data; content:"SZDD"; fast_pattern; within:4; content:"PE|00 00|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"|3c|applet"; fast_pattern; content:"56|3a|14|3a|14|3a|19|3a|27|3a|50|3a|50|3a|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e|22|+|22|va"; distance:0; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e|22|+|22|v|22|+|22|a"; distance:0; pcre:"/(\x3D|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:2;)
+
+#
+#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; file_data; content:"ev|22|+|22|a"; distance:0; pcre:"/(\x3D|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; content:"GET"; http_method; content:"/dl/"; http_uri; content:"hotfile.com|0d 0a|"; fast_pattern:only; http_header; classtype:policy-violation; sid:2015015; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames Checkin"; flow:established,to_server; content:"/game"; http_uri; content:"/diary/item/"; http_uri; content:"User-Agent|3A| getURLDown|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015017; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent|3A| loadMM|0D 0A|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015018; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language|3A| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:trojan-activity; sid:2015019; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; content:"/counter/mac_proc.php?cid="; fast_pattern; http_uri; content:"&mid="; http_uri; content:"User-Agent|3A| internet|0D 0A|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015020; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; content:"/check_counter.php?pid="; http_uri; content:"&mid="; http_uri; content:"User-Agent|3A| internet|0D 0A|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015021; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern:only; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match|3A 20|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:trojan-activity; sid:2015022; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; content:"~1"; http_uri; fast_pattern:only; pcre:"/([\*\?]~1|~1\.?[\*\?]|\/~1\/)/U"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=|22|ev|22 3B|"; distance:0; content:"+|22|al|22|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=|22|e|22 3B|"; distance:0; content:"+|22|val|22|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=|22|eva|22 3B|"; distance:0; content:"+|22|l|22|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex Post to CnC"; flow:established,to_server; content:"|0d 0a 0d 0a de ad be ef|"; content:"POST"; http_method; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015028; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; http_uri; content:"ctask="; nocase; http_uri; content:"approveImmediately="; nocase; http_uri; pcre:"/approveImmediately\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ui"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"arHandle="; nocase; http_uri; content:"method="; nocase; http_uri; content:"btask="; nocase; http_uri; pcre:"/btask\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change|error))/Ui"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; http_uri; content:"func="; nocase; http_uri; content:"root="; nocase; http_uri; content:"path="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; http_uri; fast_pattern:19,15; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_wisroyq"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rssreader"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015040; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/options-general.php?"; nocase; http_uri; content:"page=bb2_options"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x\x3d.+?(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112616/WordPress-Custom-Contact-Forms-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015041; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:1;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; file_data; content:"<applet/code=|22|Rafa.Rafa|22|"; classtype:trojan-activity; sid:2015043; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=|22|&#"; isdataat:50,relative; distance:0; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; content:"|3B|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:trojan-activity; sid:2015044; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; file_data; content:"for("; distance:0; content:"|3B|"; within:20; content:">=0|3B|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n]*[0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:trojan-activity; sid:2015046; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"|3A|8080|0D 0A|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:trojan-activity; sid:2015047; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s*\x3a\s*\x7B?\s*f6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s*[\x22\x27]definition[\x22\x27]\s*\]|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; distance:0; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; fast_pattern:only; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015050; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"<html><body><script>"; distance:0; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; distance:0; classtype:trojan-activity; sid:2015057; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"|3a| bdvkpbuldslsapeb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015061; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"|3a| eilqnjkoytyjuchn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015062; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"|3a| npxsiiwpxqqiihmo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015063; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"|3a| qtmyeslmsoxkjbku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015064; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"|3a| adbjjkquyyhyqknf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015065; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"|3a| ciqmhuwgvfsxdtrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015066; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"|3a| mocrafrewsdjztbj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015067; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"|3a| otruvbidvikzhlop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015068; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"|3a| yafzvancybuwmnno.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015069; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"|3a| bhujzorkulhkpwob.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015070; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"|3a| lohnrnnpvvtxedfl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015071; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"|3a| ntvrnrdpyoadopbo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015072; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"|3a| wakvnkyzkyietkdr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015073; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"|3a| zfyafrjmmajqfvbh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015074; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"|3a| jnlkttkruqsdjqlx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015075; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"|3a| lsbppxhgckolsnap.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015076; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"|3a| vznrahwzgntmfcqk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015077; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"|3a| xeeypppxswpquvrf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015078; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"|3a| inqgvoeohpcsfxmn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015079; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"|3a| ksgmckchdppqeicu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015080; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"|3a| uyrorwlibbjeasoq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015081; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"|3a| wejungvnykczyjam.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015082; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"|3a| gmvdnpqbblixlgxj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015083; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"|3a| jrkjelzwleadyxsd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015084; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"|3a| sywleisrsstsqoic.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015085; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"|3a| venrfhmthwpqlqge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015086; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"|3a| fmacqvmqafqwmebl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015087; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"|3a| hrpgglxvqwjesffr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015088; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"|3a| rxbkqfydlnzopqrn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015089; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"|3a| tdsorylshsxjeawf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015090; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"|3a| elfxqghdubihhsgd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015091; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"|3a| gqtcxunxhyujqjkf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015092; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"|3a| sdxkjaophbtufumx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015094; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"|3a| clkujrjqvexvbmoi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015095; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"|3a| fqyyxagzkrpvxtki.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015096; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"|3a| owldagkyzrkhqnjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015097; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"|3a| rccjvgsgffokiwze.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015098; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"|3a| blorcdyiipxcwyxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015099; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"|3a| dpewaddpoewiycnj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015100; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"|3a| nwpykqeizraqthry.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015101; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"|3a| pchgijctfprxhnje.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015102; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"|3a| zisiiogqigzzqqeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015103; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"|3a| cpittmwbqtjrjpql.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015104; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"|3a| mvuvchtcxxibeubd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015105; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"|3a| oblcasnhxbbocpfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015106; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"|3a| xixftoplsduqqorx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015107; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"|3a| bpnqmxkpxxgbdnby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015108; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"|3a| kvzstpqmeoxtcwko.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015109; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"|3a| nbqypqrjiqxlfvdj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015110; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"|3a| whddmvrxufbkkoew.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015111; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"|3a| ymrhcvphevonympo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015112; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"|3a| jveqgnmjxkocqifr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015113; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"|3a| lavvckpordclbduy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015114; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"|3a| vhhzcvbegxbjsxke.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015115; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"|3a| xmwettbvtbhvrjuo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015116; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"|3a| iujniiokeyjbmerc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015117; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"|3a| kzxrowftdocgyghs.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015118; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"|3a| gacdiuwnhonuulpe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015119; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"|3a| ifrhgnqeeotnzrmz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015120; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"|3a| rmdlgyreitjsjkfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015121; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"|3a| uqspvdwyltgcyhft.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015122; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"|3a| ezfydrexncoidbus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015123; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"|3a| hfveiooumeyrpchg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015124; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"|3a| qlihxnncwioxkdls.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015125; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"|3a| sqwlonyduvpowdgy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015126; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"|3a| dyjvewshptsboygd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015127; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"|3a| febcbuyswmishvpl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015128; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"|3a| plmekaayiholtevt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015129; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"|3a| rpckbgrziwbdrmhr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015130; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"|3a| cyosongjihugkjbg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015131; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"|3a| eefysywrvkgxuqdf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015132; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"|3a| nkrbvqxzfwicmhwb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015133; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"|3a| qphhsudsmeftdaht.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015134; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"|3a| axtopsbtntqnfdyk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015135; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"|3a| ddkudnuklgiwtdyw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015136; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"|3a| mkwwclogcvgeekws.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015137; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"|3a| opldkflyvlkywuec.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015138; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"|3a| yvxfekhokspfuwqr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015139; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"|3a| bdprvpxdejpohqpt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015140; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"|3a| ljbvfrsvcevyfhor.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015141; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"|3a| noqzuukouyfuyrmd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015142; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"|3a| xvcewyydwsmdgaju.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015143; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"|3a| zatiscwwtipqlycd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015144; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"|3a| jjgshrjdcynohyuk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015145; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"|3a| mouwwvcwwlilnxub.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015146; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"|3a| vuhaojpwxgsxuitu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015147; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"|3a| yayfefhrwawquwcw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015148; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"|3a| iiloishkjwvqldlq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015149; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"|3a| knauycqgsdhgbwjo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015150; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"|3a| uumwyzhctrwdsrdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015151; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"|3a| wzbdwenwshfzglwt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015152; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"|3a| hiplksflttfkpsxn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015153; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"|3a| jnfrqmekhoevppvw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015154; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"|3a| ttqtkmthptxvwiku.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015155; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"|3a| vygzhvfiuommkqfj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015156; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"|3a| fhuidtlqttqxgjvn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015157; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"|3a| imjosxuhbcdonrco.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015158; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"|3a| rtvqcdpbqxgwnrcn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015159; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"|3a| tykvyflnjhbnqpnr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015160; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"|3a| ehyewyqydfpidbdp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"|3a| gmokuosvnbkshdtd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015162; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"|3a| qsbourrdxgxgwepy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015163; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"|3a| sxpskxdgoczvcjgp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015164; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"|3a| dhedppigtpbwrmpc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015165; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"|3a| flthmyjeuhdygshf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015166; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"|3a| osflhkaowydftniw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015167; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"|3a| rxupwhkznihnxzqx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015168; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"|3a| bgjzhlasdrwwnenj.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015169; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"|3a| elxegvkalqvkyoxc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015170; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"|3a| nrkhysgoltauclop.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015171; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"|3a| pwyloytoagndnrex.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015172; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"|3a| zenquqdskekaudbe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015173; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"|3a| cldcrgtnuwvgnbfd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015174; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"|3a| mroeqjdaukskbgua.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015175; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"|3a| owekhoeuhmdiehrw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015176; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"|3a| ydrngsmrdiiyvoiy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015177; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"|3a| bkhyiqitpoxewhmt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015178; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"|3a| krtbityuhlewigfe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015179; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"|3a| nvjgyermzsmynaeq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015180; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"|3a| jwkpdxqbemsmclal.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015181; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"|3a| lccwpflcdjrdfjib.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015182; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"|3a| uinyjmxfqinkxbda.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015183; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"|3a| xndfbivuonkxfxrq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015184; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"|3a| hvpmffxpfnlquqxo.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015185; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"|3a| kbgsbqjugdqrgtdw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015186; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"|3a| tisubmfvqrgnloxr.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015187; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"|3a| vmibswhnpqhqwyih.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015188; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"|3a| gvujhzvjxwptrtdg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015189; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"|3a| iblpdiqdmmsbnuxb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015190; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"|3a| shxrsvasoncjnxpn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015191; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"|3a| ummxjwieppswcnrg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015192; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"|3a| fuyfrockpfclxccd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015193; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"|3a| haqmuqqukywrcxfa.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015194; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"|3a| qhcplcuugevvyham.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015195; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"|3a| tmrtbcienxrbnsjc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015196; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"|3a| dueebwwdllfburag.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015197; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"|3a| fzsirujgdbvabrjm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015198; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"|3a| pghnrmkoeoetfwsm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015199; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"|3a| rlvqmipovrqbmvqd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015200; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"|3a| ctjbmgjudwisgshv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015201; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"|3a| eyxejlabqaytqmjx.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015202; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"|3a| ogmjjmqdhlbyabzg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015203; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"|3a| qlbpfyrupyadvjsl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015204; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"|3a| atnwerhvttvbivra.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015205; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"|3a| dydderasilekaegh.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015206; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"|3a| mfqfrnqllqcrayiw.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015207; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"|3a| pkglwwwmjxokzzfq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015208; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"|3a| yrrnrgliojezjctg.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015209; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"|3a| bxhzugppnulxghvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015210; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"|3a| lfvcngdbzjrzgyby.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015211; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"|3a| nkkijjyioljbfysn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015212; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"|3a| xqwkdyjydkggsppd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015213; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"|3a| axmvnmubgwlmqfrp.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015214; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"|3a| keabgwmpzqhpmlng.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015215; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"|3a| mjpflkwqskuqbjnk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015216; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"|3a| vqcicnuhtwhxmtjd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015217; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"|3a| yvqnltydqtpresfu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015218; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"|3a| iefwvulgninlkoxe.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015219; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"|3a| ljubdldgqwbarplc.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015220; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"|3a| upgghggmbusopaxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015221; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"|3a| wuvjdexaqtmqkvgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015222; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"|3a| hektxucstnbuncix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015223; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"|3a| jiyxdlvawkranmin.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015224; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"|3a| tplczomvebjmhsgk.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015225; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"|3a| vuaivypissryzhij.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015226; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"|3a| gdoqznfilmtulxxv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015227; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"|3a| iiewprjomieydnix.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015228; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"|3a| ropypfmcqjjfdiel.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015229; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"|3a| utfenjxpvwtroioi.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015230; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"|3a| edtmjcvfnfcbweed.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015231; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"|3a| hhishrpjdixwtctz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015232; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"|3a| qouubrmdxtgnnjvm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015233; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"|3a| stkbtccbckhdkbii.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015234; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"|3a| dcyjurmfwhgvyoio.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015235; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"|3a| fhnpjsnknkuvhazm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015236; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"|3a| pozrtgdmhvhvdscn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015237; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"|3a| rsoxjlibxohdcyov.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015238; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"|3a| ccdifvomwhtynpay.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015239; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"|3a| ehsmldxnregnruez.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015240; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"|3a| lsvdxjpwykxxvryd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015241; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"|3a| oxkjnvhjnvnegtyb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015242; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"|3a| xfymtpavzblzbknq.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015243; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"|3a| bloxgsfzinxmdspt.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015244; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"|3a| ksacasnubklrikdl.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015245; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"|3a| mxpgggggukxqteoy.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015246; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"|3a| wedkgpdcxlrunbmu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015247; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"|3a| yjsovtnpgbwqcbbd.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015248; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"|3a| jrfyaswntteouafv.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015249; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"|3a| lwtcxuzbdrsnpqfb.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015250; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"|3a| veihxoqukuetxqbn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015251; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"|3a| xiwlnutkxsqxwjge.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015252; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"|3a| hrkusbnevtmyisab.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015253; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"|3a| kwyyhhqtwxupnhyu.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015254; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"|3a| tdndpphrtyniynvz.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015255; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"|3a| wicjgufeimlbmcus.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015256; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"|3a| gqortbbbsnksxpmm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015257; rev:1;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fjgtmicxtlxynlpf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015258; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ppsvcvrcgkllplyn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015259; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ruhctasjmpqbyvhm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015260; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdvkpbuldslsapeb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015261; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eilqnjkoytyjuchn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015262; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|npxsiiwpxqqiihmo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015263; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qtmyeslmsoxkjbku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015264; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|adbjjkquyyhyqknf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015265; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ciqmhuwgvfsxdtrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015266; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mocrafrewsdjztbj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015267; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|otruvbidvikzhlop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015268; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yafzvancybuwmnno|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015269; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bhujzorkulhkpwob|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015270; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lohnrnnpvvtxedfl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015271; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ntvrnrdpyoadopbo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015272; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wakvnkyzkyietkdr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015273; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zfyafrjmmajqfvbh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015274; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnlkttkruqsdjqlx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015275; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsbppxhgckolsnap|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015276; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vznrahwzgntmfcqk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015277; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xeeypppxswpquvrf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015278; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|inqgvoeohpcsfxmn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015279; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksgmckchdppqeicu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015280; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uyrorwlibbjeasoq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015281; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wejungvnykczyjam|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015282; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmvdnpqbblixlgxj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015283; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrkjelzwleadyxsd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015284; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sywleisrsstsqoic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015285; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|venrfhmthwpqlqge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015286; rev:4;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fmacqvmqafqwmebl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015287; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrpgglxvqwjesffr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015288; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxbkqfydlnzopqrn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015289; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdsorylshsxjeawf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015290; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elfxqghdubihhsgd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015291; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqtcxunxhyujqjkf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015292; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qxggipnnfmnihkic|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015293; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sdxkjaophbtufumx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015294; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|clkujrjqvexvbmoi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015295; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fqyyxagzkrpvxtki|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015296; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owldagkyzrkhqnjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015297; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rccjvgsgffokiwze|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015298; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|blorcdyiipxcwyxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015299; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dpewaddpoewiycnj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015300; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nwpykqeizraqthry|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015301; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pchgijctfprxhnje|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015302; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zisiiogqigzzqqeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015303; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cpittmwbqtjrjpql|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015304; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mvuvchtcxxibeubd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015305; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oblcasnhxbbocpfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015306; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xixftoplsduqqorx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015307; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bpnqmxkpxxgbdnby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015308; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kvzstpqmeoxtcwko|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015309; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nbqypqrjiqxlfvdj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015310; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|whddmvrxufbkkoew|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015311; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ymrhcvphevonympo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015312; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jveqgnmjxkocqifr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015313; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lavvckpordclbduy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015314; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vhhzcvbegxbjsxke|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015315; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xmwettbvtbhvrjuo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015316; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iujniiokeyjbmerc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015317; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kzxrowftdocgyghs|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015318; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gacdiuwnhonuulpe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015319; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ifrhgnqeeotnzrmz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015320; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rmdlgyreitjsjkfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015321; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uqspvdwyltgcyhft|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015322; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ezfydrexncoidbus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015323; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hfveiooumeyrpchg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015324; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlihxnncwioxkdls|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015325; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sqwlonyduvpowdgy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015326; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dyjvewshptsboygd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015327; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|febcbuyswmishvpl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015328; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|plmekaayiholtevt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015329; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rpckbgrziwbdrmhr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015330; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cyosongjihugkjbg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015331; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eefysywrvkgxuqdf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015332; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkrbvqxzfwicmhwb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015333; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qphhsudsmeftdaht|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015334; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axtopsbtntqnfdyk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015335; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ddkudnuklgiwtdyw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015336; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mkwwclogcvgeekws|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015337; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|opldkflyvlkywuec|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015338; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvxfekhokspfuwqr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015339; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bdprvpxdejpohqpt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015340; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljbvfrsvcevyfhor|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015341; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|noqzuukouyfuyrmd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015342; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xvcewyydwsmdgaju|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015343; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zatiscwwtipqlycd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015344; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jjgshrjdcynohyuk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015345; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mouwwvcwwlilnxub|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015346; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuhaojpwxgsxuitu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015347; rev:3;)
+
+#
+#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yayfefhrwawquwcw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015348; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiloishkjwvqldlq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015349; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|knauycqgsdhgbwjo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015350; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uumwyzhctrwdsrdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015351; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wzbdwenwshfzglwt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015352; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hiplksflttfkpsxn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015353; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jnfrqmekhoevppvw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015354; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ttqtkmthptxvwiku|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015355; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vygzhvfiuommkqfj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015356; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhuidtlqttqxgjvn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015357; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|imjosxuhbcdonrco|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015358; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rtvqcdpbqxgwnrcn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015359; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tykvyflnjhbnqpnr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015360; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehyewyqydfpidbdp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015361; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gmokuosvnbkshdtd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015362; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qsbourrdxgxgwepy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015363; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|sxpskxdgoczvcjgp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015364; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dhedppigtpbwrmpc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015365; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|flthmyjeuhdygshf|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015366; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|osflhkaowydftniw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015367; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rxupwhkznihnxzqx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015368; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bgjzhlasdrwwnenj|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015369; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|elxegvkalqvkyoxc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015370; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nrkhysgoltauclop|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015371; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pwyloytoagndnrex|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015372; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|zenquqdskekaudbe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015373; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|cldcrgtnuwvgnbfd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015374; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mroeqjdaukskbgua|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015375; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|owekhoeuhmdiehrw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015376; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ydrngsmrdiiyvoiy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015377; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bkhyiqitpoxewhmt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015378; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|krtbityuhlewigfe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015379; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nvjgyermzsmynaeq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015380; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jwkpdxqbemsmclal|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015381; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lccwpflcdjrdfjib|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015382; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|uinyjmxfqinkxbda|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015383; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xndfbivuonkxfxrq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015384; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hvpmffxpfnlquqxo|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015385; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kbgsbqjugdqrgtdw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015386; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tisubmfvqrgnloxr|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015387; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vmibswhnpqhqwyih|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015388; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gvujhzvjxwptrtdg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015389; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iblpdiqdmmsbnuxb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015390; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|shxrsvasoncjnxpn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015391; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ummxjwieppswcnrg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015392; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fuyfrockpfclxccd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015393; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|haqmuqqukywrcxfa|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015394; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qhcplcuugevvyham|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015395; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tmrtbcienxrbnsjc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015396; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dueebwwdllfburag|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015397; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fzsirujgdbvabrjm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015398; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pghnrmkoeoetfwsm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015399; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rlvqmipovrqbmvqd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015400; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ctjbmgjudwisgshv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015401; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|eyxejlabqaytqmjx|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015402; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ogmjjmqdhlbyabzg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015403; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qlbpfyrupyadvjsl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015404; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|atnwerhvttvbivra|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015405; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dydderasilekaegh|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015406; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mfqfrnqllqcrayiw|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015407; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pkglwwwmjxokzzfq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015408; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yrrnrgliojezjctg|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015409; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bxhzugppnulxghvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015410; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lfvcngdbzjrzgyby|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015411; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|nkkijjyioljbfysn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015412; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xqwkdyjydkggsppd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015413; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|axmvnmubgwlmqfrp|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015414; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|keabgwmpzqhpmlng|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015415; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mjpflkwqskuqbjnk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015416; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vqcicnuhtwhxmtjd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015417; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yvqnltydqtpresfu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015418; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iefwvulgninlkoxe|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015419; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ljubdldgqwbarplc|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015420; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|upgghggmbusopaxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015421; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wuvjdexaqtmqkvgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015422; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hektxucstnbuncix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015423; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jiyxdlvawkranmin|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015424; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tplczomvebjmhsgk|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015425; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|vuaivypissryzhij|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015426; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gdoqznfilmtulxxv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015427; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|iiewprjomieydnix|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015428; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ropypfmcqjjfdiel|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015429; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|utfenjxpvwtroioi|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015430; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|edtmjcvfnfcbweed|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015431; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hhishrpjdixwtctz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015432; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|qouubrmdxtgnnjvm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015433; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|stkbtccbckhdkbii|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015434; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|dcyjurmfwhgvyoio|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015435; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|fhnpjsnknkuvhazm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015436; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|pozrtgdmhvhvdscn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015437; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|rsoxjlibxohdcyov|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015438; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ccdifvomwhtynpay|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015439; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ehsmldxnregnruez|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015440; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lsvdxjpwykxxvryd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015441; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|oxkjnvhjnvnegtyb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015442; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xfymtpavzblzbknq|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015443; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|bloxgsfzinxmdspt|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015444; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|ksacasnubklrikdl|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015445; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|mxpgggggukxqteoy|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015446; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wedkgpdcxlrunbmu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015447; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|yjsovtnpgbwqcbbd|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015448; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|jrfyaswntteouafv|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015449; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|lwtcxuzbdrsnpqfb|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015450; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|veihxoqukuetxqbn|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015451; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|xiwlnutkxsqxwjge|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015452; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|hrkusbnevtmyisab|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015453; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|kwyyhhqtwxupnhyu|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015454; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|tdndpphrtyniynvz|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015455; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|wicjgufeimlbmcus|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015456; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|gqortbbbsnksxpmm|02|ru|00|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015457; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 1"; flow:established,to_server; content:"/plg3.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015458; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 2"; flow:established,to_server; content:"/ext1.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent|3a| Mozilla/4.0|0d 0a|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015459; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppift.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|05|ppift|03|net|00 00 10|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015460; rev:3;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"|3a| fjgtmicxtlxynlpf.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015461; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"|3a| ppsvcvrcgkllplyn.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015462; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"|3a| ruhctasjmpqbyvhm.ru|0D 0A|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015463; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaflet_marker"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015466; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_layer) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaflet_layer"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015467; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_jstore controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jstore"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94689/Joomla-JStore-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015468; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Help Center Live file parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/module.php?"; nocase; http_uri; content:"module=helpcenter"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/88998/Help-Center-Live-2.0.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015469; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPollScript include_class Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/php/init.poll.php?"; nocase; http_uri; content:"include_class="; nocase; http_uri; pcre:"/include_class=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/81376/phpPollScript-1.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015470; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_edir"; nocase; http_uri; content:"view="; nocase; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_connect controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_connect"; nocase; http_uri; content:"view="; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95590/Joomla-Connect-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015472; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=catablog-gallery"; nocase; http_uri; content:"category="; nocase; http_uri; pcre:"/category\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015473; rev:1;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeroAccess udp traffic detected"; content:"|9e 98|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Landing Page /intpmt.html"; flow:established,to_server; content:"/intpmt.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015476; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; content:"[|22|e"; fast_pattern; content:"|22|+|22|"; within:11; content:"l|22|]"; within:11; pcre:"/\x7B\x22e(v|x22\x2B\x22)(v|x22\x2B\x22|a)(a|v|x22\x2B\x22)[^\x5D]*?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:9; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:2;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host|3a| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s*=\s*\x22[^\x22\n]+?\x22\x3b[^\x3b\n]*?Date[^\x3b\n]*?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ZeroAccess Outbound udp traffic detected"; content:"|28 94 8d ab c9 c0 d1 99|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^Host: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?$/Hmi"; classtype:bad-unknown; sid:2015483; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; content:"w3af.sf.net"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+?w3af\.sf\.net/Hmi"; classtype:attempted-recon; sid:2015484; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; content:"/tuner/?StationId="; http_uri; fast_pattern:only; content:"tunein.com|0d 0a|"; http_header; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015487; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:trojan-activity; sid:2015489; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin PICA Photo Gallery imgname parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/pica-photo-gallery/picadownload.php?"; nocase; http_uri; fast_pattern:19,20; content:"imgname="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/113404/WordPress-PICA-Photo-Gallery-1.0-File-Disclosure.html; classtype:web-application-attack; sid:2015494; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Edition mod parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/include/we_modules/show.php?"; nocase; http_uri; content:"mod="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/99789/Web-Edition-6.1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015495; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress church_admin Plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/church-admin/includes/validate.php?"; nocase; http_uri; fast_pattern:19,14; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,securityfocus.com/bid/54329; classtype:web-application-attack; sid:2015496; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=file-manager/categories"; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015497; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Newsletter data parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/wp-content/plugins/plugin-newsletter/preview.php?"; nocase; http_uri; fast_pattern:19,19; content:"data="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/113413/WordPress-Newsletter-1.5-File-Disclosure.html; classtype:web-application-attack; sid:2015499; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"Host|3A| "; http_header; content:"geoiptool.com|0d 0a|"; within:20; http_header; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890|0a|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015501; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME|0D 0A|Port|3a| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - .com.tw/check_version.php"; flow:established,to_server; content:"/check_version.php"; http_uri; content:"&version="; http_uri; content:".com.tw|0D 0A|"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015503; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; content:"POST"; http_method; urilen:6; content:"Indy Library"; http_header; pcre:"/^\/[a-z]\.php/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015504; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - getiplist.php"; flow:established,to_server; content:"/getiplist.php"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015505; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - get_servers.php"; flow:established,to_server; content:"/get_servers.php?"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015506; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - botinfo.php"; flow:established,to_server; content:"/botinfo.php?"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015508; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015509; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM|0D 0A|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION*"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2;)
+
+#Darren Spruell
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; content:"POST"; http_method; content:"/was/vas.php"; http_uri; fast_pattern:only; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:trojan-activity; sid:2015512; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf|0d 0a|"; distance:0; fast_pattern; pcre:"/^\s*?STOR\s+[^\r\n]*?\x2f(tgt|trace|rbp(c|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf|0d 0a|"; distance:0; pcre:"/^\s*?STOR\s+[^\r\n]*?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version|3a 22|"; fast_pattern:only; classtype:trojan-activity; sid:2015516; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math|3B|"; distance:0; content:"[|22|f"; distance:0; content:"|22|+|22|"; within:15; content:"r|22|]"; within:12; classtype:trojan-activity; sid:2015519; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Applet Structure"; flow:established,to_client; content:"<|2F|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=|22|"; distance:0; content:"|22|><param/name=|22|"; distance:9; within:15; content:"<|2F|applet><|2F|body><|2F|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"|01 00 01 ae 84 e3 aa 1f 90|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pakes2 - Client Alive"; flow:established,to_server; dsize:6; content:"|01 00 21 01|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes2 - Checkin - /test.php"; flow:established,to_server; urilen:9; content:"/test.php"; http_uri; fast_pattern:only; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2015523; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/*c3284d*/"; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(|22|p"; fast_pattern; content:"|3b|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!" Mozilla/5.0 (compatible|3b| Googlebot/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:75; content:!" Googlebot/2.1 (+http|3a|//www.google.com/bot.html)|0d 0a|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; content:"User-Agent|3a|"; http_header; content:!"Googlebot-News|0d 0a|"; within:16; http_header; content:!" Googlebot-Image/1.0|0d 0a|"; within:22; http_header; content:!" Googlebot-Video/1.0|0d 0a|"; within:22; http_header; content:"Googlebot-"; fast_pattern; http_header; nocase; distance:0; content:!"Mobile/2.1|3b| +http|3a|//www.google.com/bot.html)|0d 0a|"; within:46; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot-.+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [5080,$HTTP_PORTS] (msg:"ET TROJAN Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent|3a| Microsoft|20|Internet|20|Updater|0d 0a|"; fast_pattern:12,20; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]*?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl|0D 0A|"; nocase; fast_pattern:only; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|10|"; distance:0; content:"|03|waw|02|pl|00|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host|3a 20|"; depth:6; http_header; content:"Connection|3a 20|close|0d 0a|Cookie|3a 20|"; http_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; fast_pattern:only; nocase; classtype:trojan-activity; sid:2015532; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; content:!"Accept|3a| "; http_header; classtype:trojan-activity; sid:2015533; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; content:!"Accept|3a| "; http_header; classtype:trojan-activity; sid:2015534; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress featurific-for-wordpress plugin snum parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/featurific-for-wordpress/cached_image.php?"; nocase; http_uri; fast_pattern:19,20; content:"snum="; nocase; http_uri; pcre:"/snum\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107256/WordPress-Featurific-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015536; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_picasa2gallery controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_picasa2gallery"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/90915/Joomla-Picasa2Gallery-1.2.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015540; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Commentics id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/comments/admin/index.php?"; nocase; http_uri; content:"page=edit_page"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/113996/Commentics-2.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015541; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress clickdesk-live-support-chat plugin cdwidgetid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?"; nocase; http_uri; fast_pattern:19,20; content:"cdwidgetid="; nocase; http_uri; pcre:"/cdwidgetid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107255/WordPress-Clickdesk-Live-Support-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015542; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles menu Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/Full_Release/include/body_admin.inc.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; pcre:"/menu=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015543; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles topic_title parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/full_release/community.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"comm_id="; nocase; http_uri; content:"topic_title="; nocase; http_uri; pcre:"/topic\_title\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015544; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_pollxt"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"|2e 2e 2f|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015545; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; fast_pattern:only; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:trojan-activity; sid:2015546; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; fast_pattern; content:"1.1|0D 0A|User-Agent|3a| Mozilla/4.0|0D 0A|Host|3a| "; content:"|0D 0A 0D 0A|"; within:19; classtype:trojan-activity; sid:2015547; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015548; rev:10;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015549; rev:4;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious *.upas.su domain"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|upas|02|su|00|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a *.upas.su domain"; flow:to_server,established; content:".upas.su|0d 0a|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2015551; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015558; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR, Some-State, Internet Widgits)"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"|55 04 06 13 02|TR"; content:"|55 04 08 13 0a|Some-State"; distance:0; content:"|13 18|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to (MyCompany Ltd) could be SSL CnC"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; content:"/?xclzve_"; depth:9; http_uri; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:2015562; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ManageEngine Applications Manager attributeToSelect parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/jsp/ThresholdActionConfiguration.jsp?"; nocase; http_uri; content:"resourceid="; nocase; http_uri; content:"attributeIDs="; nocase; http_uri; content:"attributeToSelect="; nocase; http_uri; pcre:"/attributeToSelect\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,securityfocus.com/bid/54759/; classtype:web-application-attack; sid:2015565; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeformcr"; fast_pattern:only; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bsadv"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_mailchimpccnewsletter"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pragmaMx img_url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/plugins/imgpopup/img_popup.php?"; nocase; http_uri; content:"img_url="; nocase; http_uri; pcre:"/img\_url\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/113035/pragmaMx-1.12.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015571; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEMENOS T24 skin parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/genrequest.jsp?"; nocase; http_uri; content:"routineName="; nocase; http_uri; content:"routineArgs="; nocase; http_uri; content:"compId="; nocase; http_uri; content:"skin="; nocase; http_uri; pcre:"/skin\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/115126/Temenos-T24-R07.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015572; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"|2f 2a|Yszz 0.7 vip|2a 2f|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; within:3; content:"<doswf version="; fast_pattern:only; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"PK"; within:2; content:"Gond"; pcre:"/^(?:a(?:ttack|dExp)|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:4;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to tor2web.org Domain (.onion proxy)"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|07|tor2web|03|org|00|"; nocase; distance:0; reference:url,tor2web.org; classtype:bad-unknown; sid:2015576; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lile.A DoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"UserAgent|3a|"; http_header; content:"Windows 98"; fast_pattern:only; http_header; content:"Host|3a| www.fbi.gov"; http_header; threshold:type limit, track by_src, count 1, seconds 30; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"|3c|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; content:"=|22|"; isdataat:300,relative; content:"|22|"; within:300; content:"|22|.replace(/"; distance:0; content:"/g.|22 22 29 3B|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:trojan-activity; sid:2015581; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; distance:0; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; file_data; content:"<h1><b>Please wait a moment. You will be forwarded...<|2F|h1><|2F|b>"; distance:0; classtype:trojan-activity; sid:2015582; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; distance:0; content:"=Math.round|3B|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:trojan-activity; sid:2015587; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; content:"CreateRemoteThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; file_data; content:"|3C|html|3E 3C|body|3E 3C|script|3E|"; within:20; content:"=function|28 29 7B|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; file_data; content:"P|00|r|00|o|00|d|00|u|00|c|00|t|00|N|00|a|00|m|00|e"; content:"n|00|o|00|n|00|a|00|m|00|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:2015592; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FinFisher Malware Connection Initialization"; flow:to_server,established; content:"|0c 00 00 00 40 01 73 00|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FinFisher Malware Connection Handshake"; flow:to_server,established; content:"|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu|0D 0A|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.gowin7.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|06|gowin7|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:2;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.secuurity.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|secuurity|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.bestcomputeradvisor.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|13|bestcomputeradvisor|03|com|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.dotnetadvisor.info"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dotnetadvisor|04|info|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.dataspotlight.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0d|dataspotlight|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.guest-access.net"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|guest-access|03|net|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=|22|0|22| height=|22|0|22|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Advanced Text Widget plugin page parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/advanced-text-widget/advancedtext.php?"; nocase; http_uri; fast_pattern:19,22; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107192/WordPress-Advanced-Text-Widget-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015609; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/lanoba-social-plugin/index.php?"; nocase; http_uri; fast_pattern:19,22; content:"action="; nocase; http_uri; pcre:"/action\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015610; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla je-media-player view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/components/je-media-player.html?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/91171/Joomla-JE-Media-Player-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015611; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dirLIST show_scaled_image.php Local File Inclusion Attempt"; flow:established,to_server; content:"/dirLIST_files/gallery_files/show_scaled_image.php?"; nocase; http_uri; content:"image_path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015612; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dirLIST thumb_gen.php Local File Inclusion Attempt"; flow:established,to_server; content:"/dirLIST_files/thumb_gen.php?"; nocase; http_uri; content:"image_path="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015613; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BaglerCMS articleID parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/baglercms.php?"; nocase; http_uri; content:"articleID="; nocase; http_uri; pcre:"/articleID\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,1337day.com/exploits/18221; classtype:web-application-attack; sid:2015614; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LiveGrounds plugin uid parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/livegrounds/lg_crop.php?"; nocase; http_uri; fast_pattern:19,13; content:"uid="; nocase; http_uri; pcre:"/uid\x3d.+(s(cript|tyle\x3D)|on(mouse[a-z]|key[a-z]|load|unload|dragdrop|blur|focus|click|dblclick|submit|reset|select|change))/Ui"; reference:url,1337day.com/exploits/18932; classtype:web-application-attack; sid:2015615; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"|3c|!-- DOCHTMLhttp|3a|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:trojan-activity; sid:2015616; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"|0d 0a|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain *.datajunction.org"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0c|datajunction|03|org|00|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS gr8domain.biz hostile redirector seen with Blackhole and Fake AV - Aug 08 2012"; flow:established,to_server; content:".gr8domain.biz|0d 0a|"; http_header; fast_pattern:only; pcre:"/Host\x3a[^\r\n]+\.gr8domain\.biz/i"; classtype:trojan-activity; sid:2015619; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,|22 22|)|3B|"; within:30; classtype:trojan-activity; sid:2015620; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; file_data; content:"=0|3B|i<document.body.childNodes.length|3B|i++{"; classtype:trojan-activity; sid:2015621; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; content:"POST"; http_method; content:"/was/uid.php"; fast_pattern:only; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:trojan-activity; sid:2015623; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/api/xmlrpc"; http_uri; content:"file|3a 2f 2f 2f|"; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:8; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4;)
+
+#Nathan
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; content:"/data.asp?mydata="; http_uri; content:"&uid="; http_uri; content:"&state="; http_uri; content:"User-Agent|3a| you"; http_header; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:trojan-activity; sid:2015632; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"|de ad be ef|"; distance:0; content:"|00 01 00 00 00|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:3;)
+
+#
+##alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015630; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:4;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain *.mooo.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|mooo|03|com|00|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2015633; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain *.mooo.com"; flow:established,to_server; content:".mooo.com|0D 0A|"; http_header; classtype:bad-unknown; sid:2015634; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:trojan-activity; sid:2015635; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/gui/link.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015637; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015638; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"wgDekiPluginPath="; nocase; http_uri; pcre:"/wgDekiPluginPath=\s*(ftps?|https?|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015639; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/gui/link.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015640; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015641; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"wgDekiPluginPath="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015642; rev:2;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3;)
+
+##by StillSecure
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_g2bridge"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015645; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"|3c|html>|3c|body>|3c|applet "; fast_pattern; content:"code="; within:100; content:">|3c|param"; distance:0; content:">|3c|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:4;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=*&s=*"; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu|0d 0a|"; http_header; pcre:"/\/n\.php\?h=\w*?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; file_data; content:"|3c|script"; distance:0; content:"split(|22|"; within:40; content:".join(|22 22|).split(|22 22 29 3b|"; within:50; classtype:trojan-activity; sid:2015651; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; file_data; content:"applet"; distance:0; content:"0xb|3a|0x9|3a|0x9|3a|0x4|3a|0x1f|3a|0x31|3a|0x31|3a|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; content:"try{"; content:"|3b|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:2;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:3;)
+
+#
+##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0day JRE 17 metasploit Exploit Class"; flow:established,to_client; file_data; content:"PK"; within:2; content:"|2f|Payload.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0day JRE 17 metasploit Payload Class"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Exploit.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"|2e|"; distance:1; within:1; http_uri; content:"|2e|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value=|22|"; pcre:"/^[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern:only; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:bad-unknown; sid:2015670; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; content:"GET /t/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{32}\sHTTP\x2f1\./Ri"; content:"|0d 0a|Host|3a| "; distance:0; pcre:"/^[^\r\n]+\x3a1342\r\n/R"; classtype:bad-unknown; sid:2015672; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.JS.QLP Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/read.php?nm="; http_uri; depth:16; content:!"User-Agent|3a|"; http_header; classtype:trojan-activity; sid:2015673; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; content:"3"; depth:1; http_stat_code; content:"Location|3a| data|3a|"; http_header; fast_pattern:only; classtype:misc-activity; sid:2015674; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; content:"/go.php?sid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015675; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:2;)
+
+#Chris Wakelin
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; fast_pattern:only; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:trojan-activity; sid:2015677; rev:3;)
+
+#Chris Wakelin
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015680; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015681; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015682; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015683; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; fast_pattern:only; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"|16 03 01|"; depth:3; content:"|02|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"|16 03 01|"; within:3; content:"|0b|"; distance:2; within:2; content:"|30 82|"; distance:9; within:2; content:"|30 82|"; distance:2; within:2; content:"|a0 03 02 01 02 02|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.jar$/U"; classtype:attempted-user; sid:2015689; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.*\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:1;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition|3a| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015696; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015698; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:trojan-activity; sid:2015699; rev:2;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015702; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Brutus Scan Inbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015703; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:5;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015705; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015706; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"|7C|applet|7C|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2015708; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]*\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; fast_pattern; pcre:"/^[\r\n\s]*[\x22\x27](s|\\(x|u00)[57]3)(e|\\(x|u00)[46]5)(l|\\(x|u00)[46]c)(e|\\(x|u00)[46]5)(c|\\(x|u00)[46]3)(t|\\(x|u00)[57]4)(A|\\(x|u00)[46]1)(l|\\(x|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent|2e|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]*=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand|28|"; nocase; pcre:"/^[\r\n\s]*[\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern:only; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; fast_pattern:only; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3a 20|Mozilla/4.1"; http_header; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:trojan-activity; sid:2015713; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mirage Campaign checkin"; flow:established,to_server; content:"POST"; http_method; content:"/result?hl="; depth:11; http_uri; content:"&meta="; distance:0; http_uri; content:"Mjtdkj"; depth:6; http_client_body; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015714; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Mirage Campaign checkin (port 443)"; flow:established,to_server; content:"POST "; depth:5; content:"/result?hl="; offset:5; depth:11; content:"&meta="; distance:0; content:"|0d 0a 0d 0a|Mjtdkj"; distance:0; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015715; rev:3;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,from_server; content:"ashburn@gmail.com"; fast_pattern:only; classtype:trojan-activity; sid:2015717; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 0a 0c 0C|The Internet"; distance:3; within:Certs.len; content:"|55 04 03 0c 03|web"; distance:0; classtype:trojan-activity; sid:2015718; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC"; flow:from_server,established; content:"|0d 0a 0d 0a|c=run&u=/get/"; content:".exe"; distance:0; classtype:trojan-activity; sid:2015902; rev:3;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|palauone|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015719; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0d|traindiscover|03|com|00|"; nocase; distance:4; within:19; fast_pattern; classtype:bad-unknown; sid:2015720; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|manymanyd|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015721; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|whatandwhyeh|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015722; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/counter.img?theme="; fast_pattern:only; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent|3a| Opera/9 (Windows NT"; http_header; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; classtype:trojan-activity; sid:2015723; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; content:"/x-java-archive|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf|0d 0a|"; fast_pattern:only; content:"|0d 0a|Set-Cookie|3a 20|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"|0d 0a 0d 0a|%PDF-"; distance:0; classtype:trojan-activity; sid:2015725; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:1;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|08|bktwenty|03|com|00|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015728; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|09|adbullion|03|com|00|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015729; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|04|"; distance:0; content:"|0c|sleeveblouse|03|com|00|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015730; rev:2;)
+
+#
+##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015731; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 2"; flow:from_server,established; content:"|0d 0a 0d 0a|c=idl"; fast_pattern; distance:0; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; classtype:trojan-activity; sid:2015903; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 3"; flow:from_server,established; content:"200 OK|0d 0a|Server|3a| "; content:"|0d 0a 0d 0a|c=rdl&u="; distance:0; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; classtype:trojan-activity; sid:2015904; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|08|defmaybe|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015736; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHPMyAdmin BackDoor Access"; flow:established,to_server; content:"POST"; http_method; content:"/server_sync.php?"; fast_pattern:only; http_uri; content:"c="; http_uri; pcre:"/\/server_sync.php\?(?:.+?&)?c=/Ui"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"|0d 0a 0d 0a|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:1;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|09|adbullion|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015741; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"|55 04 06 13 02|SE"; distance:3; within:Certs.len; content:"|55 04 08 13 01 20|"; distance:0; content:"|55 04 07 13 01 20|"; distance:0; content:"|55 04 0a 13 01 20|"; distance:0; content:"|55 04 0b 13 01 20|"; distance:0; content:"|55 04 03 13 01 20|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2015742; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/JMXInvokerServlet/"; http_uri; nocase; reference:cve,CVE-2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent|3a|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; content:"utl_inaddr.get_host"; nocase; http_uri; fast_pattern:only; classtype:attempted-admin; sid:2015749; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"|0d 0a|Mi"; isdataat:76,relative; content:"|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56|"; distance:0; classtype:trojan-activity; sid:2015752; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"User-Agent|3A 20|Asynchronous WinHTTP"; http_header; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:trojan-activity; sid:2015753; rev:2;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n|00|e|00|s|00|s|00|u|00|s"; fast_pattern:only; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell)"; flow:from_server,established; content:"Content-Type|3a| image/"; http_header; file_data; content:"eval(gzinflate(base64_decode("; distance:0; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html; classtype:attempted-user; sid:2015755; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan Downloader GetBooks UA"; flow:established,to_server; content:"User-Agent|3a| GetBooks"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015756; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2"; flow:to_server,established; content:"User-Agent|3a| AskTb"; http_header; classtype:policy-violation; sid:2015757; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015758; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot UA"; flow:established,to_server; content:"Windows NT 7.1"; http_header; content:"Firefox/9.1.2"; http_header; classtype:trojan-activity; sid:2015780; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/U"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:trojan-activity; sid:2015807; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-Zbot.gen.als Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type|3a| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"|7B 5C 72 74 66 31|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page"; flow:to_server,established; content:"/links/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/links\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015787; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; content:".html"; http_uri; content:"From|3a| "; depth:6; fast_pattern; http_header; content:!"@"; http_header; within:18; content:"|0d 0a|Via|3a| "; http_header; distance:18; within:7; content:"^"; http_header; within:40; pcre:"/From\x3a\d{18}\x0d\x0aVia\x3a[^\x0d\x0a]+?[\x5d\x5e\x60\x5c]/H"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:trojan-activity; sid:2015786; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; content:"heritrix"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?heritrix/Hmi"; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:3;)
+
+#
+alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:1;)
+
+#
+alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; content:"/phptax/"; http_uri; fast_pattern:only; content:"&pfilez="; http_uri; nocase; classtype:web-application-attack; sid:2015794; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (2)"; flow:to_server,established; content:"/detects/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/detects\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015796; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/watches/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/watches\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015797; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (4)"; flow:to_server,established; content:"/boards/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/boards\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015798; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; content:"ch=1"; http_uri; fast_pattern:only; content:"ch=1"; http_client_body; depth:4; pcre:"/ch=1$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2015799; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot GeoIP Lookup (Skype LOL Worm)"; flow:to_server,established; content:"User-Agent|3a| Mozilla/4.0|0d 0a|Host|3a| api.wipmania.com|0d 0a|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; content:"/api/"; http_uri; nocase; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|INT-"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aINT-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AMD)"; flow:to_server,established; content:"/api/"; http_uri; nocase; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"|3b|c|3a|AMD-"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aAMD-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080|0d 0a|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (6)"; flow:established,from_server; file_data; content:"<html><head><title></title></head><body>"; within:40; content:"applet archive="; distance:0; pcre:"/\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}/Rsmi"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com|autoflash\.info)|update\.(?:dyndns\.info|hopto\.org)|app\.serveftp\.com)|flash(?:center\.info|rider\.org)|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015805; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream|oft)|drivers)|(?:rendercode|videosyn)c|flashupdates|syncstream)\.info|194\.192\.14\.125|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015806; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Taidoor C2"; flow:established,to_server; content:"GET "; depth:4; content:".php?id="; fast_pattern; distance:6; within:8; pcre:"/^GET\s\/[a-z]{5}\.php\?id=[A-Z0-9]{18}\sHTTP\/1\.[0-1]\r\n/"; content:"MSIE 6.0|3b|"; distance:0; classtype:trojan-activity; sid:2015808; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; content:"visitz="; http_cookie; file_data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:2;)
+
+#
+alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Torpig Sinkhole Domain (Possible Infected Host)"; content:"|00 01 00 00 00 00 00 00|"; depth:8; offset:4; content:"|0f|torpig-sinkhole|03|org|00|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fujacks Activity"; flow:to_server,established; content:"User-Agent|3a| QQ|0d 0a|"; http_header; content:".whboy.net|0d 0a|"; nocase; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015814; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:trojan-activity; sid:2015815; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:trojan-activity; sid:2015816; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&|23|48|3b|&|23|98|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|57|3b|&|23|48|3b|&|23|52|3b|&|23|49|3b|&|23|102|3b|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GeckaSeka User-Agent"; flow: established,to_server; content:"GeckaSeka"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GeckaSeka/Hi"; classtype:trojan-activity; sid:2015824; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 7 User-Agent"; flow: established,to_server; content:"Windows NT 7"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 7/Hmi"; classtype:trojan-activity; sid:2015820; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; content:"Windows NT 8"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 8/Hmi"; classtype:trojan-activity; sid:2015821; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; content:"Windows NT 9"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 9/Hmi"; classtype:trojan-activity; sid:2015822; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; http_client_body; depth:5; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:7;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length|3a| 4|0d 0a|"; http_header; file_data; content:"Smk0"; depth:4; fast_pattern; classtype:trojan-activity; sid:2015835; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; content:"GET"; http_method; content:" Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"|00 c8 b9 67 4e 25 75 e9 92|"; content:"|55 04 06 13 02 4e 4c|"; distance:0; content:"|55 04 07 0c 01 20|"; distance:0; content:"|55 04 03 0c 01 20|"; distance:0; classtype:trojan-activity; sid:2015837; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:2;)
+
+#
+alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"|80 00 00 01 00 01|"; offset:2; depth:6; content:"|04|wpad|00 00 01 00 01 04|wpad|00 00 01 00 01|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; depth:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; content:"/index312.php?ver="; http_uri; content:"&cam="; http_uri; content:"&p=spy"; http_uri; content:"&id="; http_uri; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015850; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=|22|Pragma|22| CONTENT=|22|no-cache|22|></head><body>"; base64_decode:bytes 365, offset 0, relative; base64_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode."; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot requesting update"; flow:to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:2015853; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot initial checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern:only; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2015854; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot checkin"; flow:to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2015855; rev:2;)
+
+#
+alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"|2b 06 01 04 01 09 09 60 01 01 01 01|"; fast_pattern:only; classtype:policy-violation; sid:2015856; rev:5;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"|00 03|"; depth:2; content:"|0a 21 0a|version|20|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^.{1,500}\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; content:"/RebateInformerSetup.exe"; fast_pattern; nocase; http_uri; content:"User-Agent|3a| Inno Setup Downloader"; http_header; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"|16 03 01|"; content:"|00 be d3 cf b1 fe a1 55 bf|"; distance:0; content:"webmaster@localhost"; distance:0; content:"|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|ddoser|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015868; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Zombie|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015869; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW|7C|Stable|7C|"; depth:14; pcre:"/\x7C(NEW|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015870; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}|(?!(\d{1,2}[\r\n\s]|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"|3a|"; http_uri; fast_pattern; content:"|3a|"; distance:2; within:1; http_uri; content:"|3a|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]|3[0-9])\x3a){3,}([1-2][a-z]|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com|0d 0a|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:3;)
+
+#
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Known Reveton Domain whatwillber.com"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|0b|whatwillber|03|com|00|"; nocase; distance:0; classtype:bad-unknown; sid:2015875; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:39; content:"/q.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; content:"/app/geoip.js"; http_uri; fast_pattern:only; content:"maxmind.com|0d 0a|"; http_header; classtype:policy-violation; sid:2015878; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0|5c|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(|2F 5C 2E 7C 5C 5F 2F|g, ''))|3B|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(|22|applet|22|)|3B|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(|22|code"; distance:0; nocase; content:".class|22 29 3B|"; nocase; within:50; content:".setAttribute(|22|archive"; nocase; distance:0; content:"document.createElement|22|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:trojan-activity; sid:2015884; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:trojan-activity; sid:2015887; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Popads/Unknown Java Exploit Kit 32-32 byte hex java payload request"; flow:established,to_server; content:"/0"; http_uri; offset:33; depth:2; urilen:35; pcre:"/\/[a-f0-9]{32}\/0/U"; flowbits:isset,ET.http.javaclient.vulnerable; content:" Java/1"; http_header; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50"; http_uri; depth:3; pcre:"/^\/50[a-f][a-f0-9]{21}\/(([CBrhVykGTU]+Y){3}[CBrhVykGTU]{1,2}|NHee)S(([CBrhVykGTU]+Y){3}[CBrhVykGTU]|NHee)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:trojan-activity; sid:2015891; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015892; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015893; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown FakeAV - /get/*.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown_comee.pl - POST with stpfu in http_client_body"; flow:established,to_server; content:"POST"; http_method; content:"stpfu"; http_client_body; depth:5; classtype:trojan-activity; sid:2015895; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Unknown_comee.pl - Response from stpfu in http_client_body"; flow:established,to_client; file_data; content:"|6C 95 32 CB|"; within:4; classtype:trojan-activity; sid:2015896; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru|0d 0a|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 1/Hmi"; classtype:trojan-activity; sid:2015898; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; content:"Windows NT 2"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 2/Hmi"; classtype:trojan-activity; sid:2015899; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; content:"Windows NT 3"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 3/Hmi"; classtype:trojan-activity; sid:2015900; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:1;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove|cInfo)|tringTools|afeMode|ql)|(?:Bruteforc|Consol)e|FilesMan|Network|Logout|Php)/P"; classtype:attempted-user; sid:2015906; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA -Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:bad-unknown; sid:2015907; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BoA - PII Phished"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; content:"&dob3="; http_client_body; classtype:bad-unknown; sid:2015908; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - BoA - Creds Phished"; flow:established,to_server; content:"reason="; http_client_body; content:"Access_ID="; http_client_body; content:"Access_ID_1="; http_client_body; content:"Current_Passcode="; http_client_body; classtype:bad-unknown; sid:2015909; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:bad-unknown; sid:2015911; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:bad-unknown; sid:2015912; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:bad-unknown; sid:2015913; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:bad-unknown; sid:2015914; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015915; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015916; rev:2;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:1;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:1;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname|3a|<br>User|3a|<br>Php|3a|<br>Hdd|3a|<br>Cwd|3a|</span>"; classtype:attempted-user; sid:2015919; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; content:"POST"; http_method; content:"form-data\; name=|22|a|22|"; http_client_body; content:"form-data\; name=|22|c|22|"; http_client_body; content:"form-data\; name=|22|p1|22|"; http_client_body; classtype:attempted-user; sid:2015920; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0|3A|hxxp|3A|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"|29 20|Java/"; http_header; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b| name=|22|from|22|"; http_client_body; content:"form-data|3b| name=|22|realname|22|"; http_client_body; content:"form-data|3b| name=|22|amount|22|"; http_client_body; classtype:web-application-activity; sid:2015924; rev:1;)
+
+#
+alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=|22|?x=selfremove|22|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; content:".php?x=img&img="; http_uri; fast_pattern:only; classtype:web-application-activity; sid:2015926; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit /h***.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2015927; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"|29 20|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (8)"; flow:to_server,established; content:"/less/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/less\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015933; rev:4;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; content:"GET /t/"; depth:7; pcre:"/^[a-f0-9]{32}\s*HTTP\/1\.[0-1]\r\n/R"; classtype:trojan-activity; sid:2015936; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; content:"POST"; http_method; content:"form-data|3b| name=|22|formSubmited|22|"; http_client_body; content:"form-data|3b| name=|22|scriptPassword|22|"; http_client_body; classtype:misc-activity; sid:2015937; rev:6;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Banking PHISH - Login.php?LOB=RBG"; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; classtype:trojan-activity; sid:2015938; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; content:"/sftp-config.json"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:" Java/"; http_header; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:" Java/"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; content:"/core/Loader.php?"; fast_pattern:only; http_uri; nocase; content:"g="; http_uri; content:"s="; http_uri; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; content:"/core/DataTable/Filter/Megre.php"; http_uri; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; pcre:"/\.jar\?m\=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:14;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; classtype:trojan-activity; sid:2015952; rev:1;)
+
+#
+alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER PIWIK Backdored Version calls home"; flow:established,to_server; content:"POST"; http_method; content:"prostoivse.com|0d 0a|"; http_header; nocase; content:"/x.php"; http_uri; content:"reff="; http_client_body; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<|2F|title><meta name=|22|robots|22| content=|22|noindex|22|><|2F|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:"User-Agent|3a| Microsoft BITS/"; http_header; classtype:trojan-activity; sid:2015957; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:!"User-Agent|3a| "; http_header; classtype:trojan-activity; sid:2015958; rev:1;)
+
+#
+#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:2;)
+
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern:only; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015960; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; fast_pattern:only; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e=u00"; http_uri; fast_pattern:only; content:"&token=u00"; http_uri; classtype:trojan-activity; sid:2015962; rev:9;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin 1"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; content:" HTTP"; distance:1; within:5; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\x2eeu\r\n\r\n$/"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015968; rev:5;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"GET "; depth:4; content:"MSIE 7.0|3b|"; content:".ddns"; fast_pattern; distance:0; content:".eu|0d 0a|"; distance:1; within:5; pcre:"/GET \/[a-z0-9]+?\/?\?[a-z]\d? HTTP\/1\.1\r\nUser-Agent\x3a .+?\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\.eu\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:8;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"|29 20|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:10;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:10;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern:only; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH PayPal - Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"?s=1"; http_uri; content:"|29 20|Java/1"; http_header; content:"text="; http_client_body; depth:5; pcre:"/\?s=1$/U"; classtype:trojan-activity; sid:2015974; rev:9;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/grant\s+(file|all)\s+on\s+A{500,}/"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:3;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; fast_pattern; content:" HTTP"; distance:1; within:5; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; pcre:"/GET \/1\/\?\w HTTP\/1\.1\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(|22|"; distance:0; content:"|22|))|3b|"; distance:52; within:76; content:")|3b|</script></body>"; within:200; fast_pattern; pcre:"/\(\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,70}\x22\).{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:6;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy3Ojj"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"|7C|pdfver|7C|"; content:"|7C|applet|7C|"; classtype:bad-unknown; sid:2015979; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Google - Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host|3a 20|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; http_uri; pcre:"/(\?|&)(host|service|opt|end|start)=[^&]+?\x60.+?\x60/Ui"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Joomla Component SQLi Attempt"; flow:established,to_server; content:"option=com_"; http_uri; nocase; content:"union"; http_uri; nocase; distance:0; content:"select"; nocase; http_uri; distance:0; content:"from"; nocase; http_uri; distance:0; content:"jos_users"; distance:0; http_uri; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; pcre:"/^\/[a-f0-9]+$/Ui"; content:"Windows NT 9.0|3b|"; http_header; pcre:"/^Host\x3a\s*(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"|11|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"|00 03|"; offset:3; depth:2; pcre:"/^(USE|PASS|SELECT|UPDATE|INSERT|ASCII|SHOW|CREATE|DESCRIBE|DROP|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"|22|ors.class|22|"; fast_pattern:only; content:"|22|bhjwfffiorjwe|22|"; classtype:bad-unknown; sid:2015991; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |27|TYPE=TRIGGERS|27| into outfile|27|"; nocase; pcre:"/\s*?\/.+?\.TRG\x27\s*?LINES TERMINATED BY |27 5f|ntriggers=/Ri"; content:"CREATE DEFINER=|60|root|60|@|60|localhost|60|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:6;)
+
+#
+alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"|02|"; offset:3; depth:4; content:"|15 04|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"select |40 40|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s*?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c|3a|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique)"; flow:to_server,established; content:"|03|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"|5c 5c 5c|.|5c 5c 5c 5c|root|5c 5c 5c 5c|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:"/j16.php?i="; http_uri; content:"|29 20|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/lpdf.php?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; pcre:"/\/i.php?token=[a-z0-9]+$/U"; classtype:trojan-activity; sid:2015998; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Necurs"; flow:to_server,established; content:"POST"; http_method; content:"/iis/host.aspx"; http_uri; fast_pattern; content:!"User-Agent|3a|"; http_header; content:"application/octet-stream"; http_header; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; content:"POST"; content:"/log HTTP/1."; distance:0; fast_pattern; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:trojan-activity; sid:2016014; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s]*[\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/admin/admin_header.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/ajax_list_tree.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/previews_functions.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/dispatch.php?"; nocase; http_uri; content:"atkaction=search"; fast_pattern:only; nocase; http_uri; content:"atknodetype="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tests/test_tools/functional_tests.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/demos/time-tracker/tests/functional.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/consulta_fact.php?"; nocase; http_uri; fast_pattern:only; content:"fact_num="; nocase; http_uri; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newinventario.php?"; nocase; http_uri; fast_pattern:only; content:"sn="; nocase; http_uri; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newtransact.php?"; nocase; http_uri; fast_pattern:only; content:"ref="; nocase; http_uri; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SmokeBot grab data plaintext"; flow:established,to_server; content:"cmd=grab&data="; fast_pattern:only; http_client_body; content:"&login="; http_client_body; classtype:trojan-activity; sid:2016011; rev:3;)
+
+#
+alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;)
+
+#
+alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"|01 00 00 01 00 00 00 00 00 01|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"|00 ff 00 01 00 00 29 10|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00|"; offset:8; depth:18; content:"|4c 50|"; distance:8; within:2; content:"|10 00 40 00|D|00|e|00|x|00|t|00|e|00|r|00 00|"; distance:0; content:"|00|R|00|e|00|g|00|u|00|l|00|a|00|r|00|"; distance:0; content:"V|00|e|00|r|00|s|00|i|00|o|00|n|00 20 00|1|00 2e 00|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; file_data; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{|22|iframe|22 3a|true,|22|url|22|"; within:20; classtype:bad-unknown; sid:2016022; rev:2;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to *.stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:bad-unknown; sid:2016024; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:bad-unknown; sid:2016025; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - <applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - <applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:3;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf|2f|x|2f|"; distance:0; classtype:bad-unknown; sid:2016028; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kelihos.K Executable Download DGA"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"Host|3a 20|"; http_header; content:".ru|0d 0a|"; http_header; distance:7; within:6; pcre:"/^Host\x3a\x20(?:u(?:wf(?:ekfyj|ubpeb)|d(?:xowub|zycaf)|h(?:duxic|zubvo)|x(?:fokur|osgik)|celgos|ggifym|mpefan|qlahaf)|s(?:u(?:t(?:fasof|imjy)|kbewli)|i(?:ttanyg|webheb|hemuj)|e(?:suhror|xjereh)|o(?:haxim|qvaqo)|axyjuw)|r(?:i(?:zsebym|firac|sytfa|trios)|e(?:bfelqi|kvyfo)|u(?:xymqic|jfeag)|y(?:buhoq|kafeh)|acadpuh)|j(?:y(?:meegom|vvozoz|kyvca|torqu)|a(?:mwazer|ibzup)|e(?:btelyx|dytlu)|o(?:dkymy|kenqi))|o(?:t(?:geguuz|xolpow|pipug)|q(?:lapjim|jogxi)|cgaextu|gdowkys|jpaxlam|vquqaip|smuryf)|i(?:r(?:ojvuqu|hegre)|v(?:kikcop|nuvuk)|hmytog|kevzaq|mgohut|pdehas|wvahin|zxirfy)|b(?:y(?:(?:cmolh|vbym)y|gotbys|jlegta)|i(?:pulte|wuvba)|o(?:pwyeb|wbaiv))|p(?:e(?:dugtap|gyrgun|vhyvys)|y(?:nxomoj|ykxug)|a(?:gube|waha)v|ogwytfy)|d(?:e(?:afesqy|hjujuq)|o(?:hwapih|xilik)|a(?:lwoza|rabub)|inymak)|t(?:a(?:hfifak|ixcih)|i(?:wciwu|koqo)x|ecviqir|ozfyma|uriwil)|g(?:i(?:jevsog|nnyjyb)|olhysux|ywilhof|azuzoz|edopan|ubahvi)|y(?:(?:n(?:japru|kicy)|kocna)r|bsahov|dabxag|xyqwiz|zsabuq)|h(?:a(?:hsekju|poneg)|e(?:ztymut|dybih)|uquqxov|itakat)|w(?:a(?:pifnu|rkafo)c|e(?:tifjam|fecfo)|ibveces|yjenqo)|a(?:d(?:nedat|tesok)|qzepylu|baxhad|smukuf|wewsip)|l(?:u(?:(?:fseki|pylzu)m|ditla)|eqgugom|opoqyv)|z(?:u(?:pivzed|qijcel)|aefofin|idamuk|ylhomu)|v(?:u(?:njuet|ohsub)|ijsixem|otqygiq|euwhyz)|m(?:u(?:zupdyg|hipew|wosiv)|osjinme|abuhos)|x(?:o(?:fsimi|gitaj|moqol)|ikmonej|enacoz)|f(?:e(?:vnotow|tucxo)|i(?:dedhah|xavpu))|k(?:u(?:btyhuz|irfufo)|ejejib|ycufvy)|n(?:(?:iliqri|obzeky)x|eluzjiv)|c(?:ylqiduh|aqxaro|itsibe)|q(?:aijroke|iquzcy|uohdit)|e(?:gnisje|stesgo|vdyvaz))\.ru\r$/Hm"; classtype:trojan-activity; sid:2016029; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent|3a| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Simple Slowloris Flooder"; flow:established,to_server; content:"POST"; http_method; content:"Content-length|3A| 5235|0D 0A|"; depth:22; http_header; content:!"User-Agent|3a|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; content:"User-Agent|3a 20|Opera/9.80"; http_header; content:"Edition Yx|3b| ru"; fast_pattern; http_header; distance:0; content:!"Accept|3a|"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016034; rev:1;)
+
+#
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; http_uri; fast_pattern:47,18; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?"; nocase; http_uri; fast_pattern:47,21; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s*(?:(?:ht|f)tps?|data|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016038; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/hava_user.php?"; nocase; http_uri; fast_pattern:only; content:"userId="; nocase; http_uri; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"module="; nocase; http_uri; content:"view="; nocase; http_uri; content:"having="; nocase; http_uri; fast_pattern:only; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:2;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/includes/download.php?"; nocase; http_uri; content:"f="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016042; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/windows/code.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016043; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/windows/function.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"|2e 2e 2f|"; depth:200; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016044; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase; http_uri; fast_pattern:30,18; content:"headline="; nocase; http_uri; pcre:"/headline\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2016045; rev:1;)
+
+#
+alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/ssi_examples.php?"; nocase; http_uri; fast_pattern:only; content:"view="; nocase; http_uri; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:1;)
+
|